Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Multiple Radius certificate in Clearpass

This thread has been viewed 28 times
  • 1.  Multiple Radius certificate in Clearpass

    Posted Aug 01, 2022 01:09 PM
    Hello Communiy,

    I have an issue regarding Android 11 and 12 and the onboarding process. Android it does not trust anymore selfsign/local CA signed certificate. So I should create a Radius certificate on Clearpass signed by a pubblic ca. The problem is that I have already a Radius certificate signed by local CA that allow me to authenticate the pc into the local domain through EAP-TLS.

    Do you know if there is a way to let both the radius certificate (the one signed by local CA and the one signed by public CA)?

    Kind Regards
    FU


  • 2.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 01, 2022 02:39 PM
    Yes, you can override the certificate used for a particular Service.


  • 3.  RE: Multiple Radius certificate in Clearpass

    EMPLOYEE
    Posted Aug 02, 2022 03:43 AM
    As mentioned, you can use a service certificate for RADIUS in ClearPass. However, you probably shouldn't move to a public certificate for RADIUS. Instead use a provisioning tool like Mobile/Enterprise device management for company managed devices, or ClearPass Onboard for personal managed devices; and use a private CA (not self-signed certs).

    Android 11/12 will not trust a public certificate either, unless your users manually find and select the issuing CA which is cumbersome and error-prone.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 03, 2022 04:30 AM
    Hello Herman,

    Thanks for you reply.
    Actually we would like to use the Onboard license in order to onboard BYOD device (there is no MDM in the company).
    With iOS 15 and Android 9 no problem at all to do the onboard.
    With Android 11 and 12 we have an issue during the installation of the Onboarding profile in the device.
    The onboarding in the clearpass has been set in Root Mode (radius certificate is provided by CA created inside the Clearpass)
    The Smartphone during the autentication will reply to the clearpass with internal error: Instead the iOS is able to install the radius certificate (signed by the internal root ca of the company).

    It seems that the Android 11 and 12 does not trust the internal root CA self sign by the Clearpass and the local CA of the company... that's why I was thinking about public ca certificate used as service certificate in a dedicated service rule...

    Kind Regards
    Fabio


  • 5.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 03, 2022 07:38 AM
    MDM >>>>> BYOD

    The exact problem you describe will continue to get worse and both Google and Apple apply more certificate trust security to their devices.  An MDM has now, IMHO, become required for MDM flows to avoid any certificate trust warnings/issues. 


  • 6.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 04, 2022 03:42 AM
    MDM is unrealistic for many situations, not least of which being you can only enrol a device in one MDM so it's useless for managed devices that are guests on other wireless networks. The problem is Google has decided not to allow a trust-on-first-use approach like every other vendor.


  • 7.  RE: Multiple Radius certificate in Clearpass

    EMPLOYEE
    Posted Aug 04, 2022 10:23 AM
    For secure deployments you would need the client certificate deployed as well to do EAP-TLS. Issues with CPPM Onboard unable to deploy a profile, has in most cases to do with errors in the server certificate, incorrect hostnames, use of HTTP instead of HTTPS. Aruba support should be able to get you going, but make sure before you contact them that you have a publicly trusted certificate for HTTPS on your ClearPass server.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 05, 2022 04:41 AM

    Hello Herman,

    I have found in the Android forum that since Android 11 it is not possible for an application (like QuickConnect) to install a selfsign CA or a Local CA in the certificate store. That's why the enroll process in quickconnect is so fast and it miss different steps during the profile installation, compare to Android 9.
    The workaround that I have found is to install the CA previous to lauch the quickconnect.
    I have open a ticket to Aruba and they suggest to use a Public digital certificate (as you said). The customer has a public wildcard that is used for the https guest portal. Problem is that you need a public certificate able to use the key for digital signature, certificate signing. For the guest webpage I have just client authentication and server authentication.

    I will verify this last part.

    Thanks a lot for your feedback

    Kind Regards
    Fabio