Airwave / Clearpass CA

  • 1.  Airwave / Clearpass CA

    Posted Aug 17, 2021 08:49 AM
    I am having an issue with Airwave and Clearpass and Downloadable User Roles. Our Instant APs are having an issue downloading the Clearpass CA automatically (Cert Error). BUT when I disconnect the APs from Airwave, upload the certificate, and set the clearpassca cert profile directly in the Instant, it works fine.

    I can't find a place in Airwave to force the clearpassca like you can from the command line. I have attempted using a template, but I still have to upload the certificate on the Instant, because certificates pushed from Airwave to an Instant aren't given a name apparently, so there is no way to assign it without uploading a certificate manually into the Instant. When uploading a certificate manually, Airwave shows a Mismatched on the VC.

    Is there a way to force the certificate to the clearpassca in Airwave? Have I missed something extremely obvious, or is Airwave just not capable of doing that?

    The TrustedCA in Airwave for the Instant APs has been added to the Trusted Cert list in Clearpass and enabled.  Also in Clearpass I set the certificate with all options enabled just in case.

    I hope someone out there understands my gibberish.

    Airwave Version 8.2.13.0
    Instant Version 8.7.1.4
    Clearpass Version 6.10.0

    ------------------------------
    Kenny Milan
    ------------------------------


  • 2.  RE: Airwave / Clearpass CA

    EMPLOYEE
    Posted Aug 17, 2021 09:53 AM

    After you upload a certificate to AirWave, the certificate file becomes available on additional pages where you can select certificate files, including AMP Setup > Authentication and Groups > Basic > Certificates. You can later choose this certificate for an IAP by navigating to the Group > Basic page for the device group that contains IAPs.

    Upload the ClearPass certificate as RADIUS or CP cert. The AirWave User Guide details these options.



    ------------------------------
    Gowri Sankar Amujuri
    ------------------------------



  • 3.  RE: Airwave / Clearpass CA

    Posted Aug 17, 2021 05:08 PM
    Yes, I understand all of the Certificates in Airwave. That isn't an issue. RADIUS / HTTPS work fine on Airwave and clients and login etc. etc. etc.

    I did do more digging and found that

    http://10.66.3.252/.well-known/aruba/clearpass/https-root.pem

    Gives me a 404 error as opposed to the certificate. When I browse to the subscriber I get the certificate. It's the self-signed one that came with Clearpass, but at least it downloads something.

    Any clues why I can't see the certificate from the link on my publisher?

    When I set the auth-server to the subscriber, the ap downloads the certificate and shows with show clearpassca on the instant. When I set the auth-server to the subscriber, it still fails to download the role with HTTP Code:  0 which I believe Hermann said was due to the cert not being trusted.    Which it isn't.  Not sure why it pulls that Cert instead of ones I have installed.

    ------------------------------
    Kenny Milan
    ------------------------------



  • 4.  RE: Airwave / Clearpass CA

    Posted Aug 18, 2021 04:56 PM
    Ok. So I did a little testing of my own with this. In Clearpass 6.10 there are two options for HTTPS Certificate: ECC and RSA. Best I can tell is that the Instants are trying to download the CA of the ECC Certificate setting in Clearpass. I have ECC disabled at the moment on Clearpass 6.10.

    I set up a test Clearpass server with version 6.9, which only has one HTTPS option for certificates. I set up a test Instant AP and pointed it at the Clearpass test server and immediately it grabs the correct CA for Clearpass and the role is downloaded successfully.

    So, my new question is: is there a way to tell the Instant to pull the RSA Certificate information as opposed to the ECC Certificate information? We use a wildcard cert that is publicly signed. I am reasonably sure that I can't have an RSA and ECC version of the certificate at the same time, but my knowledge on that is limited.

    Any help or advice would be appreciated.

    ------------------------------
    Kenny Milan
    ------------------------------
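
Added example (not part of the original posts, and not Aruba code): a standard-library Python check for what a node returns at the `https-root.pem` path discussed in posts 3 and 4, reporting whether the certificate carries an RSA or ECC key and whether it is self-issued. The function names and the sample certificates are constructed for illustration; the samples are unsigned skeletons, and the check compares issuer and subject only, it does not verify signatures.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def children(data):
    """Split DER content bytes into (tag, body, raw_element) tuples."""
    out, i = [], 0
    while i < len(data):
        tag, n, j = data[i], data[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            n, j = int.from_bytes(data[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        out.append((tag, data[j:j + n], data[i:j + n]))
        i = j + n
    return out

def inspect_root_pem(body):
    """Return (key_type, self_issued) for the first certificate in an HTTP body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", body, re.S)
    if not m:
        raise ValueError("no PEM certificate in response (error page?)")
    cert = children(base64.b64decode(m.group(1)))[0][1]
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional [0] version field
        tbs = tbs[1:]
    issuer, subject, spki = tbs[2][2], tbs[4][2], tbs[5][1]
    oid = children(children(spki)[0][1])[0][1]
    key = {RSA_OID: "RSA", EC_OID: "ECC"}.get(oid, "other")
    return key, issuer == subject  # equal names: self-issued, no outside CA

def sample_pem(key_oid, issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton (not a real certificate)."""
    def name(cn):
        attr = tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode())
        return tlv(0x30, tlv(0x31, tlv(0x30, attr)))
    alg = tlv(0x30, tlv(0x06, key_oid))
    head = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
    names = name(issuer_cn) + tlv(0x30, b"") + name(subject_cn)  # empty validity
    tbs = tlv(0x30, head + names + tlv(0x30, alg + tlv(0x03, b"\x00")))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"
```

Pass `inspect_root_pem` the response body fetched from `/.well-known/aruba/clearpass/https-root.pem` on each node; a `ValueError` means the node returned something other than a certificate, as with the 404 described in post 3.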



  • 5.  RE: Airwave / Clearpass CA

    Posted Aug 18, 2021 08:02 PM
    I finally put the right words together and found this about a bug in 6.10

    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MessageKey=b1c4f5c3-90ea-48f1-b72f-398b7809a0e9&CommunityKey=2477474f-de43-4598-a465-c179d41fdd0b&tab=digestviewer

    Hopefully this helps if anyone stumbles across this thread.

    ------------------------------
    Kenny Milan
    ------------------------------



  • 6.  RE: Airwave / Clearpass CA

    EMPLOYEE
    Posted Aug 23, 2021 10:24 AM
    This issue was fixed in ClearPass 6.10.1, which has been out for some time now.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------