Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - Using same public certificate for Captive Portal and Radius Server

  • 1.  CPPM - Using same public certificate for Captive Portal and Radius Server

    Posted Aug 28, 2017 10:15 AM

    Hi all,

    I've a wireless network with two SSIDs, one corporate with 802.1X authentication and a guest network with a captive portal configured on CPPM.

    Currently the 802.1X session terminates on the controllers (Aruba 3200 (master) and Aruba 7030 (local)) and we are planning to move authentication directly to CPPM. On ClearPass I've just installed a public certificate for the captive portal (as HTTPS Server Certificate), so my question is: can I use the same certificate also as the RADIUS certificate? I can't use a self-signed certificate because I don't want to manually uncheck "validate server certificate" in the wireless network card settings on about 300 laptops.

     

    Thanks to all 



  • 2.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    EMPLOYEE
    Posted Aug 28, 2017 10:17 AM

    As long as it's not a wildcard or EV certificate, yes you can.



  • 3.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    Posted Aug 28, 2017 11:57 AM

    Ok,

    I checked and found that we have a "*.domain.net" certificate, so it is a wildcard certificate. But I'm new in this area: why can't I use it for both services? Do you know some workaround for this?



  • 4.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    EMPLOYEE
    Posted Aug 28, 2017 01:31 PM

    Some client operating systems will reject a wildcard certificate for EAP (which is a good thing from a security standpoint). You should acquire a basic, single name certificate for use with EAP (auth.domain.xyz, network-login.domain.xyz, etc).



  • 5.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server
    Best Answer

    EMPLOYEE
    Posted Aug 29, 2017 03:34 AM

    If these clients are in Active Directory, you can use group policies to push out your private CA root certificate and the WLAN settings.

     

    Check out Aruba ClearPass Workshop - Wireless #4 - AD Client Certificates EAP-TLS to see how you can set that up, where this video even enrolls client certificates.

     

    If you request a new public RADIUS certificate for ClearPass, try to get one with the longest lifetime possible (5-10 years). Changing RADIUS certs can be risky, especially when you switch CAs, or your CA internally switches intermediate CAs.



  • 6.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    Posted Sep 01, 2017 09:09 AM

    Hi,

    before buying a new public certificate, I tried to set a group policy in the Active Directory domain, but unfortunately it doesn't work. We configured a wireless network with WPA2 Enterprise - AES, authentication method: Microsoft PEAP with user or computer authentication, and unchecked "validate server certificate", but when I try to connect, authentication on ClearPass was rejected with the alert:

    "EAP-PEAP: fatal alert by client - unknown_ca eap-tls: Error in establishing TLS session".

    Did I miss something? Do I have to add the CPPM certificate to the wireless configuration?

    Until now we have used termination on the controller, but the default certificate expired on 08/11/2017, so we would like to pass authentication directly to CPPM.

    As I can't use the wildcard certificate on CPPM, I created a self-signed certificate.

     

    Thanks for your help

     

    Best Regards



  • 7.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    EMPLOYEE
    Posted Sep 01, 2017 09:13 AM
    As mentioned, before you go any further, you need to acquire a public CA-signed, single domain certificate.

    You should NEVER uncheck validate server certificate. With that unchecked, all of your user's credentials are at risk.


  • 8.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    Posted Sep 01, 2017 09:58 AM

    Ok,

    thanks for the advice, but unfortunately, due to some internal issue, we couldn't buy a public CA for the moment; we are using a trial certificate on the controller and it will expire soon.

    If I were to use a self-signed certificate created by CPPM, do you know of some "how to" etc.? Is there a way to update the Certification Authority list on Windows wireless clients via GPO in Active Directory?

     

    Thanks

     

    Giuseppe Pasinelli



  • 9.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    EMPLOYEE
    Posted Sep 01, 2017 10:09 AM

    This video (and some other parts of the series) may help.

    If you don't have AD Certificate Services, which automatically pushes its root to the domain computers, you should be able to do it in the GPO:

    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities:

    [screenshot: ca-policy.png]



  • 10.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    EMPLOYEE
    Posted Sep 01, 2017 10:27 AM
    Self-signed certificates are NEVER recommended for EAP as many clients will reject them.

    If you choose to use one, yes you'd have to use group policy to install it into the local cert store and also configure the 802.1X supplicant.


  • 11.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    EMPLOYEE
    Posted Sep 01, 2017 10:35 AM

    Agree with Tim, I may have jumped over that. Use the group policy to push your (self-signed) private CA root, and issue your RADIUS cert from there. The RADIUS (EAP) cert itself indeed should not be self-signed.
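    An added check (not from this thread, nor HPE Aruba code) that turns the advice in posts 4, 5, 9 and 11 into something you can run on a domain-joined Windows client before rolling out the WLAN profile: it inspects an exported CPPM RADIUS certificate for a wildcard name, self-signing and the Server Authentication EKU, reports its remaining lifetime, and verifies that this client already chains it to a trusted root (i.e. the GPO that pushes the private CA root has taken effect). The certificate path is an assumption.

```powershell
# Added example: sanity-check a RADIUS/EAP server certificate exported from ClearPass
# (PEM/DER .cer) on a Windows client. Path is an assumption; replace with your own.
param([string]$CertPath = 'C:\temp\cppm-radius.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$findings = @()

# 1. Names: CN plus any DNS SANs. A '*' means a wildcard cert, which some EAP supplicants reject.
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Format() yields e.g. "DNS Name=auth.domain.xyz, DNS Name=nac.domain.xyz"
    $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] } | Where-Object { $_ })
}
if ($names -match '\*') { $findings += "Wildcard name present ($($names -join ', ')): use a single-name cert for EAP" }

# 2. The EAP cert itself should be issued by a CA (public or private), not self-signed.
if ($cert.Subject -eq $cert.Issuer) { $findings += 'Certificate is self-signed; issue it from a CA instead' }

# 3. Supplicants expect the Server Authentication EKU (1.3.6.1.5.5.7.3.1) for PEAP/EAP-TLS.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $findings += 'EKU does not include Server Authentication' }

# 4. Lifetime: a long-lived RADIUS cert avoids risky re-rollouts; flag anything already expired.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 0) { $findings += "Certificate expired on $($cert.NotAfter)" }

# 5. Does this client already trust the issuer? If the GPO pushed the private root CA into
#    LocalMachine\Root (and any intermediate into LocalMachine\CA), the chain builds cleanly.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $findings += "Chain does not reach a trusted root on this client ($status): check the GPO that deploys the CA root"
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Names   : $($names -join ', ')"
"Expires : $($cert.NotAfter) ($daysLeft days left)"
if ($findings) { $findings | ForEach-Object { "WARN: $_" } } else { 'OK: no EAP-related problems found' }
```

    Run it on one of the laptops after the GPO has applied (gpupdate /force); an UntrustedRoot status in step 5 is exactly the condition behind the "unknown_ca" alert quoted earlier in the thread.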



  • 12.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    Posted Sep 01, 2017 11:25 AM

    Hi,

    Understood, now I'm checking if I can install AD CS and I'll try to create a certificate with AD. If it doesn't work I'll purchase a public certificate.

     

    Thanks both for your help

     

    Best Regards

     

    Giuseppe Pasinelli



  • 13.  RE: CPPM - Using same public certificate for Captive Portal and Radius Server

    Posted Sep 15, 2017 12:36 PM

    Hi all,

    I created a certificate with AD Certificate Services, uploaded it to CPPM as the RADIUS certificate, and everything works.

     

    Thanks for your help

     

    Best Regards

     

    Giuseppe