Hi,
We have a working Clearpass production environment with 1 publisher and 2 subscribers, running code 6.8.9.120997.
The past few days I've been battling adding a third subscriber. The first issue I discovered was with a controller contacting the new subscriber for downloadable user roles. The role would end up in an error state on the controller, with the controller logging:
Sep 23 13:48:18 authmgr[3623]: <124830> <3623> <ERRS> |authmgr| Dldb Role 2012_B2_A_Veni-3161-15: Users dequeued, role in incomplete state
Sep 23 13:48:18 authmgr[3623]: <199802> <3623> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:123: Dldb Role 2012_B2_A_Veni-3161-15: Curl response with HTTP code: 401
We have a GlobalSign public HTTPS cert for captive portal. This issuer is trusted on all nodes. After a bit of troubleshooting we attempted to generate a new self-signed DB cert on the new subscriber, including
DNS:<IP of Publisher>,DNS:<IP of Subscriber>
This resulted in downloadable roles from the new subscriber working, but apparently broke part of the database connection (although all authentications were seemingly working fine).
We reinstalled the subscriber and re-joined, so now we're back to the start. I am finding a lot of conflicting information regarding best practice for database certificate handling, so my question is: what is the correct approach? My impression now is that it should be handled automatically by the cluster. I believe we were impacted by the 1 year expiry of DB certs in a previous version, but that should be fixed now.
A second issue we've encountered is self-registration for guests towards the new subscriber. The subscriber can handle the captive portal page as well as do mac-auth, however we need to point the dot1x-server-group in the captive portal profile to the publisher. Otherwise, the endpoint is "not found" when the user clicks login after registration, and he/she is directed back to the registration portal. Could there be some sort of delay in the endpoint database sync? If we just wait a little and reconnect the client, the mac-auth brings the device online just fine. The two other subscribers handle all guest-related traffic individually without issues. Latency is not an issue on this new site; it has a better connection than any of the existing subscribers.
Any help greatly appreciated! Will contact TAC next week if I can't progress.
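The two controller log lines quoted in the post are the only evidence of the downloadable-role failure, so a small parser that pulls the role name and the HTTP status out of ArubaOS authmgr "Dldb Role" messages makes it easier to see which roles fail, how often, and whether the failure is a 401 (rejected by the ClearPass node) rather than a timeout or a 5xx. This is an added example, not code from the post or from Aruba; the sample log is constructed from the two quoted lines plus invented variants, and the message layout (`<msgid> <pid> <severity> |authmgr| ...`) is assumed from those lines only.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the post plus two invented
# variants (one success, one repeat) so the grouping below has something to show.
SAMPLE_LOG = """\
Sep 23 13:48:18 authmgr[3623]: <124830> <3623> <ERRS> |authmgr| Dldb Role 2012_B2_A_Veni-3161-15: Users dequeued, role in incomplete state
Sep 23 13:48:18 authmgr[3623]: <199802> <3623> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:123: Dldb Role 2012_B2_A_Veni-3161-15: Curl response with HTTP code: 401
Sep 23 13:49:02 authmgr[3623]: <199802> <3623> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:123: Dldb Role Guest-Role-7: Curl response with HTTP code: 200
Sep 23 13:50:11 authmgr[3623]: <199802> <3623> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:123: Dldb Role 2012_B2_A_Veni-3161-15: Curl response with HTTP code: 401
"""

# Outer line shape, assumed from the quoted lines: timestamp, process, three
# angle-bracket fields (message id, pid, severity), then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) authmgr\[\d+\]: "
    r"<(?P<msgid>\d+)> <\d+> <(?P<sev>\w+)> \|authmgr\| (?P<msg>.*)$"
)
# Role name has no spaces in the quoted lines; stop at the first ": ".
ROLE_RE = re.compile(r"Dldb Role (?P<role>\S+?): (?P<detail>.*)$")
HTTP_RE = re.compile(r"Curl response with HTTP code: (?P<code>\d{3})")


def parse_line(line):
    """Return a dict for one authmgr line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "msgid": m["msgid"],
        "sev": m["sev"],
        "role": None,
        "detail": m["msg"],
        "http_code": None,
    }
    r = ROLE_RE.search(m["msg"])
    if r:
        rec["role"] = r["role"]
        rec["detail"] = r["detail"]
        h = HTTP_RE.search(r["detail"])
        if h:
            rec["http_code"] = int(h["code"])
    return rec


def summarize(log_text):
    """Group downloadable-role fetch failures (HTTP >= 400) by role, and list
    roles the controller reported as left in an incomplete state."""
    failures = defaultdict(list)
    incomplete = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["role"] is None:
            continue
        if rec["http_code"] is not None and rec["http_code"] >= 400:
            failures[rec["role"]].append((rec["ts"], rec["http_code"]))
        if "incomplete state" in rec["detail"]:
            incomplete.add(rec["role"])
    return {"failures": dict(failures), "incomplete_roles": sorted(incomplete)}


if __name__ == "__main__":
    for role, events in summarize(SAMPLE_LOG)["failures"].items():
        codes = sorted({code for _, code in events})
        print(f"{role}: {len(events)} failed fetch(es), HTTP {codes}")
```

Run against `show log security` / `show log system` output from the controller (or the syslog copy) instead of `SAMPLE_LOG`; a role that appears only under HTTP 401 from one specific node, as in the post, points at that node's API authentication or certificate trust rather than at the role definition itself.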