Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificates on ClearPass subscribers

  • 1.  Certificates on ClearPass subscribers

    Posted Mar 09, 2015 09:15 AM

    Hi

     

    I have a question regarding the certificates on ClearPass subscribers.

    ClearPass version 6.4.4.

    Currently I configure a three node cluster with one publisher and two subscribers.

    I would like to have a common name for Guest registration pages and unique names on each host for Radius.

    Most of the clients are non-managed BYOD clients and only trust public CAs. A certificate from an internal CA isn’t an option.

     

    Onboarding isn't planned to be implemented.

    What would be the best certificate strategy?

    Option 1. One SAN enabled certificate with one CN like clearpass.domain.com for https and the FQDN for each host as SAN for the Radius service

    Option 2. Unique certificates for both https and radius

    Option 3. Any suggestions appreciated

     



  • 2.  RE: Certificates on ClearPass subscribers

    Posted Mar 09, 2015 09:22 AM

    In my opinion Option 1

     

    I would definitely make the RADIUS certificate common among all of the appliances if you have roaming clients or they would connect to all appliances, so that they don't have to accept different certificates. I would have a common CN and multiple SANs for each appliance.
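
A pre-order check for the Option 1 layout discussed above, as an added example that is not part of the original thread or of any Aruba tooling. The node hostnames are constructed placeholders, and requiring exact (non-wildcard) SAN entries for the RADIUS names is a conservative assumption of this example.

```python
# Added example: review a planned SAN certificate before ordering it from a public CA.
# cppm1/2/3.domain.com are constructed placeholder names, not values from the thread.

def _matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) == len(hl) and len(pl) > 2 and pl[1:] == hl[1:]


def review_san_plan(common_name, san_dns, https_names, radius_names):
    """Return a list of findings; an empty list means every name is covered."""
    findings = []
    # Clients that follow RFC 6125 (including current browsers) ignore the CN
    # once a SAN extension is present, so the CN must also appear as a SAN.
    if not any(_matches(s, common_name) for s in san_dns):
        findings.append(f"CN {common_name} is not repeated in the SAN list")
    for name in https_names:
        if not any(_matches(s, name) for s in san_dns):
            findings.append(f"HTTPS name {name} is not covered by any SAN")
    exact = {s.lower() for s in san_dns}
    for name in radius_names:
        # Assumption of this example: RADIUS server names need exact entries.
        if name.lower() not in exact:
            findings.append(f"RADIUS name {name} has no exact SAN entry")
    return findings


NODES = ["cppm1.domain.com", "cppm2.domain.com", "cppm3.domain.com"]
GUEST = "clearpass.domain.com"

if __name__ == "__main__":
    # SAN list holding only the node FQDNs: the guest name is left uncovered.
    for finding in review_san_plan(GUEST, NODES, [GUEST], NODES):
        print("FINDING:", finding)
    # Guest name repeated as a SAN next to the three node FQDNs: no findings.
    print(review_san_plan(GUEST, [GUEST] + NODES, [GUEST], NODES))
```
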



  • 3.  RE: Certificates on ClearPass subscribers
    Best Answer

    Posted Mar 09, 2015 12:26 PM

    A lot of your Q's are discussed/answered in this TechNote

     

    CPPM - Certificates 101 Technote V1.0 .pdf

     

     



  • 4.  RE: Certificates on ClearPass subscribers

    Posted Mar 10, 2015 08:56 AM

    Thank you for the tech note link!

     

    This document answered my questions.

     

    Regards

    Jonas



  • 5.  RE: Certificates on ClearPass subscribers

    Posted Sep 12, 2017 09:28 PM

    The certificate technote mentioned here should go into Aruba Network's Tech Note Hall of Fame.  I've updated to the version 1.2 ( CPPM - Certificates 101 Technote V1.2 .pdf ).  If you read that document carefully and apply its recommendations, you will leave this world knowing PKI better than you found it.   Even if you do not have a solid foundation for using certificates in your ClearPass environment, this will be highly enlightening.   The appendices also go into general PKI discussions that will help you understand why you want to use certificates in the first place.  Well done Danny Jump.   And great study material for those looking to get their ACCX.