I have been working with TAC on this but have not found a resolution yet. I am using EAP-TEAP to cert auth the client and MSCHAPv2 the user against a ClearPass service that is successfully profiling the attempt and handing down the DUR (see CP-RADIUS-Output attachment). However, the switch appears to be refusing the role because of an invalid cert:
ClearPass version 6.10.8
Switch versions 10.10.1010 and 10.10.1050
Only error is:
Port Access Client Status Details:
Client 28:f1:0e:15:3c:2a, anonymous
===================================
Session Details
---------------
Port : 1/1/13
Session Time : 7245s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 4011
Access : 4011
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 7243s ago
MACsec Details
--------------
MKA Session Status :
MACsec Status :
Authorization Details
----------------------
Role : ArubaPOC_DUR_CX_802_1x_Take2-3094-1
Status : Download Failed
Role Information:
Name : ArubaPOC_DUR_CX_802_1x_Take2-3094-1
Type : clearpass
Status: Failed, Server Certificate Invalid
However the TA cert shows as valid:
Fabric-Access-GU-Test-01# show crypto pki ta-profile
TA Profile Name TA Certificate Revocation Check
-------------------------------- -------------------- ----------------
cppmdur Installed, valid disabled
I have manually loaded the cert using the "well known URL" process as demonstrated in instructional videos. I have also attempted to manually create a full cert chain and load it, which was accepted but did not fix the problem.
I have also attached the DUR config summary.
Any thoughts or suggestions?
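One thing worth checking offline before going back to TAC is whether the TA certificate installed in the `cppmdur` profile actually anchors the chain the ClearPass HTTPS endpoint presents when the switch fetches the role. A TA profile can show "Installed, valid" (the certificate itself parses and is within its dates) while still not being the issuer of the server's chain, which is exactly what a "Server Certificate Invalid" result looks like. The script below is an added example, not ClearPass or AOS-CX code and not a description of the switch's exact validation logic; it builds a constructed root, intermediate and server certificate with the `cryptography` library and walks a leaf-first chain back to a trust anchor, reporting the three cases a practitioner typically runs into: full chain present, intermediate missing from the chain, and a TA that is a different root entirely. All names and keys are constructed in the script.

```python
"""Chain-to-trust-anchor check (added example; constructed certs, not ClearPass code)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(subject_cn, issuer_cn, issuer_key, subject_key, is_ca, days=365):
    """Build a cert for subject_key signed by issuer_key (root if issuer == subject)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _validity(cert):
    # Newer cryptography releases expose *_utc; fall back to the naive fields otherwise.
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def signed_by(child, parent):
    """True if parent's subject matches child's issuer and parent's key verifies child."""
    if child.issuer != parent.subject:
        return False
    try:
        parent.public_key().verify(
            child.signature, child.tbs_certificate_bytes,
            padding.PKCS1v15(), child.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def check_chain(ta_cert, chain):
    """Walk chain (leaf first) up to ta_cert. Returns (ok, reason)."""
    now = datetime.now(timezone.utc)
    for cert in chain:
        nb, na = _validity(cert)
        if not (nb <= now <= na):
            return False, f"{cert.subject.rfc4514_string()} is outside its validity period"
    # Each element must be signed by the next one; the last must be signed by the TA.
    for child, parent in zip(chain, chain[1:] + [ta_cert]):
        if not signed_by(child, parent):
            return False, (f"{child.subject.rfc4514_string()} is not signed by "
                           f"{parent.subject.rfc4514_string()}")
    return True, "chain anchors at the installed TA"


def demo():
    """Constructed PKI: one root (the TA), one intermediate, one server cert, one stray root."""
    root_key, inter_key, srv_key, other_key = _key(), _key(), _key(), _key()
    root = make_cert("Constructed Root", "Constructed Root", root_key, root_key, True)
    inter = make_cert("Constructed Issuing", "Constructed Root", root_key, inter_key, True)
    server = make_cert("cppm.example.test", "Constructed Issuing", inter_key, srv_key, False)
    other_root = make_cert("Other Root", "Other Root", other_key, other_key, True)
    return {
        "full_chain": check_chain(root, [server, inter])[0],            # True
        "missing_intermediate": check_chain(root, [server])[0],         # False
        "wrong_ta": check_chain(other_root, [server, inter])[0],        # False
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'Server Certificate Invalid'}")
```

To apply this to a real deployment, load the PEM the switch has in its TA profile with `x509.load_pem_x509_certificate` and the chain captured from the ClearPass HTTPS endpoint (for example with an `openssl s_client -showcerts` capture, leaf first) in place of the constructed certificates. The "missing_intermediate" case is the one to look at first when a manually assembled chain was loaded: if the server presents only its leaf and the TA profile holds the root, the leaf's issuer name never matches the TA subject, so the role download is rejected even though the TA itself is perfectly valid.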