Your RADIUS certificate is usually going to be an old-school standard single host certificate with the single SAN matching the CN. The important thing is that the FQDN really shouldn't have a DNS entry.
Original Message:
Sent: Mar 09, 2026 11:23 AM
From: kb1
Subject: CPPM - Two VIPs and Certificates
Ok, so sounds like DNS wouldn't be required for the VIP in my scenario then.
Just to confirm, my RADIUS entries will suffice, no need to add any specific hosts/VIPs in the SAN for those?
Original Message:
Sent: Mar 05, 2026 09:26 AM
From: chulcher
Subject: CPPM - Two VIPs and Certificates
I suppose you could, but the reason to use a VIP is to simplify the move of an IP address which is useful when the NAD only uses an IP address to define a server. DUR, using the FQDN...just change the DNS mapping should that become a requirement. Which you'd probably end up having to do anyways.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 05, 2026 02:36 AM
From: kb1
Subject: CPPM - Two VIPs and Certificates
Thanks @chulcher.
I think you've swayed me to 2xVIPs :)
In this scenario, would the VIP FQDN not be used for DUR?
Original Message:
Sent: Mar 04, 2026 05:49 PM
From: chulcher
Subject: CPPM - Two VIPs and Certificates
The VIPs make replacement of appliances easier as you don't have to worry about the actual IP address of the appliance should you need to change that for some reason (e.g., deploying new appliances because of an upgrade requirement ala 6.10 to 6.11) or should you be dealing with a NAD that doesn't have the concept of a server group.
You can probably ignore the VIP FQDN, shouldn't ever be using those to access ClearPass as you always want to be on the Publisher. Only reason to have a SAN for a FQDN associated with a VIP is if you need such for captive portal. Otherwise you look good to go.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 04, 2026 10:11 AM
From: kb1
Subject: CPPM - Two VIPs and Certificates
Hi,
Currently deploying a 2 node cluster. It will mainly be used for RADIUS/EAP and TACACS.
I'm thinking to go down the 2 VIP route as mentioned in Herman's YouTube series for the more efficient failover, not for any web requirements (still considering whether this is a bit of an overcomplication in my scenario).
I've been doing a fair bit of reading up on certificates but I just wanted to make sure I've got this right.
As there is no plan for guest/onboarding, I believe the HTTPS certificate will only be used to join the pub and sub, when browsing to the CPPM GUI, and also for DUR if I go down that route with the CX switches. So I need both HTTPS and RADIUS/EAP certificates.
I'm thinking I'd rather use one cert to cover both servers for each service so 2 certs in total, one for EAP on both servers, and one for HTTPS.
The HTTPS cert would be formatted as follows:
- CN:
  - web.cppm.[domain].local  ### DNS record doesn't exist - not sure about this; if it does need to exist, what IP would it need to point at?
- SAN:
  - DNS: web.cppm.[domain].local
  - DNS: cppmvip1-cppm.[domain].local  ### DNS record exists
  - DNS: cppmvip2-cppm.[domain].local  ### DNS record exists
  - DNS: cppm-pub  ### actual name of CPPM pub server, DNS record exists
  - DNS: cppm-sub  ### actual name of CPPM sub server, DNS record exists
The RADIUS cert would be formatted as follows:
- CN:
  - auth.cppm.[domain].local  ### DNS record doesn't exist
- SAN:
  - DNS: auth.cppm.[domain].local
Does the above look right?
-------------------------------------------
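The two certificate layouts discussed in this thread, as an added OpenSSL example that is not part of the original posts or of ClearPass itself. It builds a CSR for the HTTPS certificate (CN plus the two VIP names and the two node names in the SAN) and one for the RADIUS/EAP certificate (a single name, SAN matching the CN), then reads the CSRs back and checks two things a practitioner cares about: that the CN is repeated in the SAN list (modern TLS clients and supplicants ignore the CN), and that the extendedKeyUsage carries serverAuth, which Windows and Apple supplicants require on the EAP server certificate. The domain example.local, the fully qualified node names cppm-pub.example.local / cppm-sub.example.local (the thread uses short names) and the 2048-bit RSA key size are assumptions for the example; nothing here needs the names to resolve in DNS.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearPass. Builds the HTTPS and
# RADIUS/EAP CSRs with OpenSSL and verifies CN/SAN/EKU. Names under example.local
# are hypothetical placeholders for the thread's [domain].local.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr PREFIX CN SAN...  -> writes $WORK/PREFIX.key and $WORK/PREFIX.csr
# Every request gets keyUsage for TLS plus EKU serverAuth: browsers need it on
# the HTTPS cert and EAP supplicants require it on the RADIUS server cert.
make_csr() {
    prefix=$1; cn=$2; shift 2
    cfg="$WORK/$prefix.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n\n'
        printf '[dn]\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for san in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$san"
            i=$((i + 1))
        done
    } > "$cfg"
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.csr" 2>/dev/null
}

# csr_sans PREFIX -> prints the SAN list in the form "DNS:a,DNS:b"
csr_sans() {
    openssl req -in "$WORK/$1.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# csr_cn PREFIX -> prints the CN of the request
csr_cn() {
    openssl req -in "$WORK/$1.csr" -noout -subject | sed 's/.*CN *= *//'
}

# check_cert PREFIX -> 0 if the CN is also a SAN entry and EKU includes serverAuth
check_cert() {
    cn=$(csr_cn "$1")
    sans=$(csr_sans "$1")
    case ",$sans," in
        *",DNS:$cn,"*) ;;
        *) echo "$1: CN $cn is missing from the SAN list"; return 1 ;;
    esac
    openssl req -in "$WORK/$1.csr" -noout -text \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "$1: extendedKeyUsage lacks serverAuth"; return 1; }
}

# HTTPS certificate: CN plus both VIP names and both node names (assumed FQDNs)
make_csr https web.cppm.example.local web.cppm.example.local \
    cppmvip1-cppm.example.local cppmvip2-cppm.example.local \
    cppm-pub.example.local cppm-sub.example.local

# RADIUS/EAP certificate: one name, SAN identical to the CN, no DNS record needed
make_csr radius auth.cppm.example.local auth.cppm.example.local

check_cert https && check_cert radius && echo "both CSRs carry CN-in-SAN and serverAuth"
```

Hand the generated CSRs to the CA and keep the keys on the node that will import the signed certificate; the same RADIUS/EAP certificate (key included) is deployed to both cluster members, which is why a single auth name rather than per-node names is used.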