Contributor I

Changing RADIUS Certificate on Clearpass - Device Authentication

I need to change the RADIUS certificate in ClearPass. I am using the ClearPass RADIUS server for a few purposes - Device Authentication as well as EAP-TLS Authentication.

I know that EAP-TLS clients check this certificate and will prompt the user if the certificate is not trusted. I can solve this by deploying the new certificate to all clients.

What I'm not sure about, however, is whether devices using RADIUS for authentication will stop functioning if the certificate is changed. Do devices check the RADIUS certificate?

Thanks,


Accepted Solutions
Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

PAP does not use a server certificate.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide


All Replies
Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Many devices require the user to click on "Accept" when the RADIUS server certificate is changed. On Windows devices you can push the RADIUS server's certificate to the trust list ahead of time using Group Policy. With other platforms, it will stop communicating until the user clicks on "Accept".


Contributor I

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Ah sorry, I wasn't super clear - I have networking equipment authentication happening via RADIUS. For example, routers and switches.

Do these devices check the RADIUS certificate? How can I tell?

I'm leaning towards no, as Access Tracker shows these as type PAP.

Guru Elite

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

PAP does not use a server certificate.


View solution in original post
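
One way to check this from a packet capture, as an added example that is not part of the original thread and not Aruba code: an Access-Request carrying User-Password (attribute 2) is PAP, and the server certificate only comes into play when EAP-Message (attribute 79) carries a TLS-based EAP method. The sample packets and the names `classify` and `build_sample` are constructed for illustration.

```python
import struct

USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE = 2, 3, 79  # RFC 2865 / RFC 3579
# EAP methods that set up TLS, so the server presents its certificate
TLS_EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_attributes(packet: bytes):
    """Return (type, value) pairs: 20-byte RADIUS header, then TLV attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def classify(packet: bytes):
    """Return (method, server_cert_used); the flag is None when undecided."""
    attrs = parse_attributes(packet)
    # One EAP packet may be split across several EAP-Message attributes.
    # EAP header is code, id, length(2); Request/Response add a type byte.
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if eap:
        eap_type = eap[4] if len(eap) > 4 else None
        if eap_type in TLS_EAP_TYPES:
            return TLS_EAP_TYPES[eap_type], True
        return "EAP (method not negotiated yet)", None
    types = {t for t, _ in attrs}
    if USER_PASSWORD in types:
        return "PAP", False
    if CHAP_PASSWORD in types:
        return "CHAP", False
    return "unknown", None

def build_sample(attrs):  # constructed Access-Request, zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a switch admin login over PAP, and an EAP-TLS response
PAP_REQ = build_sample([(1, b"netadmin"), (2, bytes(16))])
EAP_TLS_REQ = build_sample([(1, b"laptop01"), (79, bytes([2, 5, 0, 6, 13, 0]))])
```

An EAP-Response/Identity comes back as undecided because the method is only chosen in later packets of the same conversation.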

Occasional Contributor II

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Gurus,

My customer is changing their ClearPass RADIUS cert to one that has a new intermediate and root cert.

Will this change prevent the currently onboarded clients from connecting?

Or will it only ask "Continue to connect" because the cert is not trusted by the client yet?

Moderator

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Users will likely not be able to connect if the whole chain has changed. If you're only using EAP-TLS and/or managed supplicants, you should use a private/internal CA-signed EAP server certificate so you have control over the chain and cert lifetime.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Cappalli,

We are only using EAP-TLS and using the Onboard local CA. The only thing that will be changed is the RADIUS server cert intermediate and root cert on Administration > Certificate.

I tried to change the cert and was still able to connect, but it prompted to continue connecting to the SSID.

Let's say I change the RADIUS/HTTPS server cert to a public cert by Entrust. Would the existing onboarded clients still be able to connect without being prompted to continue connecting?
Moderator

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

You should use a public cert for HTTPS and an internal/private for EAP.


Occasional Contributor II

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

It would be better to use a public cert for both, right? What's the disadvantage of using a public cert for RADIUS?

It would still allow existing onboarded users to connect without requiring re-onboarding, right?
Moderator

Re: Changing RADIUS Certificate on Clearpass - Device Authentication

Public certs should only be used for EAP when using legacy EAP methods like PEAP. You should use an internal/private cert for EAP.

