That depends on the client configuration. Your clients should trust your RADIUS server's certificate, by having the root and certificate name configured.
If you changed the certificate, and either the RootCA, or the server name changed, it is expected that your clients will not be able to connect. Changing your RADIUS certificate is something you need to carefully plan and execute.
In this situation, as I don't know the previous situation, nor the current situation, I would recommend working with your Aruba partner, or Aruba Support to find out what went wrong and how to possibly recover with the fewest interruptions to your clients.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 06, 2021 10:07 PM
From: lalo rocha
Subject: ClearPass RADIUS certificate expiring
Hello Herman
I have a problem with the CA certificate. I created a different certificate than the one that was installed, and my clients with the Windows operating system do not recognize it; I have to add the Wi-Fi network manually. What can I do so that my clients reconnect without manually setting the Wi-Fi network in Windows?
I currently have ClearPass version 6.10.
------------------------------
lalo rocha
Original Message:
Sent: Jul 28, 2020 04:22 AM
From: Herman Robers
Subject: ClearPass RADIUS certificate expiring
Best practice for an expiring RADIUS EAP Server certificate is to just request a new one and install that.
There are three constraints:
- Use the same SAN/CN as in your previous certificate. Note that having a SAN with the same name as the CN now is mandatory.
- Get the certificate signed by the same root CA. If you don't, clients will have issues trusting it. If you can't use the same root CA, prepare for the reconfiguration of all your clients.
- Make sure the lifetime of your newly signed certificate is less than 825 days.
I think this summary from JISC/Eduroam in the UK is a nice resource.
-