Clearpass Certificate Download to AOS-Switch



I learned this week that the FQDN of the Clearpass server should be used in the RADIUS Server configuration options.  I have updated this post to include that change.

Downloadable user roles are a great feature on Aruba controllers, switches, and even IAPs.  They allow Clearpass to be the true policy definition point for both the Aruba wired and wireless networks and allows the policy to be modified in a single location. The hardest part of the configuration was uploading the Clearpass certificate to each switch. The latest code release (16.08) eliminates this pain point.  The switch can now automatically download the certificate from Clearpass by modifying a single line of configuration.   Here is a breakdown of the process.

My lab switch already contained the needed certs so the first step to test the new feature was to delete all of the existing CA certs.  This can be accomplished using the “crypto pki zeroize” command.


Next I decided to default my switch configuration to make sure I was starting the configuration from scratch.


Once the switch rebooted I validated that the switch no longer had the certificate from my lab Clearpass server:


Basic switch configuration commands were added to ensure time is synchronized to make sure my certificates will be valid and also make any troubleshooting easier:

hostname <hostname>

ntp server <server ip>

time daylight-time-rule continental-us-and-canada

time timezone -240

password manager user-name <username> plaintext <password

The switch will need to be configured with a Clearpass user account to gain access to the certs and downloadable user roles.  I used a read-only account in my lab:


The final configuration step is to add the Clearpass server as a RADIUS server on the switch:

radius-server host <CPPM FQDN> clearpass

radius-server cppm identity <CPPM user> key <password>

radius-server host <CPPM FQDN> key <shared secret>

radius-server host <CPPM FQDN> dyn-authorization

radius-server host <CPPM FQDN> time-window plus-or-minus-time-window

radius-server host <CPPM FQDN> time-window 30

This configuration should look very familiar compared to previous code versions.  The only configuration that has changed is that I added “clearpass” to the end of the first command to indicate that this RADIUS server will be a Clearpass server. That is the command that triggers the auto-certificate download.

Here is my test switch configuration:

Once the RADIUS server configuration has been added you can check the switch security logs to see if the switch has checked in with the Clearpass server and received the server certificate.  I enabled security logging using the “debug security” command.  Here is the output of show log -r

To validate which certificates have been downloaded use the “show crypto pki ta-profile” command:


My lab Clearpass server is using a certificate from Comodo.

As you can see this process is much simpler than having to manually upload the certificate to every switch.  This process will also help eliminate extra steps when trying to utilize zero touch provisioning to roll out your switch infrastructure.


One response to “Clearpass Certificate Download to AOS-Switch”

  1. chadteal says :

    Just to be transparent, I updated this post on 2/15/19 to use FQDN instead of IP address in the RADIUS server configuration.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: