
LDAP search fails with error: ssl3_get_server_certificate:certificate verify failed over port 636
Problem:

LDAP search fails with the below error:


2016-10-07 14:18:52,822    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:ad2012.aruba.com
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: administrator@jacobsenconstruction.com bind to ad2012.aruba.com:636 failed: Can't contact LDAP server
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)


The intermediate CA and root CA certificates of the LDAP/AD server are in the ClearPass trust list, yet ClearPass fails to verify the server certificate.



Diagnostics:

While running an LDAP search over port 636, ClearPass was observed to fail the TLS handshake with the LDAP/AD server with an Unknown CA error (the unknown_ca alert a TLS client sends when it cannot validate the server certificate).


Confirmed that the intermediate and root CA certificates of the LDAP/AD server are in the ClearPass trust list, which can be viewed under Administration -> Certificates -> Trust List.

Solution

Starting with ClearPass 6.6, the AD/LDAP server's own certificate must be imported into the ClearPass trust list in addition to the intermediate and root CA certificates before an LDAP search over port 636 (AD over SSL) will work.


After the AD/LDAP server certificate was imported into the ClearPass trust list, ClearPass established the TLS session with the LDAP/AD server over port 636 and the LDAP search succeeded.

Two points are worth keeping in mind with this fix. The OpenSSL reason in the log, "unable to get issuer certificate", means the verifier did find an issuer in the trust list but could not continue from that issuer up to a self-signed root (a missing intermediate is reported as "unable to get local issuer certificate" instead), so it is worth confirming that the root in the trust list is actually the one that signed the intermediate, and checking which chain the domain controller sends in the handshake. And because the fix trusts the server's own certificate, the import has to be repeated whenever that certificate is renewed on the domain controller, or the LDAP search may fail again after renewal.
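The difference between the two OpenSSL reasons, and the trust-list contents that make verification succeed, can be reproduced offline. The script below is an added example and is not part of the Aruba article or of ClearPass: it generates a throwaway root CA, issuing CA and server certificate with openssl and runs the server certificate through "openssl verify" with several trust stores standing in for the ClearPass trust list. OpenSSL is also what produced the error string in the log, but the script does not reproduce ClearPass's own trust-list handling. The CA names, config section names and temp directory are this example's own; the host name is the one from the log.

```shell
#!/bin/sh
# Added example (not from the Aruba article): build a throwaway
# root CA -> issuing CA -> LDAP server certificate chain with openssl and
# run the server certificate through "openssl verify" with different trust
# stores. CA names and section names are this example's own; the host name
# is the one from the log. Nothing here touches a real domain controller.
set -e

WORK=$(mktemp -d)

# Minimal openssl config: a DN section (overridden by -subj), a CA profile
# and a server profile.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ad2012.aruba.com
EOF

# root.pem (self-signed) -> inter.pem (signed by root) -> server.pem
# (signed by inter); store_root_inter.pem mirrors a trust list that holds
# both the root and the intermediate CA certificate.
make_chain() {
    d=$WORK
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.pem" -subj "/CN=Example Root CA" -days 365 \
        -config "$d/ca.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" \
        -out "$d/inter.csr" -subj "/CN=Example Issuing CA" -config "$d/ca.cnf" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/inter.pem" -days 365 \
        -extfile "$d/ca.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=ad2012.aruba.com" -config "$d/ca.cnf" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/server.pem" -days 365 \
        -extfile "$d/ca.cnf" -extensions v3_server 2>/dev/null
    cat "$d/root.pem" "$d/inter.pem" > "$d/store_root_inter.pem"
}

# verify_result STORE LEAF [SENT]
# Prints "OK" or OpenSSL's verify reason. STORE plays the ClearPass trust
# list; SENT, if given, is treated as untrusted chain material, i.e. what
# the server handed over in the TLS handshake alongside its own certificate.
verify_result() {
    store=$1; leaf=$2; sent=${3:-}
    if [ -n "$sent" ]; then
        out=$(openssl verify -CAfile "$store" -untrusted "$sent" "$leaf" 2>&1) && { echo OK; return 0; }
    else
        out=$(openssl verify -CAfile "$store" "$leaf" 2>&1) && { echo OK; return 0; }
    fi
    # Failure output contains "error N at D depth lookup: <reason>"
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# Against a real domain controller: list the chain it actually sends
# (subject and issuer of each certificate). Needs the network, so it is
# defined here but not run; compare its output with the trust list.
show_sent_chain() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null |
        grep -E '^ *[0-9]+ s:|^ *i:'
}

make_chain
echo "trust list = root only,  leaf alone:       $(verify_result "$WORK/root.pem" "$WORK/server.pem")"
echo "trust list = inter only, leaf alone:       $(verify_result "$WORK/inter.pem" "$WORK/server.pem")"
echo "trust list = root+inter, leaf alone:       $(verify_result "$WORK/store_root_inter.pem" "$WORK/server.pem")"
echo "trust list = root only,  inter sent by DC: $(verify_result "$WORK/root.pem" "$WORK/server.pem" "$WORK/inter.pem")"
```

With only the root in the store and nothing but the leaf to work with, OpenSSL reports "unable to get local issuer certificate": the intermediate is missing from both the handshake and the store. With only the intermediate in the store it reports "unable to get issuer certificate", the reason seen in the ClearPass log: the issuer was found in the store, but the chain could not be carried on to a self-signed root. The other two rows succeed, either because the store holds root and intermediate or because the server sent the intermediate itself. To see what a real domain controller sends, run show_sent_chain against its host name.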

Version history
Revision #: 3 of 3
Last update: 06-01-2017 08:04 AM