Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - RADIUS Cert Question

  • 1.  ClearPass - RADIUS Cert Question

    Posted Dec 15, 2016 07:18 PM

    My current RADIUS cert is set to expire in a couple of days and ClearPass is giving me the red notification across the top "The RADIUS Server Cert will expire in 2 day(s)".  I created a CSR, had it signed by our PKI CA, then imported the cert, private key file and password.  On the cert page it shows the cert as valid and the expiration date changed to match the 5-year cert expiration.  However, the red warning stating the cert will expire in 2 days is still at the top of the page.

    Two questions:

    1. Does this cert need to be referenced/changed anywhere else in ClearPass, other than the Server Certificate/RADIUS Certificate page?

    2. Will a 5-year web server certificate suffice for the certificate type?

     

    It should be noted that I have a subscriber in the cluster and I changed the cert on that one yesterday and the expiration error message went away. Finding it out of the ordinary that the one on the publisher is staying around. 

     

    Thanks!



  • 2.  RE: ClearPass - RADIUS Cert Question

    EMPLOYEE
    Posted Dec 15, 2016 07:21 PM
    That should be all you need to do.



    I would open a TAC case just to make sure everything is OK.


  • 3.  RE: ClearPass - RADIUS Cert Question

    Posted Dec 16, 2016 10:09 AM

    Thanks for the quick reply as always, Tim.  Came in this morning and it's gone.  Looks like it cleared itself when the alert timer changed from 2 days to 1 day.  



  • 4.  RE: ClearPass - RADIUS Cert Question

    EMPLOYEE
    Posted Dec 19, 2016 03:18 AM

    This is normal behavior. The certificate warning seems to be generated during the nightly maintenance and disappears again when at the next run it appears that the certificate is valid again. I have not found a way to trigger this; I believe I even restarted the ClearPass appliance without success, but the next day the warning was gone after I replaced the cert.

     

    You made a good decision to get a 5-year certificate, as it reduces the maintenance of your certificates. Take a certificate that is valid for as long as possible, at least for RADIUS.

     

    Replacing the certificate with '2 days to go' is risky, as I have seen many cases where the certificate request/issue process can be delayed on formalities like signatures. Most times it will be okay, but you don't want to risk your ClearPass certificate expiring. Bear in mind that some clients with clock offsets (can be days) will not accept the cert when according to their clock the certificate expires. I would try to have your certificate replaced at least a week before expiration, and if possible a few hours/days after issuance.
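
The timing advice in the reply above (replace at least a week before expiry, allow for client clock offsets at both ends of the validity period) can be checked mechanically. The following is an added example, not part of the original post and not ClearPass code: it reads the two lines printed by `openssl x509 -noout -dates` and flags a certificate that is inside the renewal lead or that clients with skewed clocks would reject. The 2-day skew, the certificate dates, `NOW` and the function names are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample input in the format of `openssl x509 -noout -dates`.
OLD_CERT = "notBefore=Dec 17 00:00:00 2011 GMT\nnotAfter=Dec 17 19:00:00 2016 GMT\n"
NEW_CERT = "notBefore=Dec 15 18:00:00 2016 GMT\nnotAfter=Dec 14 18:00:00 2021 GMT\n"
NOW = datetime(2016, 12, 15, 19, 18, tzinfo=timezone.utc)  # constructed "current time"


def parse_dates(openssl_dates):
    """Return (not_before, not_after) as aware UTC datetimes."""
    fields = dict(line.strip().split("=", 1)
                  for line in openssl_dates.strip().splitlines())

    def to_utc(text):
        # ssl.cert_time_to_seconds parses the "Dec 17 19:00:00 2016 GMT" form.
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])


def assess(openssl_dates, now, lead=timedelta(days=7), skew=timedelta(days=2)):
    """List the timing problems for one certificate at time `now`.

    lead: how long before expiry the replacement should already be installed.
    skew: assumed worst-case client clock offset, in either direction.
    """
    not_before, not_after = parse_dates(openssl_dates)
    findings = []
    if now >= not_after:
        findings.append("expired")
    elif now + lead >= not_after:
        findings.append("inside-renewal-lead")
    # A client whose clock runs ahead by `skew` already sees the cert as expired.
    if now < not_after <= now + skew:
        findings.append("expired-for-fast-clocks")
    # A client whose clock runs behind by `skew` sees a fresh cert as not yet valid.
    if now - skew < not_before:
        findings.append("not-yet-valid-for-slow-clocks")
    return findings


if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, assess(cert, NOW))
```
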



  • 5.  RE: ClearPass - RADIUS Cert Question

    Posted Dec 27, 2016 10:26 AM

    Thanks for the great information, Herman.