Wired Intelligent Edge

DUP on CX switch

  • 1.  DUP on CX switch

    Posted Oct 13, 2020 04:20 AM

    When working with a "normal" ArubaOS switch (ProVision on steroids), the radius-server host a.b.c.g clearpass command automagically stores the root CA of the HTTPS cert on the CPPM server, so that the switch can validate the CPPM HTTPS cert when pulling down downloadable user profiles (using a pre-defined user ID and password).

    In CX, although you can specify a ClearPass user and password, I haven't found a simple way of doing the same.

    Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)

    I used the crypto pki ta-profile command to create a profile and uploaded the Let's Encrypt root onto the switch from the command line, but it didn't seem to make much difference.

    If someone could point me at the section in the appropriate manual, it would be much appreciated.



  • 2.  RE: DUP on CX switch
    Best Answer

    Posted Oct 13, 2020 06:46 AM

    Just add the certificates to the switch, and ensure the ClearPass certificate subject name matches the server FQDN you set on the switch. Make sure you add both the root CA and intermediate CA certificates:

    crypto pki ta-profile <root>
      certificate of the root
    crypto pki ta-profile <intermediate>
      certificate of the intermediate

    I also did the following, to ensure no race condition happens when I reboot the switch:

    ip dns host cppm.mydomain.com 192.168.1.1


  • 3.  RE: DUP on CX switch

    Posted Oct 13, 2020 10:36 AM

    Hi,

    Well, I did most of that, and it didn't work. What I didn't do was set up an FQDN for the CPPM server; I used an IP address.

    Added an FQDN entry and it still didn't work. Rebooted the switch and it all sprang into life.

    Many thanks

    Alex



  • 4.  RE: DUP on CX switch

    Posted Oct 13, 2020 12:59 PM

    IP would only work if you had the IP address on your ClearPass certificate (highly unlikely).

    So, the server must be added with FQDN, not IP.

    The ip dns host entry just makes it so that you don't depend on your DNS servers to be reachable.

    Unsure why you required a reboot though.



  • 5.  RE: DUP on CX switch

    Posted Oct 13, 2020 02:13 PM
    Certainly all works now; I just assumed it would follow on from an ArubaOS switch, which is far more user-friendly from the cert installation point of view. On that learning curve.
    A


  • 6.  RE: DUP on CX switch

    Posted Nov 03, 2020 05:47 PM
    Hello, after a lot of troubleshooting, we found the fix to this exact issue.

    Regarding the issue: Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)

    Resolution:
    The Common Name of the certificate MUST match the radius-server host DNS entry in the switch.

    We originally used the same HTTPS certificate with multiple SANs of all of our appliance names, which no longer works when using UBT with ArubaOS-CX.

    In our large deployment, we ended up having to generate individual certificates for each ClearPass appliance with its name as the Common Name, and then used the same SANs to assist us with WebUI management and captive-portal redirections.

    Changing the ClearPass hostname and/or FQDN did not change the outcome in our testing.

    Hope this helps the next!

    -Mat

    ------------------------------
    Mat Lehn
    ------------------------------
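Added example, not from this thread and not HPE Aruba's or ClearPass's own tooling: a POSIX shell script that uses openssl to build a throwaway root -> intermediate -> server chain with made-up names (example.com) and reproduces the two checks the thread turns on, namely post 2's point that both the root and the intermediate CA must be trusted before the server cert verifies, and post 6's point about which name in the certificate gets compared with the FQDN configured in radius-server host. Assumptions: openssl 1.1.1 or later is on PATH, and the certificate names are invented. Whether the switch's "verification failure (20)" reuses OpenSSL's verify error numbering, where 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate"), is not stated in the thread; the script only shows that a missing intermediate produces that code in openssl, so treat the mapping as a guess to check against your own certificates.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> server
# with openssl and run the checks a switch would run before trusting CPPM.
# All hostnames and CA names below are made up.
set -e

WORK=$(mktemp -d)

# Minimal openssl config. The server section mirrors the situation described
# in post 6: the CN is one (cluster) name while the SAN lists the appliances.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cppmnd1.example.com, DNS:cppmnd2.example.com
EOF

# make_chain DIR: writes root.pem, inter.pem and server.pem (plus keys) to DIR.
make_chain() {
  d=$1
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7 \
    -subj "/CN=Example Root CA" -config "$d/ca.cnf" -extensions v3_ca \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -config "$d/ca.cnf" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 7 -in "$d/inter.csr" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=cppm.example.com" -config "$d/ca.cnf" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 7 -in "$d/server.csr" \
    -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -extfile "$d/ca.cnf" -extensions v3_server -out "$d/server.pem" 2>/dev/null
}

# verify_chain SERVER ROOT [INTERMEDIATE]: exit 0 only if the chain verifies.
# Omitting the intermediate is the "root CA only" mistake from post 2.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# verify_error_code SERVER ROOT: numeric X509 verify error with root only
# (no intermediate), or 0 when the chain is fine.
verify_error_code() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  printf '%s\n' "${code:-0}"
}

# verify_hostname SERVER ROOT INTERMEDIATE NAME: exit 0 only if NAME matches
# the certificate under openssl's RFC 6125 rules (SAN dNSName entries win;
# the CN is consulted only when the cert has no SAN dNSName at all).
verify_hostname() {
  openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

# cert_cn CERT: print the subject CN.  cert_sans CERT: print the SAN list.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN *= *\([^,/]*\).*/\1/'
}
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | tr -d ' '
}

make_chain "$WORK"
echo "CN:   $(cert_cn "$WORK/server.pem")"
echo "SANs: $(cert_sans "$WORK/server.pem")"
if verify_chain "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem"; then
  echo "root + intermediate trusted: chain OK"
fi
echo "root only: openssl verify error $(verify_error_code "$WORK/server.pem" "$WORK/root.pem")"
for name in cppmnd1.example.com cppm.example.com; do
  if verify_hostname "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem" "$name"; then
    echo "$name: matches"
  else
    echo "$name: does NOT match (CN is ignored once SAN dNSNames exist)"
  fi
done
```

Two things to take from running it. First, trusting only the root reproduces the "unable to get local issuer certificate" failure (openssl error 20); loading the intermediate into its own ta-profile, as post 2 does, is what makes the chain verify. Second, openssl's hostname check accepts cppmnd1.example.com (a SAN) but rejects cppm.example.com (the CN), the opposite of what post 6 reports for the CX switch, which wanted the CN to match. Different validators look in different places, so the safe layout for a ClearPass server certificate is to put the exact FQDN used in radius-server host both in the CN and in the SAN list, then run a check like this against the very files you load into the ta-profiles.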