Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpasses in different countries with different CAs

  • 1.  Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 12:07 AM

    Hello guys, I ran into the following issue recently.

    I have a CA in country A.

    I have a different CA in country B, which is in another domain.

    The client wants that when their managers go from country A to country B they can connect with the same SSID.

    If they had the same CA I do think that would be an issue, but they have different CAs with different domains.

    Each country has its own ClearPass, and I can only sign the ClearPass with one of the CAs; I cannot use it with 2 CAs, so I'm not sure what I can do here or how I can manage this situation.

    Has anyone run into this situation? If you have, how did you manage it?

    We are using EAP-TLS.

    Thanks



  • 2.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 02:24 AM

    Hi

    If I understand right, the two servers are not part of a cluster, so they are stand-alone servers?

    If that's the case, you must install the CA certificates of domain A on ClearPass server B and the CA certificates of domain B on server A.

    Are the domains reachable between the countries? In that case you should configure lookup of users in domain B from server A and domain A from server B. Also make sure the CRL or OCSP is reachable between the two countries.

    It shouldn't be a problem to solve the authentication of users from the other domain as long as the communication works. If you don't have a connection between the domains/countries you can still trust the root from the other side, but not perform AD lookup and revocation checks. In that case you may prefer to assign a limited role to devices from the other country.

    The only limitation is if both root CA certificates have the exact same common name. In that case ClearPass can't authenticate users from both domains.

    I have raised a feature request to change the behavior of ClearPass to work in situations where there are multiple roots with the same common name, as is the case with intermediate certificates. https://innovate.arubanetworks.com/ideas/SEC-I-2038



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 08:51 AM

    Hello Jonas hope you are doing great

    Right now they have, like I said, 2 different domains, each domain has a different CA, and each country has a ClearPass cluster.

    Each ClearPass in each country can reach both domains; that is not a problem.

    Each country has its own domain and its own users: country A is on a.domain.local, and country B is on b.domain.local. ClearPass of country A has requested its certificate from the root CA of country A for ClearPass A, so users from CA A in domain a.domain.local can authenticate on ClearPass A with no issues, and it is working fine in that part; the same goes for country B.

    Now the problem comes when a manager from country B wants to travel to country A: he has a different CA and he works with a different domain. How do I request a certificate of country B for ClearPass and install it? If I do install it in the certificate store, that deletes certificate A that is stored in the certificate store, and my users that are local in the country will stop working with EAP-TLS. That is the problem I'm trying to overcome.

    Unless I didn't understand what you mean? If I didn't, please correct me.

    Managers from country A should travel to country B and vice versa. The SSID should be the same in each country, as requested; let's say the SSID is ARUBA in each country with EAP-TLS, but the difference is that it's on a different domain with a different CA, though the domains are reachable from both ClearPasses in each country.

    The part where I lost you is where you said I can install the certificate in each country, but if I do I'll lose the other certificate that I need. Can you explain that part to me? How will it work if I lose that certificate, at least for the local users?

    Thanks




  • 4.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 09:18 AM

    Hi

    You should not touch the certificates on the clients.

    In ClearPass A install the root and any intermediate certificates from domain B under Administration\Certificate\Trust list and enable usage EAP and AD/LDAP Server.

    On ClearPass B install the same from domain A.

    If you need to apply roles based on the different user groups from B when a person is visiting country A, you also need to create a matching LDAP connection from ClearPass A to domain B to be able to read the AD groups. In that case you also need to update the role mapping and enforcement policies accordingly. The same must also be done on the other side.

    If all users visiting A from B should be in the same role, you will just need a single line in the role mapping policy to assign that role based on the issuing CA in domain B.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 09:42 AM

    Hello

    I can do that with no issues, but wouldn't I need the certificate in the certificate store, in the RADIUS part of the select usage of domain B, as well?

    That will not bring me issues of "did not complete EAP transaction" because it is from another domain?

    If not, I would like to know why I installed that certificate in the first place then; I thought I needed it so it worked properly, the certificate in the trust list and the certificate in the select usage of the certificate store, but it seems that at least the users from the other countries don't need it when they are on another domain.

    I'm just trying to understand what I'm doing, sorry about so many questions.

    I




  • 6.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 10:26 AM

    The clients must trust the other domain PKI as well, and in the 802.1x GPO you should also mark the root of the other domain's PKI as trusted for EAP.

    In my last answer I referred to the changes needed on the ClearPass server side.

    Certificates are often a complex topic where you need to trust the issuer of the certificates and also configure the 802.1x policies on the clients.

    Your case is a bit of a special case with a lot of additional parameters to consider. I would recommend to contact an Aruba partner or Aruba SE to get assistance to look into the specific questions you have.

    This is (hopefully) a list of all that must be configured on both sides:

    • Each ClearPass server must trust the PKI in the other domain
    • Possibly an LDAP connection to the other AD, if group membership should be utilized
    • ClearPass must have configuration in the EAP-TLS service to handle the clients from the other domain
    • Clients must trust the PKI in the other domain
    • Clients should only have a certificate for client authentication from their own domain
    • Clients should have 802.1x configured by GPO
    • In the GPO the root certificates from both PKIs should be selected as trusted for 802.1x (in the picture below both root certificates should be selected)
    • In the GPO the client may need to be configured for how to select the client authentication certificate under the Advanced settings in this dialogue, where the client should only select certificates based on the root in its own domain.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
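As an added example, not from this thread and not HPE Aruba's own code, the script below reproduces the server-side part of the checklist with plain openssl: two independent root CAs (one per domain), one client certificate issued by each, and a check of which trust list accepts which client. A trust list holding only the home root rejects the visitor's certificate; a trust list holding both roots accepts both, which is the "trust the PKI in the other domain" step above. A last function maps the issuing CA to a role, the way a single role-mapping line keyed on the issuer would. The CA names, client names, domain names and role names are all constructed for the example.

```shell
#!/bin/sh
# Added example: two independent root CAs, one client cert each, and a
# check of which trust bundle validates which client. All names constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA. $1 = file stem, $2 = common name.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue a client certificate from a root. $1 = root stem, $2 = client stem,
# $3 = user name placed in the CN (constructed, UPN-like).
issue_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# Validate a client certificate against a trust bundle (the "trust list").
# $1 = bundle file, $2 = client stem. Prints "trusted" or "rejected".
check_trust() {
  if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Map the issuing CA of a client certificate to a role, mirroring a role-mapping
# rule keyed on the issuer. $1 = client stem. Role names are constructed.
role_for_client() {
  issuer=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253)
  case "$issuer" in
    *"CN=Root CA A"*) echo "HomeUser-A" ;;
    *"CN=Root CA B"*) echo "Visitor-from-B" ;;
    *) echo "Untrusted-Issuer" ;;
  esac
}

make_root rootA "Root CA A"
make_root rootB "Root CA B"
issue_client rootA clientA "manager@a.domain.local"
issue_client rootB clientB "manager@b.domain.local"

# Trust list of ClearPass A before the change: only its own root.
cp "$WORK/rootA.crt" "$WORK/trust-A-only.pem"
# Trust list of ClearPass A after the change: both roots.
cat "$WORK/rootA.crt" "$WORK/rootB.crt" > "$WORK/trust-A-and-B.pem"

# Stand-alone run: print the outcome for every bundle/client combination.
for bundle in trust-A-only trust-A-and-B; do
  for client in clientA clientB; do
    printf '%-14s %-8s %-9s role=%s\n' "$bundle" "$client" \
      "$(check_trust "$WORK/$bundle.pem" "$client")" "$(role_for_client "$client")"
  done
done
```

The run shows `trust-A-only clientB rejected`, which is the failure the thread is about, and `trust-A-and-B clientB trusted` once the second root is in the bundle. The role mapping only keys on the issuer, so it works even when no LDAP lookup into the other domain is possible, matching the "limited role for devices from the other country" option mentioned earlier in the thread.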



  • 7.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 10:47 AM

    Okay I got it

    "The clients must trust the other domain PKI"

    This is the part I was missing

    That is something the client must work on in their PKIs. Right now I believe that's not happening. Both PKIs are independent and are not being trusted. I will have to ask.

    Thank you very much for explaining this to me 

    Kudos!




  • 8.  RE: Clearpasses in different countries with different CAs

    Posted 3 days ago

    Hello Jonas,

    I read that in ClearPass you can install multiple RADIUS/EAP certificates and associate them with a specific service. This feature seems to be useful if CPPM is authenticating users from multiple organizations (I see them as multiple organizations; yes, it's the same company, but the name is a bit different and there are different CAs), and you can match the correct certificate with the service of each domain.

    I was thinking this could work for me, but they want to use the SAME SSID for the people who travel. If we could have a second SSID for all these users that travel, I guess this could work?

    Is what you were telling me up there for using it on a single SSID, using EAP-TLS?

    Thanks




  • 9.  RE: Clearpasses in different countries with different CAs

    Posted 3 days ago
    Hi

    Yes, you can have multiple RADIUS certificates installed as Service Certificates in ClearPass. In that case you have to select the certificate to utilize for each service that should have a certificate other than the server's RADIUS certificate.

    But I think the idea to have the same SSID for all users is a good idea. This will give the least amount of configuration on the clients and in ClearPass, but maybe with restrictions on the access when traveling, if needed. If traveling clients should get another role or VLAN, this can be implemented in the enforcement policy by returning a different set of parameters during the authentication process.

    If you would like to have a separate SSID for traveling computers, it will require more work. So far there are no problems with this, but you also need to configure the clients to trust the correct certificate. I'm not quite sure exactly what you intend to do with the separate SSID for persons traveling, because if I understand correctly that SSID would be the same on all sites. In that case clients not traveling will also see this SSID at the home site, and possibly try to connect to it. Clients jumping back and forth between SSIDs is never good.

    I think that Service Certificates in your case would just make the configuration overcomplicated and hard to troubleshoot, because you need to configure the clients from different parts of the organization differently, and also configure ClearPass to reply with a different certificate based on where in the organization the client is located.

    One thing to keep in mind is that if you have installed a Service Certificate in ClearPass but don't have it selected in any service, it still needs to be valid. If the certificate expires and the RADIUS service restarts, the service will not start again.

    Best Regards

    Jonas Hammarbäck

    Jonas Hammarbäck
    Network Architect - Solutions
    Phone:  +(46) 702178187
    Email:   jonas.hammarback@aranya.se
    Web:     www.aranya.se
    Aranya AB, Hemvärnsgatan 11, 171 54, Solna







  • 10.  RE: Clearpasses in different countries with different CAs

    Posted 2 days ago

    So it is possible to use one SSID and still use 2 services: one service for the home users and one for the travelers.
    You have to duplicate the service, name it accordingly and add an additional service rule. In the service for the home users, you check whether the username ends with the home domain, and in the service for the travelers whether the username ends with the traveler domain.
    Then install the RADIUS server certificates as service certificates and select the corresponding certificate in each service.

    ClearPass then sends users from domain A the RADIUS/EAP server certificate from domain A, and the same happens accordingly for domain B. Travelers and home users always connect at location A and location B with the same SSID.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------