Security

 View Only
Back to discussions
Expand all | Collapse all

FQDN

This thread has been viewed 48 times

  • 1.  FQDN

    Posted Mar 31, 2023 04:00 AM

    Hi all,

    Our Clearpass Policy server was setup by a 3rd party. It's two policy servers, let's call the A-NAC01 and A-NAC02

    When I check the server configuration I see the following

    Hostname A-NAC01 
    FQDN is blank

    (Same for A-NAC02)

    When I check the cert that devices check it is CN=A-NAC01

    When I'm setting up a wired configuration, and specify the NAC server, should I just use A-NAC01? Is there an issue with how this is setup?




  • 2.  RE: FQDN

    Posted Mar 31, 2023 01:11 PM

    Hey Dave
    The Name listed in the Cert CN is most important from a RADIUS perspective.
    But your post prompts a few questions:
    Is it the same CERT on both CPPM nodes?
    Is the CERT CN the same on both CPPM nodes?
    Do you have DNS ARecords pointed configured for the CERT CN?



    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------

    Original Message


  • 3.  RE: FQDN

    Posted Mar 31, 2023 01:30 PM
    Edited by DaveG Mar 31, 2023 01:35 PM
    I'll have to double check , but I've a feeling each node has it's own cert with it's own CN , but the cluster name is matching the name of node 1.

    DNS is pointing to Node 1 name's too.

    Thanks


  • 4.  RE: FQDN

    Posted Mar 31, 2023 02:00 PM

    For Context, it is generally best practice for the nodes to share a CERT.
    The CN will be a FQDN representing both nodes i.e. "clearpass.domain.com"
    Then you will add SANs to the CERT to represent each individual node i.e. "DNS:node1.domain.com,IP:10.0.0.11,DNS:node2.domain.com,IP:10.0.0.12"



    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------

    Original Message


  • 5.  RE: FQDN

    Posted Apr 01, 2023 09:08 AM

    Thanks, this is really clear. 

    Just one further question if I may, the IP address in the SAN, does that point to the Virtual IP of that node? So we just have two nodes, publisher and subscriber so would it be

    CN=NAC.Company.Loc
    SAN=DNS:node1.domain.com,IP:Virtual IP of this node,DNS:node2.domain.com,IVirtual IP of this node,"

    I'll need to check the GPO now and see what our 802.1x policy is pointing to.


    Original Message


  • 6.  RE: FQDN

    Posted Apr 02, 2023 11:38 PM
    Edited by BrettV Apr 03, 2023 12:06 AM

    "the IP address in the SAN, does that point to the Virtual IP of that node?"

    Dave, from a client perspective, the values listed in the SAN fields, whether IP addresses or DNS names, must match the destination the client is trying to reach. So if you have listed a VIP on your infrastructure config somewhere for a client to a make a connection to, then yes - add the VIP.

    I'd list the VIPs (along with the FQDNs that match the VIP if any) but you really should list the unique IPs/FQDNs of the servers as well, because otherwise, you can't be sure which server you are accessing (via the web GUI for example). How can you be sure that another server hasn't taken ownership of that VIP?

    I rarely use IPs in my certs, but if I have to (usually from customer demands), I'd submit a CSR that looks like this:

    CN = clearpass.domain.name
    ## SAN ##
    DNS.1 = clearpass.domain.name
    DNS.2 = node1.domain.name
    DNS.3 = node2.domain.name
    IP.1 = 10.0.0.111 (node1 VIP)
    IP.2 = 10.0.0.101 (node1 unique IP)
    IP.1 = 10.0.0.112 (node2 VIP)
    IP.2 = 10.0.0.102 (node2 unique IP)

    Some browsers no longer check the CN field, so you should include the CN as a SAN entry to ensure 100% compatibility with all client devices.



    ------------------------------
    Regards,

    Brett V
    ------------------------------

    Original Message


  • 7.  RE: FQDN

    Posted Apr 03, 2023 04:12 AM

    All, thank you so much.

    Apologies for the multiple questions!


    Original Message


  • 8.  RE: FQDN

    Posted Apr 03, 2023 09:15 AM

    Hi, just one thing to add.

    You need to list the IPs only if someone or something it's going to access clearpass using the IPs. If you are only going to use FQDNs to reach the Clearpass servers you just need the DNS entries on the SANs field as Brettv said.

    I hope this helps


    Original Message


  • 9.  RE: FQDN

    Posted Apr 03, 2023 09:23 AM

    Thanks, but does that mean I need to add the nodes and IP on our standard DNS server?

     Or that as long as the cert is providing the three FQDNs, the clients will accept that? This is just for client/radius auth, not accessing via HTTP.


    Original Message


  • 10.  RE: FQDN

    Posted Apr 03, 2023 09:29 AM

    If it's for RADIUS you don't need to add the fqdns in the DNS server. 

    Regards


    Original Message


  • 11.  RE: FQDN

    Posted Apr 04, 2023 10:36 AM

    General guidelines for RADIUS:
    - Use the same certificate on all ClearPass/RADIUS servers; this avoids any issues that may be related to the clients seeing different certificates when different RADIUS servers are used for authentication.
    - Don't use a Wildcard certificate for RADIUS, as some clients have shown issues with that. Single FQDN or multiple SAN certificates are fine. Note that modern certificate rules dictate that the CN should not be used for server authentication, and at least 1 SAN with the same name as the CN should be included. Not 100% sure if that also applies for RADIUS, but better follow that guidance.
    - The FQDN used in the certificate does not need to be registered in DNS. For the same reason adding the node FQDNs or IP addresses does not make sense, and I would leave them out to avoid any confusion.
    - Use a private CA/PKI for your RADIUS certificate to allow longer validity time (and reduce the amount of certificate renewals) and increase the chance that when you renew the certificate it is issued by the same CA and with the same name.

    The guidance by BrettV above, with the cluster name as CN and first SAN, all cluster node names as SAN, the Guest or Onboard FQDN as SAN would apply for the HTTPS certificate. If you use Guest as well, that certificate will need to be signed by a public trusted CA, and those will not sign certificates with (private) IP addresses as those can't be validated as 'under control of the certificate requester'. If you don't use Guest or Onboard, you may use a private CA and include the IP addresses.

    Hope this provides enough guidance to make the right choices for your certificates.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


Related Content