Question: Why am I not able to map a new certificate to the 802.1x profile on the backup or standby controller?
Environment: This article applies to all controller models and OS versions.
Usually, we create and upload separate certificates for the master and the standby controllers so that the 802.1x clients can be served by the standby controller in case the master goes down. Each controller needs to have its own certificate mapped in the 802.1x profile for authentication purposes.
However, the majority of the configuration on the standby controller is pushed from the master, including the certificate mapping in the 802.1x profile. We cannot map a different certificate from the backup controller’s WebUI or CLI (the fields will be greyed out). As a result, if the certificates on the master and the backup have different names, the master would not have the certificate that needs to be mapped on the backup controller.
Let us understand this with an example:
We have certificates with different names for the master and backup controllers:
Certificate name for master controller - MasterCert.pem
Certificate name for standby controller - BackupCert.pem
Now, since the certificate can be mapped to the 802.1x profile only through the master controller (the same config gets pushed to the standby controller), we can map only one certificate name in the 802.1x profile for both the master and the backup controller.
However, as the certificate uploaded on the backup controller has a different name, it will not be used for 802.1x authentication on the backup controller.
In order to use the backup controller's certificate (BackupCert.pem), we would need to upload it with the same certificate name as that on the master controller (MasterCert.pem).
Rename the backup certificate to match the master certificate’s name and upload it on the standby controller.