Answer :
Pre AOS 6.1, an intermediate or root CA certificate can be used as the CA-Certificate for client certificate verification.

Starting from AOS 6.2, only a root CA certificate can be used as the CA-Certificate for client certificate verification.

Below is the sample output of show auth-tracebuf when an intermediate CA certificate is used as the CA-Certificate in AOS 6.2 and above.

    show auth-tracebuf mac 3c:a9:f4:3d:d3:20
    Jun 13 17:23:00 station-down * 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a0 - -
    Jun 13 17:23:04 station-up * 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8 - - wpa2 aes
    Jun 13 17:23:04 station-term-start * 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8 1 -
    Jun 13 17:23:04 eap-term-start -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 - -
    Jun 13 17:23:04 station-term-start * 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8 1 -
    Jun 13 17:23:07 client-cert -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 1477 3300
    Jun 13 17:23:07 client-cert -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 1486 3300
    Jun 13 17:23:07 client-cert -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 337 3300
    Jun 13 17:23:07 client-finish -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 - - client cert verification failed

In show log errorlog, we can see the message below.

    Jun 13 17:23:07 authmgr[2386]: <132200> <ERRS> |authmgr| Received TLS Client Finish but the client certificate 3c:a9:f4:3d:d3:2000:24:6c:80:74:a8 is not verified

When upgrading from Pre AOS 6.1 to 6.2 and above, consider changing the CA-Certificate to the Root CA if an intermediate CA is used for client certificate verification. Alternatively, if the CA-Certificate is chained with the Root and intermediate CA, client certificate verification will be successful.

Note: This applies only if termination is enabled on the Aruba Controller.
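To check after an upgrade which stations are hitting this failure, the following added example (not part of the original article and not Aruba code) scans saved show auth-tracebuf and show log errorlog output for the failure signature shown above. The sample lines are copied from this page; the function names and result fields are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the trace and errorlog shown on this page.
TRACE = """\
Jun 13 17:23:04 station-up * 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8 - - wpa2 aes
Jun 13 17:23:04 eap-term-start -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 - -
Jun 13 17:23:07 client-cert -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 1477 3300
Jun 13 17:23:07 client-cert -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 1486 3300
Jun 13 17:23:07 client-cert -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 337 3300
Jun 13 17:23:07 client-finish -> 3c:a9:f4:3d:d3:20 00:24:6c:80:74:a8/dot1x_prof-ctg54 - - client cert verification failed
"""
ERRORLOG = ("Jun 13 17:23:07 authmgr[2386]: <132200> <ERRS> |authmgr| Received TLS Client Finish "
            "but the client certificate 3c:a9:f4:3d:d3:2000:24:6c:80:74:a8 is not verified\n")

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
TRACE_RE = re.compile(
    rf"^(?P<ts>\w{{3}}\s+\d+\s+[\d:]{{8}})\s+(?P<event>[\w-]+)\s+(?:\*|->|<-)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<profile>\S+))?\s*(?P<rest>.*)$", re.I)
ERR_RE = re.compile(r"<132200>.*client certificate .* is not verified")

def cert_failures(trace):
    """One finding per terminated EAP-TLS attempt whose client-finish reports a failed cert check."""
    certs_seen = defaultdict(int)   # (station, bssid) -> client-cert events in the current attempt
    findings = []
    for line in trace.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue                # command echo, blank or unrelated line
        key = (m["sta"].lower(), m["bssid"].lower())
        if m["event"] in ("station-up", "eap-term-start"):
            certs_seen[key] = 0     # a new attempt starts
        elif m["event"] == "client-cert":
            certs_seen[key] += 1
        elif m["event"] == "client-finish" and "client cert verification failed" in m["rest"]:
            findings.append({"time": m["ts"], "station": key[0], "bssid": key[1],
                             "profile": m["profile"], "client_cert_events": certs_seen[key]})
    return findings

def errorlog_hits(log):
    """Count errorlog lines carrying the 'client certificate ... is not verified' message."""
    return sum(1 for line in log.splitlines() if ERR_RE.search(line))

if __name__ == "__main__":
    for finding in cert_failures(TRACE):
        print(finding)
    print("errorlog hits:", errorlog_hits(ERRORLOG))
```

A station that presented its certificate (client-cert events greater than zero) and still failed at client-finish points at the controller's CA-Certificate rather than at a client that sent no certificate.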
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.