HPE ANW ClearPass Advanced Configuration v25.23

Welcome to this week's class (CPA2)

Navigate to https://rubbernecks-arubanetworks.blogspot.com

Please be sure you have downloaded the learner guide and lab guide as per instructions you received from an email you would have received from HPE last week. Check your email history, spam folder etc... for keyword "OnSecure" if you cannot find the email.

Click here for this week's lab access spreadsheet

ask me for the link password

Lab Notes

Lab Dependencies
Lab 1-4 must be done in order and cannot be skipped
Lab 5-6 can be skipped but if completed must be done in order
Lab 7 can be done after labs 1-4 are completed
Lab 8-1 and 8-2 can be done after labs 1-4 are completed
webgate: how to copy and paste while doing the labs

Tips on how to google our site for documentation

googling for AOS-Switch-related topics

site:hpe.com 16.10 -inurl:pdf -inurl:cx "dhcp-snooping"

googling for AOS-CX-related topics

site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.14 "dhcp-snooping"

search option notes:

site:x only searched that domain
-inurl:x don't report links with this text in the URL
inurl:x only report on links with text

(ideal for finding specific version documentation)

Helpful Links

about Aruba training and this course

aruba: Aruba Worldwide Education Services training portal
aruba: Self-Directed Remote Labs (update this link)
where to find more information
vsg: ESP Campus Deploy (update this link)
aruba: Aruba Technical Product Documentation Portal
here you find:
Technology Briefs
Validated Reference Designs
Aruba Validated Designs
Compliancy Documentation related to GDPR
airheads: community.arubanetworks.com
abc: Airheads Broadcasting Channel
afp: Partner Technical Webinars
aruba: Central Demo
where to find online documentation
asp: Aruba Documentation Portal (all products)
techdocs: The CLI Bank (all products)
asp: Central Latest Online Help
asp: Central TroubleShooting Guide (2.5.8)
techdocs: The CLI Bank (all products)
aps: Central OnPrem_2.5.8 User Guide
asp: ClearPass Device Insight Online Help
techdocs: ArubaOS_8.12_Web_Help
aruba: EUBA Network Detection and Response (NDR) capabilities, delivered by Aruba Central

ClearPass Policy Manager specific links
asp: ClearPass Config/Integration/Solution/User Guides & Rel Notes
asp: ClearPass Device Insight Online Help
airheads: ClearPass Policy Manager 6.11-release-notifications
techdocs: ClearPass Policy Manager 6.11 Web_Help
datasheet: ClearPass OnBoard
abc: ClearPass with Azure AD and Intune Integration (playlist)

AOS-CX specific links

airheads: ArubaOS-CX ArubaOS Switch ComWare and Cisco IOS
Manage and Monitor Hybrid IT Infrastructure
hpe: OpsRamp: AIOps Powered IT Operations

Day 1 - Lecture Modules & Labs

M00: Introduction

Lab 00 - Testing Remote Lab Connectivity

M01: Cluster

Topics Include:

ZTS
Cluster Components, operations, licensing
HA
CPPM Insight

cluster specific

other interesting links

Lab 01 - ClearPass Cluster

1.1: ClearPass Clustering
1.2: Cluster Monitoring and fine-tuning
1.3: Configure High Availability
1.4: Testing High Availability

M02: Public Key Infrastructure

Topics Include:

PKI & Digital Signatures
PKI system, components & operation
CPPM certificate formats

airheads: use OpenSSL to create CA, server, and public certificates

Lab 02: Public Key Infrastructure

2.1: Install an HTTPS Certificate on the ClearPass server
2.2: Install EAP RADIUS certificate on the ClearPass server
2.3: Configuring Intermediate CA in ClearPass Onboard
2.4: Issuing a Certificate in Onboard

Day 2 - Lecture Modules & Labs

M03: RadSec & EST

Topics Include:

Explain, Configure & Troubleshoot

EST
RadSec

https://regexr.com
test the following pattern: 10\.([0-9]{1,3})\.10\.[0-9][0-9][2-4]

Lab 03-1: Enrollment over Secure Transport

3.1.1: Enrollment over Secure Transport Server
url https://vip-cppm.aruba-training.com/.well-known/est/ca:2
3.1.2: Creating ClearPass Service for EST Enrollment
3.1.3: Enrollment of Networking Devices
3.1.4: Monitoring EST

Lab 03-2: RadSec

3.2.1: Import the Certificate for ClearPass RadSe
3.2.2: Enable RadSec on the AOS-CX Switch

M04: RADIUS Services

Topics Include:

RADIUS Service elements
DHCP profiling
Access Tracker
RADIUS accounting

DHCP fingerprinting links

Cisco fingerprinting links

Lab 04: Manual Service Configuration

4.1: Design the RADIUS Service
4.2 Configure the Active Directory server as an authentication source
4.3: Configure DHCP Relay on the AOS-CX switch
4.4: Configure ClearPass Roles and Role Mapping Policy
4.5: Configure Enforcement
4.6: Configure ClearPass Service
4.7: Configure 802.1X Secure SSID
4.8: Test Your Solution
4.9: Fine-Tune ClearPass Service Selection Rules

Day 3 - Lecture Modules & Labs

M05: Advanced Services

Topics Include:
PEAP and EAP-TLS
TEAP
Microsoft Entra ID
Onguard

techdoc: Microsoft Entra ID as an Authsource
m$: Microsoft Entra UserPrincipalName population
article: machine-authentication-and-user-authentication

