Hi,
Currently deploying a 2 node cluster. It will mainly be used for RADIUS/EAP and TACACS.
I'm thinking of going down the 2 VIP route as mentioned in Herman's YouTube series for the more efficient failover, not for any web requirements (still considering whether this is a bit of an overcomplication in my scenario).
I've been doing a fair bit of reading up on certificates but I just wanted to make sure I've got this right.
As there is no plan for guest/onboarding, I believe the HTTPS certificate will only be used to join the pub and sub, when browsing to the CPPM GUI, and also for DUR if I go down that route with the CX switches. So I need both HTTPS and RADIUS/EAP certificates.
I'm thinking I'd rather use one cert to cover both servers for each service so 2 certs in total, one for EAP on both servers, and one for HTTPS.
The HTTPS cert would be formatted as follows:
- CN:
  - web.cppm.[domain].local ### DNS record doesn't exist - not sure about this, if it does need to exist, what IP would it need to point at???
- SAN:
  - DNS: web.cppm.[domain].local
  - DNS: cppmvip1-cppm.[domain].local ### DNS record exists
  - DNS: cppmvip2-cppm.[domain].local ### DNS record exists
  - DNS: cppm-pub ### actual name of cppm pub server, DNS record exists
  - DNS: cppm-sub ### actual name of cppm sub server, DNS record exists
The RADIUS cert would be formatted as follows:
- CN:
  - auth.cppm.[domain].local ### DNS record doesn't exist
- SAN:
  - DNS: auth.cppm.[domain].local
Does the above look right?
-------------------------------------------