In this blog post, we look at how root certificates are handled differently on AOS and AOS-CX switches. On AOS switches the root certificate is taken care of automatically, while on AOS-CX switches it becomes part of the Downloadable User Role (DUR) mechanism used for policy enforcement.
Using DURs on AOS-CX switches centralizes policy definition and changes how enforcement is delivered. Complex role parameters are configured centrally on ClearPass, which generates a complete CLI script for the user role. Unlike AOS switches, AOS-CX switches do not rely on a RADIUS VSA trigger; instead they issue a REST API call over SSL to download the full role script when it is needed.
To enable secure API communication, the trust model shifts to certificate-based authentication, requiring NTP and DNS configuration and manual import of the ClearPass root certificate on the AOS-CX switch. A dedicated downloadable user role account must also be created with the necessary privileges for role downloads.
In our experience, issues arose when switches with outdated root certificates failed to trust ClearPass after reboots or port bounces. While ArubaOS switches could recover automatically, ArubaOS-CX switches, relying on manually imported trusted anchors, struggled to download required roles, leaving endpoints unable to connect.