When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CA, Instant APs are required to publish the root CA for the HTTPS server to the well-known URI (http://<clearpass-fqdn>/.well-known/aruba/clearpass/https-root.pem). The Instant AP must ensure that an FQDN is defined in the above URI for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN.
Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well-known URI and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.
The following CLI command retrieves the CA from the ClearPass Policy Manager FQDN:
(Instant AP)# download-cert clearpassca <url> format pem
So on the "master controller" in my instant cluster
show clearpassca
gives me a null response
When I try and obtain the cert manually the clearpassca option to the download-cert command isn't there
Kitchen# download-cert ?
ap1x
ap1xca
so I was wondering ... the text above says
"Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well known URI"
So I've created a clearpass server auth server with a cppm username / password and am doing mac/dot1 auth successfully.
Is there something else I need to do to make the clearpassca option appear?