Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

SSL Certificate to avoid security warning Message

  • 1.  SSL Certificate to avoid security warning Message

    Posted Sep 24, 2012 05:02 AM

    Hello All, I have 3 Cisco controllers and a ClearPass Guest system. We are planning to install an SSL certificate to eliminate the certificate warning message and to have a professional user experience.

     

    -- What is the best approach for installing an SSL certificate?

    -- Do I need to raise the CSR from each controller and ClearPass Guest separately and upload a certificate, or is a certificate needed only in ClearPass?

    -- Can I use a wildcard SSL certificate, or do I need to buy separate certificates?

     

     

    Please assist me with clarification.



  • 2.  RE: SSL Certificate to avoid security warning Message

    EMPLOYEE
    Posted Sep 24, 2012 11:04 AM

    There are no issues using a wildcard or one of the other multi domain certificates.  You would probably want to use local tools to generate your key and csr, and then upload the key, certificate, chain/root certificates on the appropriate page.

     

    Also, since the client POSTs their credentials to the Cisco controllers as part of the login process, you do want that to be a secure channel.

     

    FWIW, Aruba controllers default to a valid certificate when using securelogin.arubanetworks.com as the NAS address.  A custom certificate is only needed when you want to see your hostname throughout.

     



  • 3.  RE: SSL Certificate to avoid security warning Message

    Posted Sep 24, 2012 02:42 PM

    Can you please double-check whether a wildcard certificate will do the job? I talked to Aruba TAC today; they suggested that I go for a standard SSL certificate, as the Amigopod hostname and controllers' hostname should match, and a wildcard certificate will not do this.



  • 4.  RE: SSL Certificate to avoid security warning Message

    EMPLOYEE
    Posted Sep 24, 2012 03:07 PM

    There are no technical problems with wildcard certificates.  On the controller side, it normally will detect the hostname out of the certificate and use that for itself.  In the case of a wildcard, since there is no hostname, it always uses captiveportal.yourdomain.tld.  You will need this when setting up the NAS area of the web login or self-registration.

     

    I do not know the context of your statement that the Amigopod hostname and controller hostname should match.  For obvious reasons the hostnames must be different.

     

    What you do need to make sure is that your DNS infrastructure will return the correct address for your Amigopod hostname.  Since the controller is inline to the guests, it can trick itself and mask DNS problems.  But Amigopod needs to be addressable. 

     

     

     



  • 5.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 05, 2012 10:28 AM

    I know it's been two weeks since an update on this, but I thought I'd comment as I have a similar setup.

     

    We have 3 Cisco Controllers, and 1 recently installed Aruba, all using Clearpass/Amigopod for guest.  

     

    Regarding Wildcard certificates, I can confirm that they work on Amigopod/Clearpass.  

    I can also confirm that I had absolutely no luck whatsoever getting wildcard certificates to work on the Cisco Controllers at all.  I did not attempt on the Aruba Controller.

     

    In my setup, the Cisco Controllers all use the same certificate, and I purchased a separate certificate for the Aruba Controller.  Just make sure on both setups that you go through the steps to combine the Purchased Cert and the Intermediate Certificates into the same file and you should be fine.  There is some pretty good documentation out there for doing this.

     

    Also make sure you do what "gbenedict" suggested regarding DNS and the resolving of the names, and you should be good.

     

    No Certificate issues here after doing all of that.  



  • 6.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 08, 2012 03:17 AM

    Thanks Shawn. Can you please share the document you referred to for this?



  • 7.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 08, 2012 11:44 AM

    Sorry, I wasn't really referring to any specific document.  I was referring to documentation regarding SSL Certificate generation and Combinations in general.  Not to give Props to Cisco, but this document (Also Attached):

     

    http://www.cisco.com/image/gif/paws/109597/csr-chained-certificates-wlc-00.pdf

     

     

    Gives a pretty good step by step setup for creating a CSR and then putting all the Chained certificates together into a single file that is compatible with multiple formats.  

     

    I've had no troubles whatsoever, using these instructions to generate CSR and Chained certificates for multiple vendor devices.




  • 8.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 10, 2012 05:23 PM

    Hello,

     

     

    Thanks for your document.

    I generated a CSR and contacted Verisign for a third-party CA-signed certificate. They said that since my requirement is to secure an internal resource (intranet), I cannot go for a normal SSL certificate and should instead go for an MPKI (Managed PKI) solution. Please let me know which type of SSL certificate I should go for.

     

     

     



  • 9.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 10, 2012 05:26 PM

    That seems strange.  All mine are privately addressed devices and I was able to purchase Verisign Certificates without any issue.  I'm going to have to defer to someone else to answer this one.

     

    Anyone have any ideas?



  • 10.  RE: SSL Certificate to avoid security warning Message

    EMPLOYEE
    Posted Oct 10, 2012 05:30 PM

    Well, this falls back to the DNS issue.  The IP address is the only thing that truly makes it an intranet hostname.  Do you own at least the true top level of the hostname you want?  i.e. acme.com in guest.intranet.acme.com.  We also have never seen anyone need anything more than a regular cert.  They need to verify the top level only.

     



  • 11.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 10, 2012 11:58 PM

    They said all internal servers are treated with MPKI.



  • 12.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 11, 2012 12:36 AM

    Can you please share with me the exact link of the certificate you bought from Verisign? They strictly say that they are only providing SSL certificates for a server that resides on the internet; any internal one should go with Managed PKI.



  • 13.  RE: SSL Certificate to avoid security warning Message
    Best Answer

    Posted Oct 11, 2012 09:10 AM

    If you're asking where we purchase, we purchase directly from Verisign using the links on this page, or through our account with them:

     

    https://www.symantec.com/verisign/ssl-certificates/secure-site

     

    If you're asking for me to post a link to one of the sites I've purchased certificates to use on, I can't do that as they are all private addresses that are not accessible from outside our own network.  As long as you own your top level domain, like example.com or example.edu, then you should be able to purchase certificates for any sub domains without any issue, like private.example.com or private.network.example.edu.  

     

    Just an FYI, in the case of wildcard certs, wildcard certificates purchased for the Top level domain, will not work for the sub domains.  You must purchase a wildcard certificate for every sub domain that you wish to address or you will get certificate errors.

     

    I think you need to talk to a different verisign rep and get a second opinion.



  • 14.  RE: SSL Certificate to avoid security warning Message

    EMPLOYEE
    Posted Oct 11, 2012 10:00 AM

    +1 to ShawnShoe

     



  • 15.  RE: SSL Certificate to avoid security warning Message

    Posted Oct 18, 2012 05:26 AM

    Thanks to all who have contributed. The issue is getting narrowed down now. I had requested SSL for the hostname SOMETHING.com.LOCAL. Since ".LOCAL" is an invalid top-level domain name on the internet, they refused to issue a certificate for that hostname and suggested going for MPKI. Now I have regenerated a CSR with Wifi.SOMETHING.com and am awaiting the certificate.

     

    Regards,

    Shafi.
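
Added example, not part of the thread or of any vendor's documentation: a local OpenSSL walk-through of the two points discussed above, combining the server certificate with its intermediate (posts 5 and 7) and the one-label scope of a wildcard name (post 13). It assumes a throwaway test CA standing in for the public CA; `example.com`, the CA names and all file names are constructed.

```bash
#!/usr/bin/env bash
# Added example. Every name here (example.com, "Test Root CA", file names) is constructed.
set -eu
cd "$(mktemp -d)"

# Extension files: CA certs need CA:TRUE; the leaf carries the wildcard as a SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'subjectAltName=DNS:*.example.com\n' > leaf.ext

new_csr() {  # $1 = file prefix, $2 = common name; key and CSR are generated locally
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
sign() {     # $1 = subject prefix, $2 = issuer prefix, $3 = extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
}

# Stand-in for the public CA: a self-signed root and one intermediate.
new_csr root "Test Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
  -out root.pem 2>/dev/null
new_csr int "Test Intermediate CA"; sign int root ca.ext
new_csr leaf "*.example.com";       sign leaf int leaf.ext

# The combined file: server certificate first, then the intermediate.
cat leaf.pem int.pem > chained.pem

chain_ok() {       # leaf validates when the intermediate is supplied alongside it
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}
leaf_alone_ok() {  # what a client sees if only the leaf is installed
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}
host_matches() {   # $1 = hostname a guest's browser would request
  openssl x509 -in leaf.pem -noout -checkhost "$1" | grep -q 'does match'
}

chain_ok && echo "chain: OK"
leaf_alone_ok || echo "leaf without intermediate: verification fails"
for h in guest.example.com guest.intranet.example.com example.com; do
  if host_matches "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

Running the same `verify` and `-checkhost` checks against a purchased certificate before uploading it catches a missing intermediate or a hostname outside the wildcard's scope ahead of the first guest login.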