Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
DUR not downloaded | ssl error

  • 1.  DUR not downloaded | ssl error

    Posted Apr 07, 2021 03:13 AM
    Hi all,

    I am working on getting UPT to work on my 2930F & ClearPass.
    Currently, I got stuck with downloading my user role.
    The authentication of my test-client works fine and the following radius-response is sent to the switch.
    Nevertheless, when running "show user-role downloaded" no user role is listed and no tunnel to the controller is established.
    When debugging SSL security I discovered that my certificate is marked as expired. My certificate is the root certificate from my Windows testing PKI.

    To my thinking, the certificate should be valid, because it expires in 2521:


    Is there another problem or is my root certificate the real problem?

    Best regards
    Michael

    ------------------------------
    Michael
    ------------------------------


  • 2.  RE: DUR not downloaded | ssl error

    MVP GURU
    Posted Apr 07, 2021 07:31 AM
    Did you create the ClearPass login user for the switch to log in to ClearPass and perform an HTTP GET to retrieve the role information? Also, your switch needs to trust the certificate chain from ClearPass.

    ------------------------------
    Dustin Burns
    ------------------------------



  • 3.  RE: DUR not downloaded | ssl error

    EMPLOYEE
    Posted Apr 07, 2021 08:23 AM
    You can't use the root certificate itself for ClearPass; instead, issue a certificate from that root for your ClearPass. Role downloads require the server certificate to be issued by another CA; the root itself is self-signed (by definition).

    The expiration time of 500 years might be an issue as well, but first, make sure you are not using the root CA itself as ClearPass server certificate.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
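
A pre-flight check for the certificate points raised in replies 2 and 3, as an added example that is not part of the thread and not Aruba tooling: it uses the `openssl` CLI to tell a self-issued root from a CA-issued server certificate, confirms the chain to a trust anchor, and flags a very long lifetime. The function names, the throwaway PKI subjects and the 30-year review threshold are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; names, subjects and the 30-year threshold are assumptions.

# A root CA is self-issued: its subject hash equals its issuer hash.
is_self_issued() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Year field of a line such as "notAfter=Apr  7 03:13:00 2521 GMT".
expiry_year() {
    openssl x509 -noout -enddate -in "$1" | awk '{print $(NF-1)}'
}

# True when certificate $1 validates against trust anchor $2.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print one line per finding; return non-zero if anything needs attention.
check_server_cert() {
    cert=$1; anchor=$2; max_years=${3:-30}; rc=0
    if is_self_issued "$cert"; then
        echo "FAIL: self-issued (root used as server certificate)"; rc=1
    fi
    if ! chains_to "$cert" "$anchor"; then
        echo "FAIL: does not chain to the given trust anchor"; rc=1
    fi
    years=$(( $(expiry_year "$cert") - $(date +%Y) ))
    if [ "$years" -gt "$max_years" ]; then
        echo "WARN: expires in about $years years"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: CA-issued, chains to anchor, lifetime in range"
    return "$rc"
}

# Constructed test PKI: a 500-year root and a 1-year server cert issued by it.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 182500 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=clearpass.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -days 365 -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d); make_test_pki "$tmp"
check_server_cert "$tmp/root.pem" "$tmp/root.pem" || true   # root as server cert
check_server_cert "$tmp/leaf.pem" "$tmp/root.pem" || true   # issued server cert
```

Against a real deployment, pass the PEM file of the ClearPass HTTPS server certificate as the first argument and the root the switch trusts as the second.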



  • 4.  RE: DUR not downloaded | ssl error
    Best Answer

    Posted Apr 08, 2021 09:29 AM
    My error was that I had the switch listed within ClearPass with a wrong IP address...

    ------------------------------
    Michael
    ------------------------------