
ArubaOS-Switch – Error Message 05620 dca: 8021X and 05204 dca: Failed Reported in the Log File 

Apr 06, 2020 05:49 PM

Problem:

The following error messages are being reported in the log file.

W 03/18/20 06:25:45 05620 dca: 8021X client 000C2921E66B on port 18 assigned to
            initial role as downloading failed for user role
            Role_Based___Dyni....

W 03/18/20 06:25:45 05204 dca: Failed to apply user role
            Role_Based___Dynimic_SW__User_Role-3050-2_7Z4q to 8021X client
            000C2921E66B on port 18: user role is invalid.



Diagnostics:

When a switch is configured for downloadable user roles, the role is transferred using the SSL protocol (HTTPS). These messages are reported when the switch is unable to download a role from a ClearPass server because of an invalid HTTPS certificate.



Solution:

Verification of the HTTPS certificate transfer can be done by enabling debugging and executing the following CLI commands.

Core-Switch# debug destination session
Core-Switch# debug event
Core-Switch# show debug

 Debug Logging

  Source IP Selection: Outgoing Interface
  Origin identifier: Outgoing Interface IP
  Destination:
   Session

  Time-stamp: System-Uptime

  Enabled debug types:
   event

Core-Switch(config)# show running-config | include clearpass
radius-server host 10.0.106.101 clearpass

Core-Switch(config)# radius-server host 10.0.106.101 clearpass

I 03/18/20 06:49:00 05811 CADownload: Successfully downloaded the certificate
            from 10.0.106.101 server

 

Verification of the certificate validation failure can be done by enabling debugging with the following commands.

Core-Switch# debug destination session
Core-Switch# debug security crypto

Core-Switch# show debug

 Debug Logging

  Source IP Selection: Outgoing Interface
  Origin identifier: Outgoing Interface IP
  Destination:
   Session

  Time-stamp: System-Uptime

  Enabled debug types:
   security crypto


0044:19:11:52.15 CRYP mcppmTask:Unable to find root certificate to validate
   certificate against.

 

Core-Switch# debug destination session
Core-Switch# debug security ssl

Core-Switch# show debug

 Debug Logging

  Source IP Selection: Outgoing Interface
  Origin identifier: Outgoing Interface IP
  Destination:
   Session

  Time-stamp: System-Uptime

  Enabled debug types:
   security ssl

0044:19:13:55.70 SSL  mcppmTask:0
0044:19:13:55.74 SSL  mcppmTask:124059808
0044:19:13:55.78 SSL  mcppmTask:0
0044:19:13:55.82 SSL  mcppmTask:0
0044:19:13:55.85 SSL  mcppmTask:1
0044:19:13:55.89 SSL  mcppmTask:0
0044:19:13:55.93 SSL  mcppmTask:0
0044:19:13:55.96 SSL  mcppmTask:0
0044:19:13:56.00 SSL  mcppmTask:0
0044:19:13:56.04 SSL  mcppmTask:SSL_HANDSHAKE status:
0044:19:13:56.09 SSL  mcppmTask:0
0044:19:13:56.13 SSL  mcppmTask:SSL version =
0044:19:13:56.18 SSL  mcppmTask:3
0044:19:13:56.22 SSL  mcppmTask:
0044:19:13:56.25 SSL  mcppmTask:

0044:19:13:56.29 SSL  mcppmTask:0
0044:19:13:56.33 SSL  mcppmTask: (CLIENT)
0044:19:13:56.37 SSL  mcppmTask: Client Hello
0044:19:13:56.43 SSL  mcppmTask:

0044:19:13:56.46 SSL  mcppmTask:0
0044:19:13:56.50 SSL  mcppmTask: (CLIENT)
0044:19:13:56.54 SSL  mcppmTask: Server hello
0044:19:13:56.59 SSL  mcppmTask:

0044:19:13:56.63 SSL  mcppmTask:0
0044:19:13:56.67 SSL  mcppmTask:0
0044:19:13:56.70 SSL  mcppmTask:0
0044:19:13:56.74 SSL  mcppmTask:0
0044:19:13:56.78 SSL  mcppmTask:0
0044:19:13:56.81 SSL  mcppmTask:0
0044:19:13:56.85 SSL  mcppmTask:SSL_HANDSHAKE status:
0044:19:13:56.91 SSL  mcppmTask:0
0044:19:13:56.94 SSL  mcppmTask:handleClientHandshakeMessages() returns status =
0044:19:13:57.03 SSL  mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.10 SSL  mcppmTask:SSL_SOCK_receive() returns status =
0044:19:13:57.17 SSL  mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.24 SSL  mcppmTask:SSL:doProtocol() returns status =
0044:19:13:57.31 SSL  mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.37 SSL  mcppmTask:SSL_negotiateConnection() returns status =
0044:19:13:57.45 SSL  mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.52 SSL  mcppmTask:SSL_closeConnection() from AppType:
0044:19:13:57.59 SSL  mcppmTask:4
0044:19:13:57.63 SSL  mcppmTask:0
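
The correlation described above can be automated when reviewing a captured session log. The following is an added example, not code from HPE or from the original article: it unwraps the multi-line event-log entries, pairs each split "status" label in the SSL debug stream with the value printed on the next line, and reports role failures alongside any missing-trust-anchor status. The function names and regular expressions are assumptions based only on the log format shown on this page.

```python
import re

# Constructed sample: a subset of the log lines shown on this page.
SAMPLE = """\
W 03/18/20 06:25:45 05204 dca: Failed to apply user role
            Role_Based___Dynimic_SW__User_Role-3050-2_7Z4q to 8021X client
            000C2921E66B on port 18: user role is invalid.
0044:19:13:56.85 SSL  mcppmTask:SSL_HANDSHAKE status:
0044:19:13:56.91 SSL  mcppmTask:0
0044:19:13:56.94 SSL  mcppmTask:handleClientHandshakeMessages() returns status =
0044:19:13:57.03 SSL  mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.37 SSL  mcppmTask:SSL_negotiateConnection() returns status =
0044:19:13:57.45 SSL  mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
"""

# Patterns are assumptions inferred from the excerpts above.
EVENT = re.compile(r"^([IWE]) (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d{5}) (\w+): (.*)$")
DEBUG = re.compile(r"^(\d{4}:\d\d:\d\d:\d\d\.\d\d) (\w+)\s+(\w+):(.*)$")
ROLE_FAIL = re.compile(r"Failed to apply user role (\S+) to 8021X client (\w+) on port (\d+)")

def parse(text):
    """Return (events, statuses): unwrapped event-log entries and
    (label, value) pairs rebuilt from the split SSL debug lines."""
    events, statuses, pending, cont = [], [], None, None
    for line in text.splitlines():
        if m := EVENT.match(line):
            cont = {"sev": m[1], "time": m[2], "id": m[3], "msg": m[5]}
            events.append(cont)
        elif m := DEBUG.match(line):
            cont, body = None, m[4].strip()
            if pending and body:                      # value for the previous label
                statuses.append((pending, body))
                pending = None
            elif body.endswith(("status =", "status:")):
                pending = body.split()[0]             # e.g. "SSL:doProtocol()"
        elif cont and line[:1] == " " and line.strip():
            cont["msg"] += " " + line.strip()         # wrapped event-log line
    return events, statuses

def diagnose(text):
    """List 05204 role failures and the calls that reported no trust anchor."""
    events, statuses = parse(text)
    failed = [m.groups() for e in events
              if e["id"] == "05204" and (m := ROLE_FAIL.search(e["msg"]))]
    no_anchor = [lbl for lbl, val in statuses if val == "ERR_CERT_CHAIN_NO_TRUST_ANCHOR"]
    return {"role_failures": failed, "no_trust_anchor_in": no_anchor}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```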
