While public certificates work fine for RADIUS/EAP, the recommendation is to use a private CA. You can even use the Onboard CA for that if there is no internal CA at the customer.
Public certificates don't have much benefit, because for EAP/802.1X you will need to configure your clients to trust the certificate anyway. Public certificates have the 'issue' that they expire every year, and public CAs change their roots every now and then, in which case you will need to touch all of your clients to get the new root trusted. If you use a private CA under your own control, you also control the certificate lifetime (can be longer than 1 year) and you can ensure that your CA is still available when you need to renew.
If you are fine with that, as mentioned a public certificate will just work fine.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
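As an added illustration of the private-CA recommendation above (not part of the thread and not Aruba's own procedure; the CA name, host name, file names and lifetimes are constructed), this openssl script issues a long-lived EAP server certificate from a private root and checks that it chains to that root and stays valid past one year. The resulting ca.crt is what the clients would be configured to trust.

```shell
#!/bin/sh
# Added example: private CA + long-lived EAP server certificate with openssl.
# All names, paths and lifetimes below are constructed for illustration.
set -e

make_eap_pki() {   # usage: make_eap_pki DIR CA_DAYS EAP_DAYS
    dir=$1; ca_days=$2; eap_days=$3
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_eap]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.internal
EOF
    # Self-signed root: the only certificate clients need to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$ca_days" \
        -config "$dir/pki.cnf" -extensions v3_ca \
        -subj "/CN=Example Private EAP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Key and CSR for the EAP server certificate shared by all nodes.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
        -subj "/CN=radius.example.internal" \
        -keyout "$dir/eap.key" -out "$dir/eap.csr" 2>/dev/null
    # Issue it from the private CA with a lifetime we choose ourselves.
    openssl x509 -req -in "$dir/eap.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days "$eap_days" \
        -extfile "$dir/pki.cnf" -extensions v3_eap -out "$dir/eap.crt" 2>/dev/null
}

check_eap_cert() { # usage: check_eap_cert DIR MIN_DAYS; returns 0 when all checks pass
    dir=$1; min_days=$2
    # 1: must chain to the private root and be usable as a TLS server cert.
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/eap.crt" >/dev/null 2>&1 || return 1
    # 2: must still be valid MIN_DAYS from now.
    openssl x509 -in "$dir/eap.crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 || return 2
    return 0
}

demo=$(mktemp -d)
make_eap_pki "$demo" 3650 1825
check_eap_cert "$demo" 366 && echo "EAP cert chains to the private CA and is valid beyond one year"
```

The `-nodes` option leaves the keys unencrypted so the script runs unattended; a real CA key would be passphrase-protected and stored away from the RADIUS servers.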
Original Message:
Sent: Sep 22, 2022 09:39 AM
From: Unknown User
Subject: Certificates on Clearpass
Yes, public certificates work fine for RADIUS/EAP.
Original Message:
Sent: Sep 22, 2022 05:39 AM
From: Alon Haber
Subject: Certificates on Clearpass
Hi Herman,
Thank you for replying.
I did see the first video of the HTTPS certificate.
About the RADIUS certificate, you suggest not using a public certificate.
But I have a customer that doesn't have a CA in the organization. My question is whether it is possible to use the public certificate I used for the HTTPS (if it is even possible), or is it better to use a self-signed certificate in this case for the RADIUS certificate?
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Sep 21, 2022 10:04 AM
From: Herman Robers
Subject: Certificates on Clearpass
Please read the ClearPass Certificates 101 Tech Note. (bit old, but 'the spirit' still stands).
In general, for your HTTPS certificate take a public signed certificate that matches all of the names that you want to address your ClearPass on (multi-SAN, Wildcard). For EAP/RADIUS create a long living certificate issued from a private Certificate Authority; install the same EAP Certificate on all of your ClearPass nodes.
Here is a video on the HTTPS certificate and ClearPass, and another one for the RADIUS/EAP certificate.
------------------------------
Herman Robers
Original Message:
Sent: Sep 21, 2022 08:35 AM
From: Unknown User
Subject: Certificates on Clearpass
Not sure what is the exact role of each one of them.
HTTPS is used for the Web Admin interface of ClearPass and all Portals (Guest, Onboard, etc.). RADIUS is used for EAP/802.1X.
And if the https certificate has to be public?
If you are doing guest portals where you do not control the endpoints, yes. If not, then no. It could be an internal CA or self-signed.
In addition, if I want to form a cluster, which certificate is needed? And is it mandatory to install it before forming the cluster?
HTTPS is used, along with the database certificate. You will be prompted when you form the cluster to trust the HTTPS certificate of the other node. I always make sure my Certificate Trust Lists and the actual Certificates on all cluster nodes are configured completely before joining together.
Original Message:
Sent: Sep 21, 2022 07:13 AM
From: Alon Haber
Subject: Certificates on Clearpass
Hi all,
I have been working with ClearPass for a while.
I always had the infrastructure done before I stepped in, and now for the first time I need to make it all from scratch.
I am having trouble understanding the certificate section on the initial setup.
I did understand there is an HTTPS certificate and a RADIUS certificate.
Not sure what is the exact role of each one of them.
And if the https certificate has to be public?
In addition, if I want to form a cluster, which certificate is needed? And is it mandatory to install it before forming the cluster?
I would appreciate an answer and just a link to some guides because I already went through a lot of them.