Understanding PKI
A public key infrastructure (PKI) establishes and manages public key encryption and digital signature services.
The following three entities form a PKI:
Client: Needs to connect securely or verify an identity.
Server: Needs to prove its identity.
Certificate Authority: Validates identities and issues certificates.
Examples:
PKI for the WWW
Client: Web browsers (Chrome)
Server: HTTPS websites (Google.com, Twitter.com)
Certificate Authority: DigiCert, Sectigo, IdenTrust
PKI for an internal corporate network
Client: Employees (work PCs/phones)
Server: Corporate resources (HR portals, ticketing systems)
Certificate Authority: Corporate internal CA
Any combination of client, server and CA is a PKI.
The ClearPass Policy Manager Certificate Store provides four types of server certificates.
RADIUS/EAP Server Certificate
HTTPS Server Certificate
RadSec Server Certificate
Database Server Certificate
RADIUS/EAP Certificate:
Used by the RADIUS server for EAP authentication of clients; the certificate is signed by a private Windows CA.
802.1X supplicants do not trust wildcard certificates, so do not use a wildcard in the certificate common name.
The “Server Authentication” EKU is required.
Usually issued by the Windows CA / private CA.
HTTPS Certificate:
Used by ClearPass for all web-related functions, including its WebUI and its Guest/Onboard pages.
A SAN is required for the HTTPS certificate: one DNS SAN for every FQDN used by ClearPass (a DNS SAN for each server FQDN, a DNS SAN for the virtual address shared by the servers, and DNS SANs for the Onboard and Guest FQDNs in case they are external or different).
The “Server Authentication” EKU is required.
The issuer of the HTTPS certificate needs to be a public CA (Guest and Onboard personal devices need to trust the web portal).
RadSec Certificate:
Used by CPPM to authenticate to network infrastructure devices and establish the RadSec session, in which control traffic is encrypted.
Make sure that the RadSec certificate has a CN and/or SAN that matches the CN and/or one of the SANs in the HTTPS certificate.
Reason:
The switches use a single RADIUS server hostname/IP address and validate both the RadSec and the HTTPS certificate against that same RADIUS server name.
The switches validate the CPPM server's RadSec certificate when setting up the RadSec tunnel, but validate the CPPM server's HTTPS certificate when obtaining the DURs.
Both the “Server Authentication” and “Client Authentication” EKUs are required.
Issued by the Windows CA / private CA.
Database Certificate:
Use a descriptive CN.
The server's IP address can be used as a DNS-type SAN.
The Windows CA can issue this certificate.
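As an added example (not part of the original page, and not an Aruba or HPE tool), the following Go program encodes the RADIUS/EAP, HTTPS and RadSec rules above as checks over parsed X.509 certificates: no wildcard CN and Server Authentication EKU for RADIUS/EAP, a DNS SAN for every required FQDN for HTTPS, and both EKUs plus a CN/SAN shared with the HTTPS certificate for RadSec. The certificates are self-signed test data built in memory; the hostnames under example.internal and example.com are placeholders, and in practice you would load the PEM files exported from ClearPass instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
)

// makeCert builds a self-signed test certificate in memory (constructed data with placeholder names, not a real CA-issued certificate).
func makeCert(cn string, dnsSANs []string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsSANs,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, e := range c.ExtKeyUsage {
		if e == want {
			return true
		}
	}
	return false
}

// names returns the lower-cased DNS SANs as a set; the CN is included only when withCN is true.
func names(c *x509.Certificate, withCN bool) map[string]bool {
	m := map[string]bool{strings.ToLower(c.Subject.CommonName): withCN}
	for _, d := range c.DNSNames {
		m[strings.ToLower(d)] = true
	}
	return m
}

// CheckRadiusEAP: Server Authentication EKU, and no wildcard CN (802.1X supplicants do not trust wildcards).
func CheckRadiusEAP(c *x509.Certificate) (problems []string) {
	if strings.Contains(c.Subject.CommonName, "*") {
		problems = append(problems, "RADIUS/EAP: wildcard CN is not trusted by 802.1X supplicants")
	}
	if !hasEKU(c, x509.ExtKeyUsageServerAuth) {
		problems = append(problems, "RADIUS/EAP: missing Server Authentication EKU")
	}
	return
}

// CheckHTTPS: Server Authentication EKU, and a DNS SAN for every FQDN ClearPass is reached on.
func CheckHTTPS(c *x509.Certificate, requiredFQDNs []string) (problems []string) {
	if !hasEKU(c, x509.ExtKeyUsageServerAuth) {
		problems = append(problems, "HTTPS: missing Server Authentication EKU")
	}
	san := names(c, false)
	for _, f := range requiredFQDNs {
		if !san[strings.ToLower(f)] {
			problems = append(problems, "HTTPS: no DNS SAN for "+f)
		}
	}
	return
}

// CheckRadSec: both EKUs, plus a CN or SAN shared with the HTTPS certificate, because the switch
// validates both certificates against the single RADIUS server name it is configured with.
func CheckRadSec(radsec, https *x509.Certificate) (problems []string) {
	if !hasEKU(radsec, x509.ExtKeyUsageServerAuth) || !hasEKU(radsec, x509.ExtKeyUsageClientAuth) {
		problems = append(problems, "RadSec: needs both Server and Client Authentication EKU")
	}
	h, shared := names(https, true), false
	for n := range names(radsec, true) {
		shared = shared || h[n]
	}
	if !shared {
		problems = append(problems, "RadSec: no CN/SAN in common with the HTTPS certificate")
	}
	return
}

func main() {
	// Constructed sample; example.internal / example.com are placeholder domains, not real ClearPass hosts.
	https := makeCert("cppm1.example.internal", []string{"cppm1.example.internal", "cppm.example.internal"}, x509.ExtKeyUsageServerAuth)
	radsec := makeCert("cppm1.example.internal", nil, x509.ExtKeyUsageServerAuth) // Client Authentication EKU missing
	eap := makeCert("*.example.internal", nil, x509.ExtKeyUsageServerAuth)          // wildcard CN
	fmt.Println(CheckHTTPS(https, []string{"cppm.example.internal", "guest.example.com"}), CheckRadSec(radsec, https), CheckRadiusEAP(eap))
}
```

Each check returns a list of findings rather than failing on the first one, so a single run reports every deviation across the three certificates; the sample deliberately omits the Guest FQDN from the HTTPS SANs, the Client Authentication EKU from the RadSec certificate, and uses a wildcard CN for RADIUS/EAP to show all three findings.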
Deploying Appropriate Certificates on Aruba Solutions:
Considerations for ClearPass Clusters:
When servers in a cluster share a virtual IP address, they should typically also share the same HTTPS, RADIUS/EAP and RadSec certificates.
Each server in the cluster has its own database and its own database certificate.
Certificate Requirements for Network Infrastructure Devices Implementing Captive Portal Redirect
During the redirect, the network infrastructure devices briefly act as HTTPS servers.
They need a captive portal certificate to support this function.
This certificate's CN and SAN must match the FQDN the Aruba network infrastructure devices use to redirect the client's traffic.
Certificate Requirements for Network Infrastructure Devices Implementing RadSec
Network infrastructure devices require RadSec to authenticate to CPPM (this way control traffic is encrypted).
These certificates need the Client Authentication EKU to support the RadSec client functions (mostly switches and gateways) and the Server Authentication EKU to support the Web UI functions (mostly gateways and Mobility Conductors).
The network infrastructure devices can also use the certificates installed in their Trusted Platform Module (TPM) at the factory for RadSec.
These certificates are signed by a secure CA maintained by HPE and Aruba.
Their EKU includes Client Authentication, making them appropriate for RadSec clients.
How to Install Certificates on Network Devices
Certificates can be installed on network devices manually or with EST (Enrollment over Secure Transport).
You can use the ClearPass Onboard CA as an EST server under the company's private CA (create an Onboard CA that is an intermediate of the Windows domain CA).
You then set up EST profiles on the switches, which let the switches automatically contact Onboard and obtain signed certificates.
You do not want the Onboard CA to issue these certificates (which will be valid for RadSec) to just any user in the Guest repository.
ClearPass can perform authorization checks on the username in AD.
A ClearPass service is required to process this request. Use the Aruba Application Authentication service type with the rule “Application Name EQUALS EST”.
Acronyms:
CA – Certificate Authority
AD – Active Directory
PKI – Public Key Infrastructure
EKU – Extended Key Usage
EST – Enrollment over Secure Transport
CPPM – ClearPass Policy Manager