Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass onboard Certificates

  • 1.  Clearpass onboard Certificates

    Posted Apr 18, 2017 11:36 PM

    Hi guys,

    1. Is there any special reason for ClearPass to push the RADIUS certificate into the Trusted Root Certification Authorities store in Windows? I am a little confused by this... I was thinking it should only push the root CA and the intermediate CA, but what is the reason to push the ClearPass RADIUS certificate to the users?

    2. My RADIUS certificate is expiring in a couple of days... The other 2 certificates highlighted in my attached image are the root CA and my intermediate CA, so my next question is: if I renew the RADIUS certificate in ClearPass, does it need to have the same CN? Or can it be any name, as long as the device has the root CA and the intermediate CA, so that it will be able to validate the RADIUS server identity?

    Thanks


  • 2.  RE: Clearpass onboard Certificates

    Posted Apr 19, 2017 03:17 AM

    Hello!

    In regards to question #2...

    Is this just for Onboard or company 802.1X?

    In general for 802.1X...

    In your Windows SSID profile, do you have "Validate Certificate" checked? Also, do you have "Connect to these servers" with an FQDN entered there?

    If you do, then you absolutely don't want to change the CN in the certificate, since that would cause Windows to NOT connect. In ClearPass you would be seeing a lot of timeouts with errors like "Client did not complete EAP transaction".

    If you want to change the CN, you should change the GPO that pushes your SSID profiles and add the new name to the valid server names to connect to.

    For Onboard: if you change the RADIUS CN, I'm pretty sure it would break the certificate validation for the currently enrolled devices and make them unable to log on. Depending on the type of device, it might just cause them to get a popup to authenticate connecting to that new server. Still, more noise for support, which I'm sure you don't want ;)


  • 3.  RE: Clearpass onboard Certificates

    Posted Apr 19, 2017 10:41 AM

    If that is the case, evidently something is not working for me. I am attaching a couple of screenshots of how my Windows computer is set up; I then changed the RADIUS cert in ClearPass and the computer is still able to connect... BTW, all these certs and the profile were pushed by QuickConnect the first time the device onboarded...



  • 4.  RE: Clearpass onboard Certificates

    EMPLOYEE
    Posted Apr 19, 2017 11:21 AM

    Reboot the machine and see if it still authenticates.



  • 5.  RE: Clearpass onboard Certificates

    Posted Apr 19, 2017 12:30 PM

    No, it is still working. I rebooted the computer and it is still authenticating the user...



  • 6.  RE: Clearpass onboard Certificates

    EMPLOYEE
    Posted Apr 19, 2017 11:19 AM

    1) It's to ensure the broadest compatibility between clients.

     

    2) If the supplicant is configured to validate the root CA and common name, you should be fine with a new certificate from the same issuer with the same common name.
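Replies #2 and #6 both hinge on what the Windows supplicant profile actually validates ("Validate Certificate", "Connect to these servers", trusted root). As an added diagnostic example, not code from this thread or from HPE Aruba, the PowerShell below exports the WLAN profile, prints its server-validation settings, and compares them with a renewed RADIUS certificate file; the SSID name `Corp-WiFi` and the path `radius-new.cer` are assumed placeholders.

```powershell
# Added example, not code from the thread or from HPE Aruba: check what a Windows
# WLAN profile actually validates and compare it with a renewed RADIUS certificate.
# Assumed placeholders: the SSID name and the path to the exported new server cert.
param(
    [string]$ProfileName = 'Corp-WiFi',
    [string]$RadiusCertPath = '.\radius-new.cer'
)

# Export the profile XML (no key=clear, so no credentials are written to disk).
$tmp = Join-Path $env:TEMP 'wlan-profile-check'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem -Path $tmp -Filter "*$ProfileName*.xml" | Select-Object -First 1
[xml]$wlanXml = Get-Content -Path $xmlFile.FullName -Raw

# PEAP and EAP-TLS profiles both carry ServerValidation/ServerNames/TrustedRootCA
# inside EAPConfig; GetElementsByTagName ignores the XML namespaces for us.
$serverNames  = ($wlanXml.GetElementsByTagName('ServerNames') | ForEach-Object { $_.InnerText }) -join ';'
$trustedRoots = @($wlanXml.GetElementsByTagName('TrustedRootCA') | ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() })
$noPrompt     = $wlanXml.GetElementsByTagName('DisableUserPromptForServerValidation') | ForEach-Object { $_.InnerText }
Write-Host "ServerNames pinned in profile : $(if ($serverNames) { $serverNames } else { '<none: any server name is accepted>' })"
Write-Host "Trusted root thumbprints      : $(if ($trustedRoots) { $trustedRoots -join ', ' } else { '<none: any root in the store is accepted>' })"
Write-Host "User prompt suppressed        : $noPrompt"

# Names the renewed RADIUS certificate presents: subject CN plus DNS entries of the SAN.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RadiusCertPath
$certNames = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $certNames += ($san.Format($true) -split "`r?`n" | Where-Object { $_ -match '^DNS Name=' } | ForEach-Object { $_ -replace '^DNS Name=', '' })
}

# ServerNames is a ';'-separated list; a plain exact-match comparison is used here.
$pinned = @($serverNames -split ';' | Where-Object { $_ })
$nameOk = ($pinned.Count -eq 0) -or [bool]($certNames | Where-Object { $pinned -contains $_ })
Write-Host "Names in new certificate      : $($certNames -join ', ')"
Write-Host "Name check                    : $(if ($nameOk) { 'PASS' } else { 'FAIL: supplicant will reject or prompt' })"

# Build the chain from the local stores and compare its root with the pinned thumbprint(s).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootOk = ($trustedRoots.Count -eq 0) -or ($trustedRoots -contains $root.Thumbprint.ToUpper())
Write-Host "Chain root                    : $($root.Subject) [$($root.Thumbprint)]"
Write-Host "Root check                    : $(if ($rootOk) { 'PASS' } else { 'FAIL: root not trusted by the profile' })"

Remove-Item -Path $tmp -Recurse -Force
```

Run it on the client in an elevated PowerShell session; if the profile pins no server name and the renewed certificate chains to a root already trusted, a CN change passes silently, which matches the behaviour described in replies #3 and #6.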