CPPM certificate still not trusted by switch after installing PKI profile

  • 1.  CPPM certificate still not trusted by switch after installing PKI profile

    Posted Dec 08, 2022 09:10 AM
    I have a virtual CX running 10.09.1000 and ClearPass 6.10. The ClearPass HTTPS certificate is signed by our internal CA (this is a lab environment and we use this CA for all lab PKI needs). When I created the CSR I left all the defaults, which left the cert with a CN of the ClearPass name "cppm-01" and a SAN of the IP 172.28.89.161. In the switch I have used a combination of radius-server commands using "cppm-01" and the IP, but I still cannot get the switch to trust the certificate for downloadable user roles.

    The log message is:

    2022-12-08T14:06:42.489011+0000 port-accessd[6574] <WARN> Event|7709|LOG_WARN|AMM|1/1|Certificate cppm-01 rejected due to verification failure (20)

    Is there something I am missing here? cppm-01 is resolvable to 172.28.89.161. I read that someone else had this issue and they rebooted to fix it. I rebooted as well to no avail. I have even deleted the ta-profile, re-added it, and regenerated a new certificate for the CPPM node. Any ideas what could be wrong?


  • 2.  RE: CPPM certificate still not trusted by switch after installing PKI profile

    EMPLOYEE
    Posted Dec 08, 2022 09:49 AM
    Do you have in your switch configuration cppm-01 or the IP (172.28.89.161) for the RADIUS server configuration?
    If you have cppm-01, you should have an HTTPS certificate on ClearPass with CN=cppm-01 and SAN DNS:cppm-01.
    Normally you would use a FQDN, including the domain, not just the hostname.

    What is most relevant is that the name that you use in the switch radius server command matches (one of) the SAN(s) of the ClearPass HTTPS certificate. The CN is not relevant anymore, but normally matches the first SAN.

    You could add more SANs, including the IP:172.28.89.161 and DNS:cppm-01.your.domain and see if that works better, or just follow the rule in the previous line.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
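    The matching rule Herman describes (the name in the switch's radius-server command must equal one of the certificate's SANs, an IP only against an IP SAN and a hostname only against a DNS SAN, with the CN ignored) as a small diagnostic script. This is an added example, not code from the thread or from Aruba; the two certificates are constructed in the dict shape that Python's `ssl` module returns, and `fetch_peer_cert` assumes you have the internal CA file to hand.

```python
import ipaddress
import socket
import ssl

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# The original poster's first certificate: CN=cppm-01, SAN holds only the IP.
CERT_IP_SAN_ONLY = {
    "subject": ((("commonName", "cppm-01"),),),
    "subjectAltName": (("IP Address", "172.28.89.161"),),
}
# After the fix: a DNS SAN for the name used in the radius-server command.
CERT_WITH_DNS_SAN = {
    "subject": ((("commonName", "cppm-01"),),),
    "subjectAltName": (("DNS", "cppm-01"), ("IP Address", "172.28.89.161")),
}

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS SAN match; a single left-most '*' label is allowed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]

def san_matches(cert: dict, configured_name: str) -> tuple[bool, str]:
    """Does the value from 'radius-server host <name>' match a SAN?
    The subject CN is deliberately ignored, as the switch ignores it."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(configured_name)
    except ValueError:
        ip = None
    if ip is not None:  # an IP literal is only compared with IP Address SANs
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"IP Address SAN {value} matches"
        return False, f"no IP Address SAN equals {ip}"
    for kind, value in sans:  # a hostname is only compared with DNS SANs
        if kind == "DNS" and _dns_match(value, configured_name):
            return True, f"DNS SAN {value} matches"
    dns = [v for k, v in sans if k == "DNS"] or "none"
    return False, f"no DNS SAN matches {configured_name!r} (DNS SANs: {dns})"

def fetch_peer_cert(host: str, cafile: str, port: int = 443) -> dict:
    """Fetch the live ClearPass HTTPS cert, validated against the internal CA
    (like the switch's ta-profile); the name check is then done by san_matches."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `san_matches(fetch_peer_cert("cppm-01", "lab-ca.pem"), "cppm-01")` with the name exactly as it appears in the switch configuration; the second element of the result says which SAN matched or why none did.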



  • 3.  RE: CPPM certificate still not trusted by switch after installing PKI profile

    Posted Dec 08, 2022 10:20 AM
    Thanks Herman, that worked! I created the CSR and modified the DNS entry to be cppm-01. Earlier I had tried to use only IPs in CN/SAN and the config and that did not seem to work. Now I have "cppm-01" in the CN, SAN and all the radius parts of the config on the switch. Thanks!


  • 4.  RE: CPPM certificate still not trusted by switch after installing PKI profile

    Posted 12 hours ago

    Hi,

    I'm getting this exact error also.

    DNS is in place (the FQDN is used on the certificate, and the SAN is also configured on the switch as an entry).

    certificate ITS-N-CPASS-02 rejected due to verification failure (20)

    All references on the switch are resolvable to the FQDN. Am I missing something else?

    TIA