Contributor I

New PKI server certificate migration

Hi,

I am using an internal CA server certificate on ClearPass for RADIUS authentication and everything is working fine. Now our PKI infrastructure is going to change, so can we use the old PKI and new PKI RADIUS server certificates on the same ClearPass server? I want to ensure that client PCs can authenticate whether they have an old or a new PKI client certificate. 6.7 has an option for a service-specific certificate, but how do I add the service categorisation rule based on the certificate (old or new PKI certificate PC), as they are using the same NAD and the same auth source?
Super Contributor I

Re: New PKI server certificate migration

The client certificate and server-side certificate have nothing to do with each other.
As I understand it, your clients and ClearPass are going to use a new certificate because of a new PKI.

You can't filter a service based on the client certificate.
The migration is simple.

At ClearPass:

* Add the new root/intermediate CA to the trust list
* If you filter on the CA in the service, make sure you add the new PKI
* At this point the clients should be able to authenticate

At the clients:

* Make sure you trust the new ClearPass RADIUS certificate in the wired/wireless dot1x configuration

After this, when the clients trust the new ClearPass certificate, you can replace the ClearPass RADIUS certificate. Make sure you have a backup of the public/private key so you can roll back the replacement.


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Contributor I

Re: New PKI server certificate migration

Hi Willem,

Thanks for your response, but I have a different requirement.
I want to use both PKIs at the same time, as we don't have the bandwidth to replace all client site certificates immediately.

Can we use two RADIUS server certificates with different PKIs at the same time?
Super Contributor I

Re: New PKI server certificate migration

No, and that is not needed. Just trust the new ClearPass certificate at the client and you can replace the ClearPass certificate without any issue.
The same goes for ClearPass: add the new root/intermediate CA to ClearPass and ClearPass can support both client certificates.

Willem Bargeman ACMX#935 | ACCX #822
Occasional Contributor I

Re: New PKI server certificate migration

Super Contributor I

Re: New PKI server certificate migration


@PDudakia wrote:

You could use the following functionality in 6.7.x or later versions:

https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/service_certificate_assign_to_service.htm


Not possible and not needed for this case.


Willem Bargeman ACMX#935 | ACCX #822
Occasional Contributor I

Re: New PKI server certificate migration

Adding a service certificate is possible and may be required if clients are hardcoded to trust only a specific root CA in the RADIUS server certificate.

Guru Elite

Re: New PKI server certificate migration

A service-level EAP server certificate will not really help here.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
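
The dual-trust migration described in this thread can be checked in a lab before touching production. The following is an added example, not part of any post above and not ClearPass tooling: it models certificate chain validation with `openssl verify`, and the CA names, certificate names and file paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed lab PKI: the "old" and "new" CAs, client certs pc-old/pc-new and
# RADIUS server certs radius-old/radius-new are hypothetical names.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {            # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1 lab root CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

issue() {              # $1 = issuing CA name, $2 = subject CN and file name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -out "$WORK/$2.pem" 2>/dev/null
}

trusted() {            # $1 = trust bundle (PEM), $2 = certificate to validate
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {             # $1 = label, $2 = trust bundle, $3 = certificate
  if trusted "$2" "$3"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}

make_ca old; make_ca new
issue old pc-old; issue new pc-new           # client certificates
issue old radius-old; issue new radius-new   # RADIUS server certificates

cp "$WORK/old-ca.pem" "$WORK/old-only.pem"                     # before migration
cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/both.pem"   # during migration

# Server side: which client certificates chain to the trust list?
report "old-only trust list, old-PKI client" "$WORK/old-only.pem" "$WORK/pc-old.pem"
report "old-only trust list, new-PKI client" "$WORK/old-only.pem" "$WORK/pc-new.pem"
report "dual trust list, old-PKI client"     "$WORK/both.pem"     "$WORK/pc-old.pem"
report "dual trust list, new-PKI client"     "$WORK/both.pem"     "$WORK/pc-new.pem"

# Client side: a supplicant that trusts both roots accepts either server
# certificate, so the one RADIUS certificate can be swapped at any time.
report "dual-root supplicant, old RADIUS cert" "$WORK/both.pem" "$WORK/radius-old.pem"
report "dual-root supplicant, new RADIUS cert" "$WORK/both.pem" "$WORK/radius-new.pem"
```

Only the second check is rejected, which is the state before the new CA is added to the trust list; once both roots are trusted on each side, neither client population depends on which server certificate is installed.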