Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

3rd party SAN cert

  • 1.  3rd party SAN cert

    Posted May 04, 2015 06:03 PM

    Gang, I need a server cert so Windows machines can access the SSID to onboard. I believe it needs to be a SAN cert according to your cert 101 paper. If it's 3rd party, does it need to be a registered domain? All the SAN entries are for a non-registered domain. Ideas?



  • 2.  RE: 3rd party SAN cert

    EMPLOYEE
    Posted May 04, 2015 06:06 PM
    A public CA will only issue certificates to domains you own.


    Thanks,
    Tim


  • 3.  RE: 3rd party SAN cert

    Posted May 04, 2015 07:07 PM

    Yes, the domain is not registered; internal domain. So for my situation needing a 3rd party cert, what do you suggest? 



  • 4.  RE: 3rd party SAN cert

    EMPLOYEE
    Posted May 04, 2015 07:19 PM
    You can contact the CA and ask if they'll add a private domain, but the answer is likely no.

    Keep in mind that the RADIUS server certificate for 802.1X does not have to be a real DNS name.

    You could do auth.public-domain.com even though that may not exist in DNS. It is simply presented to the user to verify the server's identity.


    The other option is to use a private cert and distribute the CA cert to clients.

    Thanks,
    Tim


  • 5.  RE: 3rd party SAN cert

    Posted May 04, 2015 07:23 PM

    OK, so a SAN cert is not needed and I could use one of my registered domains for this?

     

    Would a wildcard cert suffice? 



  • 6.  RE: 3rd party SAN cert

    EMPLOYEE
    Posted May 04, 2015 07:25 PM
    If you're using this certificate just for 802.1X and not the web interface, then yes, you can use a single domain certificate and upload it to all of your CP servers.

    Wildcard certificates should not be used as a RADIUS server certificate but can be used on the web side.

    Thanks,
    Tim


  • 7.  RE: 3rd party SAN cert

    Posted May 04, 2015 07:31 PM

    OK, one last question and I'm out of your hair. Yes, this is for 802.1X Windows server validation only. I will request 1 cert from my 3rd party CA. What should be in the subject line? Meaning, I don't want to specify my CPPM hostname or I won't be able to use it on both CPPM servers, right?

     

    I don't have a VIP, just 2 CPPM NAS. Do I need a different cert for both, and will both have each CPPM hostname in the cert subject/CN?



  • 8.  RE: 3rd party SAN cert

    EMPLOYEE
    Posted May 04, 2015 08:15 PM

    If you want a server for 802.1x only, it should have the hostname of the server that it is on, period.  You would mainly get involved with SANs when you want to have webauth and have multiple servers trusted as the same server.  You don't have that issue with 802.1x.  The name should be the hostname of the server.



  • 9.  RE: 3rd party SAN cert

    EMPLOYEE
    Posted May 04, 2015 08:53 PM
    • If you're using a certificate for both the web interface and RADIUS, you will need a multi-domain / UCC certificate with the real DNS name of the VIP as the common name and the server DNS names as the SAN
    • If you're using separate certificates for the web interface and RADIUS, the web server certificate will need the real DNS names of the servers and VIP, while the RADIUS server can be any FQDN.
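
    The two layouts above, together with the earlier rules in this thread (CN is the node's own hostname, no wildcard for RADIUS, SAN only needed when several servers must be trusted as one), can be checked on the certificate before it is uploaded to ClearPass. The following PowerShell is an added example, not code from the thread or from HPE; the file path C:\certs\cppm1.cer and the name cppm1.externaldomain.com are assumptions, and only the public half of the certificate is needed.

```powershell
# Added example (not from the thread or HPE): pre-flight check of a certificate
# before uploading it as the ClearPass RADIUS server certificate, applying the
# rules given in this thread. Assumptions (hypothetical): the certificate is
# exported to C:\certs\cppm1.cer and the CPPM node's published name is
# cppm1.externaldomain.com. The name does not have to resolve in DNS.
param(
    [string]$CertPath         = 'C:\certs\cppm1.cer',
    [string]$ExpectedHostname = 'cppm1.externaldomain.com'
)

$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$findings = New-Object System.Collections.Generic.List[string]

# --- Subject: for 802.1X the CN is the node's own name (post 8) and must not be a wildcard (post 6).
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn.Contains('*')) {
    $findings.Add("CN '$cn' is a wildcard; do not use it as the RADIUS server certificate")
} elseif ($cn -ne $ExpectedHostname) {
    $findings.Add("CN is '$cn', expected '$ExpectedHostname'")
}

# --- SAN: parse the subjectAltName extension (OID 2.5.29.17). .NET Framework has no
#     typed class for it, so read the formatted text, one "DNS Name=..." per line.
$sans   = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    foreach ($line in ($sanExt.Format($true) -split "`r?`n")) {
        if ($line -match '^DNS Name=(.+)$') { $sans += $Matches[1].Trim() }
    }
}
# RFC 6125 clients ignore the CN once a dNSName SAN is present, so the CN must be repeated there.
if ($sans.Count -gt 0 -and $sans -notcontains $cn) {
    $findings.Add("SAN is present but does not repeat the CN '$cn'")
}
$wild = @($sans | Where-Object { $_.Contains('*') })
if ($wild.Count -gt 0) { $findings.Add("wildcard SAN entries: $($wild -join ', ')") }

# --- EKU: PEAP/EAP-TLS supplicants require Server Authentication (1.3.6.1.5.5.7.3.1).
$ekuExt     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$serverAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $serverAuth) { $findings.Add('EKU lacks Server Authentication; Windows supplicants will reject it') }

# --- Trust: does this machine already chain it to a root? The root thumbprint is the value a
#     supplicant's TrustedRootCA setting pins, so report it either way.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $chainOk) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $findings.Add("does not chain to a trusted root on this machine: $status")
}

if ($findings.Count -eq 0) { $findings.Add("OK: usable as the RADIUS certificate for $ExpectedHostname") }

[pscustomobject]@{
    Subject        = $cert.Subject
    CommonName     = $cn
    SANs           = $sans
    Issuer         = $cert.Issuer
    RootThumbprint = $rootCert.Thumbprint
    NotAfter       = $cert.NotAfter
    Findings       = $findings
}
```

    For the combined web-plus-RADIUS layout in the first bullet, run it once per node with the VIP's DNS name as the expected CN and confirm that every node's name appears in SANs; for the separate-certificate layout, the RADIUS certificate only needs to pass with the node's own name.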


  • 10.  RE: 3rd party SAN cert

    Posted May 05, 2015 11:59 PM

    Guys, so I created a 3rd party cert for the 2 CPPM servers. The servers are server.internaldomain.local. But I generated the certs as server.externaldomain.com because the 3rd party CA won't create certs for non-registered domains. Now when non-domain Windows systems connect to the SSID they get the below error. Any advice on how to resolve this?



  • 11.  RE: 3rd party SAN cert

    EMPLOYEE
    Posted May 06, 2015 12:05 AM
    You need to configure the EAP supplicant on the clients to trust the root CA of your certificate and also put the common name of the certificate as the server name check.

    On AD joined machines, this is usually done via group policy.


    Thanks,
    Tim


  • 12.  RE: 3rd party SAN cert

    Posted May 06, 2015 12:21 AM

    These are not Windows AD joined machines. This SSID services AD joined machines and non-AD joined Windows systems to get onboarded. Now that I have this 3rd party cert as the RADIUS server cert, I'm thinking this is going to be an issue for the domain joined machines unless we create Windows profiles in GPO, which we don't want to do; long story. Is it possible for CPPM to have 2 RADIUS server certificates? What would you do to quell the errors?



  • 13.  RE: 3rd party SAN cert
    Best Answer

    EMPLOYEE
    Posted May 06, 2015 12:24 AM
    The only way to prevent the server prompt is to preconfigure the clients.

    You can also just click the connect button. You should only have to do it once.

    Thanks,
    Tim