Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Certificates on Clearpass

This thread has been viewed 91 times

  • 1.  Certificates on Clearpass

    Posted Sep 21, 2022 07:13 AM

    Hi all,

    I am working with Clearpass for a while. 

    I always had the infrastructure done before I step in and now for the first time I need to make it all from scratch.
    I am having trouble understanding the certificate section on the initial setup.

    I did understand there is HTTPS certificate and Radius certificate.

    Not sure what is the exact role of each one of them.

    And if the https certificate has to be public?

    In addition, if I want to form a cluster, which certificate is needed? and does it mandatory to install it before forming the cluster?

    I would appreciate an answer and just a link to some guides because I already went through a lot of them.




  • 2.  RE: Certificates on Clearpass

    Posted Sep 21, 2022 08:35 AM

    Not sure what is the exact role of each one of them.
    HTTPS is used for the Web Admin interface of ClearPass and all Portals (Guest, Onboard, etc.).  RADIUS is used for EAP/802.1X.

    And if the https certificate has to be public?
    If you are doing guest portals where you do not control the endpoints yes.  If not, then no.  It could be an internal CA or self-signed.

    In addition, if I want to form a cluster, which certificate is needed? and does it mandatory to install it before forming the cluster?
    HTTPS is used.  Along with the database certificate.  You will be prompted when you form the cluster to trust the HTTPS certificate of the other node.  I always make sure my Certificate Trust Lists and the actual Certificates on all cluster nodes are configured completely before joining together.


    Original Message


  • 3.  RE: Certificates on Clearpass

    EMPLOYEE
    Posted Sep 21, 2022 10:04 AM
    Please read the ClearPass Certificates 101 Tech Note. (bit old, but 'the spirit' still stands).

    In general, for your HTTPS certificate take a public signed certificate that matches all of the names that you want to address your ClearPass on (multi-SAN, Wildcard). For EAP/RADIUS create a long living certificate issued from a private Certificate Authority; install the same EAP Certificate on all of your ClearPass nodes.

    Here is a video on the HTTPS certificate and ClearPass. and another one for the RADIUS/EAP certificate.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 4.  RE: Certificates on Clearpass

    Posted Sep 22, 2022 05:40 AM

    Hi Herman,
    Thank you for replying.

    I did see the first video of the HTTPs certificate.
    About the RADIUS certificate, you suggest not using a public certificate.
    But I have a customer that doesn't have CA in the organization. My question is if it is possible to use the public certificate I used for the HTTPS? (if it is even possible) or it is better to use a self-signed certificate in this case for the RADIUS certificate?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------

    Original Message


  • 5.  RE: Certificates on Clearpass

    Posted Sep 22, 2022 09:40 AM
    Yes Public certificates work fine for RADIUS/EAP.
    Original Message


  • 6.  RE: Certificates on Clearpass

    EMPLOYEE
    Posted Sep 23, 2022 06:02 AM
    While public certificates work fine for RADIUS/EAP, the recommendation is to use a private CA. You can even use the Onboard CA for that if there is no internal CA in the customer.

    Public certificates don't have much benefits, because for EAP/802.1X you will need to configure your clients to trust the certificate anyway. Public certificates have the 'issue' that they expire every year, and public CAs change their roots every now and then in which case you will need to touch all of your clients to get the new root trusted. If you use a private CA under your own control, you also control the certificate lifetime (can be longer than 1 year) and you can assure that your CA is still available when you need to renew.

    If you are fine with that, as mentioned a public certificate will just work fine.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 7.  RE: Certificates on Clearpass

    Posted Oct 17, 2022 02:40 PM
      |   view attached
    Hi Sir,

    I want to ask about one thing mentioned at Danny Jump's 101 tech note, as attached.

    It says "domain name in CN / SAN must match the domain name of the server itself".

    Does this mean the ClearPass server's hostname must be appended with the domain , e.g. "ABC-CP-01.abc.com"; 
    OR
    "ABC-CP-01" is enough as long the ClearPass server is joined to the "abc.com" domain.

    That's all for now ..

    Thank you as always.
    Original Message


  • 8.  RE: Certificates on Clearpass

    Posted Sep 22, 2022 04:17 AM

    Wow !!

    Thank you for the detailed answer.

    I got some of it much better now.
    Can you tell me what exactly a database certificate means? I had never heard about this one before.

    About the radius certificate, do I need it for the endpoints in addition to the Clearpass? or in the nodes? switches/controllers?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------

    Original Message


  • 9.  RE: Certificates on Clearpass

    Posted Sep 22, 2022 09:43 AM
    The database certificate is used to secure/encrypt the database replication traffic between ClearPass nodes.  It is best practice not to replace this certificate and use the certificate that is generated automatically during the ClearPass installation process.  You should only replace this if you have an audit/security requirement to eliminate all self-signed certificates.

    No.  The RADIUS certificate only lives on ClearPass (but must be trusted by all endpoints) and is used for EAP transactions.
    Original Message


  • 10.  RE: Certificates on Clearpass

    Posted Oct 02, 2022 10:56 AM

    Thanks again.

    This was very informative.





    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------

    Original Message


  • 11.  RE: Certificates on Clearpass

    Posted Oct 17, 2022 02:17 PM
    Hi Sir,

    My customer definitely has this audit requirement to avoid using the self-signed cert at the ClearPass, so they have asked me to use their CA.
    I generated the CSR but without me realizing, the private key expired after 8 days (according to TAC), and 15 days (according to Aruba doc). <-- first issue.

    Secondly, if I do not have the "verify server certificate" at the Windows endpoint configured, I do not need to worry about changing the RADIUS/EAP cert at all, correct ? For example, temporarily I have a self-signed cert installed, but then later I need to change it to their CA-signed cert.

    Third, due to the audit, db cert I need to change, but I am worried about breaking the cluster after I install the CA-signed from them. What are the pre-cautions I need to be aware of ?

    Thanks in advance.

    PS: I have already disabled the ECC https cert and only use the RSA one. Will change radius/eap, https(rsa), and db cert to their CA-signed.
    CP version still 6.10.5.
    Original Message


  • 12.  RE: Certificates on Clearpass

    Posted Oct 17, 2022 02:53 PM
    1. Yes, the automatic cleanup interval is 7 days.
    2. You should enable validate server certificate.  If you don't do this you are opening yourself up to MITM attacks.  IIRC, the RADIUS/EAP server will not properly start without a valid certificate.  
    3. I would work with TAC for a DB certificate change. Aruba best practice typically doesn't recommend changing them.

    Original Message