Hi
Yes, you can have multiple RADIUS certificates installed as Service Certificates in ClearPass. In that case you have to select the certificate to utilize for each service that should have another certificate than the server RADIUS certificate.
But I think the idea of having the same SSID for all users is a good one. This will give the least amount of configuration of the clients and in ClearPass, but maybe with restrictions on the access when traveling if needed. If clients traveling should get another role or VLAN, this can be implemented in the enforcement policy by returning a different set of parameters back during the authentication process.
If you would like to have a separate SSID for traveling computers, it will require more work. So far there are no problems with this, but you also need to configure the clients to trust the correct certificate. I'm not quite sure exactly what you intend to do with the separate SSID for persons traveling, because if I understand correctly that SSID would be the same on all sites. In that case also clients not traveling will see this SSID in the home site, and possibly try to connect to it. Clients jumping back and forth between SSIDs is never good.
I think that Service Certificates in your case would just make the configuration overcomplicated and hard to troubleshoot, because you need to configure the clients from different parts of the organization differently, and also configure ClearPass to reply with a different certificate based on where in the organization the client is located.
One thing to keep in mind is that if you have installed a Service Certificate in ClearPass but do not have it selected in any service, it's still required to be valid. If the certificate expires, and the RADIUS service restarts, the service will not start again.
Best Regards
Jonas Hammarbäck
Original Message:
Sent: 6/24/2024 11:10:00 PM
From: cdelarosa
Subject: RE: Clearpasses in different countries with different CAs
Hello Jonas
I read that in ClearPass you can install multiple RADIUS/EAP certificates and associate them to a specific service. This feature seems to be useful if CPPM is authenticating users from multiple organizations (I see multiple organizations as well; yes, it's the same company, but the name is a bit different and different CAs) and you can match the correct certificate with the service of each domain.
I was thinking this could work for me, but then they want to use the SAME SSID for the persons that travel. If we could have a second SSID for all these users that travel, I guess this could work?
What you were telling me up there, is that for using it on a single SSID, using EAP-TLS?
Thanks
Original Message:
Sent: Jan 29, 2024 10:46 AM
From: cdelarosa
Subject: Clearpasses in different countries with different CAs
Okay I got it
"The clients must trust the other domain PKI"
This is the part I was missing
That is something the client must work on in their PKIs. Right now I believe that's not happening. Both PKIs are independent and are not being trusted. I will have to ask.
Thank you very much for explaining this to me
Kudos!
Original Message:
Sent: Jan 29, 2024 10:26 AM
From: jonas.hammarback
Subject: Clearpasses in different countries with different CAs
The clients must trust the other domain PKI as well, and in the 802.1X GPO you should also mark the root of the other domain's PKI as trusted for EAP.
In my last answer I referred to the changes needed on the ClearPass server side.
Certificates are often a complex topic where you need to trust the issuer of the certificates and also configure the 802.1X policies on the clients.
Your case is a bit of a special case with a lot of additional parameters to consider. I would recommend contacting an Aruba partner or Aruba SE to get assistance to look into the specific questions you have.
This is (hopefully) a list of all that must be configured on both sides:
- Each ClearPass server must trust the PKI in the other domain
- Possibly an LDAP connection to the other AD, if group membership should be utilized
- ClearPass must have configuration in the EAP-TLS service to handle the clients from the other domain
- Clients must trust the PKI in the other domain
- Clients should only have a certificate for client authentication from their own domain
- Clients should have 802.1X configured by GPO
- In the GPO the root certificates from both PKIs should be selected as trusted for 802.1X (in the picture below both root certificates should be selected)
- In the GPO the client may need to configure how to select the client authentication certificate under the Advanced settings in this dialogue, where the client should only select certificates based on the root in its own domain.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 29, 2024 09:41 AM
From: cdelarosa
Subject: Clearpasses in different countries with different CAs
Hello
I can do that with no issues, but wouldn't I need the certificate in the certificate store in the RADIUS part of the select usage of domain B also?
Won't that bring me issues of "did not complete EAP transaction", because it is from another domain?
If not, I would like to know why I installed that certificate in the first place then. I thought I needed it so it worked properly, the certificate in the trust list and the certificate in the select usage in the certificate store, but it seems that at least the users from the other countries don't need it when they are on another domain.
I'm just trying to understand what I'm doing, sorry about so many questions.
I
Original Message:
Sent: Jan 29, 2024 09:17 AM
From: jonas.hammarback
Subject: Clearpasses in different countries with different CAs
Hi
You should not touch the certificates on the clients.
In ClearPass A install the root and any intermediate certificates from domain B under Administration\Certificate\Trust list and enable usage EAP and AD/LDAP Server.
On ClearPass B install the same from domain A.
If you need to apply roles based on the different user groups from B when a person is visiting country A, you also need to create a matching LDAP connection from ClearPass A to domain B to be able to read the AD groups. In that case you also need to update the role mapping and enforcement policies accordingly. The same must also be done on the other side.
If all users visiting A from B should be in the same role, you will just need a single line in the role mapping policy to assign that role based on the issuing CA in domain B.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 29, 2024 08:51 AM
From: cdelarosa
Subject: Clearpasses in different countries with different CAs
Hello Jonas, hope you are doing great.
Right now they have, like I said, 2 different domains, and each domain has different CAs, and each country has a ClearPass cluster.
Each ClearPass from each country can reach both domains, that's not a problem.
Each country has its own domain and its own users: country A is on a.domain.local and country B is on b.domain.local. ClearPass of country A has requested the CA of ClearPass A, so users from CA A in domain a.domain.local can authenticate on ClearPass A with no issues, and that part is working fine. The same goes for country B.
Now the problem comes when a manager in country B wants to travel to country A: he has a different CA and he works with a different domain. How do I request a certificate of country B for ClearPass and install it? If I do and install it in the certificate store, that deletes certificate A that is stored in the certificate store, and my users that are local in the country will stop working with EAP-TLS. That's the problem I'm trying to overcome.
Unless I didn't understand what you mean? If I didn't, please correct me.
Managers from country A should travel to country B and vice versa. The SSID should be the same in each country, that's the request. Let's say the SSID is ARUBA in each country with EAP-TLS, but the difference is that it's on a different domain with a different CA, but the domains are reachable from both ClearPasses in each country.
The part where I lost you is where you said I can install the certificate in each country, but if I do I'll lose my other certificate that I need. Can you explain that part to me? How will it work if I lose that certificate, at least for the local users?
Thanks
Original Message:
Sent: Jan 29, 2024 02:24 AM
From: jonas.hammarback
Subject: Clearpasses in different countries with different CAs
Hi
If I understand right, the two servers are not part of a cluster, so they are stand-alone servers?
If that's the case you must install the CA certificates of domain A on ClearPass server B and the CA certificate of B on server A.
Are the domains reachable between the countries? In that case you should configure lookup of users in domain B from server A and domain A from server B. Also make sure the CRL or OCSP is reachable between the two countries.
It shouldn't be a problem to solve the authentication of users from the other domain as long as the communication works. If you don't have a connection between the domains/countries you can still trust the root from the other side, but not perform AD lookup and revocation check. In that case you may prefer to assign a limited role for devices from the other country.
The only limitation is if both root CA certificates have the exact same common name. In that case ClearPass can't authenticate users from both domains.
I have raised a feature request to change the behavior of ClearPass to work in situations where there are multiple roots with the same common name, as is the case with intermediate certificates. https://innovate.arubanetworks.com/ideas/SEC-I-2038
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
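As an added lab example (not code from the thread or from ClearPass), the script below builds two independent PKIs with openssl to stand in for domain A and domain B, verifies a visiting client against a trust list that holds both roots, derives a role from the issuing CA as the single role-mapping line above suggests, and checks for the same-Common-Name limitation described in the post above. The root CNs and role names are constructed; the domain names come from the thread; openssl is assumed to be installed.

```shell
#!/bin/sh
# Constructed lab (added example, not ClearPass's or the thread's own code): two
# independent PKIs stand in for domain A and domain B, with one EAP-TLS client
# cert each. It chain-verifies a client against a trust list holding both roots,
# derives a per-issuing-CA role, and flags two roots sharing one Common Name.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# make_pki LABEL ROOT_CN CLIENT_CN: self-signed root plus one client cert.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1-client.key" -out "$WORK/$1-client.csr" 2>/dev/null
  openssl x509 -req -days 2 -sha256 -in "$WORK/$1-client.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root.key" -CAcreateserial \
    -out "$WORK/$1-client.pem" 2>/dev/null
}
# verify_client CERT ROOT...: verify CERT against the combined trust list and,
# on success, print its issuer DN (what a role mapping rule keys on).
verify_client() {
  cert=$1; shift
  cat "$@" > "$WORK/trust-list.pem"
  openssl verify -CAfile "$WORK/trust-list.pem" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert" | sed 's/^issuer=//'
}
# role_for_issuer ISSUER_DN: one role-mapping line per issuing CA; anything
# not issued by a known root lands in a restricted role (constructed names).
role_for_issuer() {
  case $1 in
    "CN=Domain A Root CA") echo "Employee-A" ;;
    "CN=Domain B Root CA") echo "Visitor-from-B" ;;
    *) echo "Restricted" ;;
  esac
}
# roots_have_unique_cn ROOT...: fails when two roots share a subject CN, the
# one case the thread says ClearPass cannot tell apart.
roots_have_unique_cn() {
  for r in "$@"; do openssl x509 -noout -subject -nameopt RFC2253 -in "$r"; done \
    | sort | uniq -d | grep -q . && return 1
  return 0
}
# Demo: build both PKIs, then authenticate domain B's manager visiting country A.
make_pki a "Domain A Root CA" "manager@a.domain.local"
make_pki b "Domain B Root CA" "manager@b.domain.local"
issuer=$(verify_client "$WORK/b-client.pem" "$WORK/a-root.pem" "$WORK/b-root.pem")
echo "issuer=$issuer role=$(role_for_issuer "$issuer")"
roots_have_unique_cn "$WORK/a-root.pem" "$WORK/b-root.pem" && echo "root CNs are unique"
```

With only the home root in the trust list, the visiting client fails verification, which is the behaviour the thread describes before the other domain's root is trusted.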
Original Message:
Sent: Jan 29, 2024 12:07 AM
From: cdelarosa
Subject: Clearpasses in different countries with different CAs
Hello guys, I ran into the following issue recently.
I have a CA in country A.
I have a different CA in country B, which is in another domain.
The client wants that when their managers go from country A to country B they can connect with the same SSID.
If they had the same CA I do think that would be an issue, but they have different CAs with different domains.
Each country has its ClearPass, and I can just sign the ClearPass with one of the CAs. I cannot use them with 2 CAs, so I'm not sure what I can do here or how I can manage this situation.
Has anyone run into this situation? If you have, how did you manage it?
We are using EAP-TLS.
Thanks