Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Multiple server certificates in Clearpass?

  • 1.  Multiple server certificates in Clearpass?

    Posted Sep 14, 2017 04:52 AM

    Hi there,

     

    We're currently in the process of migrating clients to use EAP-TLS. As part of the migration we need to install a second Radius server certificate on our clearpass boxes to sit alongside an existing server certificate. Is this something we're able to do?

     

    We don't currently have a test environment, so not something we can verify in a lab environment.

     

    We're running Clearpass 6.6.0

     

    Thanks



  • 2.  RE: Multiple server certificates in Clearpass?

    EMPLOYEE
    Posted Sep 14, 2017 05:13 AM

    Are the EAP-TLS certificates being issued by the same CA as the existing server certificate?

     



  • 3.  RE: Multiple server certificates in Clearpass?

    Posted Sep 14, 2017 05:24 AM

    Yes, they will be.



  • 4.  RE: Multiple server certificates in Clearpass?

    EMPLOYEE
    Posted Sep 14, 2017 05:41 AM

    If the EAP-TLS certificates are issued by the same CA, you do not have to change the server certificate for the clients to work. Your EAP-TLS clients would still have to have the issuing CA's certificate in their trust store, just like the EAP-PEAP clients.

     

    If the EAP-TLS certificates are issued by a different CA, your clients would still have to trust the existing server certificate, but you would also have to upload the issuing CA's certificate into the ClearPass radius server's trust list under Certificates> Trust List.



  • 5.  RE: Multiple server certificates in Clearpass?

    Posted Sep 14, 2017 05:51 AM

    There can only be one! One Radius cert for your Clearpass cluster..

     

    You say "It will be" - what does that mean?

    That in the migration period you will have two separate CAs and end up with the new one only?

     

    I'm assuming you are going from EAP-PEAP to EAP-TLS. That means you will have to update the GPOs for the clients to reflect this change.

     

    Just for the baseline to get this to work (with security intact)

    1. The clients will have to have the rootCA certificate of the Radius server certificate in their Trusted Root Auth cert-store

    2. The clients will have to have a list of the radius server names they need to trust

    3. The clients need to change their Auth method from EAP-PEAP to "Smartcard or other .."

     

    If you are also changing RootCA then you would have to do this in several steps to ensure all clients are updated with the new RootCA in their Trusted Root certstore.

     

    If so..

    1. Update GPOs to push the new RootCA and most likely push client certs at the same time. This to prepare for the EAP-TLS transition.

    2. Update Clearpass Radius cert from the new RootCA using the same servername. Keeping the same name should make the clients keep trusting the Radius server, and since they trust the RootCA they will trust the certificate..

    3. Update client GPOs to change 802.1x authentication to "Smartcard or other.."

     

    .. I think ;)



  • 6.  RE: Multiple server certificates in Clearpass?

    Posted Sep 14, 2017 06:00 AM

    To confirm - We're currently using EAP-PEAP for client connectivity, but looking to move to EAP-TLS.

     

    The main issue we're up against, and hence the query, is that we'll be using a global policy for EAP-TLS connectivity on the client, and the configuration for Windows has the 'Connect to these servers' option enabled, which is referencing the FQDN of 2 x server certificates that we do not currently have installed on our Clearpass servers. On testing, this is currently causing a certificate mismatch error, and requires manual connect to the SSID.

     

    Obviously, we'd like to stick to using the global policy, so our current thinking is that we install the Radius certificates matching the FQDN in the policy, allowing clients to connect via EAP-TLS once the updated policy is applied to their machines.

     

    Both the existing and the new certificates are issued by the same CA.



  • 7.  RE: Multiple server certificates in Clearpass?

    EMPLOYEE
    Posted Sep 14, 2017 06:19 AM

    You should add a "connect to these servers" entry for your existing radius (ClearPass?) server for this to work. "Connect to these servers" is supposed to limit what actual radius servers your clients can connect to, vs. just Validate which would allow your client to connect to anything in your client's trusted store.

     

    To test this, you should create an OU that has the new group policy settings and put your test client machines in it, so that you don't affect production clients.



  • 8.  RE: Multiple server certificates in Clearpass?

    EMPLOYEE
    Posted Sep 14, 2017 06:21 AM

    "To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in Connect to these servers, type the name of each RADIUS server, exactly as it appears in the subject field of the server's certificate. Use semicolons to specify multiple RADIUS server names."

    https://msdn.microsoft.com/en-us/library/dd759247(v=ws.11).aspx
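The two supplicant-side checks discussed in posts 4, 7 and 8 (the server certificate must chain to a CA in the client's trusted root store, and, when "Connect to these servers" is set, the certificate's subject name must exactly match one of the semicolon-separated entries) can be modelled in a few lines. This is an added example, not ClearPass or Windows code: certificates are represented as dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, trust is modelled by issuer name alone rather than a full chain signature check, and all certificate values and policy strings below are constructed. Treating DNS subjectAltName entries as additional candidate names is an assumption beyond the quoted Microsoft text.

```python
"""Model of Windows 802.1X server validation (EAP-PEAP / EAP-TLS).

Added example, not ClearPass or Windows code. Certificates are dicts in the
shape of ssl.SSLSocket.getpeercert(); the trust check compares issuer CNs
only (a simplification of real chain validation). All values are constructed.
"""


def _common_names(name):
    """Return every commonName value in a getpeercert()-style name tuple."""
    return [value for rdn in name for attr, value in rdn if attr == "commonName"]


def subject_names(cert):
    """Names a supplicant compares against the policy: subject CN plus DNS SANs
    (including SANs is an assumption; the quoted doc mentions the subject only)."""
    names = _common_names(cert.get("subject", ()))
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def parse_server_list(connect_to_these_servers):
    """Split the GPO 'Connect to these servers' field on semicolons (per the MS doc)."""
    return [s.strip() for s in connect_to_these_servers.split(";") if s.strip()]


def validate_server(cert, trusted_root_cns, connect_to_these_servers=""):
    """Decide whether a supplicant would accept this RADIUS server certificate.

    Returns (accepted, reason). An empty server list means "validate certificate
    only": any certificate from a trusted CA is accepted (post 7's 'just Validate').
    """
    issuers = _common_names(cert.get("issuer", ()))
    if not any(cn in trusted_root_cns for cn in issuers):
        return False, "issuing CA %r is not in the trusted root store" % issuers
    allowed = parse_server_list(connect_to_these_servers)
    if not allowed:
        return True, "trusted CA, no server-name restriction configured"
    matched = sorted(set(subject_names(cert)) & set(allowed))
    if not matched:
        return False, "server name mismatch: cert names %r not in %r" % (subject_names(cert), allowed)
    return True, "trusted CA, matched server name %s" % matched[0]


# Constructed data mirroring the thread: the existing ClearPass cert is issued by
# the corporate CA, while the new global policy lists two FQDNs that are not yet
# installed on any ClearPass server.
TRUSTED_ROOTS = {"Corp Issuing CA"}

EXISTING_CERT = {
    "subject": ((("commonName", "clearpass.example.com"),),),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "clearpass.example.com"),),
}

ROGUE_CERT = {  # same name, but issued by a CA the client does not trust
    "subject": ((("commonName", "clearpass.example.com"),),),
    "issuer": ((("commonName", "Unknown CA"),),),
}

NEW_POLICY = "radius1.example.com;radius2.example.com"
# Post 7's fix: add the existing server's name to the list.
FIXED_POLICY = "radius1.example.com;radius2.example.com;clearpass.example.com"


def scenario():
    """Run the four cases a practitioner would want to see side by side."""
    return {
        "existing_cert_new_policy": validate_server(EXISTING_CERT, TRUSTED_ROOTS, NEW_POLICY),
        "existing_cert_fixed_policy": validate_server(EXISTING_CERT, TRUSTED_ROOTS, FIXED_POLICY),
        "existing_cert_validate_only": validate_server(EXISTING_CERT, TRUSTED_ROOTS),
        "rogue_cert_fixed_policy": validate_server(ROGUE_CERT, TRUSTED_ROOTS, FIXED_POLICY),
    }


if __name__ == "__main__":
    for case, (ok, reason) in scenario().items():
        print("%-28s %s  (%s)" % (case, "ACCEPT" if ok else "REJECT", reason))
```

The first case reproduces the mismatch error described in post 6 (trusted CA, but the certificate name is not in the list); the second shows why post 7's advice resolves it without touching the ClearPass certificate; the last shows that adding a name to the list never widens trust beyond the CAs in the root store.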



  • 9.  RE: Multiple server certificates in Clearpass?

    Posted Sep 14, 2017 07:11 AM

    That's an option, it's just we have no control over AD, so any changes we want would take weeks to be implemented in order for us to test.

     

    If we had a certificate available to us today, would installing it on Clearpass be something that would work, or is there a hard limit to 1 Server radius certificate in Clearpass?



  • 10.  RE: Multiple server certificates in Clearpass?

    EMPLOYEE
    Posted Sep 14, 2017 06:54 AM

    Why not just take one of the "old" certificates and use it on your ClearPass servers?

