  • 1.  ClearPass GUI/Captive portal presenting EAP certificate

    Posted Nov 30, 2023 11:45 AM
    Edited by Ropz Nov 30, 2023 11:47 AM

    Hi Community,

    Sorry if this question has already been asked by someone else.

    I am facing a weird issue in my lab and had the same in one of my customers' deployments:

    > Got a cluster of 3 CPPM servers
    > Got EAP self-signed certificates (by default, didn't touch them)
    > Got a public signed wildcard for the https(rsa) certificate
    > Got the root + intermediate public CA enabled and with role "other" in the trust list
    > The DNS resolution is working fine (for GUI access and for captive portal)

    But when I try to access the GUI of the servers (any of the 3), or when I try to connect to my guest SSID, it seems that the server responds with its EAP self-signed certificate ... it never presents the https(rsa) one.

    I tried to patch to version 6.11.6.x: same issue.
    I tried to clear the https certificate in CLI (command "system reset-server-certificate") and then re-import it: same issue.

    Does anyone have a clue why I get this behavior?

    Thanks for the help!



  • 2.  RE: ClearPass GUI/Captive portal presenting EAP certificate

    Posted Nov 30, 2023 12:45 PM

    Edit:

    > Just changed my EAP certificates with ones delivered by my own Enterprise PKI: same issue; it still presents me a self-signed certificate when trying to access the GUI

    The self-signed certificate presented:


    The https certificate:


    The EAP certificate:



    The Root/Intermediate Public CA in the trust list:



    Dunno what more to do?




  • 3.  RE: ClearPass GUI/Captive portal presenting EAP certificate
    Best Answer

    Posted Dec 01, 2023 02:48 AM

    Hello,

    Did you check the certificate that is presented with the Guest portal? Is it not the HTTPS - ECC certificate?

    If yes, just disable it on all CPPM servers.

    Kind regards

    Christian




  • 4.  RE: ClearPass GUI/Captive portal presenting EAP certificate

    Posted Dec 02, 2023 10:46 AM

    Thank you guys, it totally worked ...

    Just to know: did I miss something? Is it written somewhere in a guide that we have to disable this ECC certificate?

    Thanks dudes




  • 5.  RE: ClearPass GUI/Captive portal presenting EAP certificate

    Posted Dec 01, 2023 02:47 AM

    Hi,

    In 6.11 you have the https-ECC certificate selected by default, so I think the self-signed certificate you see is the ECC one.

    You have to disable it if you want CPPM to use RSA instead.
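
One way to check which HTTPS certificate a node hands to RSA-only versus ECC-only clients, following the replies above. This is an added example, not part of the thread: the host name and sample text are constructed placeholders, and it assumes an `openssl` CLI whose `s_client` accepts `-sigalgs`.

```shell
#!/bin/sh
# Added example (not from the thread). Host names are placeholders.

# Summarise `openssl x509 -noout -text` output read on stdin as
# "<key type> <self-signed|CA-issued>". Issuer == Subject is a name
# comparison only; it does not verify the signature.
classify_cert() {
  awk '
    /^ *Issuer:/  { sub(/^ *Issuer: */, "");  issuer = $0 }
    /^ *Subject:/ { sub(/^ *Subject: */, ""); subject = $0 }
    /Public Key Algorithm:/ {
      if ($0 ~ /id-ecPublicKey/)     key = "ECC"
      else if ($0 ~ /rsaEncryption/) key = "RSA"
      else                           key = "other"
    }
    END {
      if (issuer == "") { print "none no-certificate"; exit }
      if (key == "") key = "unknown"
      trust = (issuer == subject) ? "self-signed" : "CA-issued"
      print key " " trust
    }'
}

# Fetch the leaf certificate while advertising a single family of
# signature algorithms, so the server must answer with its RSA or its
# ECC HTTPS certificate (or fail the handshake if it has none).
probe() {  # probe <host> <port> <sigalgs>
  openssl s_client -connect "$1:$2" -servername "$1" -sigalgs "$3" \
    </dev/null 2>/dev/null | openssl x509 -noout -text 2>/dev/null |
    classify_cert
}

compare_https_certs() {  # compare_https_certs <host> [port]
  echo "RSA-only client: $(probe "$1" "${2:-443}" 'RSA+SHA256:RSA-PSS+SHA256')"
  echo "ECC-only client: $(probe "$1" "${2:-443}" 'ECDSA+SHA256:ECDSA+SHA384')"
}

# Constructed sample of `openssl x509 -text` output for an offline check.
SAMPLE_ECC='        Issuer: CN = cppm1.example.com
        Subject: CN = cppm1.example.com
            Public Key Algorithm: id-ecPublicKey'

# Run against a server only when a host is given: ./check.sh <host> [port]
if [ "$#" -ge 1 ]; then compare_https_certs "$@"; fi
```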