Implementing Aruba Network Security v24.41 (IANS)

Welcome to this week's class (IANS)

Please be sure you have downloaded the learner guide and lab guide as per the instructions in the email you should have received from HPE last week.  If you cannot find the email, check your email history, spam folder, etc. for the keyword "OnSecure".

  • in this spreadsheet you will find the links for:
    • My Contact Details
    • Course Evaluation Link
    • Lab Access Login Details
    • Lab Guide 1 & 2

        Lab Notes

    Tips on how to google our site for documentation

      • googling for AOS-Switch-related topics
        • site:hpe.com 16.09 -inurl:pdf -inurl:cx "dhcp-snooping"
      • googling for AOS-CX-related topics
        • site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.11 "dhcp-snooping"
      • search option notes:
        • site:x only searches that domain
        • -inurl:x excludes links that contain this text in the URL
        • inurl:x only reports links that contain this text in the URL
          • (ideal for finding documentation for a specific version)

    Helpful Links

      • about Aruba training and this course
      • where to find more information
      • where to find online documentation
      • AOS-CX specific links
      • AP Datasheets
      • GW Datasheets

                  Day 1 - Lecture Modules & Labs

                  M00: Course Introduction

                  M01: Aruba Security Strategy

                  Lab 0 - Aruba Remote Lab Instructions

                      • Important: follow instructions on how to log in to Central
                        • pdf page 16, (page 8 on bottom of page) 
                          • step 3, click SSO, everyone misses this!!!
                        • pdf page 17, (page 9 on bottom of page) 
                          • step 6 says: 
                            • If your instructor has told you to use a certain region, select it. 
                          • solution:
                            • Choose US-West
                      • pdf page 26, (page 18, top of page)
                        • when you run the lab01-central-setup.py script
                          • note: if you are table 1, use "1" not "01"
                        • issue: when you run the script you get the following error
                          • C:\Users\student\Desktop\Tools\Central>lab01-central-setup.py
                            Enter your table number: 6
                            Creating the lab-branch group
                            The method is not allowed for the requested URL.
                            Applying the country code to the lab-branch group
                            The method is not allowed for the requested URL.
                            Applying the AP configuration to the group
                            The method is not allowed for the requested URL.
                            Finding your APs
                            Success
                            Traceback (most recent call last):
                              File "C:\Users\student\Desktop\Tools\Central\lab01-central-setup.py", line 245, in <module>
                                all_ap_list = response['devices']
                            KeyError: 'devices'
                        • solution: be sure your base_url ends with ".com" (you may have forgotten to remove "/swagger/apps/nms/")
                      • pdf page 26, (page 18 on bottom of page) 
                        • step 13 says: 
                          • validate that your AP in the lab-branch group is in subnet 10.1.16
                        • issue: your AP might be in 10.1.15
                        • solution:
                          • use Central > Organization > Groups to move the 10.1.15 AP back to the group "default" and the 10.1.16 AP into the group "lab-branch" before continuing your lab
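The lab01-central-setup.py failure shown above comes from input mistakes that are cheap to catch before the first API call. The block below is an added example written for these notes; it is not part of the lab script or of any HPE/Aruba code. It normalizes a pasted base_url down to the gateway origin (dropping /swagger/apps/nms/), strips leading zeros from the table number ("01" becomes "1"), and replaces the bare KeyError on 'devices' with an error that names the likely cause. The host apigw-region.example.com is a placeholder; use the base_url from your own lab access details.

```python
from urllib.parse import urlsplit, urlunsplit

# Added helper functions (not part of lab01-central-setup.py). They catch the two
# input mistakes described in these lab notes before any Central API call is made:
#   * base_url still ending in /swagger/apps/nms/ (copied from the Swagger page),
#     which makes the gateway answer "The method is not allowed for the requested URL."
#   * a table number typed as "01" instead of "1".

METHOD_NOT_ALLOWED = "The method is not allowed for the requested URL."


def normalize_base_url(base_url: str) -> str:
    """Return the API gateway origin (scheme + host only) for a pasted base_url.

    Any path such as /swagger/apps/nms/, plus query and fragment, is dropped, so
    the result ends with the gateway host (".com" for the lab gateway) as the
    lab notes require. Raises ValueError for anything that is not an https URL.
    """
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"base_url must be an https URL, got {base_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def normalize_table_number(raw: str) -> str:
    """Strip leading zeros: "01" -> "1". Rejects non-numeric or zero input."""
    raw = raw.strip()
    if not raw.isdigit() or int(raw) == 0:
        raise ValueError(f"table number must be a positive integer, got {raw!r}")
    return str(int(raw))


def extract_devices(response_json: dict) -> list:
    """Return response_json['devices'], or raise a RuntimeError that explains the
    likely cause instead of the bare KeyError the lab script produces."""
    if "devices" in response_json:
        return response_json["devices"]
    detail = (response_json.get("message")
              or response_json.get("error_description")
              or "no 'devices' key in response")
    hint = ""
    if detail == METHOD_NOT_ALLOWED:
        hint = " (base_url probably still contains /swagger/apps/nms/)"
    raise RuntimeError(f"Central did not return a device list: {detail}{hint}")


if __name__ == "__main__":
    # Placeholder gateway host; take the real base_url from your lab access details.
    print(normalize_base_url("https://apigw-region.example.com/swagger/apps/nms/"))
    print(normalize_table_number("01"))
```

Call normalize_base_url() and normalize_table_number() on the values read from the prompt, and wrap the device lookup in extract_devices(); the 405 text the gateway returns is then reported with its cause instead of surfacing later as KeyError: 'devices'.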

                  Lab 1 - Explore CPPM Services (50m)

                      • 1.1: Deploy your AP
                        • on page 13 (1.1.3.f)
                          • it says
                            • "tableID": "XX"
                          • but should say
                            • "tableID": "y" (replace y with your table number, remove any leading zeros)
                        • on page 17 (1.1.9)
                          • ISSUE:
                            • it says the template you pasted will contain
                              • wlan auth-server cppm
                              •    ip clearpassa.training.arubanetworks.com
                            • however the template you pasted actually says
                              • wlan auth-server cppm
                              •    ip clearpass0%tableID%a.training.arubanetworks.com
                          • SOLUTION: change your text template to say (on line 97)
                            • wlan auth-server cppm
                            •    ip clearpassa.training.arubanetworks.com
                      • 1.2: Add Network Devices in CPPM
                      • 1.3: View a CPPM Service and answer questions about it
                      • 1.4: Test the Service
                      • 1.5: Assess ways the Company can better implement ZTS

                  M02: Deploy Trusted Certificates to Aruba Solutions

                  Lab 2 - Install Certificates on Aruba Solutions (60m)

                      • 2.1: Manage the ClearPass Trust List
                      • 2.2: Install Certificates on ClearPass
                      • 2.3: Install Certificates on Future Subscribers
                      • 2.4: Install a Certificate on an AP
                        • on page 67 (2.4.4.e)
                          • it says
                            • click "+" icon to add AP_captiveportal certificate
                          • the issue
                            • the certificate may already exist and cannot be added again; it was probably left over from a previous student session
                          • the solution
                            • click the trash icon to delete the existing certificate, then you can go ahead and reinstall the certificate as the lab guide states
                      • 2.5: Establish the ClearPass Cluster
                        • on page 72 (2.5.11) Configure Virtual IP Settings
                          • the ISSUE
                            • if you get an error saying your certificates are expired while trying to establish your VIP, the CPPM2 HTTPS certificate might be expired
                          • the solution
                            • from CPPM1 > Certificates > Certificate Store >
                              • select CPPM1, usage HTTPS Server Certificate
                              • export the HTTPS server certificate using the passphrase @ruba123!
                              • this creates a PKCS#12 format file
                            • from CPPM1 > Certificates > Certificate Store > Import Certificate
                              • Select "server certificate"
                                • Server = CPPM2
                                • Usage = HTTPS Server Certificate
                                • Upload Method = PKCS#12
                                • select the file you previously downloaded
                                • enter your passphrase, click Import
                          • repeat lab 2 task 5 step 11, it should work now

                  M03: Implementing Certificate-Based 802.1x (part 1 EAP-TLS & part 2 BYOD)

                  Lab 3.A - Authenticate Clients with EAP-TLS (30m)

                      • 3.1.1: Add Components that Make EAP-TLS More Secure
                      • 3.1.2: Add EAP-TLS to a ClearPass Policy Manager (CPPM) Service
                      • 3.1.3: Explore the Windows Domain Certificates
                        • on page 72 (3.7.b) Double-click the "Apply TLS to the WLAN" file.
                          • ISSUE 1
                            • be sure the script is applied (it may complain the path is invalid)
                          • ISSUE 2
                            • there may be an error in the profile itself: check the Desktop\Tools\Profiles\Wi-Fi-tls-0x-Corporate.xml file
                              • look for "<ServerNames><random hostname goes here>.training.arubanetworks.com</ServerNames>"
                          • the solution
                            • from CPPM1 > Certificates > Certificate Store > 
                              • select CPPM1, usage RADIUS Server Certificate
                                • determine the CN, change your XML file to match
                        • pdf page 111, (page 103 on bottom of page) 
                          • step f says: 
                            • right-click "Lab-NC - 6300" and disable it
                          • issue: you get asked for admin privileges
                          • solution:
                            • use account cpadmin & password @ruba123!
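The ServerNames fix in 3.1.3 above is easy to get wrong by hand, and a mismatch means the Windows supplicant rejects the RADIUS server and EAP-TLS fails. The block below is an added example for these notes, not one of the course files: it reads every ServerNames element of a Wi-Fi profile regardless of XML namespace, checks it against the CN you read from the CPPM1 RADIUS server certificate, and rewrites it at text level so the file's formatting and namespace declarations survive. SAMPLE_PROFILE is a constructed, trimmed stand-in for Wi-Fi-tls-0x-Corporate.xml and RADIUS_CN is a placeholder for the CN from your certificate store.

```python
import re
import xml.etree.ElementTree as ET

# Added helper (not part of the course files). The EAP-TLS Wi-Fi profile that
# "Apply TLS to the WLAN" imports only trusts a RADIUS server whose certificate
# name matches <ServerNames>; a leftover random hostname breaks authentication.

# Constructed, trimmed stand-in for Desktop\Tools\Profiles\Wi-Fi-tls-0x-Corporate.xml
# (the real file has more elements; only <ServerNames> matters here).
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corporate</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                <ServerValidation>
                  <ServerNames>random-hostname.training.arubanetworks.com</ServerNames>
                </ServerValidation>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

# Placeholder: take the real CN from CPPM1 > Certificates > Certificate Store,
# usage "RADIUS Server Certificate".
RADIUS_CN = "clearpass-placeholder.training.arubanetworks.com"

SERVER_NAMES_RE = re.compile(r"(<ServerNames>)([^<]*)(</ServerNames>)")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def get_server_names(profile_xml: str) -> list:
    """Return the text of every <ServerNames> element, namespace-agnostic."""
    root = ET.fromstring(profile_xml)
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "ServerNames"]


def server_names_match(profile_xml: str, radius_cn: str) -> bool:
    """True when every <ServerNames> entry (a ';'-separated list) contains radius_cn."""
    names = get_server_names(profile_xml)
    if not names:
        return False
    wanted = radius_cn.strip().lower()
    return all(wanted in [n.strip().lower() for n in entry.split(";")] for entry in names)


def set_server_names(profile_xml: str, radius_cn: str) -> str:
    """Rewrite <ServerNames> at text level (so formatting and namespace declarations
    survive) and confirm the result is still well-formed XML."""
    if not SERVER_NAMES_RE.search(profile_xml):
        raise ValueError("profile has no <ServerNames> element")
    fixed = SERVER_NAMES_RE.sub(lambda m: f"{m.group(1)}{radius_cn}{m.group(3)}", profile_xml)
    ET.fromstring(fixed)  # raises ParseError if the rewrite broke the document
    return fixed


if __name__ == "__main__":
    print("before:", get_server_names(SAMPLE_PROFILE), server_names_match(SAMPLE_PROFILE, RADIUS_CN))
    fixed = set_server_names(SAMPLE_PROFILE, RADIUS_CN)
    print("after: ", get_server_names(fixed), server_names_match(fixed, RADIUS_CN))
```

Read the profile file, run server_names_match() with the CN from the certificate store, and write back the output of set_server_names() only when it returns False; re-import the profile afterwards, since Windows keeps the copy it already applied.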

                  Day 2 - Lecture Modules & Labs

                  Lab 3.B - Onboard BYOD Devices (35m)

                      • 3.2.1: Configure ClearPass Onboard
                      • 3.2.2: Set up Onboard Services in CPPM
                      • 3.2.3: Set Up the Infrastructure for Onboarding
                      • 3.2.4: Test Onboarding 

                  M03: Implementing Certificate-Based 802.1x (part 3)

                  Lab 3.C - Authenticate Clients with EAP-TEAP (30m)

                      • 3.3.1: Use EAP-TEAP in a ClearPass Policy Manager (CPPM) Service
                      • 3.3.2: Test the New Scenario

                  Appendix - Configure EAP-TEAP on Windows

                  M04: Implement Advanced Policies on the Role-Based ArubaOS Firewall

                  Lab 4.a - Use CPPM to Assign Users to Roles (40m)

                      • 4.a.1: Create a Role Mapping Policy
                      • 4.a.2: Configure an Enforcement Policy
                      • 4.a.3: Edit the Wireless 802.1X Service
                      • 4.a.4: Enforce AOS Firewall Role Assignment

                  Lab 4.b - Analyze and Apply AOS Firewall Policies (45m)

                      • 4.b.1: Analyze an ACL
                      • 4.b.2: Apply Extended ACL Actions

                  M05: Evaluate Endpoint Posture

                  Lab 5 - Evaluate and Enforce Endpoint Posture with ClearPass OnGuard (60m)

                      • 5.1: Create an OnGuard Posture Policy
                      • 5.2: Create Enforcement Profiles and Policies
                      • 5.3: Create a Service to Process SHV Reports
                      • 5.4: Modify the Existing 802.1X Service
                      • 5.5: Configure and Install OnGuard Persistent Agent
                      • 5.6: Test the OnGuard Persistent Agent

                  M06: Implement a Trusted Network Infrastructure

                    • Implement Secure Management of Aruba Devices

                  Lab 6.a - Implement Manager Authentication on CX Switches (35m)

                      • 6.a.1: Configure TACACS+ Authentication on an AOS-CX Switch
                      • 6.a.2: Set Up TACACS+ on CPPM
                      • 6.a.3: Configure Per-Command Authorization in a TACACS+ Policy
                      • 6.a.4: Configure Public Key SSH Authentication 

                  Day 3 - Lecture Modules & Labs

                  M06: Implement a Trusted Network Infrastructure

                  Lab 6.b - Implement DHCP and ARP Protection (15m)

                      • 6.b.1: Configure DHCP Snooping
                      • 6.b.2: Configure ARP Inspection
                      • 6.b.3: Test ARP Inspection

                  M07: Implement 802.1X and Role-Based Access Control on CX

                  Lab 7 - Implement Wired 802.1X with VLAN Steering (45m)

                      • 7.1: Setup Downloadable Enforcement Profiles on CPPM
                      • 7.2: Use Downloadable Enforcement Profiles in an Enforcement Policy
                      • 7.3: Create a Wired 802.1X Service
                      • 7.4: Configure the AOS-CX Switch to Enforce 802.1X to CPPM
                      • 7.5: Test Authentication

                  M08: Implement Dynamic Segmentation on AOS-CX

                          • dealing with dormant client issues (Eric Lim)
                            • Aruba AOS-CX 10.10 - UBT Silent Device
                              • https://www.youtube.com/watch?v=_QXYN27KRgE
                            • https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/cli_6200/Content/Chp_Dyn_Seg/UBT_cmds/wol-en-vlan.htm
                            • a RADIUS Session-Timeout helped solve this problem, where the reauthentication timer on the switch did not

                      Lab 8.a - Implement User-Based Tunneling (40m)

                          • 8.a.1: Provision 9x00 Series Gateways
                          • 8.a.2: Use a Script to Load Base Settings on the BGWs
                          • 8.a.3: Establish a Tunnel between CX and a Gateway
                          • 8.a.4: Configure the Gateway Settings
                            • on page 313 (8.a.4.6)
                              • it says
                                • .... you can copy the commands from below or from Lab-BGW-cluster.txt in your Central files
                                • if you copy from the PDF, be sure the lines are indented as shown in the PDF file; the indents probably will not paste as expected
                              • the issue
                                • if you copy the text from the pdf, it only works if you are on table 10 through 12
                              • the solution
                                • use the template file provided, which is correct...
                                  • or add the leading 0 before %tableID% as shown below
                                • !lc-cluster group-profile lab0%tableID%-cluster
                          • 8.a.5: Create a DUR on CPPM that Uses UBT
                          • 8.a.6: Validate the Configuration

                      M09: Monitor with Network Analytics Engine

                      Lab 9 - Use the AOS-CX NAE (20m)

                          • 9.1: Install an NAE Agent Script
                            • on page 326 (9.1.2)
                              • it says
                                • Click the Aruba Solutions Exchange square (note: it may take a minute to populate).
                              • the issue
                                • ASE has been deprecated, so that link may not work
                              • the solution
                                • go to the following link:
                                  • https://github.com/aruba/nae-scripts/blob/master/recommended_scripts/copp/copp.py
                                • click the RAW download link, upload it manually
                          • 9.2: Create an NAE Agent
                          • 9.3: View the NAE Agent in Action

                      M10: Implement WIDS/WIPS

                      Lab 10 - Implement WIDS (20m)

                          • 10.1:  Set up a Central Group and Site
                          • 10.2: Configure WIDS/WIPS
                          • 10.3: Observe Rogue AP Detection

                      Day 4 - Lecture Modules & Labs

                        M11: Use CPPM and 3rd Party Integration to Mitigate Threats

                        Lab 11 - Integrate CPPM with a 3rd-Party Device (40m)

                            • 11.1: Configure Ingress Event Processing
                              • on pages 19 and 24 it says Jupiter but should say Juniper
                                • it says
                                  • %{Event:Jupiter-SRX-TS:application-name}
                                • but should say
                                  • %{Event:Juniper-SRX-TS:application-name}
                            • 11.2: Configure the Event Enforcement Service
                            • 11.3: Adjust an 802.1X Service to Deal with Compromised Devices
                            • 11.4: Test the Solution

                        M12: Implement Device Profiling with CPPM

                        Lab 12.a - Explore the CPPM Device Profiler (30m)

                            • 12.a.1: View the Endpoints Repository
                            • 12.a.2: Run Insight Reports
                            • 12.a.3: Create a Custom Fingerprint

                        Lab 12.b - Use Device Profiles in CPPM Services (40m)

                            • 12.b.1: Create a Service That Uses Profiling
                            • 12.b.2: Validate the Policy

                        M13: Overview of Device Profiling with Aruba Central Applications

                        Lab 13 - Use Client Profiling in Central Network Operations (15m)

                            • 13.1: Ensure Clients are Discovered in Central
                            • 13.2: Explore Device Profiles

                        M14: Deploy ClearPass Device Insight

                        Lab 14 - None

                              M15: Integrate CPDI with CPPM

                                Day 5 - Lecture Modules & Labs

                                Lab 15 - CPPM Device Insight Integration (25m)

                                    • 15.1: Enable Device Insight Integration on CPPM
                                    • 15.2: Use Device Insight Tags in CPPM

                                M16: Use Packet Captures to Investigate Security Issues

                                    • how to tcpdump in a different VRF on AOS-CX
                                      • sudo ip netns exec <swns | VRF_#> your_command
                                        • meanings:
                                          • swns       = default VRF
                                          • VRF_1      = mgmt VRF
                                          • VRF_2...   = any of the user-created VRFs
                                        • your_command, an example:
                                          • tcpdump -vv -i any port 3799
                                          • https://www.tcpdump.org/manpages/tcpdump.1.html
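A small wrapper around the command above keeps the VRF-to-namespace mapping in one place and lets you render the command line before running it. The block below is an added example for these notes, not an AOS-CX feature or Aruba code; it assumes you run it from the switch's bash shell, that user-created VRFs are addressed by their namespace name (VRF_2, VRF_3, ...) because the notes give no fixed name-to-number rule for them, and the capture filters use the IANA ports for RADIUS (1812/1813), RADIUS CoA (3799) and TACACS+ (49).

```python
import re
import shlex
import subprocess

# Added helper, not an AOS-CX command: wraps "sudo ip netns exec <ns> tcpdump ..."
# and maps the VRF names shown by "show vrf" to the Linux network namespaces
# listed in these notes (swns = default, VRF_1 = mgmt, VRF_2... = user VRFs).

NETNS_FOR_VRF = {"default": "swns", "mgmt": "VRF_1"}

# Capture filters useful in this course's labs (IANA port numbers).
CAPTURE_FILTERS = {
    "coa": "udp port 3799",                                     # RADIUS CoA / Disconnect
    "radius": "udp and (port 1812 or port 1813 or port 3799)",  # auth, acct, CoA
    "tacacs": "tcp port 49",                                    # TACACS+ (lab 6.a)
}


def netns_for_vrf(vrf: str) -> str:
    """Translate a VRF name into its namespace name; namespace names pass through."""
    if vrf in NETNS_FOR_VRF:
        return NETNS_FOR_VRF[vrf]
    if vrf == "swns" or re.fullmatch(r"VRF_\d+", vrf):
        return vrf
    raise ValueError(f"unknown VRF {vrf!r}; use default, mgmt, swns or VRF_<n>")


def build_capture_cmd(vrf: str, tcpdump_args) -> list:
    """Build the argv list; tcpdump_args are passed through untouched."""
    return ["sudo", "ip", "netns", "exec", netns_for_vrf(vrf), "tcpdump", *list(tcpdump_args)]


def capture(vrf: str, tcpdump_args, dry_run: bool = True) -> str:
    """Run (or, by default, only render) the capture command and return the
    shell-quoted command line so it can be pasted into the switch shell or logged."""
    cmd = build_capture_cmd(vrf, tcpdump_args)
    if not dry_run:
        subprocess.run(cmd, check=True)  # blocks until tcpdump exits (Ctrl-C or -c N)
    return shlex.join(cmd)


if __name__ == "__main__":
    # The example from the notes, aimed at the mgmt VRF, rendered only:
    print(capture("mgmt", ["-vv", "-i", "any", CAPTURE_FILTERS["coa"]]))
```

Pass dry_run=False only once the rendered line looks right; -w <file> in tcpdump_args writes a pcap you can copy off the switch for lab 16's Wireshark work.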

                                  Lab 16 - Create and Analyze Packet Captures (25m)

                                      • 16.1: Capture Network Traffic and View in Wireshark
                                      • 16.2: Analyse Packets
                                      • 16.3: Analyse More Packets

                                  M17: Secure Remote and Branch Access (SSE)

                                  Lab 17.a - Configure SSE (?m)

                                      • 17.a.1: Deploy SSE Workspace
                                      • 17.a.2: Setup the internal IdP
                                      • 17.a.3: Configure Networking ZTNA
                                      • 17.a.4: Prepare the Client for SWG
                                      • 17.a.5: Configure SWG

                                  Lab 17.b - Optional - Deploy SD-Branch Solution

                                      • 17.b.1: Deploy the VPNC
                                      • 17.b.2: Configure the VPNC
                                      • 17.b.3: Configure the Branch Gateways (BGWs)
                                      • 17.b.4: View the Tunnels
                                      • 17.b.5: Disable SD-WAN Orchestration

                                  M18: Configure Aruba Gateway IDS/IPS

                                  Lab 18 - Implement Aruba Gateway IDS/IPS (10m)

                                      • 18.1: Configure Aruba Gateway IDS/IPS
                                      • 18.2: Simulate a Threat

                                  M19: Use Aruba Central Alerts to Investigate Security Issues

                                  Lab 19 - Configure and Monitor Aruba Central Alerts (20m)

                                      • 19.1: Configure Central Alerts and Notifications
                                      • 19.2: View Alerts

                                  Appendix

                                  Acronyms or Key terms

                                    • SCIM: System for Cross-domain Identity Management
                                    • ESP: Encapsulating Security Payload
                                      • provides encryption, authentication, integrity and confidentiality for IP packets
                                      • based on IP protocol 50, but can be UDP-encapsulated to port 4500 when deployed in NAT-T mode
                                    • IPsec:
                                      • protocol suite that provides security services for IP packets, such as encryption, authentication, integrity and confidentiality
                                    • ISAKMP:
                                      • defines how to establish, negotiate, modify and delete security associations (SAs) for IPsec
                                    • ISAKMP configuration method:
                                      • allows a VPNC to push configuration such as IP addresses, DNS, WINS settings to a client after IKE phase 1 is established
                                    • nonce:
                                      • random / semi-random number generated for cryptographic communication 
                                      • mechanism helps to protect against replay attacks
                                      • the term stands for "number used once"
                                    • SA: Security Association
                                      • a relationship between two or more entities that describes how the entities will use security services to communicate securely
                                    • SPI: Security Parameter Index
                                      • identification tag added to the header while using IPsec for tunneling the IP traffic. 
                                      • This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use
                                    • Xauth:
                                      • extended authentication for IPsec remote-access users, requested by a VPNC after the IKE phase 1 SA is established.
                                      • it typically supports RADIUS, SecurID and username/password
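The ESP, NAT-T, SA, SPI and replay-protection terms above fit together in a few lines of code. The block below is an added example for these notes, not course material: it recognises native ESP (IP protocol 50) and NAT-T ESP on UDP 4500 (where IKE packets on the same port begin with a four-byte zero "non-ESP marker", per RFC 3948), reads the SPI and sequence number from the 8-byte ESP header (RFC 4303), keys per-SA state on the SPI, and applies a simplified anti-replay window. The sample packets are constructed, not captured, and the SPI values are arbitrary.

```python
import struct
from typing import Optional

# Added example, not course material: applies the glossary above to raw bytes.
ESP_PROTOCOL = 50
UDP_PROTOCOL = 17
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP 4500 starts with this


def parse_esp_header(payload: bytes) -> dict:
    """ESP header = SPI (4 bytes) + sequence number (4 bytes), both big-endian."""
    if len(payload) < 8:
        raise ValueError("payload too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved and never used on the wire")
    return {"spi": spi, "seq": seq}


def classify_ipsec_payload(ip_protocol: int, dst_port: Optional[int], payload: bytes) -> dict:
    """payload is the bytes after the IP header (proto 50) or after the UDP header (port 4500)."""
    if ip_protocol == ESP_PROTOCOL:
        return {"kind": "esp", **parse_esp_header(payload)}
    if ip_protocol == UDP_PROTOCOL and dst_port == NAT_T_PORT:
        if payload[:4] == NON_ESP_MARKER:
            return {"kind": "ike-nat-t"}   # IKE negotiation/keepalive sharing port 4500
        return {"kind": "esp-nat-t", **parse_esp_header(payload)}
    return {"kind": "other"}


class ReplayWindow:
    """Per-SA anti-replay check: reject a sequence number that was already seen or
    that falls behind the window (simplified from RFC 4303 section 3.4.3)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.seen = set()

    def accept(self, seq: int) -> bool:
        if seq <= self.highest - self.size or seq in self.seen:
            return False
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.size}
        return True


def process_packets(packets) -> list:
    """Classify each (ip_protocol, dst_port, payload) tuple and run ESP packets through
    the replay window belonging to their SPI; ESP result dicts gain an 'accepted' key."""
    windows = {}
    results = []
    for ip_protocol, dst_port, payload in packets:
        info = classify_ipsec_payload(ip_protocol, dst_port, payload)
        if "spi" in info:
            window = windows.setdefault(info["spi"], ReplayWindow())
            info["accepted"] = window.accept(info["seq"])
        results.append(info)
    return results


def _esp(spi: int, seq: int) -> bytes:
    """Constructed ESP packet: header followed by a dummy encrypted body."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


# Constructed sample: two SAs, one NAT-T ESP packet, one IKE packet and one replay.
SAMPLE_PACKETS = [
    (ESP_PROTOCOL, None, _esp(0x1234ABCD, 1)),
    (UDP_PROTOCOL, NAT_T_PORT, NON_ESP_MARKER + b"\x11" * 28),
    (UDP_PROTOCOL, NAT_T_PORT, _esp(0x1234ABCD, 2)),
    (ESP_PROTOCOL, None, _esp(0x1234ABCD, 1)),   # replayed seq 1: must be rejected
    (ESP_PROTOCOL, None, _esp(0xDEADBEEF, 1)),   # different SA, so seq 1 is fine
]

if __name__ == "__main__":
    for result in process_packets(SAMPLE_PACKETS):
        print(result)
```

The SPI is what separates the two streams here, exactly as the SPI entry above describes: the replayed packet is rejected only within its own SA, while the same sequence number on another SPI is accepted. A real receiver also checks the ICV before updating the window; this example skips that step because the sample bodies are dummies.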

                                  Labs Summary

                                  Lab Access Errata

                                    • when experiencing any problems with remote lab access (WebGate):
                                      • be sure your browser is in private (incognito) mode
                                      • restart your browser and clear your cache and cookies
                                      • do not try to login unless you are 100 percent sure the login page is fully loaded (the tab favicon will look similar to an orange triangle)
                                      • during login to Central, did you select the SSO option?
