Security

  • 1.  certificate radius for global trust device

    Posted 30 days ago

    Dear All,

    Currently in our environment we have an 802.1X configuration with ClearPass.

    We do not have issues with macOS/iOS/Android, but on several Windows machines we need to manually disable "validate server certificate".

    We have already injected a DigiCert SSL certificate into ClearPass, but it is a wildcard.

    Do we have documentation about what type of certificate should be injected into ClearPass so that we don't have to uncheck "validate server certificate" on Windows laptops?



    ------------------------------
    Regards,

    Hudaya

    ACCP, ATP, ACP-CA
    ------------------------------


  • 2.  RE: certificate radius for global trust device

    Posted 30 days ago

    Hi.


    For RADIUS you can't use a wildcard cert. You need a dedicated certificate, and you need to include a SAN field with the IP addresses and DNS names of all ClearPass servers in the cluster if you would like to use a single certificate for RADIUS.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 3.  RE: certificate radius for global trust device

    Posted 29 days ago

    Dear @GorazdKikelj,

    Thanks for your response.

    I have already found the documentation for user acknowledgment.

    Thank you



    ------------------------------
    Regards,

    Hudaya

    ACCP, ATP, ACP-CA
    ------------------------------



  • 4.  RE: certificate radius for global trust device

    Posted 29 days ago

    Hi,

    What version of Windows do you have on the clients?

    There are some changes in how the validation of the certificate is done in different versions of Windows and in some Windows 11 updates. To be compliant with most versions today, provide the name(s) found in the RADIUS certificate and also check the checkbox "Do not prompt the user...".

    The screenshot below is from Windows 11 23H2 with EAP-TLS.

    One version of Windows 11 had case-sensitive validation of the name in the certificate; all others are not case-sensitive.

    On this link you can get more information about how Windows validates the RADIUS certificate:
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: certificate radius for global trust device

    Posted 29 days ago

    Note the further requirement when configuring the Windows supplicant that the RADIUS certificate cannot be a wildcard so that the "Connect to these servers" entry can be provided with the FQDN that was set on the RADIUS certificate.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 6.  RE: certificate radius for global trust device

    Posted 29 days ago

    Dear Jonas and chulcher,

    We have different kinds of Windows 11 and all need to be automatically validated,

    so we need ClearPass to be injected with an SSL green bar certificate.

    Thanks for the response.



    ------------------------------
    Regards,

    Hudaya

    ACCP, ATP, ACP-CA
    ------------------------------



  • 7.  RE: certificate radius for global trust device

    Posted 29 days ago

    If by "SSL greenbar" you are referring to the old green bar feedback in browsers when an EV certificate was used, that doesn't exist in the supplicant.  And no longer exists in browsers.

    The only way to prevent ANY current OS from warning on the RADIUS certificate trust is to pre-configure the supplicant with the trust settings.  The usage of a wildcard certificate for a RADIUS service is not supported.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: certificate radius for global trust device

    Posted 29 days ago

    SAN entries are not necessary for IP addresses, and only a single FQDN needs to be listed.

    A simple, single server certificate for RADIUS can be used on all of the ClearPass nodes, and the FQDN on the certificate should NOT be DNS resolvable, as there is zero reason to do so.

    The HTTPS certificate is a different story.  Please do NOT use the same certificate for RADIUS and HTTPS.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------