last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

DUP on CX switch

Jump to Best Answer
  • 1.  DUP on CX switch

    Posted Oct 13, 2020 04:20 AM

    When working with a "normal"  ArubaOs switch ( provision on steroids) the radius-server host a.b.c.g clearpass command  automagically stores the root CA of the https cert on the cppm server  so that the switch can validate the cppm https cert when pulling down downloadable user proflles ( using a pre-defined userid an password)


    In CX, although  you can specify a clearpass user and password haven;t found a simple way of doing the same


    Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)


    used te crypto pki ta-profile


    command to create a profile and uploaded  the lets encrypt root onto the switch from the command line but  didn;t seem to make much difference.


    If someone could point me at the section inthe apropriate manual  would be much appreciated

  • 2.  RE: DUP on CX switch
    Best Answer

    Posted Oct 13, 2020 06:46 AM



    Just add the certificates to the switch, and ensure the ClearPass certificate subject name does match the server fqdn you set on the switch. Make sure you add both root CA and intermediate CAs certificates:


    crypto pki ta-profile <root>
      certificate of the root
    crypto pki ta-profile <intermediate>
      certificate of the intermediate


    I also did the following, to ensure no race condition happens when I reboot the switch:


    ip dns host cppm.mydomain.com







  • 3.  RE: DUP on CX switch

    Posted Oct 13, 2020 10:36 AM


    Well did most of that, and didn;t work. What I didn't do was set up an FQDN for the cppm server, used an ip address.


    Added an FQDN entry and still didn;t work. Rebooted switch and it all sprang into life


    Many thanks


  • 4.  RE: DUP on CX switch

    Posted Oct 13, 2020 12:59 PM

    IP would only work if you had the IP address on your ClearPass certificate (highly unlikely).

    So, the server must be added with FQDN, not IP.

    The IP dns entry just makes it so that you don't depend on your DNS servers to be reachable.


    Unsure why you required a reboot though.


  • 5.  RE: DUP on CX switch

    Posted Oct 13, 2020 02:13 PM
    Certainly all works now, just assumed it would follow on from an ArubaOS switch which is far more user friendly From the cert installation point of view
    On that learning curve

    Sent from my iPhone

  • 6.  RE: DUP on CX switch

    Posted 25 days ago
    Hello, after a lot of troubleshooting, we found the fix to this exact issue.

    In regards to the Issue: Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)

    The Common Name of the certificate MUST match the radius-server host DNS entry in the switch.

    We originally used the same HTTPS certificate with multiple SANs of all of our appliance names which no longer work when using UBT with ArubaOS-CX.

    In our large deployment, we ended up having to generate individual certificates for each ClearPass appliance as the Common Name and then used the same SANs to assist us with WebUI management and captive-portal redirections.

    Changing the ClearPass Hostname and or FQDN did not change the outcome in our testing.

    Hope this helps the next!


    Mat Lehn