Controllerless Networks


CPPM cert validation for DUR

In the Instant 8.7 guide ...

When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CA, Instant APs are required to publish the root CA for the HTTPS server to the well-known URI (http://<clearpass-fqdn>/.well-known/aruba/clearpass/https-root.pem). The Instant AP must ensure that an FQDN is defined in the above URI for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN.

Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well-known URI and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.

The following CLI command retrieves the CA from the ClearPass Policy Manager FQDN:

(Instant AP)# download-cert clearpassca <url> format pem

So on the "master controller" in my instant cluster

show clearpassca

gives me a null response

When I try to obtain the cert manually, the clearpassca option to the download-cert command isn't there:

Kitchen# download-cert ?
ap1x
ap1xca

So I was wondering ... the text above says:

"Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well-known URI"

So I've created a ClearPass auth server with a CPPM username/password and am doing MAC/dot1x auth successfully.

Is there something else I need to do to make the clearpassca option appear?
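Added example (not from the Instant guide, Aruba's code, or either poster) showing what the anchor the AP stores has to satisfy for DUR to be trustworthy: the PEM served at the well-known URI must be a self-signed root, and the ClearPass HTTPS certificate for the RADIUS FQDN must chain to it. Since the anchor is fetched over plain HTTP, the serial, issuer and subject of the certificate this returns are what an admin should compare against the `show clearpassca` output and against the CA they actually operate. The host cppm.example.test, the CA name and the whole PKI are constructed in ConstructedPKI; that Instant performs exactly a chain-plus-hostname check is an assumption about its implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckDURTrust: the PEM fetched from http://<clearpass-fqdn>/.well-known/aruba/clearpass/https-root.pem must be a
// self-signed root, and the ClearPass HTTPS certificate (DER) presented for fqdn must chain to it at time now.
func CheckDURTrust(anchorPEM, serverDER []byte, fqdn string, now time.Time) (*x509.Certificate, error) {
	block, _ := pem.Decode(anchorPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("well-known URI did not return a PEM CERTIFICATE block")
	}
	ca, errCA := x509.ParseCertificate(block.Bytes)
	srv, errSrv := x509.ParseCertificate(serverDER)
	if errCA != nil || errSrv != nil {
		return nil, errors.New("anchor or server certificate is not valid X.509")
	}
	if !ca.IsCA || ca.Subject.String() != ca.Issuer.String() || ca.CheckSignatureFrom(ca) != nil { // a root, not an intermediate
		return nil, errors.New("anchor is not a self-signed CA certificate")
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// The server-side check: chains to the stored anchor and is issued for the RADIUS FQDN, valid at now.
	if _, err := srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: fqdn, CurrentTime: now}); err != nil {
		return nil, err
	}
	return ca, nil // Serial/Issuer/Subject/NotBefore/NotAfter are the fields "show clearpassca" prints
}

// ConstructedPKI: throwaway root CA plus a server cert for cppm.example.test (constructed stand-ins, runs offline).
func ConstructedPKI(now time.Time) (anchorPEM, serverDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed ClearPass Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "cppm.example.test"}, DNSNames: []string{"cppm.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	serverDER, _ = x509.CreateCertificate(rand.Reader, srv, ca, &srvKey.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), serverDER
}
```

To check a live deployment, replace ConstructedPKI's output with the bytes fetched from the well-known URI and the DER certificate the ClearPass HTTPS listener presents.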

Accepted Solutions
MVP Guru

Re: CPPM cert validation for DUR

Alex,

Thanks for pointing this out, I'll take this to the documentation writers as there is some mix-up between old and new versions here.

For 8.7.0.0:

  • Make sure DNS and NTP are working
  • Configure the RADIUS server like:
    # conf t
    (config) # wlan auth-server cppm
    (Auth Server "cppm") # ip cppm.arubalab.com
    (Auth Server "cppm") # cppm username enter-username-here password and-password-here
    (Auth Server "cppm") # exit
    (config) # exit
    # commit apply
    committing configuration...
    configuration committed.

    Or use the WebUI equivalents.

  • Then after some time (seconds, minutes), the CA will be downloaded:
    AP303H# show clearpassca
    <if empty wait a few seconds>
    
    AP303H# show clearpassca
    
    Default clearpass CA Certificate:
    Version       :2
    Serial Number :44AFB080D6A327BA893039862EF8406B
    Issuer        :/O=Digital Signature Trust Co./CN=DST Root CA X3
    Subject       :/O=Digital Signature Trust Co./CN=DST Root CA X3
    Issued On     :Sep 30 21:12:19 2000 GMT
    Expires On    :Sep 30 14:01:15 2021 GMT
    RSA Key size  :2048 bits
    Signed Using  :RSA-SHA1

So there is no need to trigger the download, and as you found out that command no longer works. I'll report this back.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).


All Replies


Re: CPPM cert validation for DUR

Many thanks for the response.

OK, don't know what I did wrong last time.

Entered ip <fqdn> again and it all just worked, including the show clearpassca command.

Rgds

Alex
