Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Controller using same certificate

  • 1.  ClearPass and Controller using same certificate

    Posted Oct 26, 2016 11:31 AM

    Hi,

     

    Is it possible to use the same certificate for both the ClearPass and controller by defining the appropriate Subject Alternate Names during the creation of the CSR?

     

    I found this article and it would seem to indicate that this is possible. I just wanted to make sure that I was interpreting it correctly.

     

    The certificate would be used for the captive portal, the mgmt ports on each ClearPass server, and the redirection link that is hit during web-auth (we currently have disabled HTTPS for this process).

     

    Cheers



  • 2.  RE: ClearPass and Controller using same certificate

    EMPLOYEE
    Posted Oct 26, 2016 11:42 AM

    The guest POST from the client to the controller cannot use the SAN. So if you're not using HTTPS for the POST, then the SANs would only be used for GUI access.

     

    I can't say I'd ever recommend doing this though. Your RADIUS server certificate and key should always be well contained.



  • 3.  RE: ClearPass and Controller using same certificate

    Posted Oct 26, 2016 12:04 PM

    So if we would like to switch back to HTTPS on the controller for the guest POST, we will need to purchase an additional certificate just for the controller?

     

    Just to clarify as well about the guest POST, are you referring to when the guest does the submissions of the guest account? Or when they actually authenticate through the web form and the redirect to the controller occurs? This is probably a stupid question.....



  • 4.  RE: ClearPass and Controller using same certificate

    EMPLOYEE
    Posted Oct 26, 2016 12:08 PM
    The submission through the web form. That POSTs back to the controller and
    uses the controller's cert.



    I've never tried just using the same cert with the ClearPass common name.
    I'd imagine that would be pretty weird because the controller will have a
    static entry for the ClearPass FQDN.


  • 5.  RE: ClearPass and Controller using same certificate

    Posted Oct 26, 2016 01:49 PM

    I think I follow you now.

    That is controlled by these settings in the Guest Self-Registration page, correct?

    [screenshot: Guest Self-Registration settings, showing the IP Address field used for the redirect]

     

    So to play it safe, it sounds like we should aim for a separate certificate for the controller.

     

    You mentioned earlier the RADIUS certificate:

    I can't say I'd ever recommend doing this though. Your RADIUS server certificate and key should always be well contained.

     

     

    I am just curious, currently we are using our commercial cert for both the HTTPS and RADIUS components on the CPPM. Is this something that is not recommended?

    I remember when we first setup the CPPM I don't believe there was an option to have a separate cert. This is something new that came in later versions of CPPM I believe? So is it still safe to use the same cert for both?



  • 6.  RE: ClearPass and Controller using same certificate
    Best Answer

    EMPLOYEE
    Posted Oct 28, 2016 05:18 AM

    I would expect your situation to work under the following circumstances for the certificate that you want to install on both ClearPass and controller:

    - The hostname used for the redirection (in the IP Address field in your screenshot) is the Common name (CN) for your certificate. So that is the 'main' name for your certificate.

    - The ClearPass HTTPS certificate uses a different name (SAN) that is as well in the certificate. ClearPass cannot use the CN as there will be a name collision: your client cannot address both ClearPass and the controller login page on the same name.

     

    About the recommendation for the RADIUS certificate, which can be installed separately through the drop-down in the ClearPass Server Certificate screen, it really depends on your requirements. The separate certificate has been there for quite some years now; I estimate it was already in 6.0. Roughly, if you have only internal clients and controlled clients that need to authenticate via 802.1X/RADIUS, and have an internal PKI setup, you are likely better off with a private CA certificate. If you have a lot of external clients, like in eduroam or BYOD, or if you don't have a PKI, a public certificate is more likely to be your best match. Please check the ClearPass Certificates 101 Technote for some additional guidance.



  • 7.  RE: ClearPass and Controller using same certificate

    Posted Nov 14, 2016 03:44 PM

    Hi @Herman Robers,

     

    Sorry for my late reply.

     

    I appreciate your detailed reply.

    You mention near the end that if we have BYOD devices, a commercial CA may be the better way to go. We do have an internal PKI via AD, but we do not use it to a large extent.

     

    We do quite a bit of Onboarding of BYOD devices (Android and Apple mainly), and given my experience with those in the past, a commercial CA probably makes sense for the RADIUS.

     

    Thank you again!

     

    Cheers



  • 8.  RE: ClearPass and Controller using same certificate

    Posted Nov 25, 2016 08:41 AM

    Just wanted to give an update on this.

     

    I only realized recently that the default cert that came with our controller had been revoked, because of this I needed to move a little faster on dealing with the certificates on our controller.

     

    The solution I went with, with the help of Aruba Support, was as follows.

    Captive Portal (redirect URL)

    • I used an existing commercially signed wildcard certificate we had.
    • I combined the certificate and intermediate certificates into a single file. This was done using the cat command in Linux and redirecting the output to a new crt file.
    • I then used openssl to generate a pfx
      openssl pkcs12 -export -in yourcert_wChain.crt -inkey privateKey.pem -out yourcert_wKey_wChain.pfx
    • This file was then uploaded into the controller
      Configuration tab > MANAGEMENT (left pane) > Certificates
    • Once uploaded I changed the "Captive Portal Certificate" to the certificate I just uploaded
      Configuration tab > MANAGEMENT (left pane) > General

    WebUI Management Authentication Method

    • I used our Microsoft PKI to generate a web certificate.
    • Each controller in our environment has their own certificate.
    • You can generate the CSR from
      Configuration tab > MANAGEMENT (left pane) > Certificates > CSR
    • Once the CSR is generated click "View" and copy the CSR (everything including the begin and end statements)
    • Head over to your Microsoft PKI and generate a cert.
    • Then just follow the same procedure to upload the cert into the controller.
    • Then change the WebUI certificate to the one you just generated.
      Configuration tab > MANAGEMENT (left pane) > General > WebUI MANAGEMENT AUTHENTICATION METHOD

    Certificates on the controllers are now changed and everything appears to be working as intended.

     

    Thanks to Aruba Support for your assistance!

     

    Cheers
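The two recommendations in this thread, a certificate whose CN is the controller's web-auth redirect host with the ClearPass host only as a SAN (post 6), and the leaf-plus-intermediates file turned into a PKCS#12 for the controller (post 8), combined into one script with the checks worth running before the upload. This is an added example, not the thread's own commands: the hostnames captive.example.com and clearpass.example.com, the PFX password, and the throwaway two-tier CA standing in for the commercial CA are all constructed for it.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed names throughout; the
# root/intermediate generated here stand in for a commercial CA.
set -e

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="changeit"                      # constructed; the controller asks for it on import
CONTROLLER_HOST="captive.example.com"    # CN: the web-auth redirect hostname
CLEARPASS_HOST="clearpass.example.com"   # SAN only, so the two names do not collide

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_test_ca() {
  # Self-signed root, then an intermediate signed by it.
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt" >/dev/null 2>&1
}

make_leaf() {
  # CSR with CN = controller host and both hosts in the SAN (the CSR asked about
  # in post 1). "openssl x509 -req" does not copy CSR extensions, so the signing
  # step restates the SAN through an extfile; a commercial CA does this for you.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$CONTROLLER_HOST" \
    -addext "subjectAltName=DNS:$CONTROLLER_HOST,DNS:$CLEARPASS_HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$CONTROLLER_HOST" "$CLEARPASS_HOST" > "$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

build_pfx() {
  # Post 8's steps: leaf first, then the intermediates, then key + chain into a PKCS#12.
  cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/leaf_wChain.crt"
  openssl pkcs12 -export -in "$WORK/leaf_wChain.crt" -inkey "$WORK/leaf.key" \
    -out "$WORK/leaf_wKey_wChain.pfx" -passout "pass:$PFX_PASS" >/dev/null 2>&1
}

# --- checks to run before uploading ---

chain_verifies_for() {
  # Trust only the root; the intermediate must come from the chain file, as a
  # client would see it. -verify_hostname also matches the name against the SAN.
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/leaf_wChain.crt" \
    -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

leaf_cn() {
  openssl x509 -in "$WORK/leaf.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

pfx_cert_count() {
  # Leaf and intermediate should both be inside the PKCS#12.
  openssl pkcs12 -in "$WORK/leaf_wKey_wChain.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

pfx_key_matches_cert() {
  # The certificate and key inside the PKCS#12 must share a public key.
  pfx_pub=$(openssl pkcs12 -in "$WORK/leaf_wKey_wChain.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/leaf.key" -pubout)
  [ -n "$pfx_pub" ] && [ "$pfx_pub" = "$key_pub" ]
}

make_test_ca
make_leaf
build_pfx
echo "CN: $(leaf_cn)"
openssl x509 -in "$WORK/leaf.crt" -noout -ext subjectAltName
echo "certificates in PFX: $(pfx_cert_count)"
```

The order in the concatenated file matters: the leaf must come first, followed by the intermediates, or `pkcs12 -export` and the controller will pair the key with the wrong certificate. The `-verify_hostname` check is the same match a browser performs on the redirect, so run it for every name you expect clients to use; a name missing from the SAN fails there before it fails in the field.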