08-22-2019 07:32 AM
Real soon now we need to replace our radius.york.ac.uk certificate. Not only does it expire, but so does the CA chain. As I currently use the Cloudpath ExpressConnect ES server to generate client certificates for EAP-TLS eduroam connectivity, I thought I'd use Cloudpath to generate a new "radius.york.ac.uk" cert for use on ClearPass instead of the public one currently used.
Rather than wait until the existing cert expired, I thought I'd try and test things using the ClearPass service certificate option. So:
1. Clone our wired 802.1X auth ClearPass service and rename it
2. Restrict its usage to my test switch by specifying a NAD IP address
3. Create and upload uoy-radius.york.ac.uk into ClearPass, specifying it as a service certificate
4. Edit (1) to add a service certificate of uoy-radius.york.ac.uk
5. Make sure the local root and intermediate CA certs are in my Mac keystore (which they are, as I'm TLS'ing onto the wired network)
6. Force a reauth on my Mac
and the world ends!
In ClearPass I get the following, so I'm guessing that the client cannot validate the uoy-radius.york.ac.uk cert:
Is anyone using clearpass service certificates for this sort of thing ?
Alerts for this Request: TLS session error
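The check a practitioner wants before pointing a supplicant at a new service certificate is the one the supplicant itself performs: does the RADIUS server cert chain to a root the client trusts, via the intermediate, is it valid for TLS server authentication, and does it carry the expected name. The script below is an added example, not part of the original thread or of ClearPass or Cloudpath; it builds a throwaway root, intermediate and server certificate with openssl to stand in for the local CA chain (the CA names, file paths and the WORK directory are hypothetical, and the certificates are constructed for the example) and then runs that validation with and without the intermediate. It assumes openssl 1.1.0 or later on PATH.

```sh
#!/bin/sh
# Added example, not from the original thread: reproduce the supplicant's check on the
# RADIUS server certificate with openssl. A throwaway root -> intermediate -> server chain
# stands in for the local CA chain that issues uoy-radius.york.ac.uk (CA names, paths and
# the generated certificates are hypothetical/constructed). Requires openssl >= 1.1.0.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="uoy-radius.york.ac.uk"

build_chain() {
  # Extension profiles: CAs must assert CA:TRUE; the RADIUS server cert must
  # carry the serverAuth EKU and a SAN matching the name the client checks.
  cat >"$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat >"$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_NAME
EOF
  # Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Local Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Local Issuing CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # RADIUS server cert: signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.csr" -subj "/CN=$SERVER_NAME" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/srv.pem" 2>/dev/null
}

# verify_chain LEAF ROOT HOSTNAME [INTERMEDIATE]
# Returns 0 only when LEAF chains to ROOT (through INTERMEDIATE if given), is
# valid for TLS server authentication, and names HOSTNAME. These are the checks
# a supplicant applies to the RADIUS server certificate during EAP-TLS.
verify_chain() {
  leaf=$1; root=$2; host=$3; inter=${4:-}
  set -- -purpose sslserver -verify_hostname "$host" -CAfile "$root"
  if [ -n "$inter" ]; then
    set -- "$@" -untrusted "$inter"
  fi
  out=$(openssl verify "$@" "$leaf" 2>&1) || return 1
  case "$out" in
    *": OK"*) return 0 ;;
  esac
  return 1
}

build_chain
if verify_chain "$WORK/srv.pem" "$WORK/root.pem" "$SERVER_NAME" "$WORK/int.pem"; then
  echo "root + intermediate + server cert: OK"
fi
if ! verify_chain "$WORK/srv.pem" "$WORK/root.pem" "$SERVER_NAME"; then
  echo "intermediate missing: FAIL (client cannot build the chain)"
fi
echo "work dir: $WORK"
```

To run the same check on real material, pass the service certificate exported from ClearPass as LEAF and the root and intermediate CA certificates that were loaded into the client keystore as ROOT and INTERMEDIATE; a failure there reproduces what the supplicant sees, whereas a pass narrows the problem to what the server actually sends in the TLS handshake.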
Re: Anyone using clearpass service certificates?
08-22-2019 10:15 AM
08-23-2019 04:07 AM - edited 08-23-2019 04:07 AM
... and it works.
On the test switch (Comware):
the client receives a cert of the form CN=uoy-radius.york.ac.uk, ... with the local CA chain
and performs EAP-TLS auth.
Connecting the iMac to an Aruba 2930 switch, the client receives a cert of the form radius.york.ac.uk ... with the public CA chain
and it still works ... simples.