Cloud Managed Networks

  • 1.  Central NAC - problem with wired authentication

    Posted 2 days ago

    I'm having problems with setting up wired authentication from a CX 6100 to Central NAC. I have configured all the policies and profiles, but I never see authentication attempts. 

    If I go to the switch and run "show radius-server detail" I see the following output:

    Server-Name                     : euw1.cloudguest.central.arubanetworks.com
    Auth-Port                       : 2083
    Accounting-Port                 : 2083
    VRF                             : default
    TLS Enabled                     : Yes
    TLS Connection Status           : tls_connection_failed
    Initial TLS Connection Timeout  : 30 seconds 
    Timeout                         : 20 seconds 
    Auth-Type                       : pap
    Resolved-Address                : 3.126.68.5
    Server-Group:Priority           : sys_central_nac:1
    Tracking                        : disabled
    Tracking-Mode                   : any
    Tracking-Method                 : access-request
    Reachability-Status             : unknown
    Tracking-Last-Attempted         : N/A
    Next-Tracking-Request           : N/A
    Port-Access Session             : keep-alive

    So it appears that the TLS connection for the RadSec between switch and Central is failing, but how could this be if this is supposedly done automatically and with the correct certificates?



    -------------------------------------------


  • 2.  RE: Central NAC - problem with wired authentication

    Posted 2 days ago

    Is TCP port 2083 allowed on the network to the Central NAC servers?

    Can you share the output of the command show events -r and show crypto pki certificate device-identity (maybe best in a DM)?



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 3.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    In show events -r I'm seeing a lot of entries like this one:

    2026-05-29T10:44:53.208866+02:00 6000 port-accessd[20937]: Event|7709|LOG_WARN|UMM|-|Certificate *.cloudguest.central.arubanetworks.com rejected due to verification failure (30)

    Is there a problem there?




  • 4.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    I think so. Please share the output of the command show crypto pki certificate device-identity via a DM.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 5.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    I just did.

    -------------------------------------------



  • 6.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    Looks all good. Please can you check if the TA profile is correctly pushed to the switch?

    Config line starts with:

    crypto pki ta-profile sys_central_nac



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 7.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    No, I cannot find that line. What should I do in Central to push that?

    -------------------------------------------



  • 8.  RE: Central NAC - problem with wired authentication

    Posted 20 hours ago

    The switch command to check the TA cert is installed.

    Also checking the RadSec application identity.

    I am not sure when the cert gets pushed, but I think it should be when you configure the Central NAC server group in the switch system profile or AAA Authentication profile.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
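
The checks suggested across this thread, collected as an added example (not part of any post, and not HPE Aruba code): it reads saved copies of `show radius-server detail`, `show events -r` and the running config, and reports which check fails. The sample inputs are constructed from the excerpts quoted above; the function names and finding labels are assumptions.

```python
import re
from fnmatch import fnmatch

# Constructed samples, trimmed from the output quoted in the thread.
RADIUS_DETAIL = """\
Server-Name                     : euw1.cloudguest.central.arubanetworks.com
Auth-Port                       : 2083
TLS Enabled                     : Yes
TLS Connection Status           : tls_connection_failed
Server-Group:Priority           : sys_central_nac:1
"""
EVENTS = (
    "2026-05-29T10:44:53.208866+02:00 6000 port-accessd[20937]: "
    "Event|7709|LOG_WARN|UMM|-|Certificate *.cloudguest.central.arubanetworks.com "
    "rejected due to verification failure (30)\n"
)
RUNNING_CONFIG = "hostname 6000\n"  # constructed: no ta-profile line present

REJECT_RE = re.compile(r"Certificate (\S+) rejected due to verification failure \((\d+)\)")

def parse_detail(text):
    """Split 'Key   : value' lines; keys may themselves contain ':'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s+:\s+(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage(detail_text, events_text, config_text, ta_profile="sys_central_nac"):
    """Return findings in the order the thread checks them."""
    d = parse_detail(detail_text)
    findings = []
    if d.get("TLS Enabled") == "Yes" and d.get("TLS Connection Status") == "tls_connection_failed":
        findings.append(f"tls_failed: confirm TCP {d.get('Auth-Port')} is allowed to {d.get('Server-Name')}")
    # Log correlation only: fnmatch's '*' is looser than TLS wildcard matching.
    for subject, code in REJECT_RE.findall(events_text):
        if fnmatch(d.get("Server-Name", ""), subject):
            findings.append(f"server_cert_rejected: {subject} (code {code})")
    # Look for a config line starting with the tokens quoted in the thread.
    wanted = f"crypto pki ta-profile {ta_profile}"
    if not any(l.split()[:4] == wanted.split() for l in config_text.splitlines()):
        findings.append(f"ta_profile_missing: no '{wanted}' in config")
    return findings

if __name__ == "__main__":
    for finding in triage(RADIUS_DETAIL, EVENTS, RUNNING_CONFIG):
        print(finding)
```
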