Occasional Contributor I

Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

Hey, everyone!


I have a working service in Clearpass that authorizes Guest Operators against a generic LDAP. In the dev environment we were able to connect via a password. In order to move to the production environment, we need to install a cert provided by our PKI and use StartTLS with the LDAP directory.


Where do I install that cert? I thought it might be the RADIUS server certificate, but the install fails with the error that the cert I'm importing is not appropriate for use with Web Servers. It is true that my cert does not have the extended usage 'TLS Web Server Authentication', but that's not what the RADIUS server is doing anyway?


What am I doing wrong here? Where should my cert be installed?

Guru Elite

Re: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

Are you trying to authenticate to an LDAP server over port 686? The LDAP server must have a server certificate, and the ClearPass server must have the CA certificate for the server cert that was issued to the LDAP server imported into Administration > Certificates > Trust List.


If that is not what you mean, please let us know...

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor I

Re: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

I'm sorry it has taken me so long to respond to this. Thank you again for taking the time.


The issue is that I have been given both a 'server' certificate to identify the LDAP directory to Clearpass and a 'client' certificate that will identify Clearpass to the LDAP server. Encryption and authentication both ways without the need for passwords.


I can't replace the RADIUS server cert, because the cert from LDAP only has the 'client' usage. Even if I did replace the RADIUS cert, I could only do that once, and therefore could only do client auth to one such data store at a time. While the directory admins have allowed, in very few cases, password binds for applications that don't support client-based auth, those passwords are all stored as sha-512 hashes (which Clearpass does not currently support).


I need to find out if there IS some way to implement a client cert for StartTLS, and if not, get some sense of which feature (client-based auth for LDAP or sha-512 for passwords) is more likely to be pursued should I make the request.
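An added example (not from this thread, and not Aruba's tooling) that walks the two checks the discussion turns on: which Extended Key Usage a certificate carries (the RADIUS server slot expects 'TLS Web Server Authentication', which a client-only cert lacks), and whether the LDAP server's cert chains to the CA that would go into the Trust List. The CA, names and leaf certs are all constructed on the fly with openssl; nothing here touches a real PKI.

```shell
#!/bin/sh
# Added example (not from the thread or from Aruba): mint a throwaway CA and two
# CA-signed leaf certs with openssl, then run the two checks the thread turns on:
# which Extended Key Usage a cert carries (the RADIUS server slot wants
# "TLS Web Server Authentication") and whether a cert chains to the CA that would
# go into Administration > Certificates > Trust List. Everything here is constructed.
set -e
WORK=$(mktemp -d)

# issue NAME EKU: CSR + CA-signed leaf with the given extendedKeyUsage (serverAuth|clientAuth)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/$1.pem"
}

# eku_role CERT: prints server, client, both or none, read from the EKU extension
eku_role() {
  ekus=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true)
  s=0; c=0
  case "$ekus" in *"TLS Web Server Authentication"*) s=1;; esac
  case "$ekus" in *"TLS Web Client Authentication"*) c=1;; esac
  if [ "$s" = 1 ] && [ "$c" = 1 ]; then echo both
  elif [ "$s" = 1 ]; then echo server
  elif [ "$c" = 1 ]; then echo client
  else echo none
  fi
}

# chain_ok CERT CA_PEM: succeeds when CERT verifies against CA_PEM, which is what
# importing the CA into the Trust List lets ClearPass do for the LDAP server cert
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed CA (req -x509 marks it CA:TRUE), a server cert for the LDAP directory,
# and a client-only cert like the one the poster was handed for ClearPass itself
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
LDAP_SERVER=$(issue ldap-server serverAuth)
CLIENT=$(issue clearpass-client clientAuth)

echo "ldap-server role: $(eku_role "$LDAP_SERVER")"        # server
echo "clearpass-client role: $(eku_role "$CLIENT")"        # client
chain_ok "$LDAP_SERVER" "$WORK/ca.pem" && echo "ldap-server chains to the test CA"
```

Point `eku_role` at the real cert you were given to see which slot it can legitimately fill; a `client` result explains the RADIUS import error in the first post.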

All-Decade MVP 2020

Re: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

Hi Mark,


Were you ever able to figure out a way to do this?




