ClearPass certificates - things to consider

- ClearPass Certificates 101 Technote
V1.2: https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us&docLocale=en_US

Radius Service
- use a private CA certificate for RADIUS
- use the same RADIUS certificate on all your ClearPass servers
- subject could be: cn=ClearPass-Radius,ou=IT,O=your organisation,L=your location,ST=BW,C=DE
- create the Certificate Signing Request on the first RADIUS server > install the certificate on the first RADIUS server.
After installation > export the RADIUS certificate with the private key and save it to a file.
>> now import the saved file with certificate and private key on all other RADIUS servers

HTTPS Service
- use a public certificate for https (guest + captive portal)
- wildcard or multi-san recommended
- decide whether to use ECC or not! if not, disable the ECC certificate on all subscribers
- subject should be: cn=*.your-org.com

Installation:
- Administration > Certificates > Certificate Store
- HTTPS > ECC + RSA are available; if you only have an RSA certificate, disable the ECC certificate!
(why should you use ECC? faster SSL handshakes - more speed and security)
- Import Certificate, maybe enable the CA Issuer

DNS names:
cppm1.testdomain.de: 10.18.2.100 (virtual ip)
cppm1-pub.testdomain.de: 10.18.2.101 (publisher)
cppm1-sub.testdomain.de: 10.18.2.102 (subscriber 1)

get root certificate for switches:
- DUR (downloadable user roles): the root certificate is required on the switch
- get the certificate from the ClearPass server:
  http://x.x.x.x/.well-known/aruba/clearpass/https-root.pem
- on the switch:
  switch# crypto pki ta-profile https-root
  ta-certificate terminal
  ........
  <ctrl>+D
  (you need to leave the ta-profile section)
- show certificate:
  show crypto pki ta-profile
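
The root certificate above is downloaded over plain HTTP, so check it before pasting it into the ta-profile. The following is an added example (not from the original notes or from Aruba) using the openssl CLI; the function names are hypothetical, the sample certificate is constructed, and it assumes you read the reference fingerprint from a trusted source such as the certificate details in the ClearPass admin UI.

```shell
# Added example (constructed data): vet a downloaded https-root.pem before it
# is pasted into "ta-certificate terminal". Requires the openssl CLI.

# SHA-256 fingerprint of a PEM certificate as bare upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# $1 = PEM file, $2 = fingerprint obtained out of band (assumption: read from
# the certificate details in the ClearPass admin UI).
# Succeeds only for an unexpired CA certificate with a matching fingerprint.
check_trust_anchor() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    if ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo "REJECT: not a CA certificate"; return 1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "REJECT: certificate has expired"; return 1
    fi
    if [ "$(cert_fingerprint "$1")" != "$want" ]; then
        echo "REJECT: fingerprint mismatch"; return 1
    fi
    echo "OK: $(openssl x509 -in "$1" -noout -subject)"
}

# Constructed sample certificate so the example runs offline.
# $1 = output PEM, $2 = CA:TRUE or CA:FALSE
make_sample_cert() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=ext' '[dn]' 'CN=constructed-sample' '[ext]' \
        "basicConstraints=critical,$2" > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: the fingerprint is passed in the colon-separated form openssl prints.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/https-root.pem" CA:TRUE
demo_fp=$(openssl x509 -in "$demo_dir/https-root.pem" -noout -fingerprint -sha256 | sed 's/^.*=//')
check_trust_anchor "$demo_dir/https-root.pem" "$demo_fp"
```

With a real download, replace the sample file with the saved https-root.pem and pass the fingerprint you recorded from the trusted source.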

links:
Aruba ClearPass Workshop (2021) - Getting Started #3 - Installing the HTTPS Certificate on ClearPass
https://www.youtube.com/watch?v=S9J-1JQ1V4Q

computer2know :: thank you for your visit :: have a nice day :: © 2024