Hello Community,
We recently expanded our ClearPass deployment from 2 servers (publisher and subscriber) to 4 servers (publisher and 3 subscribers), running 6.5 patch 3. We have a public cert (RADIUS and SSL use the same public cert). We use CPPM to send system-owned Windows domain machines to Active Directory for 802.1X authentication. We also use CPPM for onboarding personal (non-system-owned) machines, and also to onboard system-owned (non-domain) devices. We are discussing the proper steps to implement a new public cert since we have added the additional servers.
We have thousands of devices that are already onboarded, and we are trying to understand fully what to expect when installing a new public cert for CPPM (RADIUS/SSL).
1) For devices that are already onboarded, when we install the new public cert on the 4 CPPMs, will this break the previously onboarded users' connectivity?
2) If yes, will those devices have to fully re-onboard to get the new cert? Can you help me understand why, specifically? We had a meeting with our server and security team and this question came to light. We are trying to wrap our heads around why, specifically.
3) Is there any correlation to the public cert and the onboard (clearpass issued) cert?
Say our ClearPass-issued Onboard cert is good for X number of days, so depending upon when you enroll is when you have to re-onboard again, I believe. If a user onboards a device, and then a month later our public cert expires, will they have to re-onboard that soon because of the public cert?
Do we need to consider anything for the ClearPass cert when we do the public cert?
4) Are there any recommendations or best practices?
Thank you,
Sarah