  • 1.  Making ClearPass a Subscriber in 6.10

    Posted Aug 15, 2023 12:46 AM

    Hi 

    I would like to ask about the requirements for making a ClearPass a subscriber in version 6.10. Both ClearPass servers are of the same version. The current publisher has been available for a while, and the second ClearPass was purchased recently with the intention of having redundancy.

    I made the new ClearPass a subscriber but hit some problems: 

    • Wrong publisher IP
    • Wrong password
    • TCP port 5432 blocked
    • Invalid certificate

    The first three reasons have been verified accordingly. Both ClearPass servers are on the same IP subnet with no firewall between them. That only leaves 'invalid certificate'. I would like to ask which certificate it is referring to: the SSL certificate or the database certificate? The current publisher has a public wildcard certificate installed for SSL/HTTPS and a self-signed certificate for the Database Server. 

    Now, in the 6.8 documentation, under Making a Subscriber Node, there is a caveat stating that errors will be seen if either condition is present:

    • The certificate chain used is not present on both systems for the HTTPS and database certificates.

    • An IP address is not included in the database certificate's subject or the Subject Alternative Name (SAN) field.

    There is, however, no mention of the above caveat in 6.10 (or 6.9) documentation. It looks pretty simple: just select 'Make a Subscriber', enter the correct publisher IP address and appadmin password. 

    Therefore, my question: do we need to ensure both caveats as specified in 6.8 documentation are met for a successful subscriber join? 

    Thanks in advance. 

    Regards,

    Simon



  • 2.  RE: Making ClearPass a Subscriber in 6.10

    Posted Aug 15, 2023 02:04 AM

    The certificate for creating a cluster is the database certificate.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Making ClearPass a Subscriber in 6.10

    Posted Aug 15, 2023 02:15 AM

    Hi Ari

    Thanks for the reply. In that case, do the two caveats in 6.8 still apply in 6.10? Thanks




  • 4.  RE: Making ClearPass a Subscriber in 6.10

    Posted Aug 15, 2023 02:33 AM

    Hi

    You still need to have the IP address in the database certificate as a SAN in the form DNS:10.11.12.13.

    For the https part the process has been simplified and the root certificate of the https certificate on the publisher will be added automatically.

    I prefer to add the root as trusted manually before I start the Make subscriber process.

    Export the root for the https certificate from the publisher and import it in the trust list. Add the usage Others.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
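
A pre-flight check for the SAN requirement described in the reply above, as an added example that is not part of the original thread or of ClearPass itself. It assumes the publisher's database certificate has been exported to a PEM file and that OpenSSL 1.1.1 or later is available; the function names, the file name `dbcert.pem` and the sample SAN text are assumptions constructed for illustration.

```shell
#!/bin/sh
# san_status IP
#   Reads SAN text on stdin (the output of
#   `openssl x509 -noout -ext subjectAltName`) and prints:
#     dns      - IP present as a DNS-type entry (DNS:10.11.12.13)
#     ip-only  - IP present only as an "IP Address:" entry
#     missing  - IP not present in the SAN at all
#   Entries are compared whole, so 10.11.12.13 does not match 10.11.12.130.
san_status() {
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    awk -v ip="$1" '
        $0 == ("DNS:" ip)        { dns = 1 }
        $0 == ("IP Address:" ip) { ipf = 1 }
        END { print (dns ? "dns" : (ipf ? "ip-only" : "missing")) }'
}

# check_db_cert PEMFILE IP
#   Runs the check against an exported certificate file
#   (hypothetical usage: check_db_cert dbcert.pem 10.11.12.13).
check_db_cert() {
    status=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
             san_status "$2")
    case "$status" in
        dns)     echo "OK: $2 is in the SAN as DNS:$2"; return 0 ;;
        ip-only) echo "WARN: $2 is only an IP Address entry, not DNS:$2"; return 1 ;;
        *)       echo "FAIL: $2 is not in the SAN"; return 1 ;;
    esac
}

# Constructed sample of openssl's SAN output (not from a real appliance).
SAMPLE_SAN='X509v3 Subject Alternative Name: 
    DNS:cppm-pub.example.test, DNS:10.11.12.13, IP Address:10.11.12.13'

printf '%s\n' "$SAMPLE_SAN" | san_status 10.11.12.13   # prints: dns
```

Run `check_db_cert` with the management IP that the subscriber will use to reach the publisher, before starting the Make Subscriber process.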



  • 5.  RE: Making ClearPass a Subscriber in 6.10

    Posted Aug 15, 2023 02:38 AM

    Thanks for the confirmation, Jonas. 




  • 6.  RE: Making ClearPass a Subscriber in 6.10

    Posted Aug 15, 2023 07:36 AM

    https://www.arubanetworks.com/support-services/end-of-life/?utm_source=google&utm_medium=paidsearch&utm_campaign=Aru_FY23_Q2_ESP_GFD_NAAS_AMS_NAM_Agile_NaaS_-_2023&utm_geo=NAMER&gad=1&gclid=CjwKCAjwxOymBhAFEiwAnodBLEcxit-npgL19U7O8_Xmh8U7hJNiHf-Ym2fmVpltQ7zh34I0OMA_mhoCw7YQAvD_BwE#product=clearpass-software&version=0