Controllerless Networks


CPPM cert validation for DUR

  • 1.  CPPM cert validation for DUR

    Posted Jul 08, 2020 04:42 AM

    In Instant 8.7 guide ....

     

    When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CA, Instant APs are required to publish the root CA for the HTTPS server to the well-known URI (http://<clearpass-fqdn>/.well-known/aruba/clearpass/https-root.pem). The Instant AP must ensure that an FQDN is defined in the above URI for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN.

    Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well-known URI and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.

    The following CLI command retrieves the CA from the ClearPass Policy Manager FQDN:

    (Instant AP)# download-cert clearpassca <url> format pem

     

    So on the "master controller" in my instant cluster

    show clearpassca

    gives me a null response

     

    When I try and obtain the cert manually the clearpassca option to the download-cert command isn't there

    Kitchen# download-cert ?
    ap1x
    ap1xca

    so I was wondering ... the text above says

    "Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well known URI"

     

    So I've created a ClearPass auth server with a cppm username / password and am doing MAC/dot1x auth successfully.

     

    Is there something else I need to do to make the clearpassca option appear?



  • 2.  RE: CPPM cert validation for DUR
    Best Answer

    EMPLOYEE
    Posted Jul 09, 2020 08:21 AM

    Alex,

     

    Thanks for pointing this out, I'll take this to the documentation writers as there is some mix-up between old and new versions here.

     

    For 8.7.0.0:

    • Make sure DNS and NTP are working
    • Configure the RADIUS server like:
      # conf t
      (config) # wlan auth-server cppm
      (Auth Server "cppm") # ip cppm.arubalab.com
      (Auth Server "cppm") # cppm username enter-username-here password and-password-here
      (Auth Server "cppm") # exit
      (config) # exit
      # commit apply
      committing configuration...
      configuration committed.

      Or use the WebUI equivalents.

    • Then after some time (seconds, minutes), the CA will be downloaded:
      AP303H# show clearpassca
      <if empty wait a few seconds>
      
      AP303H# show clearpassca
      
      Default clearpass CA Certificate:
      Version       :2
      Serial Number :44AFB080D6A327BA893039862EF8406B
      Issuer        :/O=Digital Signature Trust Co./CN=DST Root CA X3
      Subject       :/O=Digital Signature Trust Co./CN=DST Root CA X3
      Issued On     :Sep 30 21:12:19 2000 GMT
      Expires On    :Sep 30 14:01:15 2021 GMT
      RSA Key size  :2048 bits
      Signed Using  :RSA-SHA1

    So there is no need to trigger the download, and as you found out that command no longer works. I'll report this back.

     



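As an added example (not from the thread, the Instant guide or Aruba's own code), the Python below models the AP-side behaviour the guide excerpt describes and gives an administrator a way to check what was fetched: it derives the well-known URI only when the auth-server `ip` value is an FQDN (the reason `ip <fqdn>` rather than an address matters in the replies), reports the guide's multiple-server case where the CA must be uploaded by hand, and computes a SHA-256 fingerprint of the downloaded PEM so it can be compared with a copy of the ClearPass HTTPS root obtained out of band, since the well-known download itself runs over plain HTTP. All function names, the `http_fetcher`/`sample_fetcher` helpers and the sample certificate bytes are assumptions made for this example; the sample PEM body is a minimal DER placeholder, not a real certificate.

```python
"""Added example, not code from the thread or from Aruba: model the Instant
8.7 well-known CA download and fingerprint the result for an admin check.
Function names, the fetchers and the sample bytes are assumptions."""
import base64
import hashlib
import ipaddress
import re
import urllib.request
from typing import Callable, List, Optional, Tuple

# Well-known path quoted in the Instant 8.7 guide excerpt in the question.
WELL_KNOWN_PATH = "/.well-known/aruba/clearpass/https-root.pem"

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(r"(?=.{1,253}$)(?:" + _LABEL + r"\.)+" + _LABEL)


def is_fqdn(host: str) -> bool:
    """True for a DNS name such as cppm.arubalab.com, False for an IP literal.
    The guide derives the well-known URI only from an FQDN, so an auth-server
    configured with 'ip 10.0.0.5' gets no automatic download."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return _FQDN_RE.fullmatch(host.lower()) is not None


def well_known_ca_uri(host: str) -> Optional[str]:
    """URI the AP would fetch the trust anchor from, or None for a non-FQDN."""
    if not is_fqdn(host):
        return None
    return f"http://{host}{WELL_KNOWN_PATH}"


def trust_anchor_plan(servers: List[str]) -> str:
    """How the CA reaches the AP, following the guide's rules."""
    if len(servers) > 1:
        return "manual"   # more than one CPPM server: upload the CA by hand
    if len(servers) == 1 and is_fqdn(servers[0]):
        return "auto"     # AP fetches it; confirm later with 'show clearpassca'
    return "none"         # IP literal or no server: nothing will be fetched


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and return the DER bytes, rejecting obvious junk."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("body is not a PEM CERTIFICATE block")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der.startswith(b"\x30"):   # an X.509 Certificate is a DER SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most CA tools display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def http_fetcher(uri: str, timeout: float = 5.0) -> str:
    """Real fetcher: plain HTTP GET, as the guide's URI implies."""
    with urllib.request.urlopen(uri, timeout=timeout) as resp:
        return resp.read().decode("ascii")


def verify_trust_anchor(host: str, expected_fp: str,
                        fetcher: Callable[[str], str] = http_fetcher) -> Tuple[bool, str]:
    """Fetch the well-known CA and compare it with an out-of-band fingerprint."""
    uri = well_known_ca_uri(host)
    if uri is None:
        raise ValueError(f"{host!r} is not an FQDN; the AP would fetch nothing")
    seen = fingerprint_sha256(pem_to_der(fetcher(uri)))
    norm = lambda fp: fp.replace(":", "").upper()
    return norm(seen) == norm(expected_fp), seen


# Constructed stand-in for a certificate: a minimal DER SEQUENCE { INTEGER 1 }.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")


def sample_fetcher(uri: str) -> str:
    """Offline stand-in for http_fetcher serving SAMPLE_PEM at the well-known URI."""
    if uri != well_known_ca_uri("cppm.arubalab.com"):
        raise FileNotFoundError(uri)
    return SAMPLE_PEM


if __name__ == "__main__":
    # In practice the expected fingerprint comes from the CPPM server itself.
    expected = fingerprint_sha256(SAMPLE_DER)
    ok, seen = verify_trust_anchor("cppm.arubalab.com", expected, sample_fetcher)
    print("plan :", trust_anchor_plan(["cppm.arubalab.com"]))
    print("match:", ok, seen)
```

Run with the real `http_fetcher` against the FQDN configured on the auth-server and compare the printed fingerprint with the serial and subject shown by `show clearpassca`; a mismatch between the two, or an "auto" plan that never yields output from `show clearpassca`, is the condition worth investigating before trusting downloaded user roles.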
  • 3.  RE: CPPM cert validation for DUR

    Posted Jul 09, 2020 10:11 AM

    Many thanks for the response.

    OK, don't know what I did wrong last time,

    entered ip <fqdn> again and it all just worked, including the show clearpassca command.

     

    Rgds

    Alex