Requirement:
DUR configuration is used in the switch to download the profile configuration sent from the RADIUS server and to apply this configuration within the role to the respective client port. The profile applied to the clients may include dynamic VLAN/ACL/captive portal. These dynamic configurations will be removed from the port soon after the client session ends.
1. Add the RADIUS server in the switch using the host IP or using the FQDN
2. Enable MAC authentication globally and for the respective ports
3. Upload the root certificate used in ClearPass on the switch; this root certificate will be used during the DUR process as the switch needs to trust the root CA that signs the certificate in ClearPass
5. Configure ClearPass with the corresponding services, profiles and policies
 -- Aruba Downloadable Role Enforcement
 -- Role Configuration mode as Advanced
 -- Product as Mobility Access Switch
6. Configure the below within the profile that will be applied to the client
 -- Configure the Attribute Type as: Radius:Aruba
 -- Name as Aruba-CPPM-Role
 -- Value as (DUR commands)
7. Check the reachability of ClearPass from the switch and connect a client to the port with authentication enabled.
Switch configuration:
radius-server host x.x.x.x key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username prakash clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+
aaa authentication allow-fail-through
aaa group server radius cppm
 server x.x.x.x
aaa authentication port-access dot1x authenticator
 radius server-group ARUBA
aaa authentication port-access mac-auth
 radius server-group cppm
 enable
interface 1/1/15
 no shutdown
 no routing
 vlan access 1
 aaa authentication port-access client-limit 2
 aaa authentication port-access dot1x authenticator
  max-eapol-requests 1
  enable
 aaa authentication port-access mac-auth
  enable
Configuration in ClearPass:
1. Configure the service with the appropriate service condition
2. Apply the appropriate policy with the suitable conditions to match the client request to the respective profile
3. DUR profile configuration
The user-role from ClearPass will be downloaded in the switch and can be verified using the below command. Check the application of the role to the respective port.
Still does not work in 10.07 it appears.
Also, you do not need the ROOT CA imported. Only the Intermediate or issuing authority.
crypto pki ta-profile clearpass
ta-certificate
<paste in Intermediate CA in PEM format>
Once this was completed DURs started working again.
EDIT:
If you use a wildcard certificate for HTTPS services in CPPM, your CN/SAN does not need to match either. It seems to properly process that.
Example:
aaa group server radius CPPM-RAD
 server cppm1.arulab.ch
 server cppm2.arulab.ch
Instead of:
aaa group server radius CPPM-RAD
 server x.x.x.x
 server y.y.y.y
Enjoy,
It works. (I hope for you ;) )
__Ck
Thanks for the post! I have the same issue with this error (tested with 6200F and 6300M in version 10.06):
Hello, after a lot of troubleshooting, we found the fix to this exact issue.
In regards to the issue:
port-accessd[3300]: Event|7709|LOG_WARN|MSTR|1|Certificate cppm.tsclab.com.au rejected due to verification failure (20)
Resolution: The Common Name of the certificate MUST match the radius-server host DNS entry in the switch. We originally used the same HTTPS certificate with multiple SANs of all of our appliance names, which no longer works when using UBT with ArubaOS-CX.
In our large deployment, we ended up having to generate individual certificates for each ClearPass appliance as the Common Name and then used the same SANs to assist us with WebUI management and captive-portal redirections. Changing the ClearPass hostname and/or FQDN did not change the outcome in our testing. Hope this helps the next!
-Mat
Hi,
I have a TAC running for this issue. When you enable debugging on the switch you get more insight:
To enable debug
debug portaccess role
debug portaccess dot1x all
debug portaccess radius
debug destination buffer
To view debug
show debug buffer
To disable debug
no debug portaccess role
no debug portaccess dot1x all
no debug portaccess radius
In my case debugging shows:
2020-10-01:08:56:14.669600|port-accessd|LOG_ERR|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|Certificate subject name doesn't match the expected peer's hostname.
Yeah, I think the auto download only works with AOS, not ACX; not 100% sure on that. But I only upload the root CA to the switch as I'm not using an intermediate. You will probably need the intermediate and the root CA, or the switch might think it's invalid.
Hi,
Thanks for the feedback.
NTP will not be the problem,
but I believe DNS will be.
I did configure it to use the external DNS, but I have the impression that the switch will not do name resolving. I tested it with a ping to the hostname, but nothing happens.
I will try to use a DNS host list on the switch.
Question about the certificate: I am using release 10.05.00011, so do I have to install the certificate manually?
Do I just need to install the intermediate CA certificate from ClearPass?
Regards
Hi dirkve, sorry, I actually sorted out my problem. I had 2 issues. Time was not in sync, which is required for certificate-based stuff, and second, I had to set the RADIUS server on the switch using the DNS name, not the IP, so that it matched the CN/SAN on the certificate.
If you don't have DNS on the switch, set an 'ip dns host' entry so it can resolve the name without DNS.
I have the same issue as gfirth77.
Does anyone have any ideas?
Hi, I have been trying to get this going on a 6300M in my lab with no success. I have uploaded the root CA as the TA profile and set up the downloadable roles in ClearPass. I am getting this error:
port-accessd[3300]: Event|7709|LOG_WARN|MSTR|1|Certificate cppm.tsclab.com.au rejected due to verification failure (20)
And the output of the downloaded role on the switch:
Name : TSCLAB_802_1X_Wired_6300___302-3111-1
Type : clearpass
Status: Failed, Server Certificate Invalid
The downloadable roles work fine on the 2930 series using the same root CA and the same ClearPass server. Unfortunately there is next to no information out there on the Aruba CX platform. Thanks.
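The three certificate failure modes raised in this thread (issuing CA missing from the ta-profile, radius-server host name not matching the certificate, switch clock out of sync) reproduced with openssl against a constructed lab PKI; this is an added example, not code from the switch, ClearPass or any poster, and the CA names, host names (example.test) and file paths are made up.

```shell
#!/bin/sh
# Added example: build root -> issuing CA -> ClearPass server cert, then run the
# same checks a switch applies before it accepts the server cert for DUR.
set -eu
WORK=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper around key/cert generation

# Root CA (self-signed; the default req config marks it CA:TRUE).
q openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem"
# Issuing (intermediate) CA, signed by the root.
q openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
q openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.pem"
# ClearPass server cert, signed by the issuing CA, with SAN entries for the
# node name and a shared service name (constructed values).
q openssl req -newkey rsa:2048 -nodes -subj "/CN=cppm1.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr"
printf 'subjectAltName=DNS:cppm1.example.test,DNS:cppm.example.test\n' > "$WORK/srv.ext"
q openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/srv.ext" -out "$WORK/srv.pem"
# Two candidate ta-profile contents: root only, and root + issuing CA.
cp "$WORK/root.pem" "$WORK/ta_root_only.pem"
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/ta_chain.pem"

# check_dur_cert TA_FILE RADIUS_HOST [EPOCH]
# The chain must build to the trust anchor, RADIUS_HOST (what "radius-server
# host" is set to) must match the cert's SAN/CN, and the cert must be valid at
# the switch's clock (EPOCH simulates an unsynced clock; default is now).
check_dur_cert() {
    ta=$1; host=$2; when=${3:-$(date +%s)}
    openssl verify -CAfile "$ta" -verify_hostname "$host" -attime "$when" "$WORK/srv.pem" 2>&1
}

echo "1) ta-profile holds the root CA only:"
check_dur_cert "$WORK/ta_root_only.pem" cppm1.example.test || true
echo "2) ta-profile holds root + issuing CA, name matches:"
check_dur_cert "$WORK/ta_chain.pem" cppm1.example.test
echo "3) radius-server host set to a name the cert does not carry:"
check_dur_cert "$WORK/ta_chain.pem" radius.example.test || true
echo "4) switch clock three days behind (cert not yet valid):"
check_dur_cert "$WORK/ta_chain.pem" cppm1.example.test "$(( $(date +%s) - 3*86400 ))" || true
```

Case 1 fails with OpenSSL error 20 (unable to get local issuer certificate), which is what a trust anchor that lacks the issuing CA looks like; cases 3 and 4 fail on hostname mismatch and validity time respectively, while case 2 passes.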