Security

Moderator

Re: CPPM Cluster and Certificates

Yes, CN needs to be the FQDN in a non-SAN certificate.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor II

Re: CPPM Cluster and Certificates

I gave the hostname xxx-CPPM-02.

 

The CN has CPPM-6.0.1.

 

Generally the CN is the FQDN.

Contributor II

Re: CPPM Cluster and Certificates

Is it that important for the CN to be the FQDN? I didn't give any FQDN. I'm redirecting based on IP for onboarding from the controller. I don't see any issues, as I'm doing HTTP (ok, not secure) for onboarding and using the Onboard CA to issue certs.

 

Maybe if I redirect to HTTPS for guest portals, it throws an "untrusted connection" error.

 

Apart from that, if at all I use a virtual IP, then also if I use the same server certificate I think there will be no issue. The issue arises only if I onboard over HTTPS and use guest portals from ClearPass to authenticate guest users.

 

If I am wrong, please correct me.

Moderator

Re: CPPM Cluster and Certificates

Please make your CN = FQDN, because when your users enter a URL in their browser, this is what is checked against the server certificate presented from CPPM. They need to match, else you will get a browser error. Above everything else, it's also BEST practice.

 

Some of your other questions: clustering is TOTALLY independent from VIP. You can cluster CPPM nodes from anywhere as long as you have connectivity and the required firewall ports are open.

 

VIP is an L2 function ONLY. This is not a CPPM restriction; it is a generic networking restriction for HSRP/VRRP/NSRP etc., as L2 multicast is used for the heartbeat.

 

PUB and Standby-PUB is a different thing again, as I think you are maybe confusing this in your understanding. This used to be ONLY an L2 feature, but we relaxed this in CPPM 6.3 and standby is supported over L2 or L3 adjacency.

 


Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
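The "CN = FQDN" point above is exactly what a browser's server-name check enforces: the name typed in the URL is compared against the certificate's subjectAltName entries (or, for legacy certificates without a DNS SAN, the CN), and an IP-based URL can only ever match an IP SAN, never a CN. The following is an added example, not code from this thread or from Aruba: a minimal RFC 6125-style matcher over certificates represented in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The two sample certificates, the names `cppm-02.example.com`, `cppm-vip.example.com` and the address `192.0.2.10` are constructed for the demonstration and are not from the original post.

```python
"""
Added example (not from the Airheads thread or from Aruba): a minimal
RFC 6125-style server name check, showing why the CPPM server certificate
needs CN = FQDN (or, better, a SAN list) to match what users type in the
browser. Certificates are dicts in the shape returned by
ssl.SSLSocket.getpeercert(); the samples below are constructed.
"""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match a DNS name per RFC 6125: case-insensitive, wildcard allowed
    only as the whole leftmost label and covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def certificate_matches(cert: dict, requested: str) -> tuple:
    """Return (ok, reason) for a certificate checked against the name the
    user typed. SAN entries take precedence; the CN is consulted only when
    the certificate carries no DNS SAN at all."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for (t, v) in san if t == "DNS"]
    ip_names = [v for (t, v) in san if t == "IP Address"]
    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None
    if requested_ip is not None:
        # A URL with a bare IP only matches an IP SAN; a CN is never an IP match.
        for ip in ip_names:
            if ipaddress.ip_address(ip) == requested_ip:
                return True, f"IP SAN {ip} matches"
        return False, "no matching IP SAN; an IP-based URL shows an untrusted-connection error"
    for name in dns_names:
        if _dns_match(name, requested):
            return True, f"DNS SAN {name} matches"
    if dns_names:
        return False, f"DNS SANs {dns_names} do not match {requested!r}"
    # Legacy fallback: only when no DNS SAN exists is the CN compared.
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    for cn in cns:
        if _dns_match(cn, requested):
            return True, f"CN {cn} matches (no SAN present)"
    return False, f"CN {cns} is not the FQDN {requested!r}"


# Constructed samples mirroring the thread: a CN that is a short hostname,
# and a corrected certificate with CN = FQDN plus DNS and IP SANs
# (the FQDNs and the address are placeholders, not real deployment values).
CERT_SHORT_CN = {"subject": ((("commonName", "CPPM-6.0.1"),),)}
CERT_FQDN = {
    "subject": ((("commonName", "cppm-02.example.com"),),),
    "subjectAltName": (
        ("DNS", "cppm-02.example.com"),
        ("DNS", "cppm-vip.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    for cert, name in [
        (CERT_SHORT_CN, "cppm-02.example.com"),
        (CERT_SHORT_CN, "192.0.2.10"),
        (CERT_FQDN, "cppm-02.example.com"),
        (CERT_FQDN, "cppm-vip.example.com"),
        (CERT_FQDN, "192.0.2.10"),
    ]:
        ok, why = certificate_matches(cert, name)
        print(f"{name:22} {'OK  ' if ok else 'FAIL'} {why}")
```

Running the script shows the short-CN certificate failing for both the FQDN and the IP URL, while the corrected certificate passes for the node FQDN, the VIP FQDN and the IP, which is why a cluster-wide certificate is normally issued with every name users may type (each node's FQDN and the VIP's) listed as SANs rather than relying on the CN alone.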
Contributor II

Re: CPPM Cluster and Certificates

@dannyjump: thank you.

I went through the tech note on certificates.

 

In the Publisher/Subscriber model, I understood that the subscriber can only authenticate the users hitting the service which we configured and pushed from the publisher.

 

If I am trying to onboard a new iOS device: as the subscriber has read-only access to the databases, am I onboarding it in the publisher's Onboard repository and replicating to all subscribers?

 

If Publisher A is with controller A and subscriber B with controller B, where should I redirect for onboarding from controller B, to the subscriber or to the publisher? I will redirect RADIUS requests to the subscriber. But in case the subscriber goes down, should I manually change the redirection to the publisher to authenticate?

 


Re: CPPM Cluster and Certificates

You can point to either one, but all users are created in the publisher. It all comes down to latency and whether it makes sense to send all users to the pub or the sub, or to split the users.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Moderator

Re: CPPM Cluster and Certificates

Just to add to Troy's post: if you Onboard on a SUBSCRIBER, we (CPPM) handle behind the scenes the creation of the account on the PUBLISHER and the replication from the PUBLISHER out to the SUBSCRIBERS in your cluster. This piece is all transparent to you and/or the user onboarding.


Best Regards
-d

ClearPass Product Manager

Contributor II

Re: CPPM Cluster and Certificates

Onboarding should be directed to the subscriber, but the subscriber has only read-only access to the databases, right? Then how can it register the device?

Anyhow, authentication is directed to the subscriber as primary and the publisher as secondary in the AAA of the controller.

 

Moderator

Re: CPPM Cluster and Certificates

I repeat my previous post:

 

If you Onboard on a SUBSCRIBER, we (CPPM) handle behind the scenes the creation of the account on the PUBLISHER and the replication from the PUBLISHER out to the SUBSCRIBERS in your cluster. This piece is all transparent to you and/or the user onboarding.


Best Regards
-d

ClearPass Product Manager

Contributor II

Re: CPPM Cluster and Certificates

@dannyjump: thank you Danny, I got it.

 

If I redirect from the controller to the subscriber to onboard and the subscriber is down, do I have to change the login page URL manually in the controller captive portal to onboard? And even for the guest captive portal?
