
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Multiple radius certificates

  • 1.  Multiple radius certificates

    Posted Feb 07, 2017 07:39 AM

    Today we're authenticating clients with EAP-TLS. The RADIUS certificate is SHA1. This certificate will expire soon. Since SHA1 is not recommended anymore, we're going to enroll a SHA256 certificate from a new internal CA (not the same CA that the SHA1 certificate was generated from).

    To make this as smooth as possible, it would be nice if we could additionally install the SHA256 RADIUS certificate on the ClearPass. Once all clients are using the new certificate, the SHA1 certificate can be deleted.

    Is this possible?
    If not, is there another smooth solution?

    ClearPass version
    There are currently two servers in a cluster.
    All clients are running Win 7 or Win 10.
    Using GPO to enroll clients certificate and wireless setup.



  • 2.  RE: Multiple radius certificates

    Posted Feb 07, 2017 08:09 AM

    I would create the radius server certificates now.  Use a GPO to add the radius server certificates and/or their certificate authorities to the client's trust store ASAP.  When you install and switch to the new radius server certificate, your clients will be ready (some will prompt that there is a different radius server certificate, however).
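
    The staging step described in this reply, written out for one Windows client as an added example (it is not code from the thread or from Aruba): the new chain is placed in the machine trust stores, and the EAP-TLS server-validation list in the wireless profile is extended with the new root CA thumbprint while the old one is kept, so the switch on the ClearPass side does not prompt. In a real rollout a GPO does the same two things (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, and the Wireless Network (IEEE 802.11) Policy); the script is what you would run by hand to stage or verify a single machine. Assumptions are marked in the code: the file paths, the SSID name "CorpWiFi", the interface name "Wi-Fi" used in the exported profile file name, and an elevated PowerShell 5.1 session on Windows 8.1/10 (Import-Certificate comes from the PKI module, which Windows 7 does not have; there, certutil -addstore does the equivalent).

```powershell
# Added example, not from the thread. Stage a new RADIUS/EAP-TLS CA chain on a
# Windows client before the ClearPass server certificate is switched, and make
# the wireless profile trust both the old and the new root CA.
# Assumptions: elevated PowerShell 5.1 on Windows 8.1/10; the paths, SSID and
# interface name below are placeholders.

$NewRootCaFile    = 'C:\Staging\new-root-ca.cer'     # assumption: new internal root CA (DER or Base64)
$NewIssuingCaFile = 'C:\Staging\new-issuing-ca.cer'  # assumption: new issuing CA
$Ssid             = 'CorpWiFi'                       # assumption: the EAP-TLS SSID
$ExportDir        = 'C:\Staging'

# 1. Trust the new chain: root CA into Trusted Root, issuing CA into Intermediate.
$root = Import-Certificate -FilePath $NewRootCaFile    -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate        -FilePath $NewIssuingCaFile -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
Write-Host "New root CA thumbprint: $($root.Thumbprint)"

# 2. Export the current WLAN profile. The EAP-TLS server-validation settings,
#    including the trusted root CA thumbprints, live in its XML.
netsh wlan export profile name="$Ssid" folder="$ExportDir" | Out-Null
$profilePath = Join-Path $ExportDir "Wi-Fi-$Ssid.xml"   # assumption: interface is named "Wi-Fi"
if (-not (Test-Path $profilePath)) { throw "Profile export not found at $profilePath" }
[xml]$profile = Get-Content -Path $profilePath -Raw

# netsh writes each trusted root as lowercase hex bytes separated by spaces,
# one <TrustedRootCA> element per certificate.
$newThumb = ($root.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()

# Namespace-agnostic lookup so the EapHostConfig namespaces do not matter.
$svMatch = Select-Xml -Xml $profile -XPath "//*[local-name()='ServerValidation']" | Select-Object -First 1
if (-not $svMatch) { throw "No ServerValidation element: is $Ssid really an EAP profile?" }
$sv = $svMatch.Node

$existing = @($sv.ChildNodes |
    Where-Object { $_.LocalName -eq 'TrustedRootCA' } |
    ForEach-Object { $_.InnerText.Trim() })
Write-Host "Currently trusted root CAs in profile:`n  $($existing -join "`n  ")"

if ($existing -notcontains $newThumb) {
    # Append rather than replace: clients still authenticating against the
    # SHA1 server certificate must keep trusting the old CA until it is retired.
    $el = $profile.CreateElement('TrustedRootCA', $sv.NamespaceURI)
    $el.InnerText = $newThumb
    $sv.AppendChild($el) | Out-Null
    $profile.Save($profilePath)

    # 3. Re-apply the profile for all users of the machine.
    netsh wlan add profile filename="$profilePath" user=all
    Write-Host "Added $newThumb to the trusted root CA list of $Ssid."
} else {
    Write-Host "Profile already trusts the new root CA; nothing to do."
}
```

    Two caveats a practitioner would want: if the profile is delivered by a Wireless Network policy, netsh will refuse to overwrite it and the thumbprint has to be added in the GPO instead; and if ServerNames is populated in the same ServerValidation block, the new server certificate's subject must still match it, so check that field before cutover as well. When the old CA is finally retired, the same script pattern removes the old TrustedRootCA element and the old root from Cert:\LocalMachine\Root.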

  • 3.  RE: Multiple radius certificates
    Best Answer

    Posted Feb 08, 2017 02:36 AM

    Thanks for your reply.

    We added the new CA and Issuing certificates on the CP. Then we installed the SHA256 client certificate on a test PC, and it works. Client was authenticated and connected to the network.


  • 4.  RE: Multiple radius certificates

    Posted Aug 24, 2017 08:59 AM

    Hi - I'm going through this same process now in a large healthcare environment.  All managed machines are prepped up and working as expected via GPO.  The problem for me is thousands of old medical devices that don't support SHA-2 certs.  It would be great if we could install SHA-1 and SHA-2 certs in CP.  It appears my only option is to operate the clients without a cert at all, or spin up a new SSID that supports the old SHA-1 cert?