Wired Intelligent Edge (Campus Switching and Routing)

DUP on CX switch

When working with a "normal" ArubaOS switch (ProVision on steroids), the radius-server host a.b.c.g clearpass command automagically stores the root CA of the HTTPS cert on the CPPM server, so that the switch can validate the CPPM HTTPS cert when pulling down downloadable user profiles (using a pre-defined user ID and password).

In CX, although you can specify a ClearPass user and password, I haven't found a simple way of doing the same.

Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)

I used the crypto pki ta-profile command to create a profile and uploaded the Let's Encrypt root onto the switch from the command line, but it didn't seem to make much difference.

If someone could point me at the section in the appropriate manual, it would be much appreciated.


Accepted Solutions
Regular Contributor II

Re: DUP on CX switch

Just add the certificates to the switch, and ensure the ClearPass certificate subject name matches the server FQDN you set on the switch. Make sure you add both the root CA and intermediate CA certificates:

crypto pki ta-profile <root>
  certificate of the root
crypto pki ta-profile <intermediate>
  certificate of the intermediate

I also did the following, to ensure no race condition happens when I reboot the switch:

ip dns host cppm.mydomain.com 192.168.1.1


All Replies

Re: DUP on CX switch

Hi,

Well, I did most of that, and it didn't work. What I didn't do was set up an FQDN for the CPPM server; I used an IP address.

Added an FQDN entry and it still didn't work. Rebooted the switch and it all sprang into life.

Many thanks

Alex

Regular Contributor II

Re: DUP on CX switch

IP would only work if you had the IP address on your ClearPass certificate (highly unlikely).

So, the server must be added with FQDN, not IP.

The IP dns entry just makes it so that you don't depend on your DNS servers being reachable.

Unsure why you required a reboot though.
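As an added example (not from this thread, and not Aruba's code), the following shell script uses the openssl command line to reproduce on a workstation the two checks behind the accepted answer and the FQDN-versus-IP point above: the switch only accepts the ClearPass HTTPS certificate if it chains to a trust anchor it holds, and if the certificate's name matches the server name configured on the switch. It builds a throwaway root, intermediate and server certificate; all keys, names and files are constructed, and cppm.mydomain.com and 192.168.1.1 are the placeholder values from the answer. It assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> server chain, then the two
# checks a switch applies to the ClearPass HTTPS certificate. Everything here
# is constructed; nothing is taken from a real ClearPass deployment.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA profile for root/intermediate, leaf profile for the server
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cppm.mydomain.com\nextendedKeyUsage=serverAuth\n' > server.ext

# Self-signed root CA (constructed)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate CA signed by the root
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null

# Server certificate for the ClearPass FQDN, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cppm.mydomain.com" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile server.ext -out server.pem 2>/dev/null

# Two trust stores, mirroring one ta-profile (root only) versus two (root and
# intermediate), as the accepted answer recommends.
cp root.pem anchors_root_only.pem
cat root.pem inter.pem > anchors_root_and_inter.pem

# verify_chain ANCHORS: succeeds only if server.pem chains to ANCHORS using the
# trust store alone (i.e. the server does not hand over the intermediate).
verify_chain() {
  openssl verify -CAfile "$1" server.pem >/dev/null 2>&1
}

# verify_host NAME: succeeds only if the certificate's SAN matches NAME, the
# value that would have been configured as the ClearPass host on the switch.
verify_host() {
  openssl verify -CAfile anchors_root_and_inter.pem -verify_hostname "$1" \
    server.pem >/dev/null 2>&1
}

# Stand-alone run: report each check
for check in "verify_chain anchors_root_only.pem" \
             "verify_chain anchors_root_and_inter.pem" \
             "verify_host cppm.mydomain.com" \
             "verify_host 192.168.1.1"; do
  if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```

Running it shows the root-only store failing (the intermediate is missing, so the chain cannot be built), the root-plus-intermediate store passing, the FQDN matching, and the IP address failing because the certificate only carries a DNS name; that last failure is the same reason the switch rejects a server configured by IP rather than FQDN.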

 

Re: DUP on CX switch

Certainly all works now; I just assumed it would follow on from an ArubaOS switch, which is far more user friendly from the cert installation point of view.
On that learning curve
A