Let me jump in as I have mentioned some point around this in the past.
What you mention is exactly the point. End users should not be in the position to accept certificates, which more or less results in the conclusion that you should have some automation/tooling to get the client configured which would be AD GPO, Intune, MDM, for managed computers and an onboarding tool like ClearPass Onboard, Eduroam CAT/geteduroam, SecureW2 or others. There make sure root, server trust and no allowing users to accept rogue certs is enforced.
Then if you need tooling anyway, there is no benefit of using public certificates and those being pre-deployed in the device in advance. If you trust on trusted certificates in the device, you mean that you want end users to trust that certificate, and indeed they will trust whatever you throw at them. As there are some known limitations with public certs, like short validity times and CAs changing roots over time outside of your control, but with big impact, I would use private certificates.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 07, 2023 08:10 AM
From: hammertim
Subject: RADIUS Private Certificate Authority Justification
I don't see this as a security justification.
If users are trusting the RADUIS cert themselves, then the root CA is irrelevant. Most users will trust whatever is thrown their way, regardless of what the cert actually says.
Original Message:
Sent: 9/7/2023 7:40:00 AM
From: bosborne
Subject: RE: RADIUS Private Certificate Authority Justification
We used to use a public CA certificate with users just trusting the certificate CA chain so we could update the RADIUS server certificate without needing to re-onboard users.
A few years ago, within 1 day of a scheduled certificate replacement, I found out our vendor had changed their certificate chain. We narrowly averted a network outage. Since our onboarding vendor SecureW2 has a clous PPKI we were planning on using for EAP-TLS, we set up private CAs and a 15 year RADIUS certificate. We encourage our users to re-onboard to get the added new trust before deploying.
Using a private CA chain closes the hole of somebody getting a certificate from the same CA chain and our users trusting that. We also do not need to worry about RADIUS server certificate expiry.
Since we were already paying for the PKI, there was no additional expense for us.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Sep 06, 2023 12:46 AM
From: hammertim
Subject: RADIUS Private Certificate Authority Justification
I regularly hear in Aruba circles that it is recommended to use a private certificate authority for ClearPass RADIUS, for example, in Herman's "Aruba ClearPass Workshop (2021) - Wireless Access #2 RADIUS - Basic part 2" (1:04), and then a public certificate authority for ClearPass Guest/Captive Portals, etc.
I've spoken with a few security professionals (who don't have any specific Aruba ClearPass experience) and they have all said that a public CA should be used on a RADIUS server and think it is unusual for Aruba to not recommend this. They have suggested maybe ClearPass has a particular reason/function/feature unique to ClearPass and maybe this is why it is recommended.
I've read through the "ClearPass Certificates 101" document but I couldn't see any justification for this, other than "Not for deep discussion at this juncture but discussed in a lot more depth later in my TechNote, we support the ability to privately sign a certificate (typically done for the RADIUS certificate)". Maybe I've missed the section where it is discussed in a lot more depth.
I've seen Herman post here the following reasons (this is my understanding of the post):
- Server certs issued by a private CA can be valid for longer than 12 months, therefore, there is no need to replace the certificate each year. This obviously isn't relevant to the HTTPS cert.
- A public CA might change or retire the root CA it is using, forcing a config update to clients. Using a private CA gives you the flexibility and control to change or retire a root CA if you wish to.
I don't see these as security reasons to use a private CA, they are management/maintenance reasons.
Is anyone aware of security reasons why ClearPass should be using a private CA for its RADIUS cert?