Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Be careful with expired certificates

  • 1.  Be careful with expired certificates

    Posted May 23, 2020 07:27 AM

    If you do some testing in our production ClearPass, be sure not to have expired RADIUS service certificates. We had one just expire (meant to fix it next week as it was for a new service I was testing on) and this caused our whole CPPM cluster to fail. Might have been because I was adding a new subscriber which might have done a refresh for the RADIUS service.

     

    On all our CPPM servers the RADIUS service stopped and didn't start.

     

    The problem was that the RADIUS service certificate mapped to a service under Authentication -> Service Certificate had expired. After we switched it to a valid certificate everything started working again.

     

    This was on 6.8.2

     

    (btw is it possible to update subscribers first to a newer version and only after that the publisher?)



  • 2.  RE: Be careful with expired certificates

    Posted May 23, 2020 07:31 AM

    It is well known that if the RADIUS certificate expires, the RADIUS service stops: https://community.arubanetworks.com/t5/Security/CPPM-RADIUS-cert/td-p/271086

     

    You can also configure ClearPass to alert you via email when this happens: https://community.arubanetworks.com/t5/Security/Radius-Certificate-Expiration-Alert/m-p/552596#M45658



  • 3.  RE: Be careful with expired certificates

    Posted May 23, 2020 07:33 AM

    Wonder if this is mentioned in the manuals? Of course it's my fault for not updating the certificate, but for future reference I'd like to check if there are other similar things that I should be aware of.

     

    Now the expired certificate issue is very well known to us too.