Most significantly, including the basis certificates on the AOS change is famous as an automatic task, which is a stark distinction as seen on AOS-CX.
In sharp distinction, the Aruba OS-CX change makes use of Downloadable Person Roles (DURs), which centralize the coverage definition and alter the enforcement supply technique totally. With DURs, all advanced position parameters, together with VLANs (e.g., VLAN 100, VLAN 120), lessons and insurance policies are configured centrally on ClearPass utilizing an in depth GUI. ClearPass generates the whole CLI script for the person position. To ship this coverage, the change doesn’t depend on a RADIUS VSA set off; as an alternative, the AOS-CX change should execute a REST API name over SSL to ClearPass to obtain the total position script when it’s required for an endpoint. Since DURs are downloaded as wanted, they’re unstable and saved solely in reminiscence, being eliminated upon reboot, which is a key distinction from the persistent LURs used on AOS switches.
To allow this safe API communication, the belief mannequin shifts from RADIUS shared secrets and techniques to certificate-based authentication, the change will need to have NTP and DNS configured, and the ClearPass root certificates have to be manually imported right into a trusted anchor profile (pki ta profile) on the AOS-CX switch. Moreover, a devoted downloadable person position account (e.g., duradmin) have to be created on the change and authenticated to ClearPass with the aruba person position obtain privilege stage, granting the change permission to execute the obtain.
This diagram summarizes the distinction:
What really occurred
In our case, all endpoint gadgets had already been up to date with the brand new Sectigo root certificates, and ClearPass itself was absolutely migrated from Entrust to Sectigo, so every part appeared aligned on the floor. The problem emerged solely the place there was port bounce or reboot on these switches, main for Re-auth once more for shoppers linked. As soon as ClearPass started presenting the brand new Sectigo chain, the switches not trusted its HTTPS id as they nonetheless had Entrust certificates on them, inflicting authentication failures. ArubaOS switches have been usually capable of get better routinely by redownloading the right certificates after reboot or throughout RADIUS communication, although a couple of required the RADIUS configuration to be eliminated and re-added to set off a contemporary certificates fetch.
Nonetheless, ArubaOS-CX switches couldn’t get better on their very own as a result of they depend on a manually imported trusted anchor, with the Entrust root now invalid; DUR downloads failed instantly after any reboot or port bounce. Endpoints may authenticate on the RADIUS stage, however the change couldn’t obtain their required roles, leaving them unable to affix the community.
