Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP515 Home Broadband Connection

  • 1.  IAP515 Home Broadband Connection

    Posted Nov 30, 2020 04:27 AM
    Hi

    We are potentially looking to use the external ClearPass interface for all RADIUS authentications for our office IAPs. To test this I have an IAP515 connected to a home broadband router, and Aruba Central has detected and connected to it. We have deployed our Azure OAuth SSID but I am not seeing any RADIUS attempts coming from this IAP hitting our CPPM external interface. Is there anything specific that I am missing in the setup to get this working from a home broadband setup?

    ------------------------------
    Jeremy Smith
    ------------------------------


  • 2.  RE: IAP515 Home Broadband Connection

    EMPLOYEE
    Posted Dec 01, 2020 04:41 AM
    How is the RADIUS traffic supposed to reach your Clearpass server? It is not recommended to send that (unencrypted) over the internet but rather set up a VPN or use another connection that allows secure connectivity without NAT.

    How did you conclude that the traffic is not reaching the ClearPass? Did you capture the traffic?

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: IAP515 Home Broadband Connection

    Posted Dec 01, 2020 04:50 AM
    Sorry, forgot to add that we are using RadSec for the communication over the internet to ClearPass, but we are having lots of issues with certificates and the CA. We see the RadSec comms but are getting:
    TLS connection couldn't connect for *.*.*.*: Errors: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 4.  RE: IAP515 Home Broadband Connection

    EMPLOYEE
    Posted Dec 01, 2020 04:58 AM
    What type of certificates have you installed for Radsec on the ClearPass and IAP (like sourced from which CA)? Have you enabled the root (and intermediates) that issued the IAP Radsec certificate to the Trust list on ClearPass and enabled for Radsec? Does the IAP trust the ClearPass Radsec certificate?

    The message says that the root is not trusted; it's not fully clear where you collected that log and if it is the IAP not trusting ClearPass or vice versa.

    For Radsec, having the certificates right is critical to make it work. That is also why it is typically not common to have Radsec deployed internally.

    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: IAP515 Home Broadband Connection

    Posted Dec 02, 2020 04:05 AM
    Hi Herman

    I am trying to use the same cert that I am using for HTTPS, which is a Sectigo wildcard cert. I have exported and imported it for RadSec in ClearPass, and the intermediate and root are already trusted. I then imported this as a CA in Central. Would I need to get a new client cert for the VC to use for RadSec?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 6.  RE: IAP515 Home Broadband Connection

    EMPLOYEE
    Posted Dec 02, 2020 04:26 AM
    For RadSec you need to have a certificate on the AP/VC/controller as well, and that certificate should be trusted by ClearPass (root and intermediates should be in the Trust List and enabled for RadSec). You can use a public certificate; I did not try a wildcard for RadSec on the client side, but more common is to get a certificate from a private CA, such as AD Certificate Services. ClearPass Onboard should work as well.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: IAP515 Home Broadband Connection

    EMPLOYEE
    Posted Dec 04, 2020 10:06 AM
    I just built RadSec in my lab, and you don't absolutely need a certificate on the IAP, you can also use the factory certificate which is in the TPM of the AP as the client certificate (and if you imported one already you can remove it with the command 'clear-cert radsec' on the CLI).

    Also during the testing got the same message: TLS connection couldn't connect for 192.168.33.160: Errors: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca; at which point I did not have the Root CA for the client cert that the IAP is using enabled for Radsec in the Trust List.

    For the AP hardware certificate, that is CN=Aruba Networks Trusted Computing Root CA 1.0,C=US,O=Aruba Networks,OU=Operations,OU=DeviceTrust; and it needs to be enabled for the Usage type RadSec.

    I tested as well with a Client certificate issued by the Onboard module. If you deployed your own client certificate, the Root CA for that needs to be enabled for RadSec.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: IAP515 Home Broadband Connection

    Posted Dec 04, 2020 10:16 AM
    Yes, that is exactly what I found in my packet captures. I enabled the Aruba CA and it started to work. I also found that even with dynamic RADIUS enabled it was still using the private address of the AP instead of the public one, so I had to manually add the public IP as the NAS IP Address within the authentication server config in Aruba Central. Now all is working fine.

    Thanks for your help

    ------------------------------
    Jeremy Smith
    ------------------------------
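The last post describes a NAS behind a home router sending its private LAN address in NAS-IP-Address. As an added example (not code from the thread, Aruba, or ClearPass), the following decodes a RADIUS Access-Request and flags a NAS-IP-Address that is not routable over the internet, which is the check a RADIUS server administrator would want when an AP authenticates through NAT. The packets, usernames and addresses are constructed for the example.

```python
import ipaddress
import struct

# RADIUS header (RFC 2865): Code(1) Identifier(1) Length(2) Authenticator(16)
HEADER = struct.Struct("!BBH16s")
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32

# Address space that cannot be the public NAS address of an AP behind a home router:
# RFC 1918, shared CGNAT space, link-local and loopback.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

def build_access_request(identifier, authenticator, attrs):
    """Encode an Access-Request from (type, value_bytes) pairs (TLV, length includes the 2-byte header)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(body), authenticator) + body

def parse_attributes(packet):
    """Return (type, value) tuples, refusing packets whose lengths are inconsistent."""
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet) or length < HEADER.size:
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = [], HEADER.size
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs

def check_nas_ip(packet):
    """Return (nas_ip_str, is_non_routable); (None, False) if the attribute is absent."""
    for t, v in parse_attributes(packet):
        if t == NAS_IP_ADDRESS and len(v) == 4:
            ip = ipaddress.IPv4Address(v)
            return str(ip), any(ip in net for net in NON_ROUTABLE)
    return None, False

# Constructed samples: the authenticator would be 16 random bytes in a real request.
AUTH = bytes(range(16))
PRIVATE_NAS = build_access_request(7, AUTH, [(USER_NAME, b"alice"),
    (NAS_IP_ADDRESS, bytes([192, 168, 1, 20])), (NAS_IDENTIFIER, b"iap515-vc")])
PUBLIC_NAS = build_access_request(8, AUTH, [(USER_NAME, b"alice"),
    (NAS_IP_ADDRESS, bytes([203, 0, 113, 10])), (NAS_IDENTIFIER, b"iap515-vc")])

if __name__ == "__main__":
    for name, pkt in (("private", PRIVATE_NAS), ("public", PUBLIC_NAS)):
        print(name, check_nas_ip(pkt))
```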