Aruba Network Security Fundamentals v24.41 (ANSF)

Welcome to this week's class


Be sure you have downloaded the course learner guide as per the instructions you received in an email from HPE last week. Check your email history, spam folder, etc. for the keyword "OnSecure" if you cannot find the email. You only have 10 days to print this learner guide (PDF or paper).

Lab Notes

  • Tips on how to google our site for documentation
    • googling for AOS-Switch-related topics
      • site:hpe.com 16.09 -inurl:pdf -inurl:cx "dhcp-snooping"
    • googling for AOS-CX-related topics
      • site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.11 "dhcp-snooping"
    • notes:
      • site:xxx.xxx searches only that domain
      • -inurl:xxx excludes links that contain this text in the URL
      • inurl:xxx reports only links that contain this text in the URL
        • (ideal for finding the documentation for a specific version)

  • About Aruba training and this course
    • where to find more information
    • Mobility Controller specific links
    • Central and ClearPass links
    • AOS-CX specific links

Day 1 - Lecture Modules & Labs

  M00: Course Introduction

    • Lab 0 - Introduction
      • Topology and Credentials

  M01: Security Threats and the Aruba Security Strategy

    • Lab 1 - Explore Threats
      • 1.1: Determine how to protect companies from phishing email messages
      • 1.2: Create a Plan to Educate Users

  M02: Security Technologies

    • Lab 2 - Explore Certificates
      • 2.1: Install the Domain CA Root Certificate
      • 2.2: Explore the Windows Certificate Stores
      • 2.3: Use OpenSSL to Generate a CSR
      • 2.4: Generate a Certificate
      • 2.5: Create a PFX File
      • 2.6: Evaluate the Role of Certificates

  M03: Hardening Switches

    • Lab 3 - Harden Aruba Switches
      • 3.1: Configure Authenticated NTP
      • 3.2: Restrict Management Access to an AOS-CX Switch
      • 3.3: Configure Manager Authentication for SSH
      • 3.4: Install Certificates
        • on page 64, step 5 it says:
          • crypto pki ta-profile arubatraining
            • issue:
              • the arubatraining ta-profile may already exist; if so, the switch refuses to create it again
            • solution:
              • you can ignore this error; simply run the copy command to overwrite the ta-profile with the updated certificate
          • copy sftp ta-certificate arubatraining student@10.1.X0.90 ArubaTrainingCA.cer
            • if that copy fails, double-check that the Windows host-level firewall is disabled
        • on page 65, step 6 it says:
          • crypto pki create-csr certificate-name os-switch ta-profile arubatraining key-type rsa key-size 2048 usage all valid-start <yesterday> valid-end <2 years from now>
            • issue:
              • if a certificate named os-switch already exists, the command fails and reports that it already exists
            • solution:
              • delete the existing switch certificate with the following command, then run the create-csr command again
          • crypto pki clear certificate-name os-switch
          • crypto pki create-csr certificate-name os-switch ta-profile arubatraining key-type rsa key-size 2048 usage all valid-start 06/12/2023 valid-end 06/12/2025
      • Appendix: Loading a Certificate on an AOS-CX switch

Day 2 - Lecture Modules & Labs

  M04: Hardening the ArubaOS

    • Lab 4 - Harden an ArubaOS Mobility Controller (MC)
      • 4.1: Install Certificates on the MC
        • on page 80, step j it says:
          • to submit a form that imports the ArubaTrainingCA cert into the TrustedCA store.
            • issue:
              • this cert may already exist, but it does not show up in the list of installed certs; consider it a known bug in this version of the firmware
            • solution:
              • use the name ArubaTrainingCA1 on the import form
      • 4.2: Configure External Admin Authentication on the MC
      • 4.3: Authorize the AP and Establish Secure Communications with It
      • 4.4: Configure Authenticated NTP
      • 4.5: Consider Further Protection Strategies
      • Appendix: Configuring Global Firewall Settings and the Control Plane Firewall Rules

  ---------------- Lunch Break ----------------

  M05: Secure LAN Protocols

  M06: Network Authentication and Encryption Technologies

    • Lab 6 - Explore Preparing Clients for 802.1X and EAP-TLS
      • 6.1: Connect the Test Client to the Lab Network
      • 6.2: Use Aruba ClearPass Onboard to Start Setting up the Wired/Wireless Test Client
      • 6.3: Configure 802.1X Connection Properties Manually
        • on page 120, step 3 it says:
          • Click the Authentication tab.
            • issue:
              • Windows does not enable 802.1X for wired connections by default, so the Authentication tab will not be present.
            • solution:
              • open cmd.exe and type "services.msc", find "Wired AutoConfig" in the list of services, right-click it and select Start; the Authentication tab will now show up as expected.
      • 6.4: Discuss EAP-TLS Considerations