Lab 05: Advanced Services

5.1: Enable RADIUS Accounting
5.2: Analyze Accounting Logs in the ClearPass Server
5.3: Authenticate Clients with EAP-TEAP

M06: Onboarding

Topics Include:

BYOD security requirements
using CPPM Onboard for BYOD
Onboard & Access Tracker

Lab 06: Dual SSID Onboarding

6.1: Setup a Guest Network
6.2: Enabling Onboarding
6.3: Test Dual SSID Onboarding
6.4: Enable Onboard Self-Service Portal

Day 4 - Lecture Modules & Labs

M07: MPSK

Topics Include:

MPSK use case, modes, device registration
device registration portal
Configure and verify MPSK service

techdoc: Configuring MPSK
techdoc: Operator Profiles

Lab 07: Implementing MPSK

7.1: Set Up IoT Registration Profile for ClearPass Guest
7.2: Configure the ClearPass Service for the IoT SSID
7.3: Configure MPSK SSID
7.4: Testing Your Solution

M08: Wired Services

Topics Include:

Colorless Ports
LUR and DUR
DUR prerequisites
Colorless with different authentication options
Benefits of UBT

explain Local vs Extended VLAN mode

techdoc: User-based tunneling

Lab 08-1: Wired Services

8.1.1: Setup the AOS-CX Switch and ClearPass for DUR
8.1.2: Setup AOS-CX and Mobility Gateway for UBT
8.1.3: Setup MAC Authentication Service in ClearPass
8.1.4: Test Wired Guest Access
8.1.5: Configure ClearPass for Wired Onboarding
8.1.6: Test the Onboarding

Lab 08-2: Implementing Wired IoT

8.2.1: Set up the ClearPass service for IoT devices
8.2.2: Test IoT access
8.2.3: Detecting and Preventing MAC Spoofing Attacks
8.2.4: Test MAC address spoofing

Day 5 - Lecture Modules & Labs

M09: Cluster Design & Administration

Topics Include:

Cluster scalability issues
use zones for efficiency and resilience
design considerations & best practices
CPPM Insight placement considerations
software and cluster updates

Appendix

Acronyms or Key Terms

2.5.29.19 - Basic Constraints: (X.509 Certificate Extension)

This extension indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures
This is required for Cluster DB Certificates as of CPPM >= 6.8

Icon Key

icon key slide from pptx

download if you want to copy the images

Lab Access Errata

if experiencing any problems with remote lab access (WebGate):

be sure your browser is in private (incognito) mode
restart your browser and clear your cache and cookies
do not try to log in unless you are 100 percent sure the login page is fully loaded
during login to Central, did you select the SSO option?
if you need to restart your Windows host

in cmd.com, type "shutdown /r /t 0"

Legacy (Ignore this section)

~~cluster certificates FIELD ADVISORY CLUSTERING IN 6.8~~

~~The process of clustering CPPM requires 2 certificate validations~~

~~HTTPS certificate validation~~

~~6.8 mandates the validation of HTTPS certificate between cluster nodes~~

~~self signed certs will cause subscribers to fail with~~

~~make subscriber failed, “GET failed, Will retry”~~

~~solution 1: recommended~~

~~CPPM nodes are signed by a Public CA.~~
~~A wildcard or a cert containing the FQDN for all the nodes in the cluster within the SAN signed by a known Public CA can be used~~
~~Ensure the entire chain including the Root and Intermediates of the Signing Certificate Authority (CA) are enabled in the Trust list of the Publisher.~~

~~To enable a trusted CA, navigate to Administration > Certificates > Trust List.~~
~~Enable the CA to be trusted for “Usage = Others”.~~

~~solution 2: not recommended (it ignores trust validation for the nodes joining the cluster)~~

~~Login to the CLI of the CPPM node to be added as a subscriber using the appadmin credentials.~~

~~Once logged in, issue the command as shown below:~~
~~[appadmin@CPPM2]# cluster make-subscriber -i <Publisher IP> -V~~

~~Expiration of HTTPS certificate does not affect the existing cluster.~~
~~This works on relaxing HTTPS certificate requirements, but not Database certificate requirements~~

~~Database certificate validation~~

~~you can use self-signed DB cert on your publisher, it's SAN field will be DNS:x.x.x.x (ip address of self)~~

~~however, you must export that cert, then import that cert into the new cluster nodes trust list before it can join your publisher as a subscriber~~

~~see the end of lab 18 for instructions on how to:~~

~~export the cert in p12 format~~
~~use openssl.exe to convert the p12 to PEM format which can be imported into the new cluster nodes trust list~~

~~but, best practice is to use a public CA to create certs for each cluster node, be sure the SAN for each is set to DNS:x.x.x.x (ip address of node it is installed on)~~

~~it cannot use the SAN IP:x.x.x.x format~~
~~be sure to install your CA's public cert the cluster's root chain of trust~~

~~this means you no longer need to install your trust anchors public certs in your nodes before you have them join your cluster~~

~~Lab 18: Cluster~~

~~18.1: Enabling Clustering~~

~~18.1.20: (on page 490)~~

after completing step 18.1.20 you MUST go to page 513 and complete all steps from the paragraph titled "Certificate conversion process from .p12 to .pem", then return to page 490 and continue from step 21

~~18.2: Monitoring Clustering~~
~~18.3: Configuring High Availability~~
~~18.4: Testing High Availability~~