Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass RADSEC Error

  • 1.  ClearPass RADSEC Error

    Posted 24 days ago

    Hello to all,

    We are in the migration from ClearPass 6.10 to 6.11. We successfully installed the new cluster with version 6.11.7.257550. Then, for testing, we wanted to migrate some CX switches to the new ClearPass. First we started with a JL659A and everything went well. Then we added a JL666A and strange things happened: the RADIUS service on ClearPass stopped working and the following error message appeared.

    As soon as I configured the RADIUS on the JL666A, the RADIUS service on ClearPass came back to life.

    The "show crypto pki certificate device-identity" on the JL666A:

    Certificate Name: device-identity
      Associated Applications:
        radsec-client
      Certificate Status: installed
      EST Status: n/a
      Certificate Type: regular
      Intermediates:
        Subject: CN = HP Device Intermediate CA 103, OU = HP Networking, O = Hewlett-Packard Development Company, ST = CA, C = US
          Issuer: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
          Serial Number: 0xC75ED972416647E883AD3D2F8A10C4D6
        Subject: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
          Issuer: CN = HP Devices CA 01, O = Hewlett-Packard Development Company, ST = CA, C = US
          Serial Number: 0x17E5BFDA38654585BA7F1F3442F6BB8F
      Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:0b:01:c9:74:c2:f2:40:ea:af:3b:5c:b9:df:21:0a:14
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=HP Device Intermediate CA 103, OU=HP Networking, O=Hewlett-Packard Development Company, ST=CA, C=US
            Validity
                Not Before: Nov 17 02:12:04 2020 GMT
                Not After : Jan 26 01:55:09 2031 GMT
            Subject: OU=HP Networking EVPG, O=Hewlett-Packard Development Company, ST=CA, C=US, CN=JL666A/serialNumber=SG0AKN500H, BaseMAC 64E881-471100
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:9f:9c:13:a0:a6:de:6a:db:1b:eb:8e:a2:97:32:
                        8f:8c:be:47:13:d7:60:ff:c6:f7:8d:6c:73:c2:4e:
                        bc:6b:cb:a9:b0:e7:56:7e:65:c3:12:c3:af:cb:a1:
                        89:9b:1e:9b:09:af:db:c6:1b:c9:5f:4c:40:62:92:
                        1b:37:0c:e4:99:cf:a2:12:2b:aa:85:2b:22:70:b1:
                        41:7c:a4:85:83:02:7c:83:ed:eb:67:9c:81:f5:92:
                        31:0e:78:70:1b:ec:3b:4a:9d:0b:e0:52:f8:32:30:
                        a6:27:df:75:d3:85:a2:0a:c2:6c:f4:25:92:fd:93:
                        19:b3:28:08:2c:c1:c0:64:77:cd:47:51:5f:d7:ea:
                        a1:02:77:df:e9:9c:d5:59:0d:a9:13:b3:e6:bd:d3:
                        0c:5e:e6:0c:df:af:ed:61:9f:43:7f:c1:17:00:0f:
                        ff:62:4f:89:a9:eb:9f:e5:26:aa:88:5c:81:e2:13:
                        a8:e9:d5:18:c3:83:fd:19:a5:86:ea:37:c0:63:5b:
                        98:4a:50:02:34:68:92:11:28:86:82:e9:4f:48:77:
                        dc:52:3f:f4:a4:61:fb:f5:0c:86:dc:7b:0a:0b:77:
                        3d:af:f2:f4:0f:ae:c2:9f:ca:0e:ed:b8:c4:76:82:
                        60:ca:fa:39:74:5b:36:67:f0:1c:db:a6:6f:b8:8a:
                        e7:bb
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Subject Key Identifier:
                    21:2F:C6:8E:C0:17:ED:09:C2:5D:80:63:50:BF:8A:BB:78:D0:A0:7C
                X509v3 Authority Key Identifier:
                    keyid:C6:1A:A7:F4:87:99:2D:EC:83:6A:B3:0F:EE:C5:32:EE:84:5B:24:03
                    DirName:/CN=Device Intermediate CA 01/OU=HP Networking EVPG/O=Hewlett-Packard Development Company/ST=CA/C=US
                    serial:C7:5E:D9:72:41:66:47:E8:83:AD:3D:2F:8A:10:C4:D6
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.14823.4.2.4
                    Policy: 2.23.133.6.1.2
                X509v3 Subject Alternative Name:
                    0". ..0....@.. @l....H......\*.9....
        Signature Algorithm: sha256WithRSAEncryption
             04:b5:0e:43:47:75:0b:80:b7:73:2a:1a:02:5e:49:aa:34:a2:
             d2:ab:7a:45:c6:76:fd:f6:d4:a8:e3:4c:70:db:18:a5:85:50:
             b3:5a:97:93:55:1c:4f:4f:89:1b:b0:d2:b8:11:14:92:4a:06:
             44:44:c4:cb:b4:f3:c2:ef:26:b9:7d:dd:1a:2c:c0:a1:fa:91:
             36:f9:0a:55:dd:49:85:40:60:b5:dd:6d:61:fe:15:89:71:2c:
             ed:36:df:52:b7:97:99:5f:bc:e5:5c:31:87:b8:6f:fb:8d:48:
             55:9c:36:21:5e:3d:9f:67:6e:46:e4:b3:62:88:0c:b0:da:b1:
             cb:e4:c6:0b:27:4f:b5:5f:91:2f:ac:00:03:5a:99:be:99:11:
             6b:21:f5:4e:9d:7a:5c:f6:90:76:ec:6f:d0:9e:ed:8f:2e:26:
             56:a2:3a:16:06:20:83:e4:29:03:00:1a:bc:36:c1:04:12:9d:
             d0:e5:7a:77:3c:69:82:67:1c:63:96:29:be:75:10:11:cd:a7:
             3b:02:c7:2d:65:02:df:93:b7:86:75:d6:34:43:b2:ae:bf:c0:
             5a:0a:79:74:a4:bf:93:a9:b6:30:0e:d9:50:06:ce:04:63:66:
             1a:93:91:0e:7a:db:e7:01:b7:7a:d4:23:02:2c:b6:22:a6:ce:
             d1:fb:1e:db

    The "show crypto pki certificate device-identity" on the JL659A:

    Certificate Name: device-identity
      Associated Applications:
        radsec-client
      Certificate Status: installed
      EST Status: n/a
      Certificate Type: regular
      Intermediates:
        Subject: CN = HP Device Intermediate CA 103, OU = HP Networking, O = Hewlett-Packard Development Company, ST = CA, C = US
          Issuer: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
          Serial Number: 0xC75ED972416647E883AD3D2F8A10C4D6
        Subject: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
          Issuer: CN = HP Devices CA 01, O = Hewlett-Packard Development Company, ST = CA, C = US
          Serial Number: 0x17E5BFDA38654585BA7F1F3442F6BB8F
      Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:e8:a4:27:64:9b:58:4f:f8:b3:74:4f:36:c3:40:93:9e
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=HP Device Intermediate CA 103, OU=HP Networking, O=Hewlett-Packard Development Company, ST=CA, C=US
            Validity
                Not Before: Mar 11 02:23:39 2021 GMT
                Not After : Jan 26 01:55:09 2031 GMT
            Subject: OU=HP Networking EVPG, O=Hewlett-Packard Development Company, ST=CA, C=US, CN=JL659A/serialNumber=SG13KMY0P2, BaseMAC 3810F0-620700
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d6:f2:4f:9d:f7:29:ef:3c:51:bc:5f:94:bf:8d:
                        37:04:57:88:51:5b:f6:0d:bb:6b:ae:e6:22:63:8c:
                        16:94:a3:2e:38:e7:1e:af:a8:58:80:25:89:cc:39:
                        a0:f6:be:e2:8d:14:fd:7a:9e:83:11:e3:15:b2:e8:
                        44:c1:23:78:59:9b:5a:9c:ea:1b:c7:61:7e:c4:5a:
                        54:16:b5:f0:4d:c2:93:fd:24:80:b6:57:78:28:a4:
                        8b:ed:c2:ac:55:e7:71:86:83:3e:e7:ae:42:7d:f5:
                        57:1b:bf:f4:d4:00:47:ed:27:00:7c:ca:eb:ce:14:
                        9b:5f:c7:53:51:d1:61:dc:91:3e:35:6b:78:aa:bb:
                        f5:da:c9:74:e0:c5:8e:75:0b:8f:0a:0e:14:b7:b1:
                        8f:a4:73:77:1b:20:a0:d9:55:c5:6a:1b:7f:5b:55:
                        f2:67:5c:c0:51:37:ab:d1:98:b1:7e:03:34:28:9a:
                        af:44:c4:a8:b4:02:01:f5:9b:51:13:01:77:ef:e4:
                        e6:a8:28:b7:be:a1:7a:8a:83:3f:2b:35:8d:2e:08:
                        77:d4:e9:d1:c5:f2:95:97:2e:7c:7a:f7:53:ca:5e:
                        ed:38:54:28:77:ef:a3:35:96:b7:a2:e7:15:2f:0d:
                        54:ee:0a:53:15:59:68:83:06:f0:7b:ef:84:d3:63:
                        90:07
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Subject Key Identifier:
                    A1:60:11:CF:F4:DD:88:27:79:48:B4:1E:14:5E:AC:09:61:EC:3C:01
                X509v3 Authority Key Identifier:
                    keyid:C6:1A:A7:F4:87:99:2D:EC:83:6A:B3:0F:EE:C5:32:EE:84:5B:24:03
                    DirName:/CN=Device Intermediate CA 01/OU=HP Networking EVPG/O=Hewlett-Packard Development Company/ST=CA/C=US
                    serial:C7:5E:D9:72:41:66:47:E8:83:AD:3D:2F:8A:10:C4:D6
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.14823.4.2.4
                    Policy: 2.23.133.6.1.2
                X509v3 Subject Alternative Name:
                    othername:<unsupported>
        Signature Algorithm: sha256WithRSAEncryption
             6b:e1:b4:f4:c6:22:e8:8e:d8:cd:b4:b5:a4:aa:c6:c7:b2:d0:
             a4:89:f1:7d:47:7a:42:a6:72:2a:eb:a4:16:df:5f:15:5a:6d:
             88:25:f9:b8:8f:f2:58:6c:ce:80:d8:ff:f5:c7:23:56:39:1a:
             45:f5:7c:0d:02:56:91:ec:63:48:8b:07:02:7c:4d:74:92:e9:
             35:98:bc:39:4c:22:c0:ba:f6:d2:d1:f7:cd:f3:3d:8d:cc:61:
             06:e9:46:e4:30:c7:72:b9:3f:d3:67:61:2f:89:33:72:26:93:
             06:9e:e1:75:ff:96:4f:62:6a:1f:36:4f:14:66:c0:92:d8:7d:
             a7:54:da:0f:8e:ed:99:10:cb:f8:63:85:25:75:74:52:98:8f:
             09:97:d1:79:0b:8f:68:bb:a5:6c:f6:e0:41:9b:fa:80:fa:ab:
             d4:36:48:43:26:c0:0b:01:4f:7f:9d:f2:18:ae:7e:de:c5:d7:
             75:63:74:63:12:31:39:97:1a:8e:6e:11:8b:27:23:f2:cc:41:
             32:d8:83:be:e7:10:51:af:3f:74:82:1b:bb:0f:79:f5:eb:80:
             fb:37:10:c5:6d:6c:4d:54:3d:d2:92:86:03:80:70:cd:a4:41:
             15:5e:7f:85:ca:62:d3:20:bd:27:a4:71:1c:b2:a6:bd:ce:7f:
             70:c4:f0:92

    For me they look quite identical, or at least they use the same issuer cert. But why do I have this issue on ClearPass with the JL666A?

    Many Thanks for any suggestion.



  • 2.  RE: ClearPass RADSEC Error

    Posted 24 days ago

    Same version of AOS-CX?  Do you actually want to use RADSEC?  




  • 3.  RE: ClearPass RADSEC Error

    Posted 24 days ago

    Yes, of course; both switches have the same software version.

    And yes, I am also really considering using RADSEC. It would be nice, because otherwise I must reconfigure almost 100 switches.




  • 4.  RE: ClearPass RADSEC Error

    Posted 24 days ago

    So you want to use RADSEC or not?




  • 5.  RE: ClearPass RADSEC Error
    Best Answer

    EMPLOYEE
    Posted 23 days ago

    The only other difference is that the JL659A has

    X509v3 Subject Alternative Name:
                    othername:<unsupported>

    while the JL666A has something else. I think you should reach out to TAC.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 6.  RE: ClearPass RADSEC Error

    Posted 21 days ago

    Thanks for the hint. I've contacted TAC and will update the post.




  • 7.  RE: ClearPass RADSEC Error

    Posted 5 days ago

    Hello all,

    I've got a reply from TAC:

    The cause is clearly the cryptic SAN entry for certain switches. ClearPass 6.11 now includes a Red Hat Linux with the corresponding SSL library. This no longer accepts this cryptic/incorrect SAN entry. The Ubuntu of ClearPass 6.10 ignored it. The ClearPass TAC says that this can probably be customised deep down in the OS, but they cannot ensure that this will not be overwritten with a future update. So this customisation is not supported. So there is nothing more ClearPass can do. ClearPass, or the Red Hat Linux and its SSL library, does what it should.

    The device identity certificate used by the switch is hardcoded and protected by the TPM chip.
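
    An added example to make the TAC explanation above concrete; it is not part of this thread and is not HPE/Aruba or ClearPass code. The switch's "show crypto pki certificate" output uses the OpenSSL text format, and OpenSSL falls back to printing an extension's raw bytes (non-printable octets as '.') when it cannot decode that extension. That is what the JL666A's SAN line shows: its first two characters, 0 and ", are the octets 0x30 0x22, a SEQUENCE of 34 bytes, and the space after them is 0x20, consistent with one 32-byte inner element (an otherName would be tagged 0xA0, which is unprintable). The JL659A's "othername:<unsupported>" means its SAN decoded as GeneralNames but carries an otherName type-id OpenSSL does not know. The script below builds two certificate-shaped DER blobs (constructed here, unsigned, dummy keys; the otherName type-id 1.3.6.1.4.1.14823.999 is an assumed placeholder, not a real HPE/Aruba assignment), walks the DER with only the standard library, and lists the SAN entries of the well-formed one and the raw dump of the truncated one. Pointed at a real device-identity certificate exported from a switch in DER form, the same walker tells you before a ClearPass upgrade whether the SAN carries an otherName and whether it decodes at all.

```python
# Added example (not from the thread; not HPE/Aruba or ClearPass code): walk a
# certificate's DER, find subjectAltName (2.5.29.17) and list each GeneralName;
# a SAN that fails to decode is dumped the way "openssl x509 -text" prints it.
def tlv(tag: int, body: bytes) -> bytes:
    """DER TLV; long-form length once the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def certificate(san_value: bytes) -> bytes:
    """Certificate-shaped DER whose only extension is subjectAltName = san_value.
    Names are empty, key and signature are dummy bytes; nothing verifies them."""
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11"))                  # sha256WithRSAEncryption
    ext = tlv(0x30, oid("2.5.29.17") + tlv(0x04, san_value))            # Extension{extnID, extnValue}
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, b"\x00" * 9))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"310101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg   # v3, serial
                    + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki             # issuer, subject
                    + tlv(0xA3, tlv(0x30, ext)))                                    # extensions [3]
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))                        # dummy signature

def read_tlv(buf: bytes, pos: int):
    """(tag, body, end) for the TLV at buf[pos]; ValueError if a length overruns."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                           # long form: the next n bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("length %d overruns the buffer" % ln)
    return tag, buf[pos:pos + ln], pos + ln

def children(body: bytes) -> list:
    pos, out = 0, []
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def san_extension(cert_der: bytes) -> bytes:
    """Contents of the subjectAltName extnValue OCTET STRING, or b'' if absent."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    for tag, body in children(children(cert_body)[0][1]):   # fields of tbsCertificate
        if tag == 0xA3:                                       # extensions [3] EXPLICIT
            for _, ext in children(children(body)[0][1]):
                fields = children(ext)                        # extnID, [critical], extnValue
                if fields[0][0] == 0x06 and decode_oid(fields[0][1]) == "2.5.29.17":
                    return fields[-1][1]
    return b""

GENERAL_NAME_TAGS = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 4: "directoryName",
                     6: "uniformResourceIdentifier", 7: "iPAddress", 8: "registeredID"}
def describe_san(cert_der: bytes) -> list:
    """[(kind, detail)] per GeneralName, or [('unparseable', dump)] like OpenSSL's fallback."""
    raw = san_extension(cert_der)
    if not raw:
        return []
    try:
        tag, seq, end = read_tlv(raw, 0)
        if tag != 0x30 or end != len(raw):
            raise ValueError("SAN is not a single SEQUENCE")
        out = []
        for tag, body in children(seq):
            kind = GENERAL_NAME_TAGS.get(tag & 0x1F, "tag[%d]" % (tag & 0x1F))
            if kind == "otherName":                     # [0] SEQUENCE { type-id OID, [0] value }
                out.append((kind, decode_oid(children(body)[0][1])))
            elif kind in ("rfc822Name", "dNSName", "uniformResourceIdentifier"):
                out.append((kind, body.decode("ascii")))
            else:
                out.append((kind, body.hex()))
        return out
    except (ValueError, IndexError, UnicodeDecodeError):
        return [("unparseable", "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw))]

# Constructed inputs: the otherName type-id is a placeholder, assumed not to be real.
GOOD_SAN = tlv(0x30, tlv(0xA0, oid("1.3.6.1.4.1.14823.999") + tlv(0xA0, tlv(0x0C, b"SG0AKN500H")))
                     + tlv(0x82, b"switch.example.net"))
BAD_SAN = GOOD_SAN[:-6]                     # outer SEQUENCE length now overruns the bytes
GOOD_CERT, BAD_CERT = certificate(GOOD_SAN), certificate(BAD_SAN)
```

Running describe_san(GOOD_CERT) yields the otherName type-id and the dNSName; describe_san(BAD_CERT) yields a single unparseable entry whose dump starts with "0/" (0x30 then the length byte), the same shape as the JL666A line. The walker deliberately refuses any TLV whose declared length runs past the buffer, which is the strictness a modern TLS library applies and the older one evidently did not.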




  • 8.  RE: ClearPass RADSEC Error

    EMPLOYEE
    Posted 5 days ago

    Thanks for letting us know. While less convenient, you may configure your own certificate for RadSec as well, either manually (with just a few switches) or more automated through EST.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------