SBS
Contributor II

new certificate for cppm cluster and not break ipad communications

Hello,

We need to upgrade our CPPM security certificate based on this: https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

I believe we use the same certificate for SSL and RADIUS on CPPM (we have a 4 node cluster). This shouldn't be a problem except we have a couple thousand iPads that are managed thru an MDM (Airwatch), and we don't want to break them :-)

Here's how they get connected. Fresh out of the box the iPad is joined to an open SSID with internet access, it reaches out and connects to the Airwatch server and thru the SCEP process it gets a certificate which gets pulled down to the iPad. The iPad then uses that certificate to authenticate to the wifi network. It's my understanding that the RADIUS certificate is what authenticates the iPad to CPPM.

I'm not familiar with Airwatch but I have to figure, is there a way that we could get our new certificates and get them installed on CPPM without breaking our iPads' communications? TAC told me to just not replace the RADIUS certificate, but at some point we need to replace that b/c the cert will be expiring. I'm at a total loss for what we can do here... Is there a way we could load a new SSL and RADIUS cert on CPPM and somehow get that new info thru Airwatch to the iPad clients, would it be smart enough to know which cert to use? Is that even an option? Are there other ways?

 

The person that deals with Airwatch is researching that end but I wanted to pose the question to the community for help to understand options and any gotchas, etc.

 

Thank you!
Sarah

 

 

 

Aruba Employee

Re: new certificate for cppm cluster and not break ipad communications

Hi Sarah,

 

You can renew the HTTPS/RADIUS certificate from the same CA with the same parameters as the existing certificate. This will allow the existing enrolled iPads to connect without any issue.

I am no expert in Airwatch, but the new certificate can also be pushed from Airwatch to iPads (future enrollment) if that is an option.


Thank you,
Saravanan Rajagopal

Contributor I

Re: new certificate for cppm cluster and not break ipad communications

That's correct, we have the same scenario, just renew the RADIUS certificates from the same CA and upload to CPPM, iPads won't notice and should connect fine via EAP-TLS.

 

Same setup here, 4 CPPM cluster and Airwatch for MDM. Works fine.
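
Before uploading a renewed certificate to the cluster, the old and new certificates can be compared from a shell with `openssl`. This is an added example, not code from any poster in the thread; it assumes "same CA with the same parameters" means the same issuer, subject and subjectAltName, and the file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-upload check for a renewed RADIUS
# server certificate. Assumption: "same parameters" means the same issuer,
# subject and subjectAltName. File names are placeholders.

# Print one field of a PEM certificate in a form that can be string-compared.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_san() {
  # The line after the "Subject Alternative Name" header holds the SAN entries.
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ {getline; gsub(/^ +/, ""); print; exit}'
}

# compare_renewal OLD.pem NEW.pem [CA-CHAIN.pem]
# Returns 0 on a match, 1 on any mismatch (each one is printed), 2 on bad input.
compare_renewal() {
  local old=$1 new=$2 chain=${3:-} rc=0 f
  for f in "$old" "$new"; do
    openssl x509 -in "$f" -noout >/dev/null 2>&1 || { echo "cannot parse $f"; return 2; }
  done
  for f in issuer subject san; do
    if [ "$(cert_$f "$old")" != "$(cert_$f "$new")" ]; then
      echo "MISMATCH $f:"
      echo "  old: $(cert_$f "$old")"
      echo "  new: $(cert_$f "$new")"
      rc=1
    fi
  done
  # The renewed certificate should still be valid 30 days from now.
  if ! openssl x509 -in "$new" -noout -checkend $((30*24*3600)) >/dev/null; then
    echo "MISMATCH validity: new certificate expires within 30 days"; rc=1
  fi
  # Optional: confirm the new certificate chains to the CA file supplied.
  if [ -n "$chain" ] && ! openssl verify -CAfile "$chain" "$new" >/dev/null 2>&1; then
    echo "MISMATCH chain: new certificate does not verify against $chain"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: issuer, subject and SAN unchanged"
  return "$rc"
}

# Usage: compare_renewal current-radius.pem renewed-radius.pem ca-chain.pem
```

Pass as the third argument the CA chain that the MDM Wi-Fi profile distributes as trusted, so the chain check reflects what the enrolled devices will see.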
