Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Root CA with different serial number

  • 1.  Root CA with different serial number

    Posted Jul 31, 2024 03:25 AM

    Dear Air Heads,

    We are facing an issue. The end user authenticates using EAP-TEAP [TLS/TLS]. When connecting to the network, the edge device (Windows 11) shows "Action required, login". When login is clicked, the device authenticates and enforces the correct VLAN on the switch port (untagged). We suspected a trust issue with the certificate. Upon inspection, it was found that the root CA certificate serial numbers were different on ClearPass and the edge devices (LAPs and desktops), but they are from the same CA server. May I know whether both CAs must have the same serial number to function?

    Reg,

    Shamzudheen



  • 2.  RE: Root CA with different serial number

    Posted Jul 31, 2024 07:48 AM

    No, they don't need to have the same serial number to function. You can renew a certificate (and a Root CA as well) and keep the same key pair but have a different expiration, and because the certificates are different they have a different serial number. But in general there should not be different versions of the same Root CA in use at the same time, so it makes sense to verify where this is coming from and fix it to have the same root CA everywhere.

    Despite this corner case, the CA that issued the ClearPass EAP certificate can be (and in many cases is) different from the CA that issued the client certificates; even from different roots. ClearPass must have the Root CA that issued the client certificates in its Trust List with usage EAP. The clients must have the Root CA that issued the ClearPass/RADIUS EAP server certificate in their certificate store, and if certificate checking is done it needs to be selected as trusted.

    I've seen quite weird things when multiple (root) CA certificates have the same name but different keys. If 'action required' is displayed, it can be the server certificate not trusted, it can also be that there are multiple client certificates, and the client cannot decide which one to use.

    In such a situation, it's useful to have a look at this setup together with someone who fully understands certificates. It can be a topic hard to understand.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------