https://www.arubanetworks.com/support-services/end-of-life/?utm_source=google&utm_medium=paidsearch&utm_campaign=Aru_FY23_Q2_ESP_GFD_NAAS_AMS_NAM_Agile_NaaS_-_2023&utm_geo=NAMER&gad=1&gclid=CjwKCAjwxOymBhAFEiwAnodBLEcxit-npgL19U7O8_Xmh8U7hJNiHf-Ym2fmVpltQ7zh34I0OMA_mhoCw7YQAvD_BwE#product=clearpass-software&version=0
Original Message:
Sent: Aug 15, 2023 02:37 AM
From: simon168
Subject: Making ClearPass a Subscriber in 6.10
Thanks for the confirmation, Jonas.
Original Message:
Sent: Aug 15, 2023 02:33 AM
From: jonas.hammarback
Subject: Making ClearPass a Subscriber in 6.10
Hi
You still need to have the IP address in the database certificate as a SAN in the form DNS:10.11.12.13.
For the https part the process has been simplified and the root certificate of the https certificate on the publisher will be added automatically.
I prefer to add the root as trusted manually before I start the Make subscriber process.
Export the root for the https certificate from the publisher and import it in the trust list. Add the usage Others.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
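Added example, not part of the reply above or of Aruba's documentation: a shell check, run on a workstation against a database certificate exported as PEM, that the SAN carries the IP address in the `DNS:10.11.12.13` form the reply describes. It assumes OpenSSL 1.1.1 or later; the function names and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Requires OpenSSL 1.1.1+ for the "-ext" option of "openssl x509".

# Print each SAN entry of a PEM certificate on its own line,
# e.g. "DNS:10.11.12.13" or "IP Address:10.11.12.13".
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed '1d' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Succeed only if the SAN holds the IP as a dNSName entry (DNS:<ip>),
# the form asked for in the reply above. The match is on the whole
# entry, so DNS:10.11.12.130 does not satisfy a check for 10.11.12.13,
# and an "IP Address:" entry alone is reported as missing.
has_dns_ip_san() {
    san_entries "$1" | grep -Fxq "DNS:$2"
}

# Operator report, e.g.: ./check_san.sh db-cert.pem 10.11.12.13
if [ "$#" -eq 2 ]; then
    if has_dns_ip_san "$1" "$2"; then
        echo "OK: SAN contains DNS:$2"
    else
        echo "MISSING: no DNS:$2 entry in SAN; entries found:"
        san_entries "$1" | sed 's/^/  /'
        exit 1
    fi
fi
```

Run it against the database certificate of each node before starting the Make Subscriber process; a certificate with no SAN at all is reported as missing with an empty entry list.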
Original Message:
Sent: Aug 15, 2023 02:14 AM
From: simon168
Subject: Making ClearPass a Subscriber in 6.10
Hi Ari
Thanks for the reply. In that case, do the two caveats in 6.8 still apply in 6.10? Thanks
Original Message:
Sent: Aug 15, 2023 02:04 AM
From: ariyap
Subject: Making ClearPass a Subscriber in 6.10
The certificate for creating a cluster is the database certificate.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Aug 15, 2023 12:46 AM
From: simon168
Subject: Making ClearPass a Subscriber in 6.10
Hi
I'd like to ask about the requirements for making a ClearPass a subscriber in version 6.10. Both ClearPass servers are of the same version. The current publisher has been available for a while and the second ClearPass was purchased recently with the intention of having redundancy.
I make the new ClearPass a subscriber but hit some problems:
- Wrong publisher IP
- Wrong password
- TCP port 5432 blocked
- Invalid certificate
The first three reasons have been verified correspondingly. Both ClearPass servers are on the same IP subnet with no firewall between them. That only leaves 'invalid certificate'. I'd like to ask which certificate it is referring to: the SSL certificate or the database certificate? The current publisher has a public wildcard certificate installed for SSL/HTTPS and a self-signed certificate for the Database Server.
Now, in the 6.8 documentation, in Making a Subscriber Node, there is a caveat which states that errors will be seen if either condition is present:
- The certificate chain used is not present on both systems for the HTTPS and database certificates.
- An IP address is not included in the database certificate's subject or the Subject Alternative Name (SAN) field.
There is, however, no mention of the above caveat in 6.10 (or 6.9) documentation. It looks pretty simple: just select 'Make a Subscriber', enter the correct publisher IP address and appadmin password.
Therefore, my question: do we need to ensure both caveats as specified in 6.8 documentation are met for a successful subscriber join?
Thanks in advance.
Regards,
Simon