Dear all,
After reading this ClearPass Certificates 101 from our dear Danny, I have quite a lot to ask:
TL;DR:
1. Is there any updated version of Certificates 101 for 6.9.x and above?
2. What are the parameters that I should match between AD and ClearPass to be able to generate a proper ClearPass server certificate?
3. In an EAP-PEAP setup, should I also 'ask' the customer's existing AD to sign the ClearPass-generated CSR? But actually my customer doesn't have a CA at the moment. What should I do in that case? Should I just go with a self-signed cert?
4. And in the first place, should ClearPass be joined to the customer's domain (the one whose users are being authenticated)?
5. Lastly, how should I generate a database and HTTPS server cert so that I do NOT have to use the -V option when running Make Subscriber? I was not able to perform the make subscriber without the -V option, but with the -V option I was able to do it successfully.
Ok, back to the questions:
- One is: is there an updated version for 6.9.x and above? Because, as we have all been deploying, there are now four types of server certificates that we can generate, instead of two as of 6.3.x.
- Particularly in my deployment case, I keep running into this "AD status: {Device Timeout}" issue with "%hs" something something, which I was able to resolve by disjoining and rejoining ClearPass to our customer's domain.
- For my ClearPass, I generated self-signed certs for all four kinds of cert that 6.9.x now supports. We have an EAP-PEAP deployment, for which I don't think we need a CA to sign the cert. On the existing endpoints, the adapter does not have the "Verify server cert" option checked. The fact that this kind of setup is working at other institutions in the same cluster made me more convinced that it would work consistently in my new setup as well. Which I now honestly doubt.
- I have just changed the ClearPass DNS to a newly set up local AD derived from their AD in the WAN, and I am encountering this "AD status: {Device Timeout}" again. Last time around, I started facing this issue probably because:
a) I joined ClearPass to the domain first, then
b) I generated a new server cert.
c) The issue was then solved after I disjoined and rejoined the domain.
d) This makes me believe that the self-signed cert is actually also used in EAP-PEAP authentication, although on the endpoint "Verify server cert" is unchecked.
- But now it does not work again after changing the DNS IP in ClearPass. FYI, their AD also acts as the DNS server.
- So, with all that info, what should I actually check in AD so I can follow the same parameters to generate a proper cert? Because right now I don't know to what extent this setup will work consistently.
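Added example, not part of the original post and not ClearPass code: question 2 and question 5 both come down to whether the server certificate carries the name that the connecting client uses. Any TLS client that does verify the certificate (a browser hitting the HTTPS admin page, a peer node joining a cluster, or a supplicant with "Verify server cert" ticked) checks the Subject Alternative Name entries against the host name or IP it connected to, checks the validity window, and expects a serverAuth extended key usage; the Subject CN alone is ignored by modern clients. The snippet below generates a self-signed server certificate with Go's standard crypto/x509 package and then runs exactly those checks against it, using a constructed FQDN (clearpass.corp.example) and IP (10.0.0.5) that are assumptions, not values from the post. The post does not say what the -V option does, so nothing here makes a claim about it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds a self-signed server certificate for fqdn/ip.
// withSAN=false produces the classic mistake: the name is only in the CN.
func makeSelfSigned(fqdn string, ip net.IP, withSAN bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: fqdn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if withSAN {
		// The FQDN must be the name clients and peer nodes actually resolve.
		tmpl.DNSNames = []string{fqdn}
		tmpl.IPAddresses = []net.IP{ip}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// checkServerCert returns the problems a verifying TLS client would raise
// when it connects to connectName (a host name or an IP address) and is
// presented with certPEM. An empty slice means the cert fits that name.
func checkServerCert(certPEM []byte, connectName string) []string {
	var problems []string
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return []string{"input is not a PEM certificate"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"parse error: " + err.Error()}
	}
	// Hostname matching uses SAN only; CN is not consulted.
	if err := cert.VerifyHostname(connectName); err != nil {
		problems = append(problems, "name mismatch: "+err.Error())
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "certificate outside its validity period")
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			serverAuth = true
		}
	}
	if !serverAuth {
		problems = append(problems, "missing serverAuth extended key usage")
	}
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		problems = append(problems, "no SAN entries: CN-only certs fail modern clients")
	}
	return problems
}

func main() {
	const fqdn = "clearpass.corp.example" // constructed, not from the post
	ip := net.ParseIP("10.0.0.5")         // constructed, not from the post
	good, _ := makeSelfSigned(fqdn, ip, true)
	cnOnly, _ := makeSelfSigned(fqdn, ip, false)
	fmt.Println("good cert, by FQDN:   ", checkServerCert(good, fqdn))
	fmt.Println("good cert, by IP:     ", checkServerCert(good, "10.0.0.5"))
	fmt.Println("good cert, other name:", checkServerCert(good, "cppm01.corp.example"))
	fmt.Println("CN-only cert, by FQDN:", checkServerCert(cnOnly, fqdn))
}
```

The practical reading: if the DNS name ClearPass is reached by changes (a new local DNS, a rename, an added cluster node), a certificate that only carried the old name fails the name check, and a certificate whose name lives only in the CN fails regardless, which is why the name in the SAN must match what the client or peer node resolves before the cert is regenerated.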