Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Onboard Registration Authority

  • 1.  ClearPass Onboard Registration Authority

    Posted Sep 04, 2024 11:26 AM

    Hi dear community,

    I wanted to test Onboard with my existing Windows PKI to issue EST certificates to my switches.

    I used this good video to get me started: EST and RADSEC with ClearPass, AOS-CX, and AOS 10 Gateways (youtube.com)

    At first everything looked great, as requesting a cert from within ClearPass worked fine (see screenshot below).

    The request is also shown under "issued certs" within the Windows PKI.

    But as soon as I tried to request a cert via EST from a CX switch, problems started.

    1: Within the EST profile the URL won't allow ".local" domains to be used. As my ClearPass cert is issued to a ".local" domain, I added the IPs of ClearPass to the SAN, and then this problem was resolved.

    --------------------------------------

    2: The real problem: the certificate requests are not working as expected, and the cert is always pending.

    The switch-log is not much help:

     certmgr[992]: Event|7717|LOG_ERR|UKWN|1|Failed to enroll certificate estcert with EST server est-enroll
     certmgr[992]: Event|7708|LOG_INFO|UKWN|1|Certificate *.aruba.local verified and accepted
     certmgr[992]: Event|7723|LOG_INFO|UKWN|1|Certificate *.aruba.local is cryptographically validated by CA certificate ArubaRootCA

    The debug output is also not of much help:

    |certmgr|LOG_ERR|UKWN|1|PKI|PKI_MGMT|Failed requesting /cacerts for EST profile est-enroll. If device still initializing, it is expected. It will try again at cert enrollment with this EST profile.

    Within ClearPass I can see that the login of the user is a success.

    Within the CA the following certs are issued (these are the CNs used by ClearPass for the SCEP process):

    What is the best way to troubleshoot all of this? Is there any obvious error you can see?
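
The switch debug line above says the failing step is the EST /cacerts fetch, which happens before any enrollment request reaches the RA. A quick way to isolate it is to perform that same step from an admin host: open a verified TLS connection to the ClearPass IP (so the server certificate is checked against its IP SAN, exactly as the switch does), GET the RFC 7030 /cacerts resource, and confirm the body is a base64 certs-only PKCS#7 containing the CA chain. The script below is an added example for this thread, not ClearPass or AOS-CX code, and uses only the Python standard library. The EST path is the RFC 7030 default; whether ClearPass requires a CA label segment after /.well-known/est is an assumption to confirm in the Onboard EST settings, as is the `est_cacerts.py` name. The DER walker is deliberately minimal (degenerate SignedData only) and the sample "certificate" in the self-test is a constructed placeholder SEQUENCE.

```python
import base64
import http.client
import ssl
import sys
from typing import List, Optional, Tuple

# RFC 7030 well-known prefix. Whether ClearPass needs a CA label after it
# (.../est/<label>/cacerts) is an assumption; check the Onboard EST settings.
EST_PREFIX = "/.well-known/est"
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag/length/value element."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the DER element at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                      # long form: first & 0x7F length bytes follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the value of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def extract_certs(pkcs7_der: bytes) -> List[bytes]:
    """Return the DER certificates carried in a certs-only PKCS#7 SignedData."""
    tag, content_info, _ = _read_tlv(pkcs7_der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    fields = _children(content_info)
    if len(fields) < 2 or fields[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a PKCS#7 SignedData body")
    if fields[1][0] != 0xA0:
        raise ValueError("SignedData content [0] missing")
    _, signed_data, _ = _read_tlv(fields[1][1], 0)
    certs: List[bytes] = []
    for t, v in _children(signed_data):
        if t == 0xA0:  # certificates [0] IMPLICIT SET OF CertificateChoices
            certs.extend(_tlv(0x30, c) for ct, c in _children(v) if ct == 0x30)
    return certs


def build_certs_only_pkcs7(certs: List[bytes]) -> bytes:
    """Degenerate SignedData (RFC 5652 s5.2), the shape an EST /cacerts reply has."""
    signed_data = (
        _tlv(0x02, b"\x01")                   # version 1
        + _tlv(0x31, b"")                     # digestAlgorithms: empty SET
        + _tlv(0x30, _tlv(0x06, OID_DATA))    # encapContentInfo: id-data, no content
        + _tlv(0xA0, b"".join(certs))         # certificates [0] IMPLICIT
        + _tlv(0x31, b"")                     # signerInfos: empty SET
    )
    return _tlv(0x30, _tlv(0x06, OID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, signed_data)))


def encode_cacerts_body(certs: List[bytes]) -> bytes:
    """A /cacerts response body: base64 of the PKCS#7, line-wrapped (RFC 7030 s4.1.3)."""
    return base64.encodebytes(build_certs_only_pkcs7(certs))


def parse_cacerts_body(body: bytes) -> List[bytes]:
    """Decode the base64 body (line breaks tolerated) and pull out the CA certs."""
    return extract_certs(base64.b64decode(b"".join(body.split())))


def fetch_cacerts(host: str, port: int = 443, label: Optional[str] = None,
                  cafile: Optional[str] = None, timeout: float = 10.0) -> List[bytes]:
    """GET /cacerts over verified TLS. Connecting by IP needs that IP in the server
    cert's SAN, as on the switch; pass the ClearPass root CA PEM as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    path = f"{EST_PREFIX}/{label}/cacerts" if label else f"{EST_PREFIX}/cacerts"
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    conn.request("GET", path, headers={"Accept": "application/pkcs7-mime"})
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200:
        raise RuntimeError(f"GET {path} -> HTTP {resp.status}: {body[:200]!r}")
    return parse_cacerts_body(body)


if __name__ == "__main__":
    # usage: est_cacerts.py <clearpass-host-or-ip> [ca-label] [root-ca.pem]
    a = sys.argv[1:]
    for der in fetch_cacerts(a[0], label=a[1] if len(a) > 1 else None,
                             cafile=a[2] if len(a) > 2 else None):
        print(ssl.DER_cert_to_PEM_cert(der))
```

If the GET fails at the TLS layer with a hostname mismatch, the IP SAN fix from point 1 is incomplete on this host; an HTTP 4xx from the path points at the EST URL or CA label on the ClearPass side; and a 200 with a body that does not parse as SignedData (for example an HTML login page) means the request is not reaching the EST service at all. The same check can be done by hand with curl and `openssl base64 -d | openssl pkcs7 -inform DER -print_certs`.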



  • 2.  RE: ClearPass Onboard Registration Authority

    EMPLOYEE
    Posted Sep 04, 2024 06:50 PM

    What does your EST profile look like in the switch?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------