Day 3 - Lecture Modules & Labs

  M07: Enforce Edge Security with an Aruba Infrastructure

    • Lab 7.A - Configure Basic Employee Authentication
      • 7.A.1: Enable Firewall Visibility
      • 7.A.2: Create WPA3-Enterprise WLAN
      • 7.A.3: Add the WirelessUsers VLAN to an MC Port
      • 7.A.4: Add RadSec to the RADIUS Authentication Server Settings
      • 7.A.5: Connect a Wireless Client to the WLAN
    • Lab 7.B - Configure 802.1X on Aruba Switches
      • 7.B.1: Configure 802.1X on the AOS-CX Switch
      • 7.B.2: Connect the Client to the AOS-CX Switch
      • 7.B.3: Configure RADSEC

  ---------------- Lunch Break ----------------

  M08: Enforce Role-Based Authentication and Access Control

    • Lab 8.A - Set Up Role-Based Access on the WLAN
      • 8.A.1: Discuss Approaches to Role-Based Access Control
      • 8.A.2: Create a Basic Firewall Role and Policy
      • 8.A.3: Adjust the WLAN
      • 8.A.4: Test Access
      • 8.A.5: Create Aliases and More Complex Policies
      • 8.A.6: Test Access
    • Lab 8.B - Set Up Role-Based Access in the LAN
      • 8.B.1: Configure Role-Based Authorization on AOS-CX Switches
        • on page 191, step 8.a it says:
          • Open the Tools folder. Right-click the “Apply NIC profile.ps1” file and select Run with PowerShell.
            • issue:
              • this script sets the Windows client supplicant's RADIUS server name validation to an FQDN, but the RADIUS cert CN might actually be 10.254.1.23
            • solution:
              • after you verify that the CPPM RADIUS cert CN is in IP format, set the Windows client supplicant's RADIUS server name validation field to 10.254.1.23
        • on page 196, step 22 it might say:
          • Change the 6300 hostname to let CPPM match access requests to a service that...
          • hostname P05-TX-CX-Switch-Roles
            • issue:
              • this hostname does not match the CPPM Service 10 ruleset
            • solution: use the following hostname instead
              • hostname P05-TX-OS-CX-Switch-Roles
                • note: TX means T followed by your table number; CX stays CX because it is part of the model number.
      • 8.B.2: Set up Downloadable User Roles (DURs)
      • 8.B.3: Set Up the MC for Tunneled Node
      • 8.B.4: Set Up Dynamic Segmentation on AOS-CX Switch

  M09: Identify and Classify Endpoints

    • Complete Lab 9 on the morning of day 4

Day 4 - Lecture Modules & Labs

    • Lab 9 - Configure the Network Infrastructure to Support ClearPass Device Profiling
      • 9.1: Discuss Purposes and Benefits of Profiling
      • 9.2: Create Firewall Roles and Policies for the Profiling Scenario
      • 9.3: Check Change of Authorization (CoA) Settings
      • 9.4: Observe CPPM Assigning the Profiling Role
      • 9.5: Relay DHCP to CPPM
      • 9.6: Observe CPPM Profiling the Client
      • 9.7: Observe Profiling for Wired Clients (OPTIONAL)

  M10: Branch Security

  M11: Troubleshoot and Monitor

    • Lab 11 - Collect Logs and Troubleshoot
      • 11.1: Explore Logging
      • 11.2: Configure Logging
      • 11.3: Troubleshoot an Issue

  M12: Implement Threat Detection and Forensics

    • Lab 12 - View and Respond to Detected Threats
      • 12.1: Enable the RF Protect License
      • 12.2: Interpret Security Events
      • 12.3: Respond to Unauthorized Devices
      • 12.4: Detect Misassociations

Appendix

Acronyms or Key terms

  • ESP: Encapsulating Security Payload
  • SA: Security Association
    • a relationship between two or more entities that describes how the entities will use security services to communicate securely
  • SPI: Security Parameter Index
    • identification tag added to the header when IPsec is used to tunnel IP traffic
    • this tag lets the kernel distinguish between two traffic streams where different encryption rules and algorithms may be in use
  • nonce:
    • random or semi-random number generated for cryptographic communication
    • this mechanism helps protect against replay attacks
    • the term stands for "number used once"
