With self-signed certificates on RADIUS, you can't properly validate the certificate against a root CA, and with 'don't validate' your should not ever deploy a network unless you don't care about any security and don't care about the PEAP usernames and passwords leaking out to anyone asking for it.
Many Apple devices in such a case remembered the current certificate and will not connect, or prompt the user to accept the new certificate if you are lucky.
My advice: don't use self-signed certificates for EAP, never disable certificate validation; and make sure that you properly configure your certificates and clients.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Apr 12, 2023 07:08 AM
From: fjulianom
Subject: Some doubts about CPPM certificates
Hi Herman,
Why not a self-signed certificate? Because of the warning? And yes, the clients currrently don't validate the certificate.
------------------------------
Regards,
Julian
Original Message:
Sent: Apr 12, 2023 04:33 AM
From: Herman Robers
Subject: Some doubts about CPPM certificates
For RADIUS, don't use a self-signed certificate. A private CA issued certificate is fine, but clients will need to validate the RADIUS certificate against a trusted root (as mentioned private root CA is fine for that).
If you currently really have a self-signed certificate for RADIUS, expect to reconfigure all of your clients as those will not trust the new RADIUS certificate. Some people still disable the server certificate validation in their clients, which brings risks to man-in-the-middle attacks or password attacks. How do you manage/configure your clients?
The replacement of the RADIUS certificate itself is seamless. There may be a few second outage of the ClearPass RADIUS process, but I never noticed that, so it is probably really short.
For RadSec, I think the message of an expired certificate is annoying, and you could install the RADIUS certificate for RadSec as well to get the warning cleared. But in theory, you could ignore the expiration.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 12, 2023 02:25 AM
From: fjulianom
Subject: Some doubts about CPPM certificates
Hi experts,
Some of my certificates are going to expire and I have these doubts:
1. The Radius Server certificate is going to expire. We are using a CPPM self-signed certificate, so I am going to create a new one. When installing this new one Radius certificate, does CPPM need reboot? Does CPPM restart services? Will my users have an impact?
2. My RadSec Server certificate is going to expire too. If I am not using controllers I can ignore this certificate, right?
Many thanks in advance.
------------------------------
Regards,
Julian
------------------------------