I am configuring a secure LDAP connection, and during an authentication attempt ClearPass complains that it is not able to establish a connection with the LDAP server:
2021-09-01 09:27:56,920 [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: CN=xxx,OU=xxx-xx,O=xxx bind to xxx.xxx.com:636 failed: Can't contact LDAP server
2021-09-01 09:27:56,920 [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2021-09-01 09:27:56,920 [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)
A packet capture confirms that ClearPass rejects the LDAP cert.
The self-signed LDAP cert is imported into the trust list and has the following usage assigned: AD/LDAP Servers, EAP, Others.
Does ClearPass allow a self-signed cert on the LDAP server for LDAP over SSL?
Thank you for your comments!
I was not keen to open a TAC case because my recent experience with TAC is not encouraging, to say the least. Your answers came much faster than I would have received anything from TAC. However, TAC is a totally different topic.
As an Aruba partner we have to work with what the customer has. If the customer does not have its own CA and it is out of the project scope, the best we can do is improvise. This particular customer has no AD. Instead they use eDirectory. I am not sure what CA functionality options, if any, there are. For just a few certs I might use the XCA tool.
I would like to summarize things.
We made it work by replacing the default self-signed LDAP certificate with a "CA"-signed one. I used the XCA tool as the CA. Anybody can use his/her favorite search engine to find it. Basically, it is a free open-source GUI tool for certificate manipulation. This was far faster than dealing with TAC or investigating why self-signed was not working. A message for the ClearPass guys: there is a problem either with the documentation or with the log messages. Please fix one or the other. The documentation does not say that self-signed certificates cannot be used or what certificate parameters are checked. If self-signed certs are accepted, the log messages are misleading.
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.