Hello to all,
We are in the middle of migrating from ClearPass 6.10 to 6.11. We successfully installed the new cluster with version 6.11.7.257550. Then, for testing, we wanted to migrate some CX switches to the new ClearPass. First, we started with a JL659A and everything went well. Then we added a JL666A and strange things happened: RADIUS services on ClearPass stopped working and the following error message appeared.
As soon as I configured the RADIUS on the JL666A, the RADIUS service on ClearPass came back to life.
The "show crypto pki certificate device-identity" on the JL666A:
Certificate Name: device-identity
Associated Applications:
radsec-client
Certificate Status: installed
EST Status: n/a
Certificate Type: regular
Intermediates:
Subject: CN = HP Device Intermediate CA 103, OU = HP Networking, O = Hewlett-Packard Development Company, ST = CA, C = US
Issuer: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
Serial Number: 0xC75ED972416647E883AD3D2F8A10C4D6
Subject: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
Issuer: CN = HP Devices CA 01, O = Hewlett-Packard Development Company, ST = CA, C = US
Serial Number: 0x17E5BFDA38654585BA7F1F3442F6BB8F
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:0b:01:c9:74:c2:f2:40:ea:af:3b:5c:b9:df:21:0a:14
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=HP Device Intermediate CA 103, OU=HP Networking, O=Hewlett-Packard Development Company, ST=CA, C=US
Validity
Not Before: Nov 17 02:12:04 2020 GMT
Not After : Jan 26 01:55:09 2031 GMT
Subject: OU=HP Networking EVPG, O=Hewlett-Packard Development Company, ST=CA, C=US, CN=JL666A/serialNumber=SG0AKN500H, BaseMAC 64E881-471100
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
21:2F:C6:8E:C0:17:ED:09:C2:5D:80:63:50:BF:8A:BB:78:D0:A0:7C
X509v3 Authority Key Identifier:
keyid:C6:1A:A7:F4:87:99:2D:EC:83:6A:B3:0F:EE:C5:32:EE:84:5B:24:03
DirName:/CN=Device Intermediate CA 01/OU=HP Networking EVPG/O=Hewlett-Packard Development Company/ST=CA/C=US
serial:C7:5E:D9:72:41:66:47:E8:83:AD:3D:2F:8A:10:C4:D6
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.14823.4.2.4
Policy: 2.23.133.6.1.2
X509v3 Subject Alternative Name:
0". ..0....@.. @l....H......\*.9....
Signature Algorithm: sha256WithRSAEncryption
The "show crypto pki certificate device-identity" on the JL659A:
Certificate Name: device-identity
Associated Applications:
radsec-client
Certificate Status: installed
EST Status: n/a
Certificate Type: regular
Intermediates:
Subject: CN = HP Device Intermediate CA 103, OU = HP Networking, O = Hewlett-Packard Development Company, ST = CA, C = US
Issuer: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
Serial Number: 0xC75ED972416647E883AD3D2F8A10C4D6
Subject: CN = Device Intermediate CA 01, OU = HP Networking EVPG, O = Hewlett-Packard Development Company, ST = CA, C = US
Issuer: CN = HP Devices CA 01, O = Hewlett-Packard Development Company, ST = CA, C = US
Serial Number: 0x17E5BFDA38654585BA7F1F3442F6BB8F
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:e8:a4:27:64:9b:58:4f:f8:b3:74:4f:36:c3:40:93:9e
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=HP Device Intermediate CA 103, OU=HP Networking, O=Hewlett-Packard Development Company, ST=CA, C=US
Validity
Not Before: Mar 11 02:23:39 2021 GMT
Not After : Jan 26 01:55:09 2031 GMT
Subject: OU=HP Networking EVPG, O=Hewlett-Packard Development Company, ST=CA, C=US, CN=JL659A/serialNumber=SG13KMY0P2, BaseMAC 3810F0-620700
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
A1:60:11:CF:F4:DD:88:27:79:48:B4:1E:14:5E:AC:09:61:EC:3C:01
X509v3 Authority Key Identifier:
keyid:C6:1A:A7:F4:87:99:2D:EC:83:6A:B3:0F:EE:C5:32:EE:84:5B:24:03
DirName:/CN=Device Intermediate CA 01/OU=HP Networking EVPG/O=Hewlett-Packard Development Company/ST=CA/C=US
serial:C7:5E:D9:72:41:66:47:E8:83:AD:3D:2F:8A:10:C4:D6
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.14823.4.2.4
Policy: 2.23.133.6.1.2
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
To me they look quite identical, or at least they use the same issuer cert. But why do I have this issue on ClearPass with the JL666A?
Many thanks for any suggestions.
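Added example, not part of the original post: a field-by-field comparison of the two `show crypto pki certificate device-identity` dumps that ignores the fields expected to be unique per unit. The function names, the template and the single hex row are assumptions made for illustration; all other values are taken from the output quoted above.

```python
import re

# Abridged from the two dumps in the post; {placeholders} are the lines that
# vary per switch, and the last hex row is a constructed stand-in for the blobs.
TEMPLATE = r"""Certificate:
Issuer: CN=HP Device Intermediate CA 103, OU=HP Networking, O=Hewlett-Packard Development Company, ST=CA, C=US
Not Before: {nb}
Not After : Jan 26 01:55:09 2031 GMT
Subject: OU=HP Networking EVPG, O=Hewlett-Packard Development Company, ST=CA, C=US, CN={cn}
X509v3 Subject Key Identifier:
{ski}
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.14823.4.2.4
Policy: 2.23.133.6.1.2
X509v3 Subject Alternative Name:
{san}
Signature Algorithm: sha256WithRSAEncryption
00:11:22:33
"""
JL666A = TEMPLATE.format(nb="Nov 17 02:12:04 2020 GMT", cn="JL666A/serialNumber=SG0AKN500H, BaseMAC 64E881-471100",
    ski="21:2F:C6:8E:C0:17:ED:09:C2:5D:80:63:50:BF:8A:BB:78:D0:A0:7C", san=r'0". ..0....@.. @l....H......\*.9....')
JL659A = TEMPLATE.format(nb="Mar 11 02:23:39 2021 GMT", cn="JL659A/serialNumber=SG13KMY0P2, BaseMAC 3810F0-620700",
    ski="A1:60:11:CF:F4:DD:88:27:79:48:B4:1E:14:5E:AC:09:61:EC:3C:01", san="othername:<unsupported>")

HEX_ROW = re.compile(r"^(?:[0-9a-f]{2}:)*[0-9a-f]{2}:?$")  # modulus / signature / serial rows

def parse_dump(text):
    """Map field name -> value (extensions -> list of lines) for the leaf certificate."""
    fields, ext = {}, None
    for raw in text.split("Certificate:", 1)[-1].splitlines():  # skip the Intermediates summary
        line = raw.strip()
        if line.startswith("X509v3 ") and line.endswith(":"):
            ext = line[:-1]
            fields[ext] = []
        elif line.startswith("Signature Algorithm:"):
            ext = None  # extension section is over; hex rows follow
        elif ext is not None and line:
            fields[ext].append(line)
        elif line and not HEX_ROW.match(line):
            key, _, value = line.partition(":")
            if value.strip():
                fields[key.strip()] = value.strip()
    return fields

def diff_certs(a, b, per_device=("Subject", "Not Before", "X509v3 Subject Key Identifier")):
    """Return {field: (a, b)} for fields that differ, ignoring ones expected to be unique per unit."""
    a, b = parse_dump(a), parse_dump(b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in per_device and a.get(k) != b.get(k)}
```

On these excerpts, `diff_certs(JL666A, JL659A)` returns a single entry: the Subject Alternative Name, which the JL666A prints as raw bytes and the JL659A prints as `othername:<unsupported>`.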