Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Failed to implement RADSEC

  • 1.  Failed to implement RADSEC

    MVP
    Posted Jul 17, 2020 01:57 AM

    I am setting up a new CPPM environment. I have an IAP with a VC, which is managed by Airwave.

    I was able to register the device (IAP) in CPPM with RADIUS. Now I want to change the connection to RadSec.

     

    So first I've created a CSR in CPPM, requested a cert from our CA, and imported this cert in CPPM as the RadSec server certificate. Then I've exported this cert and imported it in Airwave as a server cert and configured this cert as the RadSec server cert in Airwave. I've also configured the RadSec CA cert in Airwave.

    Now I see in CPPM Event Viewer:

     

    TLS connection couldn't connect for x.x.x.x(IAP): Errors: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

     

    Any hints?

     

    Kind regards

    Matthias



  • 2.  RE: Failed to implement RADSEC
    Best Answer

    EMPLOYEE
    Posted Jul 20, 2020 02:17 PM

    Hi Matthias,

    Most likely the issue is that you can't use a Server certificate as a Client certificate while establishing a connection to RadSec in CPPM.

    The first part seems correct where you get the RadSec server certificate signed by the CPPM CA. However, if you use the same certificate and put it in Airwave, RadSec will not accept it as the purpose of that certificate is not Client Authentication.

    So I would suggest creating a new CSR, preferably not in CPPM but locally using openssl. Set the certificate purpose to "user cert". Then get it signed by the CPPM CA as you did before and use that certificate with the private key in Airwave. It should work.

    Also, ensure that both the IAP and CPPM have the CA certificates, and that the NAS-IP-Address is populated in the AAA server on the IAP. Often that is blank and RadSec is not able to authenticate the controller/IAP properly.
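An added example, not code from the thread or from HPE Aruba, that reproduces the failure offline and shows the check the reply is describing. A throwaway CA stands in for "our CA" and issues two leaf certificates: one with only the serverAuth extended key usage (the RadSec server certificate that was reused on the Airwave side) and one with clientAuth (what the reply calls a "user cert"; reading that as extendedKeyUsage=clientAuth is the editor's interpretation). Each is then checked with `openssl verify -purpose`, which applies the same key-usage rules a TLS server applies to a peer certificate. Every hostname and file name is made up for the example; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the forum thread): why a serverAuth-only certificate
# fails client verification in a RadSec (TLS) handshake, and what a usable
# client certificate looks like. Assumed/made-up: all CNs, SANs and file names.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: an empty DN section (the -subj flag supplies names) plus
# extension profiles for the CA, a server (CPPM-style) leaf and a client (NAD) leaf.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:cppm.example.local
[v3_client]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName   = DNS:iap-vc.example.local
EOF

# Self-signed throwaway CA standing in for "our CA".
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/ext.cnf" \
  -subj "/CN=Example Lab CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue NAME PROFILE CN: key and CSR generated locally (as the reply suggests),
# signed by the CA with the extensions of PROFILE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -extensions "$2" \
    -out "$WORK/$1.crt" 2>/dev/null
}

issue server v3_server cppm.example.local    # the RadSec server certificate
issue client v3_client iap-vc.example.local  # a certificate fit for the NAD side

# eku_of CERT: print the Extended Key Usage of a PEM certificate,
# e.g. "TLS Web Server Authentication".
eku_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# verify_purpose CAFILE PURPOSE CERT: prints OK or FAIL. "-purpose sslclient"
# enforces the EKU/keyUsage a TLS server demands from a client certificate,
# which is the check behind "ssl3_get_client_certificate:certificate verify failed".
verify_purpose() {
  if openssl verify -CAfile "$1" -purpose "$2" "$3" 2>&1 | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

echo "server.crt EKU: $(eku_of "$WORK/server.crt")"
echo "client.crt EKU: $(eku_of "$WORK/client.crt")"
echo "server.crt as sslserver: $(verify_purpose "$WORK/ca.crt" sslserver "$WORK/server.crt")"
echo "server.crt as sslclient: $(verify_purpose "$WORK/ca.crt" sslclient "$WORK/server.crt")"
echo "client.crt as sslclient: $(verify_purpose "$WORK/ca.crt" sslclient "$WORK/client.crt")"
```

The serverAuth-only certificate passes as `sslserver` and fails as `sslclient`, while the clientAuth certificate passes as `sslclient`; a certificate carrying both EKUs would pass both checks. Run `eku_of` against the certificate you loaded on the NAD side before debugging anything else. Against a live server, the same client certificate and key can be exercised with `openssl s_client -connect <cppm-host>:2083 -cert client.crt -key client.key -CAfile ca.crt` (2083 being the RadSec default TCP port); a verify failure there reproduces what CPPM logs in its Event Viewer.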

     



  • 3.  RE: Failed to implement RADSEC

    MVP
    Posted Jul 21, 2020 04:11 PM

    Thanks for the explanation. My fallacy... Works perfectly now.