When working with a "normal" ArubaOS switch (provision on steroids) the radius-server host a.b.c.g clearpass command automagically stores the root CA of the https cert on the cppm server so that the switch can validate the cppm https cert when pulling down downloadable user profiles (using a pre-defined userid and password).
In CX, although you can specify a clearpass user and password, I haven't found a simple way of doing the same.
Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)
Used the crypto pki ta-profile command to create a profile and uploaded the Let's Encrypt root onto the switch from the command line, but it didn't seem to make much difference.
If someone could point me at the section in the appropriate manual, it would be much appreciated.
Just add the certificates to the switch, and ensure the ClearPass certificate subject name does match the server FQDN you set on the switch. Make sure you add both the root CA and intermediate CA certificates:
crypto pki ta-profile <root>
certificate of the root
crypto pki ta-profile <intermediate>
certificate of the intermediate
I also did the following, to ensure no race condition happens when I reboot the switch:
ip dns host cppm.mydomain.com 192.168.1.1
Well, did most of that, and it didn't work. What I didn't do was set up an FQDN for the cppm server; I used an IP address.
Added an FQDN entry and it still didn't work. Rebooted the switch and it all sprang into life.
IP would only work if you had the IP address on your ClearPass certificate (highly unlikely).
So, the server must be added with FQDN, not IP.
The IP dns entry just makes it so that you don't depend on your DNS servers to be reachable.
Unsure why you required a reboot though.
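A workstation-side check of the two points made in the replies above (both the root and the intermediate CA must be trusted, and the name the client connects to must be in the certificate), as an added example that is not part of the original thread. The three-tier lab PKI, CA names and file names are constructed; cppm.mydomain.com and 192.168.1.1 are the placeholders used above, and reading the switch's "(20)" as OpenSSL verify error 20 (unable to get local issuer certificate) is an assumption.

```shell
#!/bin/sh
# Constructed lab PKI (not real ClearPass certs): root -> intermediate -> server.
build_pki() {  # $1 = empty working directory
    d=$1
    cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[srv]
subjectAltName = DNS:cppm.mydomain.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/x.cnf" \
        -extensions ca -subj "/CN=Lab Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root, server cert signed by the intermediate.
    issue "$d" int "/CN=Lab Intermediate CA" ca root &&
    issue "$d" srv "/CN=cppm.mydomain.com" srv int &&
    cat "$d/root.pem" "$d/int.pem" > "$d/both.pem"
}
issue() {  # dir, name, subject, extension section, issuer name
    openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
        -set_serial 1 -days 2 -extfile "$1/x.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}
# Prints "OK" or the OpenSSL verify error number. $1 = trusted CA bundle,
# $2 = server cert, remaining args = extra options such as -verify_hostname.
verify_code() {
    ca=$1; leaf=$2; shift 2
    if out=$(openssl verify -CAfile "$ca" "$@" "$leaf" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
    fi
}
demo() {
    d=$(mktemp -d) && build_pki "$d" || return 1
    echo "root only trusted:   $(verify_code "$d/root.pem" "$d/srv.pem")"
    echo "root + intermediate: $(verify_code "$d/both.pem" "$d/srv.pem")"
    echo "server set by FQDN:  $(verify_code "$d/both.pem" "$d/srv.pem" -verify_hostname cppm.mydomain.com)"
    echo "server set by IP:    $(verify_code "$d/both.pem" "$d/srv.pem" -verify_ip 192.168.1.1)"
    rm -rf "$d"
}
demo
```

Against a real deployment, point `verify_code` at the CA files loaded into the ta-profiles and at the ClearPass HTTPS certificate exported as PEM.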