Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Changing RADIUS Certificate on Clearpass - Device Authentication

  • 1.  Changing RADIUS Certificate on Clearpass - Device Authentication

    Posted Mar 09, 2016 05:36 PM

    I need to change the RADIUS certificate in ClearPass. I am using the ClearPass RADIUS server for a few purposes - Device Authentication as well as EAP-TLS Authentication.


    I know that EAP-TLS clients check this certificate and will prompt the user if the certificate is not trusted. I can solve this by deploying the new certificate to all clients.


    What I'm not sure about however is if Devices using RADIUS for authentication will stop functioning if the certificate is changed. Do devices check the RADIUS certificate?


    Thanks,



  • 2.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    EMPLOYEE
    Posted Mar 09, 2016 06:12 PM

    Many devices require the user to click on "Accept" when the RADIUS server certificate is changed. On Windows devices you can push the RADIUS server's certificate to the trust list ahead of time using group policy. With other platforms, it will stop communicating until the user clicks on "Accept".



  • 3.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    Posted Mar 09, 2016 06:33 PM

    Ah sorry I wasn't super clear - I have networking equipment authentication happening via RADIUS. For example routers and switches.


    Do these devices check the RADIUS certificate? How can I tell?


    I'm leaning towards no, as access tracker shows these as type PAP.



  • 4.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication
    Best Answer

    EMPLOYEE
    Posted Mar 09, 2016 07:34 PM

    PAP does not use a server certificate.



  • 5.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    Posted Nov 22, 2018 11:16 PM

    Gurus,


    My customer is changing their ClearPass RADIUS cert, which has a new intermediate and root cert.


    Will this change impact the currently onboarded clients from connecting?


    Or will it only ask "Continue to connect" because the cert is not trusted on the client yet?



  • 6.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    EMPLOYEE
    Posted Nov 22, 2018 11:38 PM
    Users will likely not be able to connect if the whole chain has changed. If you're only using EAP-TLS and/or managed supplicants, you should use a private/internal CA-signed EAP server certificate so you have control over the chain and cert lifetime.
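
The chain check described in this reply, rehearsed locally as an added example (not code from the thread or from HPE Aruba): an EAP-TLS supplicant validates the EAP server certificate against the CA it was provisioned with, so a server cert issued under a new root and intermediate fails until the client trusts the new root. Every CA, hostname and certificate in the script is constructed for the demo with openssl.

```shell
#!/bin/sh
# Added example: mirror the supplicant-side check of the ClearPass EAP server
# certificate before and after the root and intermediate are replaced.
# All CAs, names and certificates are constructed locally for this demo.
set -eu
WORK=$(mktemp -d)
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign\n' >> "$WORK/req.cnf"
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > "$WORK/srv.ext"

new_root() {  # $1 = file stem of a self-signed root CA
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {  # $1 = issuer stem, $2 = new cert stem, $3 = CN, $4 = extension file
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$4" -out "$WORK/$2.pem" 2>/dev/null
}

# What an EAP-TLS supplicant does with its configured CA: returns 0 if the
# server cert $2 chains (via intermediate $3) to a root in trust file $1.
supplicant_accepts() {
  openssl verify -CAfile "$1" -untrusted "$WORK/$3.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

build_demo() {  # old chain (what onboarded clients trust) and the replacement chain
  new_root old-root; issue old-root old-int "Old Intermediate" "$WORK/ca.ext"
  issue old-int old-server clearpass.example.test "$WORK/srv.ext"
  new_root new-root; issue new-root new-int "New Intermediate" "$WORK/ca.ext"
  issue new-int new-server clearpass.example.test "$WORK/srv.ext"
}

build_demo
for case in "old-root old-server old-int" "old-root new-server new-int" "new-root new-server new-int"; do
  set -- $case
  supplicant_accepts "$WORK/$1.pem" "$2" "$3" && r=accept || r=REJECT
  echo "client trusts $1, server presents $2 chain: $r"
done
```

The middle case is the cutover the question describes: clients still provisioned with the old root reject the new chain, which is why a private CA you control (and can pre-distribute to managed supplicants) avoids the outage.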


  • 7.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    Posted Nov 23, 2018 12:08 AM
    Capalli,

    We are only using EAP-TLS and using the Onboard local CA. The only thing that will be changed is the RADIUS server cert intermediate and root cert under Administration > Certificates.

    I tried to change the cert and was still able to connect, but it prompted me to continue connecting to the SSID.

    Let's say I change the RADIUS/HTTPS server cert to a public cert by Entrust; would the existing onboarded clients still be able to connect without being prompted to continue connecting?


  • 8.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    EMPLOYEE
    Posted Nov 23, 2018 12:10 AM
    You should use a public cert for HTTPS and an internal/private for EAP.


  • 9.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    Posted Nov 23, 2018 12:18 AM
    It would be better to use a public cert for both, right? What's the disadvantage of using a public cert for RADIUS?

    It would still allow existing onboarded users to connect without requiring re-onboarding, right?


  • 10.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    EMPLOYEE
    Posted Nov 23, 2018 12:26 AM
    Public certs should only be used for EAP when using legacy EAP methods like PEAP. You should use an internal/private cert for EAP.


  • 11.  RE: Changing RADIUS Certificate on Clearpass - Device Authentication

    Posted Nov 23, 2018 02:21 AM

    But if the client devices are more than just corporate assets, would it be better if I use a public cert for the RADIUS cert?