Security

Hi,

We have a working Clearpass production environment with 1 publisher and 2 subscribers, running code 6.8.9.120997.

The past few days I've been battling adding a third subscriber. The issues I first discovered was with a controller contacting the new subscriber for downloadable user roles. The role would end up in error state on the controller, with the controller logging:

Sep 23 13:48:18 authmgr[3623]: <124830> <3623> <ERRS> |authmgr| Dldb Role 2012_B2_A_Veni-3161-15: Users dequeued, role in incomplete state
Sep 23 13:48:18 authmgr[3623]: <199802> <3623> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:123: Dldb Role 2012_B2_A_Veni-3161-15: Curl response with HTTP code: 401

We have a GlobalSign public HTTPS cert for captive portal. This issues is trusted on all nodes. After a bit of troubleshooting we attempted to generate a new self-signed DB cert on the new subscriber, including

DNS:<IP of Publisher>,DNS:<IP of Subscriber>

This resulted in downloadable roles from the new subscriber working, but apparently broke part of the database connection (although all authentication were seemingly working fine).


We reinstalled the subscriber and re-joined, so now we're back to start. I am finding a lot on conflicting information regarding best practice for database certificate handling, so my questions is what is the correct approach? My impression now is that it should be handled automatically by the cluster. I believe we were impacted by the 1 year expiry DB-certs in a previous version, but should be fixed now.


A second issue we've encountered is self-registration for guests towards the new subscriber. The subscriber can handle the captive portal page as well as do mac-auth, however we need to point the dot1x-server-group in the captive portal profile to the publisher. Otherwise, the endpoint is "not found" when user clicks login after registration, and he/she is directed back to registration portal. Could there be some sort of delay in the endpoint database sync? If we just wait a little and reconnect the client, the mac-auth brings the device online just fine. The two other subscribers handle all guest related traffic individually without issues. Latency is not an issue on this new site, better connection than any of the existing subscribers.

Any help greatly appreciated! Will contact TAC next week if I can't progress.

Did you upgrade your new subscriber to the same hotfix level as your publisher? Please be aware that ClearPass 6.8 is end-of-life, consider upgrading to 6.9 or 6.10.

The database certificate should be valid for 5 years, according to this documentation.

There is a delay in the database sync between the publisher and the subscriber. Database updates, like new users, are done at the subscriber and may take a few seconds to be synced to the subscriber. If you have a login delay of 5-10 seconds in the web login page, that is fine in most cases.

If you struggle with your certificates, it may be best to work with support to get all configured correctly.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 23, 2022 09:01 AM
From: Christoffer Augdahl
Subject: Clearpass Database certificate issues

Hi,

We have a working Clearpass production environment with 1 publisher and 2 subscribers, running code 6.8.9.120997.

The past few days I've been battling adding a third subscriber. The issues I first discovered was with a controller contacting the new subscriber for downloadable user roles. The role would end up in error state on the controller, with the controller logging:

Sep 23 13:48:18 authmgr[3623]: <124830> <3623> <ERRS> |authmgr| Dldb Role 2012_B2_A_Veni-3161-15: Users dequeued, role in incomplete state
Sep 23 13:48:18 authmgr[3623]: <199802> <3623> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:123: Dldb Role 2012_B2_A_Veni-3161-15: Curl response with HTTP code: 401

We have a GlobalSign public HTTPS cert for captive portal. This issues is trusted on all nodes. After a bit of troubleshooting we attempted to generate a new self-signed DB cert on the new subscriber, including

DNS:<IP of Publisher>,DNS:<IP of Subscriber>

This resulted in downloadable roles from the new subscriber working, but apparently broke part of the database connection (although all authentication were seemingly working fine).

We reinstalled the subscriber and re-joined, so now we're back to start. I am finding a lot on conflicting information regarding best practice for database certificate handling, so my questions is what is the correct approach? My impression now is that it should be handled automatically by the cluster. I believe we were impacted by the 1 year expiry DB-certs in a previous version, but should be fixed now.


A second issue we've encountered is self-registration for guests towards the new subscriber. The subscriber can handle the captive portal page as well as do mac-auth, however we need to point the dot1x-server-group in the captive portal profile to the publisher. Otherwise, the endpoint is "not found" when user clicks login after registration, and he/she is directed back to registration portal. Could there be some sort of delay in the endpoint database sync? If we just wait a little and reconnect the client, the mac-auth brings the device online just fine. The two other subscribers handle all guest related traffic individually without issues. Latency is not an issue on this new site, better connection than any of the existing subscribers.

Any help greatly appreciated! Will contact TAC next week if I can't progress.