Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius/EAP Server certificates

  • 1.  Radius/EAP Server certificates

    Posted Dec 02, 2022 11:44 AM
    I have a ClearPass deployment that consists of a Publisher and one Subscriber.
    For 802.1X authentications, is it possible to have both the Publisher and the Subscriber use the same RADIUS/EAP server certificate?

    The issue with using two certs is that I have users who travel between sites, where some sites have the Publisher as the RADIUS server and other sites have the Subscriber. This results in the user constantly being prompted to trust the certificate. If I could use a certificate that was common to both servers, this would not be an issue.

    I have explored the option of using a service certificate but I would have to configure over 150 services to use that certificate and then reconfigure annually as the certificate expires and has to be re-issued.

    Thanks in advance for any advice.

    ------------------------------
    Senior Network Analyst
    Ottawa Carleton District School Board
    Ottawa ON
    Canada
    ------------------------------


  • 2.  RE: Radius/EAP Server certificates
    Best Answer

    Posted Dec 02, 2022 12:26 PM
    Yes, just make sure the hostnames of both nodes are in the SAN field.

    What you describe though means the client does not trust the CA that signed your ClearPass certificate.  What is your ClearPass certificate?  Self-signed?  Private CA? Public CA? 

    Also why do you have 150 different services?  What is your use-case?


  • 3.  RE: Radius/EAP Server certificates

    MVP EXPERT
    Posted Dec 03, 2022 10:35 AM
    I use the same RADIUS cert on all cluster nodes, and it's different from the cert used for HTTPS, so all you need to do is make sure the clients recognise the CA that issued the RADIUS cert.
    I use another cert for HTTPS access, and in that case make sure all cluster nodes' FQDNs are in the SAN fields.
    A





  • 4.  RE: Radius/EAP Server certificates

    Posted Dec 05, 2022 07:27 AM
    Thanks for this info.

    Yeah, the 150 services are a bit of a chore, but I have to have them: one for each site / IAP cluster. It all comes down to the accounting proxy target, which is unique to each IAP cluster.




  • 5.  RE: Radius/EAP Server certificates

    EMPLOYEE
    Posted Dec 04, 2022 05:45 PM
    Hi Tpelley,

    RADIUS certificates don't require an FQDN that can be resolved by DNS (assuming your RADIUS certificate is separate from the HTTPS certificate). So it is fine to have a single certificate, e.g. clearpass.yourdomain.co, which can be installed on both ClearPass nodes.

    Make sure that this certificate is signed by a Certificate Authority (CA) and not self-signed. Both ClearPass servers will need to have the CA certificates in the trust store in order to install the certificate. The clients authenticating via ClearPass will also ideally have this CA certificate installed and marked as trusted. You are best off configuring this trust, along with the identity (name) of ClearPass, within the supplicant configuration so that users aren't prompted regarding trust. This might be done in Group Policy or an MDM profile.

    Good luck.


  • 6.  RE: Radius/EAP Server certificates

    Posted Dec 05, 2022 07:28 AM
    Thank You
