
Can EST enrollment be used in a RAP environment?

By Esupport, posted Jul 30, 2021 11:40 AM

Q:

What do I need to do for EST enrollment in a RAP deployment?



A:

We need to make sure that the inner IP assigned to the RAP is routable in the network between the MD (managed device) and ClearPass.

Once EST is configured, the RAP requests a certificate from ClearPass over its inner IP. Completing the enrollment triggers the AP to reboot, after which it re-establishes its IPsec tunnel to the controller using the EST certificate.

While the request is in progress the AP shows as "Enrolling EST certificate":

(controller-1) #show ap database

AP Database
-----------
Name               Group  AP Type  IP Address  Status                     Flags   Switch IP     Standby IP
----               -----  -------  ----------  ------                     -----   ---------     ----------
20:4c:03:b6:ac:ac  RAP    505H     100.72.0.1  Enrolling EST certificate  Rc2rID  172.17.12.22  0.0.0.0

The IP Address column is the RAP's inner IP (100.72.0.1 here), which is the address the EST request reaches ClearPass from. Decoded against the legend below, Rc2rID means Remote AP, CERT-based RAP, IKE version 2, Inactive, Dirty or no config (the lowercase r is not in the legend printed here).

After the RAP has obtained an EST certificate, its console log shows the reboot and the switch to the new certificate:

AP rebooted Sun Aug 23 18:08:06 BST 2020; SAPD: Rebooting after EST enrollment. Need to open a secure channel(IPSEC) with EST certificate
shutting down watchdog process (nanny will restart it)...
EST is enabled. Reading EST certs ...

The RAP then forms the IPsec connection with the controller using the EST certificate. The status changes to Up and the flags change to Rc2ure, i.e. the u (Custom-Cert RAP) and e (Custom EST cert) flags are now set:

(controller-1) #show ap database

AP Database
-----------
Name               Group  AP Type  IP Address  Status     Flags   Switch IP     Standby IP
----               -----  -------  ----------  ------     -----   ---------     ----------
20:4c:03:b6:ac:ac  RAP    505H     100.72.0.1  Up 2m:20s  Rc2ure  172.17.12.22  0.0.0.0

Flags: 1 = 802.1x authenticated AP use EAP-PEAP; 1+ = 802.1x use EST; 1- = 802.1x use factory cert; 2 = Using IKE version 2
       B = Built-in AP; C = Cellular RAP; D = Dirty or no config
       E = Regulatory Domain Mismatch; F = AP failed 802.1x authentication
       G = No such group; I = Inactive; J = USB cert at AP; L = Unlicensed
       M = Mesh node
       N = Duplicate name; P = PPPoe AP; R = Remote AP; R- = Remote AP requires Auth; S = Standby-mode AP; U = Unprovisioned; X = Maintenance Mode
       Y = Mesh Recovery
       c = CERT-based RAP; e = Custom EST cert; f = No Spectrum FFT support
       i = Indoor; o = Outdoor; s = LACP striping; u = Custom-Cert RAP; z = Datazone AP

In ClearPass we can see the certificate that was issued to the RAP.

Looking at the application logs in ClearPass, we can see that the client IP is the inner IP of the RAP, which is why this address range must be routable in the network between the MD and ClearPass.

Note: EST configuration is beyond the scope of this article. Please refer to the User Guide for full details on how to configure it, here.
