Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass RADIUS Certificate install - EAP trust list Error

  • 1.  Clearpass RADIUS Certificate install - EAP trust list Error

    Posted Mar 13, 2021 09:31 PM
    Hi folks

    I have a weird one.  Background first for context

    I upgraded our ClearPass servers (1 publisher, 1 subscriber) to 6.9.4 from 6.8.x using the publisher first, then subscriber.  The plan we used was upgrade publisher to 6.9.0 and restart it - then upgrade subscriber to 6.9.0.  After they were both upgraded we'd repeat so they were both to 6.9.4.  However, when the subscriber upgraded - it lost its configuration and attempts to rejoin it to the cluster failed with lock errors on the publisher.  Upgrading them both separately allowed me to rejoin the subscriber to the publisher.

    While attempting to clean up I tried to add the RADIUS certificate back to the subscriber - by exporting the one from the publisher and importing it (p12 format).  When importing it I get the error "Certificate "OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US" in Trust List must have usage as "EAP"."

    Any ideas on how to fix this?  It fails if the subscriber is in the cluster or not.  We'll be replacing the certificate in a few months anyway so if we have to get a different type then I'd rather know sooner rather than later.  The certificate (if it isn't obvious) is a trusted one from GoDaddy.  I've not seen anything about certificate changes in change logs etc (but I could have easily missed it).

    Thanks

    ------------------------------
    Alan Wright
    ------------------------------


  • 2.  RE: Clearpass RADIUS Certificate install - EAP trust list Error
    Best Answer

    EMPLOYEE
    Posted Mar 15, 2021 04:25 AM
    Your certificate is probably issued by Go Daddy Class 2 CA, and then during import that CA must be enabled in the Trust List. If it is an EAP certificate (note that it is not recommended to use a public certificate for EAP, but to use a private CA one in most cases), it needs to be enabled for 'Usage EAP', as the message mentions. Check this screenshot on how to do that:


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
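
Added example (not part of the original posts, and not Aruba tooling): a way to list, before import, which CA certificates a PKCS#12 bundle carries, since those are the Trust List entries the answer above says must be enabled with EAP usage. It assumes the `openssl` CLI is installed; the CA, server certificate, file names and password are constructed sample values.

```shell
#!/bin/sh
# Added example: list the CA certificates carried in a PKCS#12 bundle, i.e. the
# Trust List entries that need EAP usage before the RADIUS certificate imports.

# Print the subject of every CA certificate in the bundle (leaf excluded).
# openssl treats certificates without a matching private key as CA certs.
p12_ca_subjects() {  # usage: p12_ca_subjects <file.p12> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null |
        grep '^subject=' | sed 's/^subject= *//'
}

# Print the issuer of the server (leaf) certificate in the bundle.
p12_leaf_issuer() {  # usage: p12_leaf_issuer <file.p12> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -issuer | sed 's/^issuer= *//'
}

# --- Constructed sample: throwaway CA + RADIUS server cert, bundled as .p12 ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Constructed Example Org/CN=Constructed Root CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/srv.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$work/srv.key" -in "$work/srv.pem" \
    -certfile "$work/ca.pem" -passout pass:constructed -out "$work/radius.p12"

echo "CA certificates in bundle (each needs EAP usage in the Trust List):"
p12_ca_subjects "$work/radius.p12" constructed
echo "Server certificate issued by:"
p12_leaf_issuer "$work/radius.p12" constructed
```

Empty output from either function means the bundle could not be read with that password or contains no certificate of that kind.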



  • 3.  RE: Clearpass RADIUS Certificate install - EAP trust list Error

    Posted Mar 15, 2021 11:31 AM
    Bingo - that was it.

    Thanks for the help and pointing me in the right direction.  It's been bugging me why it wasn't working.  We have to replace the cert in a couple of months so we'll look at using a private CA one.

    Another piece of knowledge to add to my armoury.

    ------------------------------
    Alan Wright
    ------------------------------