View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Radius Service stopped working after service certificate expired

This thread has been viewed 10 times
  • 1.  Clearpass Radius Service stopped working after service certificate expired

    Posted Dec 01, 2021 03:04 PM
    We had an interesting issue on our Clearpass cluster environment recently. 
    Little background about our current setup:
    -4 node cluster (1 publisher, 3 subscriber) running 6.8.9 with the latest security updates
    -About 20 different Service Certificates for Active Directory authentication sources
    -About 60 different active Radius Services for serving wlan/lan/VPN solutions

    One of our Service Certificates was expiring so we uploaded new Certificate to replace the expiring one.
    We created new Service above the one with the expiring Service Certificate, so all the authentication requests would be handled by this new Service with the new Service Certificate (Service rules between these two were identical).
    At this stage we didn't remove the Service with the soon to be expired certificate because the possibility of rollback during the transition phase (if not all computers had the certificate issued by this new CA).

    This was few weeks ago and last week the certificate expired. This caused the Radius Service on all of our cluster nodes to stop. 
    Radius Service couldn't be started manually on any of the nodes. When trying to start the service following "error" was given:
    (Failed to start Radius server - Performing action start on Radius server [cpass-radius-server.service])

    By looking through the event viewer log, we guessed the issue might be caused by the expired service certificate. 
    So we removed the old Service and the expired Service Certificate and Radius Service was started without problems on all of our cluster nodes.

    We have an open TAC case regarding this issue. However the response from TAC seems to be that this is expected behavior and not a bug.

    I realize that the best practice is to remove the expiring certificate when new one is imported.

    Does anyone have any thoughts about this being "expected behavior"? I still can't understand how one expired service certificate can stop the whole Radius Service from functioning?

    Emil Laitinen

  • 2.  RE: Clearpass Radius Service stopped working after service certificate expired

    Posted Dec 02, 2021 04:38 AM

    I do have thoughts about this, but keep them for myself if you don't mind ;-). Are you in contact with your local Aruba SE? Please reach out to her/him and ask for help to bring this to the attention of the product team. Let me know (personal message reply) if you don't know who to contact, with your contact details (country, company, mail/phone, etc) so I can bring you in contact.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.