ClearPass certificates - things to consider

- ClearPass Certificates 101 Technote

Radius Service
- use a private CA certificate for RADIUS
- use the same RADIUS certificate on all your ClearPass servers
- subject could be: cn=ClearPass-Radius,ou=IT,O=your organisation,L=your location,ST=BW,C=DE
- create the Certificate Signing Request on the first RADIUS server > install the certificate on the first RADIUS server
- after installation > export the RADIUS certificate with the private key and save it to a file
- now import the saved file (certificate and private key) on all other RADIUS servers
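
A check to run on the exported file before importing it on the other RADIUS servers. This is an added example, not part of the original notes. It assumes the export is a PKCS#12 file, that `openssl` is available on the admin workstation, and that the passphrase is in the environment variable `P12_PASS`. The file name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example: check an exported RADIUS certificate bundle before importing
# it on the other ClearPass servers. Assumes the export is a PKCS#12 file and
# that its passphrase is in the exported environment variable P12_PASS
# (both are assumptions of this example, not stated on the page).

# check_bundle FILE EXPECTED_CN
# Returns 0 only if FILE holds a certificate and the private key that belongs
# to it, and the certificate subject contains CN=EXPECTED_CN.
check_bundle() {
    bundle=$1
    want_cn=$2

    # Leaf certificate from the bundle (empty on wrong passphrase or bad file).
    cert=$(openssl pkcs12 -in "$bundle" -passin env:P12_PASS \
               -nokeys -clcerts 2>/dev/null) || cert=
    # Public key as stated in the certificate.
    cpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || cpub=
    # Public key derived from the private key; the key itself stays in the pipe.
    kpub=$(openssl pkcs12 -in "$bundle" -passin env:P12_PASS \
               -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null) || kpub=

    [ -n "$cpub" ] || { echo "FAIL: no readable certificate in $bundle"; return 1; }
    [ -n "$kpub" ] || { echo "FAIL: no private key in $bundle"; return 1; }
    [ "$cpub" = "$kpub" ] || { echo "FAIL: private key does not match certificate"; return 1; }

    # The subject must carry the expected common name.
    subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253)
    case "$subj," in
        *"CN=$want_cn,"*) ;;
        *) echo "FAIL: unexpected subject: $subj"; return 1 ;;
    esac

    # Fingerprint to compare against what each server shows after the import.
    printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha256
    echo "OK: $subj"
}

# Usage: P12_PASS=... sh check_bundle.sh radius-export.p12 ClearPass-Radius
if [ "$#" -eq 2 ]; then check_bundle "$@"; fi
```

The printed SHA-256 fingerprint should be identical on every ClearPass server after the import.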

HTTPS Service
- use a public certificate for https (guest + captive portal)
- wildcard or multi-san recommended
- decide whether to use ECC or not! if not, disable it on all subscribers
- subject should be: cn=*

- Administration > Certificates > Certificate Store
- HTTPS > both ECC and RSA are available; if you only have an RSA certificate, disable the ECC certificate!
(why should you use ECC? faster SSL handshakes - more speed and security)
- Import Certificate, maybe enable the CA Issuer

DNS names: (virtual ip) (publisher) (subscriber 1)

get root certificate for switches:
- DUR (downloadable user roles): the root certificate is required on the switch
get the certificate from the ClearPass server:
on switch#: crypto pki ta-profile https-root
ta-certificate terminal
(you need to leave the ta-profile section)
show certificate:
show crypto pki ta-profile

Aruba ClearPass Workshop (2021) - Getting Started #3 - Installing the HTTPS Certificate on ClearPass
