09-23-2019 07:45 AM
I have imported the Subordinate CA into ClearPass, as well as the SSL certificate so that HTTPS successfully works. I now need to import the CA onto the access switch (3810M) to enable the downloadable user role function.
I have followed the guide (Wired Policy Enforcement) and created the ta-profile. However the guide then says to use tftp or sftp to import the certificate, however this is not feasible as the customer will not open the required ports on their DC firewalls. Is there another way to get the certificate onto the switch?
Thanks in advance.
09-23-2019 10:45 AM - edited 09-23-2019 10:47 AM
You can use the USB port, or connect locally to the switch and uplink via a directly connected Ethernet port.
There is no need for manual installation anymore.
From the manual:
To improve the ease of deployment, Aruba switch allows automatic downloading of the root CA certificate of ClearPass servers. As a part of the ZTP process, if the configuration of the switch is provided with an additional keyword ClearPass in RADIUS configuration, the switch will contact ClearPass and download the root CA certificates. This simplifies use cases such as Downloadable User Roles as well as Device Fingerprinting with ClearPass
Please read the latest Access Security Guide for ArubaOS-Switch guide; you will need certain firmware levels on both switch and ClearPass.
# radius-server host <IP> clearpass
# crypto ca-download usage clearpass retry 3
- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
Re: Importing Certificate to 3810M to enable Downloadable Roles for ClearPass
09-24-2019 05:54 AM
Thanks Fabian, I was going to use a USB but couldn't figure out how to associate it with the ta-profile. I will upgrade my switch and give the automatic download a go!