Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

  • 1.  Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

    Posted Sep 13, 2016 03:18 PM

    My certificate chain for CPPM:

    • Corp. (Self-signed) Root-CA (1)
      • Corp. Intermediate CA (2)
        • ClearPass Policy Management (2a)
        • Domain hosts (2b)

    My Certificate chain for Onboarding with CPG is the Intermediate CA:

    • Corp. (Self-signed) Root-CA (1)
      • Corp. Intermediate CA (2)
        • ClearPass Guest/Onboarding Intermediate CA (4)
          • Onboarded hosts (4a)

    Notes on the numbers:

    • 1: RootCA
    • 2 and 4: IntermediateCA
    • 2x and 4x: hosts that have certs issued by 2 or 4

    Problem: When the CPPM RADIUS certificate (2a) expired and a new certificate was installed, although certs (1), (2) and (4) were not changed, the chain for all onboarded hosts' certs (4a) was broken and they required re-onboarding to work. All domain hosts with cert (2b) are working normally as expected.

    Any explanation? Design flaw? Better design suggestions?

    Regards,



  • 2.  RE: Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

    EMPLOYEE
    Posted Sep 13, 2016 08:50 PM

    That is probably because your Onboard client is configured to trust the server specifically, and not just the Root CA that you are issuing it from. If it only trusts a specific server, and that server is not authenticating, it will not work.

    In Onboard, under Network Settings > Enterprise Trust, manually configure it to trust the CA certificate, and any server cert that has been issued by that CA will be trusted by the client:

    (attached screenshot: trust.png)



  • 3.  RE: Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace
    Best Answer

    EMPLOYEE
    Posted Sep 14, 2016 03:23 AM

    Did you keep the common name (CN) on the new ClearPass RADIUS certificate the same? If you change it (a single changed character is enough), you will get the results that you see.

    Try to avoid changing RADIUS certificates as much as possible, so use certificates that live as long as possible. And if you change the cert, make sure the certificate hierarchy (so root CA) and at least the CN is exactly the same for the new cert.

    I see that you have your Onboard CA for issuing client certificates as an intermediate to your enterprise root. That is something I would avoid, unless you have a very good reason to bind Onboard into your enterprise PKI, and understand the consequences, like that any Onboard generated certificate has full authority in the enterprise trust scope. I prefer to keep the Onboard CA as a standalone. It makes it easier to deploy, with fewer dependencies, and no worries about unintended trust for Onboard client certs in your enterprise PKI.
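    Added example, not part of this thread and not HPE Aruba code: a POSIX shell script using openssl that builds a constructed lab PKI mirroring the chain in the first post (root 1, intermediate 2, RADIUS cert 2a) and runs the pre-flight check this answer implies before a RADIUS certificate swap, i.e. the replacement must chain to the same root and carry the same CN; it also shows why a profile that trusts the specific server certificate, as described in the previous reply, fails on any replacement. All hostnames and CA names are constructed.

```shell
#!/bin/sh
# Constructed lab PKI: (1) root -> (2) intermediate -> (2a) RADIUS server cert.
# Nothing here touches a real ClearPass; all names are made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# (1) self-signed corporate root CA
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Corp Root CA" \
  -keyout root.key -out root.crt 2>/dev/null
# (2) corporate intermediate CA, signed by the root
openssl req -newkey rsa:2048 -nodes -subj "/CN=Corp Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.crt 2>/dev/null

# issue_leaf NAME CN: a (2a)-style RADIUS server certificate from the intermediate
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -out "$1.crt" 2>/dev/null
}
issue_leaf old     cppm.corp.example    # the expiring RADIUS certificate
issue_leaf new     cppm.corp.example    # replacement with the same CN
issue_leaf renamed cppm01.corp.example  # replacement with a changed CN

# cert_cn FILE: the CN a supplicant profile matches the server name against
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
# fingerprint FILE: SHA-256 identity of one specific certificate
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'; }

# safe_to_replace OLD NEW ROOT INTERMEDIATE: succeeds only if NEW chains to the
# same trusted ROOT and presents the CN that clients learned from OLD. This is
# the "trust the CA + expected server name" check a provisioned supplicant does.
safe_to_replace() {
  openssl verify -CAfile "$3" -untrusted "$4" -verify_hostname "$(cert_cn "$1")" \
    "$2" >/dev/null 2>&1
}
# pinned_client_accepts OLD NEW: a client that trusts the specific server
# certificate instead of the CA; any replacement changes the fingerprint.
pinned_client_accepts() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

safe_to_replace old.crt new.crt root.crt int.crt && echo "same CN: clients keep working"
safe_to_replace old.crt renamed.crt root.crt int.crt || echo "CN changed: re-onboarding needed"
pinned_client_accepts old.crt new.crt || echo "server-pinned profile: breaks on any swap"
```

Run it against the real old and candidate certificates (exported from the server, with the root and intermediate PEMs) before installing the replacement; it needs openssl 1.1.1 or later.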



  • 4.  RE: Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

    Posted Sep 14, 2016 05:09 PM

    Thank you both for very well written solutions and suggestions.

    Herman, it's like the light bulb just turned on in my head. I was unclear about certificates and trust for Onboarding. I thought that for BYOD to access the enterprise secured network, they must be trusted by the enterprise RootCA, because I can only install one RADIUS ClearPass certificate for both enterprise domain hosts and for BYOD. So I requested ClearPass Guest to be an Intermediate CA in the enterprise PKI.

    Now looking at the Network Settings >> Enterprise Trust that Colin pointed out, the automatic setting will trust all ClearPass servers in the cluster.

    It would be a lot easier to configure CPG as a RootCA to issue certificates to BYOD.

    Best regards,