Contributor I

Changing RADIUS Certificate on Clearpass - Device Authentication

I need to change the RADIUS certificate in ClearPass. I am using the ClearPass RADIUS server for a few purposes - device authentication as well as EAP-TLS authentication.

I know that EAP-TLS clients check this certificate and will prompt the user if the certificate is not trusted. I can solve this by deploying the new certificate to all clients.

What I'm not sure about, however, is whether devices using RADIUS for authentication will stop functioning if the certificate is changed. Do devices check the RADIUS certificate?

Thanks,

Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Many devices require the user to click "Accept" when the RADIUS server certificate is changed. On Windows devices you can push the RADIUS server's certificate to the trust list ahead of time using Group Policy. With other platforms, it will stop communicating until the user clicks "Accept".


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor I

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Ah, sorry, I wasn't super clear - I have networking equipment authentication happening via RADIUS. For example, routers and switches.

Do these devices check the RADIUS certificate? How can I tell?

I'm leaning towards no, as access tracker shows these as type PAP.

Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

PAP does not use a server certificate.


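What "PAP does not use a server certificate" means on the wire, as an added example (not code from the thread or from Aruba): in RFC 2865 PAP, the switch or router hides the password by XORing it with MD5(shared secret + Request Authenticator), and ClearPass reverses that with its own copy of the shared secret. There is no TLS handshake, so the EAP server certificate never enters the picture; only the shared secret does. The shared secret, username, password and NAS IP below are constructed values for illustration.

```python
import hashlib
import os
import struct

# Constructed values for the example (assumptions, not real credentials).
SHARED_SECRET = b"example-clearpass-secret"  # shared secret configured on the NAS and in ClearPass
NAS_IP = bytes([192, 0, 2, 10])              # documentation address standing in for the switch


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    Pad the password with NULs to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous cipher block); the first 'previous block' is the
    16-byte Request Authenticator from the packet header.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server side: undo the XOR chain with the server's copy of the secret.

    A wrong secret yields garbage rather than an error, which is why a
    mismatched shared secret shows up as 'bad password' style failures.
    The trailing NUL padding is stripped (RFC 2865 cannot express a password
    that itself ends in NUL).
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type, Length (including the 2 header bytes), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_pap_access_request(username: bytes, password: bytes, secret: bytes,
                             identifier: int, authenticator: bytes = None) -> bytes:
    """Code 1 Access-Request with User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # fresh per request; never reuse with PAP
    attrs = (attribute(1, username)
             + attribute(2, hide_password(password, secret, authenticator))
             + attribute(4, NAS_IP))
    header = struct.pack("!BBH", 1, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header and return {type: value}."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_checks_password(packet: bytes, secret: bytes, expected: bytes) -> bool:
    """What the RADIUS server does with a PAP request: recover and compare.

    Note what is absent: no certificate, no chain, no trust store.
    """
    attrs = parse_attributes(packet)
    return reveal_password(attrs[2], secret, packet[4:20]) == expected


if __name__ == "__main__":
    pkt = build_pap_access_request(b"sw-core-01", b"switch-admin-pw", SHARED_SECRET, 7)
    print("Access-Request:", pkt.hex())
    print("accepted with correct secret:", server_checks_password(pkt, SHARED_SECRET, b"switch-admin-pw"))
    print("accepted with wrong secret:  ", server_checks_password(pkt, b"wrong", b"switch-admin-pw"))
```

The practical caveat is the flip side of the answer above: because PAP over plain UDP rests entirely on MD5 and the shared secret, swapping the EAP server certificate cannot break these switches and routers, but it also means their password confidentiality depends on a strong, per-NAS shared secret and a management network you trust, not on any certificate.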
Occasional Contributor II

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Gurus,

My customer is changing their ClearPass RADIUS cert, which has a new intermediate and root cert.

Will this change prevent the currently onboarded clients from connecting?

Or will it only ask "Continue to connect" because the cert is not trusted in the client yet?

Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Users will likely not be able to connect if the whole chain has changed. If you're only using EAP-TLS and/or managed supplicants, you should use a private/internal CA-signed EAP server certificate so you have control over the chain and cert lifetime.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Cappalli,

We are only using EAP-TLS and using the Onboard local CA. The only thing that will be changed is the RADIUS server cert intermediate and root cert under Administration > Certificates.

I tried to change the cert and I'm still able to connect, but it prompts to continue connecting to the SSID.

Let's say I change the RADIUS/HTTPS server cert to a public cert from Entrust; would the existing onboarded clients still be able to connect without being prompted to continue connecting?
Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

You should use a public cert for HTTPS and an internal/private for EAP.

Occasional Contributor II

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

It would be better to use a public cert for both, right? What's the disadvantage of using a public cert for RADIUS?

It would still allow existing onboarded users to connect without requiring re-onboarding, right?
Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Public certs should only be used for EAP when using legacy EAP methods like PEAP. You should use an internal/private cert for EAP.
