08-06-2018 01:14 PM
Just wanted to check with you guys about CPPM cluster deployments.
I have read the CPPM Certificates document and am still not sure, hence this post.
So I will have two servers deployed as a publisher and subscriber pair, which are in the same subnet and have a VIP between them. I will have two SSIDs, one DOT1X and one Guest.
For the RADIUS server cert I will get the VIP to resolve to the CN name by putting in a DNS entry. The certificate will be an internal cert for this. This is fine; I am happy with this.
For the guest certificate (HTTPS) they will have a public certificate, and will have a separate certificate on the controller side. What should the CN name be, and should this be resolvable? Should there be an alias put in for this? Do I need to create another VIP on the guest network? What is the best practice configuration in terms of certificates when you have a DOT1X and guest SSID going through ClearPass?
Can you also confirm what the behaviour would be if the same cert was used for CPPM guest and the wireless controller? What would be the client behaviour?
08-06-2018 01:20 PM
- Do not use the same web server certificate on ClearPass and the controller.
-- For ClearPass, the web server certificate should contain the FQDNs for the VIP and individual nodes (VIP as CN, VIP + nodes as SubjectAltNames). This should always be a public CA-signed certificate.
-- For the controller’s captive portal certificate, the common name should be something generic and user friendly (like network-login.yourdomain.com) and should not be defined in DNS. This should always be a public CA-signed certificate.
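The naming rule in the reply above (VIP as CN, VIP plus each node as SubjectAltNames) is easy to get wrong by hand, so here is an added example that is not part of the thread: a POSIX shell script using OpenSSL that builds the request config for the ClearPass web server certificate, produces the key and CSR you would send to the public CA, and then checks that the resulting certificate is valid for every name a client could be redirected to. The hostnames cppm.example.com, cppm-pub.example.com and cppm-sub.example.com are constructed placeholders; the self-signed certificate is only a stand-in so the check can run offline, never something to deploy.

```shell
#!/bin/sh
# Added example (not from the thread): request config + coverage check for the
# ClearPass cluster web server certificate. Hostnames are constructed placeholders.
set -e

VIP_FQDN="cppm.example.com"                               # VIP name (becomes the CN)
NODE_FQDNS="cppm-pub.example.com cppm-sub.example.com"    # publisher and subscriber

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an OpenSSL request config: CN = VIP, SANs = VIP + every cluster node.
write_req_config() {
  cfg="$WORKDIR/cppm-web.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$VIP_FQDN"
    printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
    i=1
    for h in $VIP_FQDN $NODE_FQDNS; do
      printf 'DNS.%d = %s\n' "$i" "$h"
      i=$((i + 1))
    done
  } > "$cfg"
  printf '%s\n' "$cfg"
}

# Generate the private key and CSR (the CSR is what goes to the public CA).
# Also mint a self-signed stand-in certificate from the same config so the
# coverage check below has something to inspect; replace it with the CA-issued cert.
make_csr_and_stub_cert() {
  cfg=$(write_req_config)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/cppm-web.key" \
    -out "$WORKDIR/cppm-web.csr" -config "$cfg" >/dev/null 2>&1
  openssl x509 -req -in "$WORKDIR/cppm-web.csr" -signkey "$WORKDIR/cppm-web.key" \
    -days 1 -extensions ext -extfile "$cfg" -out "$WORKDIR/cppm-web.crt" >/dev/null 2>&1
  printf '%s\n' "$WORKDIR/cppm-web.crt"
}

# Return 0 if the certificate matches the VIP and every node name, 1 otherwise.
# -checkhost applies the same SAN matching a browser does on the captive portal.
cert_covers_all_names() {
  crt="$1"
  for h in $VIP_FQDN $NODE_FQDNS; do
    openssl x509 -in "$crt" -noout -checkhost "$h" | grep -q 'does match' || return 1
  done
  return 0
}

# Usage: run the CSR generation and report whether all cluster names are covered.
CRT=$(make_csr_and_stub_cert)
cert_covers_all_names "$CRT" && echo "certificate covers the VIP and both nodes"
```

Run the same check against the certificate the CA actually returns before installing it on ClearPass; a cert that only covers the VIP will produce browser warnings whenever a client lands on an individual node's name.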
Re: CPPM Certificates
08-10-2018 08:13 AM
Thank you for your reply. Sorry for the late response.
Seems like I have been doing it incorrectly so far.
Just need clarification on this:
"Do not use the same web server certificate on ClearPass and the controller."
Can you please explain what the client behaviour will be if the same cert is used? I just want to make sure I can explain this to my customer so he knows it is essential that a different cert is used for his HP MSM controllers.