Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

two Radius Server Certificates

  • 1.  two Radius Server Certificates

    Posted Nov 08, 2019 07:04 AM

    Hi All,

     

    Customer wants to use Machine Certificate & User Certificate for Authentication.

    Due to policy, Customer wants to use Machine Certificate from one CA (e.g. CA-1) and User Certificate from another CA (e.g. CA-2).

    So from ClearPass point of view, we need to have a Radius Server Certificate from CA-1 for Machine authentication and a Radius Server Certificate from CA-2 for User authentication, is my understanding.

    Is this feasible using 6.8.x?

     

     

    Thanks in advance

     

     



  • 2.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 07:22 AM
    No need to create a RADIUS server from each CA, just need to import both CAs in the trusted list



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 07:33 AM

    I agree, we need to upload both CA certificates in the Trust list.

    For EAP-TLS we need to upload the Radius Server certificate by submitting a CSR from CPPM to each CA, right?

     

     



  • 4.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 07:51 AM

    OK, I understand now. We can use a Radius Server certificate from any CA, as we use the Server Certificate to validate the Radius Server.

    As both Machine & User use the same Radius Server, that is CPPM, we can use a Radius Server certificate from any CA to do the needful.

    Both CA certificates in the Trust list of CPPM will validate both the Machine & User certificates presented by the Client Device.

    Hope my understanding is correct. Please correct me if my understanding is wrong.



  • 5.  RE: two Radius Server Certificates
    Best Answer

    Posted Nov 08, 2019 08:20 AM

    The client will send a certificate from 2 different CAs, so that is why CPPM needs to add them in its trust list.

     

    You can serve both requests from 1 service, just make different rules where you identify the certificate from each request.

     

    In both situations, the clients will be presented the same "server" certificate, installed in CPPM as a RADIUS certificate. So the clients just need to trust this 1 certificate (chain).



  • 6.  RE: two Radius Server Certificates
    Best Answer

    Posted Nov 08, 2019 08:32 AM
    Yes, correct.

    ClearPass validates the client cert using the CA from the trust

    The Windows client validates any RADIUS cert if the RADIUS cert CA is in the cert store

    So just need to make sure the RADIUS cert CA is in all your client cert stores



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 7.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 10:14 AM

    Thanks a lot :-)
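
The trust relationships described in this thread can be reproduced offline with OpenSSL. The script below is an added example, not part of the original posts and not ClearPass configuration: it builds a throwaway PKI in which every name (CA-1, CA-2, machine01, alice, radius) is constructed, then checks that one server trust list holding both CAs accepts both client certificates while clients only need the CA that issued the single RADIUS server certificate.

```shell
#!/bin/sh
# Constructed lab PKI; every name here (CA-1, CA-2, machine01, alice, radius) is made up.
set -e
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$LAB/req.cnf"

make_ca() {   # make_ca <name>: self-signed root CA
  openssl req -x509 -config "$LAB/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}
issue() {     # issue <ca> <name> <eku>: leaf certificate signed by <ca>
  printf 'extendedKeyUsage=%s\n' "$3" > "$LAB/$2.ext"
  openssl req -config "$LAB/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 30 -extfile "$LAB/$2.ext" -out "$LAB/$2.pem" 2>/dev/null
}
trusts() {    # trusts <ca-bundle> <purpose> <cert>: exit 0 if the chain validates
  openssl verify -purpose "$2" -CAfile "$1" "$3" >/dev/null 2>&1
}
issuer_of() { # issuer_of <cert>: CN of the issuing CA, one attribute a rule could key on
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

make_ca CA-1
make_ca CA-2
issue CA-1 machine01 clientAuth   # machine certificate
issue CA-2 alice     clientAuth   # user certificate
issue CA-1 radius    serverAuth   # the one RADIUS server certificate

# Server side: trust list with both CAs. Client side: only the RADIUS cert's CA.
cat "$LAB/CA-1.pem" "$LAB/CA-2.pem" > "$LAB/server-trust.pem"
cp "$LAB/CA-1.pem" "$LAB/client-trust.pem"

for c in machine01 alice; do
  trusts "$LAB/server-trust.pem" sslclient "$LAB/$c.pem" \
    && echo "server accepts $c (issuer: $(issuer_of "$LAB/$c.pem"))"
done
trusts "$LAB/client-trust.pem" sslserver "$LAB/radius.pem" \
  && echo "clients accept the RADIUS certificate"
# Failure modes: a missing CA on either side breaks validation.
trusts "$LAB/CA-1.pem" sslclient "$LAB/alice.pem" \
  || echo "trust list without CA-2 rejects the user certificate"
trusts "$LAB/CA-2.pem" sslserver "$LAB/radius.pem" \
  || echo "client trusting only CA-2 rejects the RADIUS certificate"
```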