NOTICE: CLEAR RADIUS Certificate Expiring from 2023-06-23 11:30 CDT to 2023-07-08 11:30 CDT
Updates
Scheduled maintenance is currently in progress. We will provide updates as necessary.
On July 24th the RADIUS certificate used for Portnox RADIUS services issued to ‘clear-rad.portnox.com’ will expire. Throughout the course of the next few weeks, Portnox will be slowly migrating customers’ RADIUS services over to our new certificate. Depending on how or if certificate validation has been configured in your 802.1x settings, the expiration of this certificate could result in authentication failures. As a result, it is advised that all customers review the configuration of their 802.1x policies and revise them if necessary, prior to July 24th to avoid any potential disruption of service.
WHAT IS CHANGING & WHY?
On July 24th, the certificate issued to ‘clear-rad.portnox.com’ by the ‘DigiCert Global Root CA’ will expire. A new certificate issued to ‘clear-rad.portnox.com’ by ‘DigiCert Trusted Root G4’ will replace the expired certificate. This will be rolled out slowly in phases over the next several weeks. All customers’ RADIUS services will be fully migrated to this new certificate prior to July 24th.
WHO IS AFFECTED?
Customers whose wired or wireless 802.1x profiles for agentless devices are configured to verify either the actual certificate issued to clear-rad.portnox.com, or the Root CA ‘DigiCert Global Root CA’ that issued the clear-rad.portnox.com certificate, will be directly impacted by this change.
These wired and wireless profiles may be defined locally on each machine, or deployed through a mass device configuration management solution such as Intune, Jamf, Kandji, or Active Directory Group Policy, to name only a few.
WHO WILL NOT BE AFFECTED?
Customers who have configured their wired or wireless 802.1x profiles to verify only the name the certificate was issued to, ‘clear-rad.portnox.com’, are unaffected and will continue functioning normally without any action necessary.
Devices with AgentP installed are also unaffected by this change and require no action to be taken.
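One way to check which of the cases above a Windows profile falls into, as an added example that is not Portnox code: it assumes profiles exported with `netsh wlan export profile`, reads their `TrustedRootCA` and `ServerNames` elements, and covers root CA pinning only (not pinning of the server certificate itself). `classify_profile` is a hypothetical helper, the sample profile is constructed and trimmed to the elements the check reads, and the thumbprints are placeholders; supply the real thumbprints of the two DigiCert roots from your own certificate store.

```python
import xml.etree.ElementTree as ET

SERVER_NAME = "clear-rad.portnox.com"  # name on the RADIUS certificate (from the notice)

def _norm(thumbprint):
    """Windows writes thumbprints as spaced hex pairs; compare without spaces."""
    return "".join(thumbprint.split()).upper()

def classify_profile(xml_text, old_root, new_root):
    """Return how one exported profile validates the RADIUS server."""
    pinned, names = set(), set()
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        text = (el.text or "").strip()
        if tag == "TrustedRootCA" and text:
            pinned.add(_norm(text))
        elif tag == "ServerNames" and text:
            names.update(n.strip().lower() for n in text.split(";") if n.strip())
    old, new = _norm(old_root), _norm(new_root)
    if pinned:
        if {old, new} <= pinned:
            return "both-roots"      # works before and after the migration
        if old in pinned:
            return "old-root-only"   # affected: add the new root
        if new in pinned:
            return "new-root-only"   # works only once the tenant is migrated
        return "other-root"          # trusts neither root named in the notice
    if SERVER_NAME in names:
        return "name-only"           # unaffected per the notice
    return "no-root-or-name"         # nothing in the profile depends on the issuer

# Constructed sample: thumbprints are placeholders, not real DigiCert values.
OLD_ROOT = "AA" * 20
NEW_ROOT = "BB" * 20
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
    <ServerValidation>
      <ServerNames>clear-rad.portnox.com</ServerNames>
      <TrustedRootCA>{roots}</TrustedRootCA>
    </ServerValidation>
  </EapType>
</WLANProfile>"""

if __name__ == "__main__":
    spaced_old = " ".join(["aa"] * 20)  # the spaced form Windows exports
    print(classify_profile(SAMPLE.format(roots=spaced_old), OLD_ROOT, NEW_ROOT))
```

Profiles reported as `old-root-only` are the ones that need the new root added before the tenant is migrated.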
WHAT IS THE IMPACT?
Devices that are affected (see above) will fail to properly authenticate to the network. Within the Portnox Cloud Portal, you will see alerts such as “RADIUS failed to authenticate device due to EAP-TLS error”, “Unknown CA certificate” or “supplicant certificate not present or unreadable” for those affected devices as they attempt to authenticate to the network.
In addition, you may find “EXPIRED” messages appearing in the AAA Troubleshooting Logs.
WHAT DO I NEED TO DO?
If you have determined that you are affected by this change, we strongly recommend taking one of the following actions immediately to ensure there is no interruption in service delivery. The options below are listed in order of complexity. Portnox advises that customers make their own determination about which option best suits the security requirements of their environment.
- Update the list of Trusted Root Certificate Authorities to include both the existing ‘DigiCert Global Root CA’ as well as the new ‘DigiCert Trusted Root G4’. After July 24th, it will be safe to remove any reference to the previous ‘DigiCert Global Root CA’ from your 802.1x configuration profiles.
  The DigiCert Global Root CA has been included in Windows since 2020, MacOS since Mavericks 10.4, in iOS 12 and later, and Android 12 and newer. If you are running an older operating system version, it is possible that the DigiCert Global Root CA is not included and will need to be added. The DigiCert Global Root CA certificate can be downloaded here > https://portnox.box.com/v/trusted-root-ca
- Deploy AgentP to all devices which are supported. This includes Windows, MacOS, Linux, Android, and iOS. https://clear.portnox.com/agentinstall
- Update wired and wireless 802.1x configuration profiles to verify only the name that the certificate was issued to, ‘clear-rad.portnox.com’, rather than the actual certificate or issuing certificate authority.
- Add our newly updated RADIUS certificate to your 802.1x configuration profiles. This certificate will be available through the Portnox Cloud portal once your tenant has been successfully updated. However, you can download this certificate from the following link prior to the update to minimize any impact to your service delivery. https://portnox.box.com/v/clear-rad-certificate
IMPROVEMENTS
The update to our RADIUS certificate increases the bit strength from 2048 to 4096. The signature algorithm also changes from SHA-256 to SHA-384.
HELP! I DON’T KNOW WHAT TO DO
If you find yourself confused and uncertain about what all this techy geek speak means to you and for your environment, fret not. We have outstanding support staff who can help determine if you are affected, and ensure you are taking the proper steps to mitigate any potential disruption of service. To open a case, simply visit the following URL > https://support.portnox.com