Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Importing Certificate to 3810M to enable Downloadable Roles for ClearPass

  • 1.  Importing Certificate to 3810M to enable Downloadable Roles for ClearPass

    Posted Sep 23, 2019 10:46 AM

    Hi,

     

    I have imported the Subordinate CA into ClearPass, as well as the SSL certificate so that HTTPS successfully works. I now need to import the CA onto the access switch (3810M) to enable the downloadable user role function.

     

    I have followed the guide (Wired Policy Enforcement) and created the ta-profile. However, the guide then says to use TFTP or SFTP to import the certificate, but this is not feasible as the customer will not open the required ports on their DC firewalls. Is there another way to get the certificate onto the switch?

     

    Thanks in advance. 


    #3810


  • 2.  RE: Importing Certificate to 3810M to enable Downloadable Roles for ClearPass
    Best Answer

    Posted Sep 23, 2019 01:46 PM

    You can use the USB port, or connect locally to the switch and uplink via a directly connected Ethernet port.

     

    BUT...

     

    There is no need for manual installation anymore.

     

    From the manual:
    To improve the ease of deployment, Aruba switch allows automatic downloading of the root CA certificate of ClearPass servers. As a part of the ZTP process, if the configuration of the switch is provided with an additional keyword ClearPass in RADIUS configuration, the switch will contact ClearPass and download the root CA certificates. This simplifies use cases such as Downloadable User Roles as well as Device Fingerprinting with ClearPass

    Please read the latest Access Security Guide for ArubaOS-Switch; you will need certain firmware levels on both switch and ClearPass.

     

    Config Example:
    # radius-server host <IP> clearpass
    # crypto ca-download usage clearpass retry 3

     



  • 3.  RE: Importing Certificate to 3810M to enable Downloadable Roles for ClearPass

    Posted Sep 24, 2019 08:54 AM

    Thanks Fabian, I was going to use a USB but couldn't figure out how to associate it with the ta-profile. I will upgrade my switch and give the automatic download a go!

     

    Thanks.