Hi,
We had an interesting issue on our Clearpass cluster environment recently.
A little background about our current setup:
- 4-node cluster (1 publisher, 3 subscribers) running 6.8.9 with the latest security updates
- About 20 different Service Certificates for Active Directory authentication sources
- About 60 different active Radius Services for serving wlan/lan/VPN solutions
One of our Service Certificates was expiring, so we uploaded a new Certificate to replace the expiring one.
We created a new Service above the one with the expiring Service Certificate, so all the authentication requests would be handled by this new Service with the new Service Certificate (Service rules between these two were identical).
At this stage we didn't remove the Service with the soon-to-be-expired certificate because of the possibility of rollback during the transition phase (if not all computers had the certificate issued by this new CA).
This was a few weeks ago, and last week the certificate expired. This caused the Radius Service on all of our cluster nodes to stop.
The Radius Service couldn't be started manually on any of the nodes. When trying to start the service, the following "error" was given:
(Failed to start Radius server - Performing action start on Radius server [cpass-radius-server.service])
By looking through the event viewer log, we guessed the issue might be caused by the expired service certificate.
So we removed the old Service and the expired Service Certificate, and the Radius Service was started without problems on all of our cluster nodes.
We have an open TAC case regarding this issue. However, the response from TAC seems to be that this is expected behavior and not a bug.
I realize that the best practice is to remove the expiring certificate when a new one is imported.
Does anyone have any thoughts about this being "expected behavior"? I still can't understand how one expired service certificate can stop the whole Radius Service from functioning?
------------------------------
Emil Laitinen
------------------------------