Security

 View Only
last person joined: 18 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

DUR Download Failed, Server Cert Invalid

This thread has been viewed 25 times
  • 1.  DUR Download Failed, Server Cert Invalid

    Posted May 05, 2023 12:34 PM

    I have been working with TAC on this but have not found a resolution yet. I am using EAP-TEAP to cert auth the client and MSCHAPv2 the user against a ClearPass service that is successfully profiling the attempt and handing down the DUR (see CP-RADIUS-Output attachment). However the switch appears to be refusing the role because of invalid cert:

    ClearPass version 6.10.8
    Switch versions 10.10.1010 and 10.10.1050

    Only error is:
    Port Access Client Status Details:

    Client 28:f1:0e:15:3c:2a, anonymous

    ===================================

      Session Details

      ---------------

        Port         : 1/1/13

        Session Time : 7245s

        IPv4 Address :

        IPv6 Address :

        Device Type  :

      VLAN Details

      ------------

        VLAN Group Name :

        VLANs Assigned  : 4011

          Access          : 4011

          Native Untagged :

          Allowed Trunk   :

      Authentication Details

      ----------------------

        Status          : dot1x Authenticated

        Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted

        Auth History    : dot1x - Authenticated, 7243s ago

      MACsec Details

      --------------

        MKA Session Status :

        MACsec Status      :

      Authorization Details

      ----------------------

        Role   : ArubaPOC_DUR_CX_802_1x_Take2-3094-1

        Status : Download Failed

    Role Information:

    Name  : ArubaPOC_DUR_CX_802_1x_Take2-3094-1

    Type  : clearpass

    Status: Failed, Server Certificate Invalid

    However the TA cert shows as valid:
    Fabric-Access-GU-Test-01# show crypto pki ta-profile

    TA Profile Name                  TA Certificate       Revocation Check

    -------------------------------- -------------------- ----------------

    cppmdur                          Installed, valid     disabled




    I have manually loaded the cert using the "well known URL" process as demonstrated in instructional videos. I have also attempted to manually create a full cert chain and load it, which was accepted but did not fix the problem.

    I have also attached the DUR config summuary.
    Any thoughts or suggestions?



  • 2.  RE: DUR Download Failed, Server Cert Invalid

    Posted May 05, 2023 12:59 PM

    Is the CA that signed the ClearPass HTTPS certificate trusted by the switch?




  • 3.  RE: DUR Download Failed, Server Cert Invalid

    Posted May 05, 2023 01:07 PM

    I assume so, but how do I verify that for sure? My assumption was that the HTTPS cert signed by my public CA is the same server cert that is handed down to the switch using the "well known URL".  Or better yet, how do I make it trust my CA assuming it does not?




  • 4.  RE: DUR Download Failed, Server Cert Invalid

    Posted May 05, 2023 01:17 PM

    So the switch talks to ClearPass via HTTPS to download the role.  What certificate is assigned to the HTTPS process on your ClearPass node.  Whatever CA that signed that certificate needs to be trusted by the switch through trust-point CLI Commands.




  • 5.  RE: DUR Download Failed, Server Cert Invalid

    Posted May 05, 2023 01:56 PM

    I have TAC ERT on a session with me now so I will bring this up during the session and report back. 




  • 6.  RE: DUR Download Failed, Server Cert Invalid

    Posted May 05, 2023 06:00 PM

    Wanted to update you. It turns out that the ClearPass default gateway is the core router and the default gateway for the switch is the firewall. Traffic initiated from the switch was sent through firewall and returned by ClearPass through the core router creating asymmetric routing. The thing that we still do not understand is, why has ssh from the switches being routed the same way been working the whole time?