VIA client with certificate-based authentication and mobility controller/clearpass
04-06-2020 10:16 AM - edited 04-06-2020 10:17 AM
I previously had a VIA client - virtual mobility controller - clearpass setup to test client connection authentication (password-based), which I have set up and tested successfully (RADIUS authentication through Clearpass).
Since then I have been trying to change the setup to certificate-based, but I am failing badly!!!! My knowledge of certificate types and how they work is quite poor, which is partly the problem, so let me start with some basic questions and statements which I hope you can confirm.
1. I can load the VPN profile successfully from the controller which highlights the configuration is now using IKEv2 and authentication-type: user-cert.
2. The certificates offered in the VIA client do not, however, show the server certificate, which I would expect the VIA client to receive from the mobility controller. Is this assumption correct?
3. I have generated a server certificate, using my own CA/OpenSSL, and installed this (both at Mobility Controller and the controller instance level below it).
4. Under configuration -> services -> VPN -> General VPN, I have selected the pre-installed server certificate for VPN clients. I have done this at both levels mentioned under point 3.
5. There is another menu point called "Certificates for VPN clients" in the same GUI section below General VPN. I do not understand what this is for.
6. Are there any changes needed at the Clearpass level to enable certificate-based authentication?
7. Once the VIA client has received the controller server certificate, do I still need to re-authenticate with the user's credentials?
Any help and hints on the above would be much appreciated.