You probably don't need to have different services. If you keep the same server certificate on the ClearPass EAP service, by adding both Client CAs in the ClearPass Trust List, you can authenticate clients from either client CA. In your policy you CAN check which is the issuing CA and return a different role policy, but in most transitions you don't want that, except maybe close to the end, to find clients that are still using the old certificates.
For EAP-TLS, you don't need the server certificate to be from the same CA/PKI as the client certificate. The client must trust the root of the server certificate; the server/ClearPass needs to trust the client certificate by having it added to the Trust List with purpose EAP and enabled.
Changing the server certificate to one issued by a new RootCA is much harder than changing the client CA.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 07, 2025 10:45 AM
From: SCunningham
Subject: How to handle multiple CAs for one SSID during a CA migration
We are using ClearPass today.
How would we use it to differentiate the logic needed between certificates being presented when the client certificate is being presented after the server certificate? Our devices are dumber in nature where they can't support sending different certificates based on what ClearPass provides, so we need to have a way to distinguish up front.
Original Message:
Sent: Oct 06, 2025 05:19 AM
From: shpat
Subject: How to handle multiple CAs for one SSID during a CA migration
You need to have a NAC (Network Access Controller) in place to differentiate access logic. As @ariyap mentioned, you can do this using Clearpass.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Oct 03, 2025 12:31 PM
From: SCunningham
Subject: How to handle multiple CAs for one SSID during a CA migration
Hey all,
My team is encountering a situation where we are migrating from an onsite Certificate Authority (CA A) that will be retired to a cloud Certificate Authority (CA B) that will replace it.
Our goal is to support all of our clients under one SSID. We utilize EAP TLS as our authentication method.
During this transition, there will be client devices that are of various levels of configurability with many being older and only able to support certificates issued by either CA A or CA B but not both.
We are encountering a reality where a service rule can only support one service certificate issued by either CA A or CA B, but not both.
Our challenge is finding a way to support both CAs with the same SSID for authentication. We are finding it challenging to find criteria that would distinguish devices by what certificate they present, since the Server Certificate is presented first in the EAP transaction, before the Client Certificate, and our clients are very diverse in nature and eventually will all be on CA B.
Does anybody have advice on how to handle multiple CAs in an environment undergoing a rolling migration between CAs?
Summary:
- Environment: Wireless using EAP-TLS
- Goal: One SSID
- Clients can only have one CA at a time
- Need to migrate from CA A to CA B, and clients are already starting to use CA B.
Thank you!
-------------------------------------------