Original Message:
Sent: Jul 04, 2025 07:58 AM
From: alexs-nd
Subject: CX switch - deleting a failed DUR
And it worked! Many thanks.
FYI switch running 10.13.1080
Another question
If you are using a captive portal DUR, do you have to enable something on the switch to get it to work?
On os-s you have to enable captive-portal
Have a CX DUR that's supposed to push a device into our captive portal VLAN, but no logs as to why it doesn't work.
A
Original Message:
Sent: 7/4/2025 7:11:00 AM
From: willembargeman
Subject: RE: CX switch - deleting a failed DUR
Normally the switch retries to download the XML file that contains the data. However, I think you might hit this issue (fixed in 10.13.1050 / 10.14.1010 / 10.15.0005).
Can you try the workaround?
https://arubanetworking.hpe.com/techdocs/AOS-CX/Consolidated_RNs/HTML-6300-6400/Content/10_15/0005/fixes.htm
Symptom: A client fails to get access to the network after successful authentication.
Scenario: This issue can impact a client trying to onboard with a downloadable role after temporary network issues.
Workaround: Log off all the clients that are with the Downloadable User Role (DUR) in the failed state using command port-access log-off client role <role-name>. This will initiate a retry of download of the role.
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Jul 04, 2025 05:33 AM
From: alexs-nd
Subject: CX switch - deleting a failed DUR
Got a small issue with a CX switch and downloadable user roles.
I created a RADIUS group called CPPM_RADIUS which should have had 2 FQDNs relating to CPPM VIPs in it. Unfortunately it also had the IP addresses of the CPPM VIPs in there before the FQDNs.
I also have the command
aaa accounting port-access start-stop interim 900 group CPPM_RADIUS
So when the switch tries to download the DUR, it's downloading it from an IP address and not a FQDN, and fails.
A show port-access roles shows that it's failed because Server Certificate Invalid.
The server cert has a CN of cppm.x.y and a number of SANs as defined in the RADIUS group. Using the IP address results in the CN being returned, which doesn't have the IP address in it.
Can't delete the DUR.
Tried deleting the IP addresses from the group ... caching somewhere so it's still generating the same error.
Tried creating another group CPPM_NAC with correct settings and adjusting the above accounting command to use that group ... still happens.
Short of rebooting the switch stack, how can I force the switch to download a version? (Guess could make a small change at CPPM, but that would get pushed to the CX estate.)
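
The certificate failure described in this thread, as an added example that is not part of any post and is not AOS-CX or ClearPass code: it applies the usual TLS server-identity rule (an IP address is compared only with iPAddress SAN entries, a hostname only with dNSName entries) to each entry of a RADIUS server group. All host names, addresses and SAN lists below are constructed placeholders.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Compare one dNSName SAN with a hostname; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def server_identity_ok(reference: str, san_dns: list, san_ip: list) -> tuple:
    """Check the name the client connected to against the certificate's SAN entries."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # An IP reference never matches a DNS name or the CN, only an iPAddress SAN.
        if any(ipaddress.ip_address(s) == ref_ip for s in san_ip):
            return True, "matched iPAddress SAN"
        return False, "IP reference but no matching iPAddress SAN"
    if any(_dns_match(s, reference) for s in san_dns):
        return True, "matched dNSName SAN"
    return False, "hostname not in dNSName SANs"

def audit_group(servers, san_dns, san_ip):
    """Return {server entry: (ok, reason)} for every server configured in a group."""
    return {s: server_identity_ok(s, san_dns, san_ip) for s in servers}

# Constructed sample: a certificate with DNS SANs only, and a server group
# that lists VIP addresses ahead of the FQDNs.
SAN_DNS = ["cppm.example.net", "cppm-vip1.example.net", "cppm-vip2.example.net"]
SAN_IP = []
RADIUS_GROUP = ["192.0.2.10", "192.0.2.11",
                "cppm-vip1.example.net", "cppm-vip2.example.net"]

if __name__ == "__main__":
    for server, (ok, why) in audit_group(RADIUS_GROUP, SAN_DNS, SAN_IP).items():
        print(f"{'OK  ' if ok else 'FAIL'} {server}: {why}")
```

Running the same audit against the SAN list of the real server certificate before adding servers to a group shows which entries would fail validation when the role is downloaded over HTTPS.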