Problem:
The following error messages are being reported in the log file.
W 03/18/20 06:25:45 05620 dca: 8021X client 000C2921E66B on port 18 assigned to
initial role as downloading failed for user role
Role_Based___Dyni....
W 03/18/20 06:25:45 05204 dca: Failed to apply user role
Role_Based___Dynimic_SW__User_Role-3050-2_7Z4q to 8021X client
000C2921E66B on port 18: user role is invalid.
Diagnostics:
When a switch is configured for downloadable User-Roles, the role is transferred over SSL (HTTPS). These messages are reported when the switch is unable to download a role from a ClearPass server because of an invalid HTTPS certificate.
Solution:
The HTTPS certificate transfer can be verified by enabling debugging and executing the following CLI commands.
Core-Switch# debug destination session
Core-Switch# debug event
Core-Switch# show debug
Debug Logging
Source IP Selection: Outgoing Interface
Origin identifier: Outgoing Interface IP
Destination:
Session
Time-stamp: System-Uptime
Enabled debug types:
event
Core-Switch(config)# show running-config | include clearpass
radius-server host 10.0.106.101 clearpass
Core-Switch(config)# radius-server host 10.0.106.101 clearpass
I 03/18/20 06:49:00 05811 CADownload: Successfully downloaded the certificate
from 10.0.106.101 server
The certificate validation failure can be confirmed by enabling debugging with the following commands.
Core-Switch# debug destination session
Core-Switch# debug security crypto
Core-Switch# show debug
Debug Logging
Source IP Selection: Outgoing Interface
Origin identifier: Outgoing Interface IP
Destination:
Session
Time-stamp: System-Uptime
Enabled debug types:
security crypto
0044:19:11:52.15 CRYP mcppmTask:Unable to find root certificate to validate
certificate against.
Core-Switch# debug destination session
Core-Switch# debug security ssl
Core-Switch# show debug
Debug Logging
Source IP Selection: Outgoing Interface
Origin identifier: Outgoing Interface IP
Destination:
Session
Time-stamp: System-Uptime
Enabled debug types:
security ssl
0044:19:13:55.70 SSL mcppmTask:0
0044:19:13:55.74 SSL mcppmTask:124059808
0044:19:13:55.78 SSL mcppmTask:0
0044:19:13:55.82 SSL mcppmTask:0
0044:19:13:55.85 SSL mcppmTask:1
0044:19:13:55.89 SSL mcppmTask:0
0044:19:13:55.93 SSL mcppmTask:0
0044:19:13:55.96 SSL mcppmTask:0
0044:19:13:56.00 SSL mcppmTask:0
0044:19:13:56.04 SSL mcppmTask:SSL_HANDSHAKE status:
0044:19:13:56.09 SSL mcppmTask:0
0044:19:13:56.13 SSL mcppmTask:SSL version =
0044:19:13:56.18 SSL mcppmTask:3
0044:19:13:56.22 SSL mcppmTask:
0044:19:13:56.25 SSL mcppmTask:
0044:19:13:56.29 SSL mcppmTask:0
0044:19:13:56.33 SSL mcppmTask: (CLIENT)
0044:19:13:56.37 SSL mcppmTask: Client Hello
0044:19:13:56.43 SSL mcppmTask:
0044:19:13:56.46 SSL mcppmTask:0
0044:19:13:56.50 SSL mcppmTask: (CLIENT)
0044:19:13:56.54 SSL mcppmTask: Server hello
0044:19:13:56.59 SSL mcppmTask:
0044:19:13:56.63 SSL mcppmTask:0
0044:19:13:56.67 SSL mcppmTask:0
0044:19:13:56.70 SSL mcppmTask:0
0044:19:13:56.74 SSL mcppmTask:0
0044:19:13:56.78 SSL mcppmTask:0
0044:19:13:56.81 SSL mcppmTask:0
0044:19:13:56.85 SSL mcppmTask:SSL_HANDSHAKE status:
0044:19:13:56.91 SSL mcppmTask:0
0044:19:13:56.94 SSL mcppmTask:handleClientHandshakeMessages() returns status =
0044:19:13:57.03 SSL mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.10 SSL mcppmTask:SSL_SOCK_receive() returns status =
0044:19:13:57.17 SSL mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.24 SSL mcppmTask:SSL:doProtocol() returns status =
0044:19:13:57.31 SSL mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.37 SSL mcppmTask:SSL_negotiateConnection() returns status =
0044:19:13:57.45 SSL mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.52 SSL mcppmTask:SSL_closeConnection() from AppType:
0044:19:13:57.59 SSL mcppmTask:4
0044:19:13:57.63 SSL mcppmTask:0
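The debug output above prints each status label and its value on separate lines, which makes the failure easy to miss in a long capture. The following Python sketch is an added example, not part of the original article or of any Aruba tooling: it re-joins wrapped lines, pairs each "returns status =" label with the value that follows, and reports the certificate trust failures. The sample input is built from lines shown on this page; the function names and the "ERR_CERT_" prefix match are assumptions.

```python
import re

# Constructed sample: a subset of the debug lines shown on this page.
SAMPLE = """\
0044:19:11:52.15 CRYP mcppmTask:Unable to find root certificate to validate
certificate against.
0044:19:13:56.85 SSL mcppmTask:SSL_HANDSHAKE status:
0044:19:13:56.91 SSL mcppmTask:0
0044:19:13:56.94 SSL mcppmTask:handleClientHandshakeMessages() returns status =
0044:19:13:57.03 SSL mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.37 SSL mcppmTask:SSL_negotiateConnection() returns status =
0044:19:13:57.45 SSL mcppmTask:ERR_CERT_CHAIN_NO_TRUST_ANCHOR
0044:19:13:57.52 SSL mcppmTask:SSL_closeConnection() from AppType:
0044:19:13:57.59 SSL mcppmTask:4
"""

# uptime timestamp, debug module (CRYP/SSL), task name, message text
LINE = re.compile(r"^(\d{4}:\d{2}:\d{2}:\d{2}\.\d{2}) (\w+) (\w+):(.*)$")

def parse(text):
    """Return (timestamp, module, message) records, re-joining wrapped lines."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            records.append([m.group(1), m.group(2), m.group(4).strip()])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()  # continuation of a wrapped line
    return [tuple(r) for r in records]

def trust_failures(text):
    """Pair each status label with the value on the next record and return
    (timestamp, source, detail) for entries showing a certificate failure."""
    recs = parse(text)
    hits = []
    for i, (ts, mod, msg) in enumerate(recs):
        if mod == "CRYP" and "Unable to find root certificate" in msg:
            hits.append((ts, "CRYP", msg))
        elif mod == "SSL" and msg.endswith("returns status =") and i + 1 < len(recs):
            value = recs[i + 1][2]
            # Assumption: certificate errors share the ERR_CERT_ prefix seen above.
            if value.startswith("ERR_CERT_"):
                hits.append((ts, msg.split("(")[0], value))
    return hits

if __name__ == "__main__":
    for ts, where, what in trust_failures(SAMPLE):
        print(f"{ts}  {where}: {what}")
```

A capture that contains only "SSL_HANDSHAKE status:" followed by 0 produces no hits, so an empty result on a full capture points away from a missing trust anchor.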