  • 1.  aruba switch to clearpass using est issues.

    Posted Dec 27, 2025 05:37 AM

    I have been struggling with adding and enrolling a CA to an Aruba AOS-CX switch to connect to ClearPass. It's all done in a lab environment. 

    What I have done and tried so far: 

    1. Created a CA certificate on ClearPass under Onboard. Tried both 2048 and 4096 RSA keys, as I read somewhere that not all switches can support 4096. Enabled EST on the certificate.
    2. Here are screenshots from the CA: https://prnt.sc/7wAeEc9_jyOb
    3. Here are screenshots from the switch: https://prnt.sc/hF2pbuDAxdvC

    I can't get a certificate on the switch and start to use TACACS+ or RADIUS as a login option etc., because the switch refuses to accept it.

    Commands used:

    1. TA profile

    Commands:

    * crypto pki ta-profile {profile name}
        * ta-certificate {copy CA, push ctrl + D}
        * exit

    2. crypto pki est-profile {profile name}
        * vrf default
        * url https://{IP or dns name}/.well-known/est/ca:6
        * username {login} password plaintext {password}
        * exit

    3. crypto pki certificate {cert name}
        * subject common-name {CN from cert} org {ORG from cert} org-unit {OU from cert} state-or-province {State from cert} locality {Location from cert}
              I even tried to only use CN
        * key-type rsa key-size  (tried both 2048 and 4096)
        * enroll est-profile {profile name}
        * exit

    I'm pretty new to ClearPass and Aruba networking. Could I be doing something wrong, or does anybody have some suggestions on where I'm lacking?

    Would appreciate any help.



    -------------------------------------------


  • 2.  RE: aruba switch to clearpass using est issues.

    Posted Dec 27, 2025 07:19 PM
    Edited by AP-e172d8 Dec 29, 2025 04:53 PM

    It would be better to show the screenshots of the Onboard CA that you have configured and the Access Tracker output of the failing EST request.

    Ensure NTP is configured on CX switches, and the FQDN part of the OCSP URL is changed to "localhost" on the ClearPass Onboard CA side.

    What is the EST auth method that you are using? It should be "HTTP basic ..." 

    Lastly, I take it that you have added the username/password that the CX switch uses for EST to a ClearPass guest account. 

    You can also refer to this tutorial, "Using ClearPass as an EST server and configuring RADSEC on CX and AOS 10 Gateways", by @mike.gallagher2@hpe.com



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: aruba switch to clearpass using est issues.

    Posted Dec 29, 2025 02:07 AM

    Hello and thank you for the answer. 

    The tutorial that was linked, I watched it and did it step by step before even posting. Same issue. 

    Here is a screenshot of my CA: https://prnt.sc/t43ajspeS0oO

    And I have created and added a user in the guest section. 

    -------------------------------------------



  • 4.  RE: aruba switch to clearpass using est issues.
    Best Answer

    Posted Dec 29, 2025 04:58 PM

    I suggest using an FQDN for your EST URL.






  • 5.  RE: aruba switch to clearpass using est issues.

    Posted Jan 05, 2026 05:58 AM

    Fixed my issue with the HTTPS cert and now it works. Thanks for trying to help me. 

    -------------------------------------------
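
A pre-flight check in the spirit of the FQDN advice in post 4 and the HTTPS certificate fix in post 5, as an added example that is not from the thread or from HPE Aruba: it tests whether the host in an EST URL is covered by the server certificate's subject alternative names, and `live_check` repeats the test against a real server while trusting only the CA file given. The host name, IP address and sample certificate are constructed, and it assumes the EST client applies standard TLS host-name matching; the thread does not state the root cause.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: a server certificate that carries only a DNS name,
# in the dict layout returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subjectAltName": (("DNS", "clearpass.lab.example"),)}


def _dns_match(pattern, host):
    # A wildcard is honoured only as the whole leftmost label.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def san_mismatch(est_url, cert):
    """Return None if the URL host is covered by the cert's SANs, else a reason."""
    host = urlsplit(est_url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL matches only an "IP Address" SAN, never a DNS SAN.
        if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans):
            return None
        return f"URL uses IP {host} but the certificate has no matching IP SAN"
    if any(k == "DNS" and _dns_match(v.lower(), host) for k, v in sans):
        return None
    return f"no DNS SAN covers {host}"


def live_check(est_url, ca_pem_path):
    """Handshake with the EST server trusting only ca_pem_path (needs network).

    Returns None on success, else the TLS verification error text.
    """
    parts = urlsplit(est_url)
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=parts.hostname):
                return None
    except ssl.SSLCertVerificationError as err:
        return err.verify_message
```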



  • 6.  RE: aruba switch to clearpass using est issues.

    Posted Jan 05, 2026 05:55 PM

    Good to hear. Please do share what the issue with the certs was.


