Clearpass Certificate Download to AOS-Switch

Downloadable user roles are a great feature on Aruba controllers, switches, and even IAPs. They allow Clearpass to be the true policy definition point for both the Aruba wired and wireless networks and allow the policy to be modified in a single location. The hardest part of the configuration was uploading the Clearpass certificate to each switch. The latest code release (16.08) eliminates this pain point. The switch can now automatically download the certificate from Clearpass by modifying a single line of configuration. Here is a breakdown of the process.

My lab switch already contained the needed certs so the first step to test the new feature was to delete all of the existing CA certs.  This can be accomplished using the “crypto pki zeroize” command.


Next I decided to default my switch configuration to make sure I was starting the configuration from scratch.


Once the switch rebooted I validated that the switch no longer had the certificate from my lab Clearpass server:


Basic switch configuration commands were added to ensure time is synchronized, so that certificate validity checks succeed and any troubleshooting is easier:

hostname <hostname>

ntp server <server ip>

time daylight-time-rule continental-us-and-canada

time timezone -240

password manager user-name <username> plaintext <password>

The switch will need to be configured with a Clearpass user account to gain access to the certs and downloadable user roles.  I used a read-only account in my lab:


The final configuration step is to add the Clearpass server as a RADIUS server on the switch:

radius-server host <CPPM IP address> clearpass

radius-server cppm identity <CPPM user> key <password>

radius-server host <CPPM IP address> key <shared secret>

radius-server host <CPPM IP address> dyn-authorization

radius-server host <CPPM IP address> time-window plus-or-minus-time-window

radius-server host <CPPM IP address> time-window 30

This configuration should look very familiar compared to previous code versions.  The only configuration that has changed is that I added “clearpass” to the end of the first command to indicate that this RADIUS server will be a Clearpass server. That is the command that triggers the auto-certificate download.
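As an added check that is not part of the original post, the following Python script audits an AOS-Switch running config for the settings this process depends on: the "clearpass" keyword on the radius-server host line (the trigger for the certificate download), the CPPM identity, the shared key, dynamic authorization and an NTP source for a valid clock. The sample config, IP addresses and credential placeholders are constructed for the example.

```python
import re

# Constructed sample running-config modelled on the commands in the post.
# Addresses are documentation-range placeholders, secrets are dummies.
SAMPLE_CONFIG = """\
hostname lab-switch
ntp server 192.0.2.10
time timezone -240
radius-server host 192.0.2.20 clearpass
radius-server cppm identity cppm-readonly key dummy-password
radius-server host 192.0.2.20 key dummy-shared-secret
radius-server host 192.0.2.20 dyn-authorization
radius-server host 192.0.2.20 time-window plus-or-minus-time-window
radius-server host 192.0.2.20 time-window 30
"""

# "radius-server host <ip> <first-option> ..." -> capture ip and option text
HOST_RE = re.compile(r"^radius-server host (\S+)(?: (.*))?$")


def audit_clearpass_config(config: str) -> dict:
    """Return the ClearPass-flagged RADIUS hosts and a list of findings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    hosts = {}  # ip -> set of option keywords seen on its host lines
    for line in lines:
        m = HOST_RE.match(line)
        if m:
            ip, rest = m.group(1), (m.group(2) or "")
            opts = hosts.setdefault(ip, set())
            if rest:
                opts.add(rest.split()[0])  # keyword directly after the IP
    has_identity = any(ln.startswith("radius-server cppm identity ") for ln in lines)
    has_ntp = any(ln.startswith("ntp server ") for ln in lines)
    findings = []
    if not has_ntp:
        findings.append("no 'ntp server': certificate validity checks may fail on a bad clock")
    if not has_identity:
        findings.append("no 'radius-server cppm identity': switch cannot log in to CPPM")
    clearpass_hosts = sorted(ip for ip, o in hosts.items() if "clearpass" in o)
    if not clearpass_hosts:
        findings.append("no 'radius-server host <ip> clearpass': auto download will not trigger")
    for ip in clearpass_hosts:  # per-host options needed for RADIUS and CoA
        for opt in ("key", "dyn-authorization"):
            if opt not in hosts[ip]:
                findings.append(f"{ip}: missing '{opt}'")
    return {"clearpass_hosts": clearpass_hosts, "findings": findings}


if __name__ == "__main__":
    for f in audit_clearpass_config(SAMPLE_CONFIG)["findings"] or ["config OK"]:
        print(f)
```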

Here is my test switch configuration:


Once the RADIUS server configuration has been added you can check the switch security logs to see if the switch has checked in with the Clearpass server and received the server certificate. I enabled security logging using the “debug security” command. Here is the output of “show log -r”:


To validate which certificates have been downloaded use the “show crypto pki ta-profile” command:


My lab Clearpass server is using a certificate from Comodo.

As you can see this process is much simpler than having to manually upload the certificate to every switch.  This process will also help eliminate extra steps when trying to utilize zero touch provisioning to roll out your switch infrastructure.


Upgrade Code on a HPE Provision Switch

I’m currently having to dig into the HPE Provision line of switches. Here are a few notes to document the process of upgrading the code on an HPE 2920.


Step 1 – Validate current code version using show version command:


Step 2 – Copy new code to flash using copy tftp flash command:


Once the file transfer is complete the system will validate the new code:


Step 3 – Verify the system is configured to boot off the partition with the new code installed using the show flash command:


Step 4 – Reboot the switch using the reboot command (make sure to save changes if needed).

Clearpass – Ports needed between CPPM and Active Directory

UDP 88 – Kerberos Auth

TCP 464 – Kerberos Password

UDP/TCP 135 – Domain Controller



UDP 53 – DNS

TCP 3268 – Global Catalog

TCP/UDP 3269 – Global Catalog over SSL

Clearpass – Ports Needed between Two CPPM servers

TCP 5432 – Database Replication


UDP 123 – NTP

TCP 80 – Change Status

Clearpass – Ports Needed between Client and CPPM server



TCP 6658 – OnGuard Agent

UDP 1812/1813 – RADIUS



UDP 161/162 – SNMP

UDP 5999 – AirGroup RADIUS CoA

Where is the SSID that I just configured?

I was playing in my lab today and ran into an issue where my Aruba access point would not advertise my newly created SSID on my local controller. I started digging around and first noticed my AP was up but was flagged inactive:


Next I checked to see if that access point was advertising a bss:


The next step was to check and see if I had any profile errors:


And there is the problem. I configured my VLAN on my master controllers but forgot about the locals. As soon as I added VLAN 100 to my local I could see and connect to my SSID:


The point of this story is to not get in a hurry when configuring your controllers and to make sure your networking config is solid on your local controllers.