Hello, after a lot of troubleshooting, we found the fix to this exact issue.
In regards to the Issue: Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)
Resolution:
The Common Name of the certificate MUST match the radius-server host DNS entry in the switch.
We originally used the same HTTPS certificate with multiple SANs for all of our appliance names, which no longer works when using UBT with ArubaOS-CX.
In our large deployment, we ended up having to generate individual certificates for each ClearPass appliance as the Common Name and then used the same SANs to assist us with WebUI management and captive-portal redirections.
Changing the ClearPass hostname and/or FQDN did not change the outcome in our testing.
Hope this helps the next!
-Mat
------------------------------
Mat Lehn
------------------------------
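Added example, not part of Mat's post or the rest of this thread: a POSIX shell script that reproduces, on a workstation with openssl, the two checks a practitioner would run before touching the switch. It builds a constructed three-tier PKI (root, issuing CA, ClearPass server certificate) with the hypothetical names cppm1.example.net, cppm2.example.net and clearpass.example.net, and the server certificate mirrors the setup Mat describes: one name in the CN, every appliance name in the SAN. OpenSSL verify error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate"), which is what you get when a leaf is verified against the root alone and the issuing CA is not available; the script shows that chain case next to the CN comparison the post identifies as the fix, and next to OpenSSL's own -verify_hostname, which accepts a name that appears only in the SAN.

```shell
#!/bin/sh
# Added example (not from the thread). The PKI and the *.example.net
# hostnames are constructed here so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed chain: root -> issuing CA -> ClearPass server certificate.
# The leaf mimics the original setup: one CN, all appliance names in the SAN.
build_pki() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/inter.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/inter.ext" \
    -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=cppm1.example.net" -keyout "$WORK/cppm.key" -out "$WORK/cppm.csr" 2>/dev/null
  printf '%s\n' \
    'subjectAltName=DNS:cppm1.example.net,DNS:cppm2.example.net,DNS:clearpass.example.net' \
    'extendedKeyUsage=serverAuth' > "$WORK/cppm.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/cppm.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/cppm.ext" \
    -out "$WORK/cppm.pem" 2>/dev/null
}

# Prints the OpenSSL X509 verify error code for CERT against trust anchor TA,
# passing any further arguments (e.g. -untrusted FILE, -verify_hostname NAME)
# straight to openssl verify. 0 means the chain verified; 20 is
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 62 is X509_V_ERR_HOSTNAME_MISMATCH.
verify_code() {
  cert=$1; ta=$2; shift 2
  out=$(openssl verify -CAfile "$ta" "$@" "$cert" 2>&1) && { echo 0; return; }
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-unknown}"
}

# Subject CN as a plain string: the value the post says must equal the
# radius-server host DNS entry on the switch.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS names from the subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Exit 0 when HOST is exactly the certificate's CN.
cn_matches() { [ "$(cert_cn "$1")" = "$2" ]; }

# Exit 0 when HOST is one of the SAN DNS names.
san_contains() { cert_sans "$1" | grep -qx "$2"; }

build_pki
CERT=$WORK/cppm.pem; ROOT=$WORK/root.pem; INTER=$WORK/inter.pem
echo "chain, root only (issuing CA missing): code $(verify_code "$CERT" "$ROOT")"
echo "chain, root + issuing CA:              code $(verify_code "$CERT" "$ROOT" -untrusted "$INTER")"
# One line per name you would put in "radius-server host".
for host in cppm1.example.net cppm2.example.net cppm3.example.net; do
  cn=no; san=no
  cn_matches "$CERT" "$host" && cn=yes
  san_contains "$CERT" "$host" && san=yes
  hn=$(verify_code "$CERT" "$ROOT" -untrusted "$INTER" -verify_hostname "$host")
  echo "$host: CN match=$cn  in SAN=$san  openssl -verify_hostname code=$hn"
done
```

Run it with sh; it prints the two chain results and one line per hostname. To check a real deployment, point cert_cn and cert_sans at the HTTPS certificate exported from each ClearPass appliance and compare the CN against the exact name configured in `radius-server host`; a name that only appears in the SAN shows up as "in SAN=yes" with "CN match=no".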
Original Message:
Sent: Oct 13, 2020 04:20 AM
From: Alex Sharaz
Subject: DUP on CX switch
When working with a "normal" ArubaOS switch (ProVision on steroids), the radius-server host a.b.c.g clearpass command automagically stores the root CA of the HTTPS cert on the CPPM server so that the switch can validate the CPPM HTTPS cert when pulling down downloadable user profiles (using a pre-defined user ID and password).
In CX, although you can specify a ClearPass user and password, I haven't found a simple way of doing the same.
Event|7709|LOG_WARN|MSTR|1|Certificate cppmnd2.sharaz.info rejected due to verification failure (20)
I used the crypto pki ta-profile command to create a profile and uploaded the Let's Encrypt root onto the switch from the command line, but it didn't seem to make much difference.
If someone could point me at the section in the appropriate manual, it would be much appreciated.