I have TAC ERT on a session with me now so I will bring this up during the session and report back.
Original Message:
Sent: May 05, 2023 01:17 PM
From: ahollifield
Subject: DUR Download Failed, Server Cert Invalid
So the switch talks to ClearPass via HTTPS to download the role. What certificate is assigned to the HTTPS process on your ClearPass node? Whatever CA signed that certificate needs to be trusted by the switch through the trust-point CLI commands.
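The check behind this reply and the "how do I verify that for sure?" question that follows it can be reproduced off the switch with openssl. The script below is an added example, not code from the thread or from Aruba; it builds a throw-away PKI (root CA, intermediate, and a leaf for a constructed host name clearpass.example.net) and then runs the same trust decision the switch makes when it fetches the role: does the CA certificate you would paste into the TA profile actually validate the HTTPS certificate the ClearPass node presents? It also shows the common failure where the leaf was issued by an intermediate that the server does not send.

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce the trust check the switch performs
# when it fetches a DUR over HTTPS, using openssl against a throw-away PKI built here.
# Every name below (Example Root CA, clearpass.example.net, ...) is constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: an issuing CA must carry CA:TRUE or verification rejects it as an issuer
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:clearpass.example.net\n' > server.ext

# Root CA (stands in for the public CA whose certificate you pasted into the TA profile)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Root CA' \
    -keyout root.key -out root.pem 2>/dev/null
# Intermediate issued by the root: public CAs almost always sign leaf certs from one of these
openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
# Leaf certificate for the ClearPass node's HTTPS service, issued by the intermediate
openssl req -newkey rsa:2048 -nodes -subj '/CN=clearpass.example.net' \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 1 -extfile server.ext -out server.pem 2>/dev/null
# An unrelated root: trusting this one instead is the classic cause of "Server Certificate Invalid"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Unrelated CA' \
    -keyout other.key -out other.pem 2>/dev/null

# verify_chain <leaf> <trusted-bundle> [<untrusted-intermediates>]
# Returns 0 when the trusted bundle (what the TA profile holds) validates the leaf,
# optionally using intermediates the server would present during the TLS handshake.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Against a real node, the leaf and whatever intermediates the server sends come from:
#   openssl s_client -showcerts -connect clearpass.example.net:443 </dev/null
# (constructed host name; save the PEM blocks it prints and feed them to verify_chain)

verify_chain server.pem root.pem inter.pem && echo "root + intermediate: trusted"
verify_chain server.pem root.pem           || echo "root only, intermediate not presented: NOT trusted"
verify_chain server.pem other.pem          || echo "wrong CA in trust store: NOT trusted"
```

The second case is the one to watch for when the TA profile shows "Installed, valid" yet the download still fails: the trust anchor itself is fine, but the chain from the HTTPS leaf up to that anchor cannot be built unless the server presents the intermediate or the TA profile holds the CA that directly issued the leaf.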
Original Message:
Sent: May 05, 2023 01:06 PM
From: cochranes
Subject: DUR Download Failed, Server Cert Invalid
I assume so, but how do I verify that for sure? My assumption was that the HTTPS cert signed by my public CA is the same server cert that is handed down to the switch using the "well known URL". Or better yet, how do I make it trust my CA assuming it does not?
Original Message:
Sent: May 05, 2023 12:58 PM
From: ahollifield
Subject: DUR Download Failed, Server Cert Invalid
Is the CA that signed the ClearPass HTTPS certificate trusted by the switch?
Original Message:
Sent: May 05, 2023 12:34 PM
From: cochranes
Subject: DUR Download Failed, Server Cert Invalid
I have been working with TAC on this but have not found a resolution yet. I am using EAP-TEAP to cert auth the client and MSCHAPv2 the user against a ClearPass service that is successfully profiling the attempt and handing down the DUR (see CP-RADIUS-Output attachment). However, the switch appears to be refusing the role because of an invalid cert:
ClearPass version 6.10.8
Switch versions 10.10.1010 and 10.10.1050
Only error is:
Port Access Client Status Details:

Client 28:f1:0e:15:3c:2a, anonymous
===================================
Session Details
---------------
Port : 1/1/13
Session Time : 7245s
IPv4 Address :
IPv6 Address :
Device Type :

VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 4011
Access : 4011
Native Untagged :
Allowed Trunk :

Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 7243s ago

MACsec Details
--------------
MKA Session Status :
MACsec Status :

Authorization Details
----------------------
Role : ArubaPOC_DUR_CX_802_1x_Take2-3094-1
Status : Download Failed


Role Information:

Name : ArubaPOC_DUR_CX_802_1x_Take2-3094-1
Type : clearpass
Status: Failed, Server Certificate Invalid
However the TA cert shows as valid:
Fabric-Access-GU-Test-01# show crypto pki ta-profile

TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
cppmdur                          Installed, valid     disabled
I have manually loaded the cert using the "well known URL" process as demonstrated in instructional videos. I have also attempted to manually create a full cert chain and load it, which was accepted but did not fix the problem.
I have also attached the DUR config summary.
Any thoughts or suggestions?