Citrix ADC | Device certificate EPA check Failing with AAA Vserver.

Article ID: CTX262026

Description

The Device Certificate EPA scan fails in the following scenario:

An LB Vserver points to an AAA Vserver for authentication, and a Device Certificate EPA scan policy is bound on that AAA Vserver,
AND
The Root CA and Subordinate CA certificates are bound on the AAA Vserver under the "CA for Device Certificate" section (because the device certificates are signed by the Subordinate CA).

 

Resolution

The fix will be available in the following releases:
Version 13.0 [2019 Q4 FR]
Version 12.1.55.x [2019 Q4 MR]

Workaround 1:
1. Add a Gateway Vserver (it can be non-addressable) and bind it to the AAA Vserver through an Authentication Profile.
2. Add the Root CA and Subordinate CA certificates in the "CA for Device Certificate" section on the Gateway Vserver.
3. Point the LB Vserver at the Gateway Vserver for authentication.

Workaround 2:
Bind the Root CA and Subordinate CA certificates for the device certificate check on the AAA Vserver from the CLI, using the correct delimiter. Note: if the AAA Vserver is later edited from the GUI, the binding reverts to the wrong delimiter and the commands below must be run again.
====
unset authentication vserver non_add_test -certkeyNames
set authentication vserver non_add_test -certkeyNames "sub_ca_cert,ca_cert"
# Here sub_ca_cert and ca_cert are the certificate key names (as used when the certificates were imported on the ADC) of the Subordinate CA certificate and the Root CA certificate respectively; non_add_test is the name of the AAA Vserver.
====
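Because a GUI edit silently reverts the binding to the wrong delimiter, it is worth checking the configuration for the bad value rather than trusting that the workaround is still in place. The following script is an added example, not part of this article or of Citrix's own tooling: it scans configuration lines in the same CLI syntax shown above (as saved in ns.conf), flags any AAA Vserver whose -certkeyNames value uses ";" instead of ",", and prints the unset/set pair from Workaround 2 with the delimiter corrected. The sample lines and the vserver names in it are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of ns.conf-style lines (same syntax as the CLI commands in
# Workaround 2). The second line shows the GUI-written ';' delimiter that breaks
# the device certificate check; the third line is a correctly bound vserver.
SAMPLE_NS_CONF = """\
add authentication vserver non_add_test SSL 0.0.0.0 0
set authentication vserver non_add_test -certkeyNames "sub_ca_cert;ca_cert"
set authentication vserver other_aaa -certkeyNames "sub_ca_cert,ca_cert"
set authentication vserver single_ca -certkeyNames "ca_cert"
"""

# Matches: set authentication vserver <name> ... -certkeyNames "<value>" (or an
# unquoted single value), capturing the vserver name and the certkey list.
_CERTKEY_RE = re.compile(
    r'^set authentication vserver (?P<vs>\S+).*?-certkeyNames\s+'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


def find_bad_delimiters(conf_text: str) -> List[Tuple[str, str]]:
    """Return (vserver, certkeyNames value) for every AAA vserver whose
    device-cert CA list is joined with ';' instead of the expected ','."""
    bad = []
    for line in conf_text.splitlines():
        m = _CERTKEY_RE.match(line.strip())
        if not m:
            continue
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if ";" in value:
            bad.append((m.group("vs"), value))
    return bad


def remediation_commands(vserver: str, value: str) -> List[str]:
    """Build the unset/set pair from Workaround 2, replacing ';' with ','
    while keeping the original certificate order (Subordinate CA, Root CA)."""
    fixed = ",".join(part.strip() for part in value.split(";") if part.strip())
    return [
        f"unset authentication vserver {vserver} -certkeyNames",
        f'set authentication vserver {vserver} -certkeyNames "{fixed}"',
    ]


def audit(conf_text: str) -> List[str]:
    """Run the check over a configuration dump and return the CLI commands
    needed to restore the correct delimiter (empty list if nothing is wrong)."""
    cmds: List[str] = []
    for vs, value in find_bad_delimiters(conf_text):
        cmds.extend(remediation_commands(vs, value))
    return cmds


if __name__ == "__main__":
    for cmd in audit(SAMPLE_NS_CONF):
        print(cmd)
```

Running the script against a saved ns.conf (or the output of "show ns runningConfig" redirected to a file) after any GUI change to the AAA Vserver tells you immediately whether the binding has reverted; the printed commands are exactly the ones from Workaround 2, with the vserver name and certificate key names taken from the existing configuration.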


 

Problem Cause

When an LB Vserver (with authentication enabled) points to an AAA Vserver for authentication, and the Root CA and Subordinate CA certificates are bound on the AAA Vserver (in the "CA for Device Certificate" section) to verify the device certificate presented by the client, the GUI writes the binding incorrectly.

While binding the Root CA and the Subordinate CA via the GUI, the wrong delimiter ";" is used between the two certificate key names; the correct delimiter is ",". [IssueID: NSHELP-20598]