  • 1.  Radius Server Certificate Creation Using ClearPass Onboard CA.

    Posted Nov 03, 2025 02:27 AM

    Hi,

    We have used the CP Onboard CA as an internal CA and created a CP Radius Server Certificate by generating a new CSR, uploading the CSR to the Onboard CA to be signed, then downloading the cert and importing it to the CP server.

    But after creating the trusted certificate using the Onboard CA, during the certificate export there are options to export in .crt and .pem formats. Which format do we need to use for the export? I tried exporting as .pem with "include intermediate CA". Is that correct, or do we need to export both the Root and Intermediate CAs?

    Any advice or recommendations would be greatly appreciated. 



    -------------------------------------------


  • 2.  RE: Radius Server Certificate Creation Using ClearPass Onboard CA.

    Posted Nov 04, 2025 06:37 AM

    You should not use the ClearPass CA for this. Deploy an enterprise CA instead. Are you actually using OnBoard? If so why? What's the use-case for allowing unsecure/unknown/unmanaged endpoints onto the protected network? Why not use an MDM? How will you deal with certificate trust?

    -------------------------------------------



  • 3.  RE: Radius Server Certificate Creation Using ClearPass Onboard CA.

    Posted Nov 04, 2025 09:19 PM

    Hi,

    HPE experts recommended that we can use the Onboard CA as an internal CA. We created a new certificate authority, exported the root and intermediate certs, and pushed these 2 certs via Intune policies to the Windows/MacBook devices. We then created a new CSR and submitted it to the Onboard CA to sign/issue, downloaded the cert and imported it to ClearPass as the Radius Server Certificate. It was working fine for a few months until we generated a new Radius server certificate to troubleshoot MacBook Wi-Fi issues.

    When we use the Onboard CA as an internal CA, the certificate trust will be automatically added to the certificate store and enabled for EAP, RadSec, Others.

    -------------------------------------------



  • 4.  RE: Radius Server Certificate Creation Using ClearPass Onboard CA.

    Posted Nov 04, 2025 10:38 PM

    Who are "HPE Experts"? Personally, I would never advocate for anyone to use the built-in CAs in a NAC platform. A true enterprise PKI or a PKIaaS should always be positioned instead. How is any of this properly automated? How are you handling certificate renewal?

    -------------------------------------------



  • 5.  RE: Radius Server Certificate Creation Using ClearPass Onboard CA.

    Posted Nov 05, 2025 10:03 PM

    You don't provide all the information, like what the authentication method is and how you provision your clients.

    The setup and operation of a CA is quite exacting, and if you don't do things exactly right, you will get all kinds of unpredictable behavior. If you fully understand what you need to do, it should just work. Renewing/replacing the RADIUS server certificate can be challenging and should be carefully planned and tested.

    With the information that you provided, it's not possible to tell why you see what you see. If things suddenly break there is a reason for that, but it's much easier for someone with access to the configuration, design, workflows and devices to find the root cause.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Radius Server Certificate Creation Using ClearPass Onboard CA.

    Posted Nov 05, 2025 10:19 PM

    Hi Herman,

    Here are the details. 

    • ClearPass Server - 2 nodes - Publisher/Subscriber
    • Onboard CA - for Root CA and Intermediate CA, TLS client certificates (SCEP user certificates)
    • Microsoft Intune - Extensions integration with Azure for the endpoint repository
    • Intune SCEP - Extension integration for SCEP user certificates and the SCEP server
    • Root CA, Intermediate CA, SCEP user profile and Wi-Fi profile are pushed from Intune to endpoints like Windows and macOS
    • SCEP user profile configured with the Onboard SCEP server URL to communicate and fetch the user certificate based on the attributes configured, like UPN and https://intunedeviceid
    • We have used the Onboard CA to sign the CSR for the Radius server certificate, which is created with CN=FQDN and DNS:FQDN of the CPPM
    • Authentication for both Wi-Fi and wired is EAP-TLS with No auth source
    • Authorization source is Azure Entra, for the users to get the group names to assign a dynamic VLAN
    • On the CPPM Certificate Trust List, the Onboard Root CA and Intermediate CA are added and enabled for EAP, Others
    • Imported the Radius server certificate and enabled EAP, Others

    Thank you

    -------------------------------------------