Security

I don't think this is possible, so probably more of a feature request, but nevertheless interested in feedback.

 

Is it possible to use a different radius server cert for different services in CPPM?  The user case I'm thinking is that for corp/domain devices the internally signed server cert is presented.  For non-domain/byod devices using EAP-PEAP, they would be presented with a publicly signed server cert and hence a seamless experience.

 

NPS seems to have this capability and would be nice if it was possible in Clearpass as well.

You can setup multiple root CA in onboarding so the device can have a different signing trust chain but they all will have to trust the one radius cert.

yeah, was wondering without the onboarding though.

 

Most byod deployments I come across are about just giving personal devices internet only with AD authentication.  EAP-PEAP is fine for that, but having the warning about an untrusted cert is not a seamless experience.

 

Feature request it is then.

 

:-)

The current solution is to use QuickConnect or a public RADIUS certificate.

I have to agree with capalli on that one.  The accepted solution is to use a public certificate that ALL of your clients trust.  That is the way most radius servers accomplish this.  With regards to the MSFT server supporting this, once an incoming authentication hits an EAP rule, the NPS server has to do something with it, or drop it, otherwise you will get a mismatch.  It will not allow you to process EAP rule after EAP rule for matches...

Agreed.  So on that note with a public server cert.

 

With EAP-TLS, does it matter if the server cert and client certs are signed by different CAs?

No, as long as your server trusts the root.

Please keep in mind and make sure you start explaining to your customers that starting next year most CA will not issue private certs for radius . Its has already been stated by the CA org and some of the vendors that they will revoke any cert for a domain that is not publicly accessible. 

 

This is the time to start to educate customers and users on what should be done when connecting to a private networks. The pros and cons etc....

 

I know a lot of users and customers will complain but what is better "easy to use" or "not having their data and credit card information stolen" :) If they want an easier to use then they need to consider using QuickConnect or OnBoarding. 

Guys, great info.  The few times I've used a public signed cert for radius, it was used for https as well so had a proper resolvable fqdn.

 

For others who stumble upon this, some further info to what Troy mentioned.

 

https://www.digicert.com/internal-names.htm

 

All the gory details about the baseline requirements here.  Page 10 of v_1_1_9 has the relevant info mentioned above.

 

https://cabforum.org/baseline-requirements-documents/