When setting up a ClearPass cluster, it is critical to ensure secure communication between the cluster nodes and the client devices. For this purpose, certain certificates must be properly configured.
1. Why HTTPS Requires a CA-Signed Certificate?
HTTPS communication is used for inter-cluster communication and for the web-based user interface that administrators use to manage the ClearPass cluster.
Before joining the cluster, it is strongly recommended to install a CA-signed HTTPS certificate on the Subscriber to ensure secure communication and prevent warnings/errors due to untrusted certificates.
Without a CA-signed certificate, the Subscriber might use a self-signed certificate, leading to security risks and lack of trust validation.
2. Analysis of Other Certificate Types
B. Database:
Incorrect: Database communications within ClearPass clusters are secured using internal certificates or keys. These are not user-facing and do not require a CA-signed certificate before joining the cluster.
C. RADIUS/EAP:
Incorrect: RADIUS/EAP certificates are important for client authentication, but they are not required on the Subscriber prior to cluster joining. These can be configured after the Subscriber is part of the cluster.
D. RadSec:
Incorrect: RadSec is an optional feature for secure RADIUS communication over TLS, and its certificate configuration is typically performed post-cluster setup.
Final Recommendation
To ensure secure cluster operations and seamless web-based management, a CA-signed HTTPS certificate should be installed on the Subscriber before it joins the ClearPass cluster.
References
ClearPass Deployment Guide for Version 6.9.
Best Practices for Certificate Management in ClearPass Clusters.
HPE Aruba ClearPass Cluster Configuration Guide.
