Implementing Aruba Network Security v24.41 (IANS)
Welcome to this week's class (IANS)
navigate to https://rubbernecks-arubanetworks.blogspot.com
- the Podx Spreadsheet (ask me in class for your password)
Lab Notes
Tips on how to google our site for documentation
- googling for AOS-Switch-related topics
- site:hpe.com 16.09 -inurl:pdf -inurl:cx "dhcp-snooping"
- googling for AOS-CX-related topics
- site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.11 "dhcp-snooping"
- search option notes:
- site:x only searches that domain
- -inurl:x excludes links with this text in the URL
- inurl:x only reports links with this text in the URL
- (ideal for finding specific version documentation)
Helpful Links
- about Aruba training and this course
- where to find more information
- aruba: Aruba Technical Product Documentation Portal
- here you find:
- Technology Briefs
- Validated Reference Designs
- Aruba Validated Designs
- Compliance Documentation related to GDPR
- airheads: community.arubanetworks.com
- abc: Airheads Broadcasting Channel
- afp: Partner Technical Webinars
- aruba: Central Demo
- where to find online documentation
- techdocs: The CLI Bank (all products)
- asp: Central Latest Online Help
- aps: Central OnPrem_2.5.4 User Guide
- asp: ClearPass Device Insight Online Help
- airheads: ClearPass Policy Manager 6.11-release-notifications
- techdocs: ClearPass Policy Manager 6.11 Web_Help
- techdocs: ClearPass Policy Manager 6.10 Web_Help
- techdocs: ClearPass Policy Manager 6.9 Web_Help
- techdocs: ArubaOS_86_Web_Help
- aruba: UEBA Network Detection and Response (NDR) capabilities, delivered by Aruba Central
- AOS-CX specific links
- aruba: feature-navigator.arubanetworks.com
- asp: CX Documentation Portal
- asp: CX_10.13 EVPN VXLAN Guide
- asp: CX_10.13 IP Services Guide
- asp: CX_10.13 Security Guide
- asp: CX_10.13 NAE
- asp: CX_10.13 Monitoring Guide
- asp: CX_10.12 ACLs and Classifier Policies Guide - 6[34]00,81xx,8360
- asp: CX_10.13 CoPP Guide
- asp: CX_10.12 IP Routing
- asp: CX_10.13 Fundamentals Guide
- www.arubanetworks.com/assets/ds/DS_4100iSwitchSeries.pdf
- www.arubanetworks.com/assets/ds/DS_6000Series.pdf
- www.arubanetworks.com/assets/ds/DS_6100Series.pdf
- www.arubanetworks.com/assets/ds/DS_6200Series.pdf
- www.arubanetworks.com/assets/ds/DS_6300Series.pdf
- www.arubanetworks.com/assets/ds/DS_6400Series.pdf
- www.arubanetworks.com/assets/ds/DS_8100Series.pdf
- www.arubanetworks.com/assets/ds/DS_8320Series.pdf
- www.arubanetworks.com/assets/ds/DS_8325Series.pdf
- www.arubanetworks.com/assets/ds/DS_8360Series.pdf
- www.arubanetworks.com/assets/ds/DS_8400Series.pdf
- www.arubanetworks.com/assets/ds/DS_9300Series.pdf
- www.arubanetworks.com/assets/ds/DS_10000Series.pdf
- AP Datasheets
- Indoor APs
- www.arubanetworks.com/assets/ds/DS_AP303Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP503Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP500Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP510Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP530Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP550Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP610Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP630Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP650Series.pdf
- Outdoor/Ruggedized APs
- www.arubanetworks.com/assets/ds/DS_AP360Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP370Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP518Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP560Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP570Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP580Series.pdf
- www.arubanetworks.com/assets/ds/DS_AP670Series.pdf
- GW Datasheets
Day 1 - Lecture Modules & Labs
M00: Course Introduction
M01: Aruba Security Strategy
Lab 0 - Aruba Remote Lab Instructions
- begins on PDF page 13 (printed page number 5 at the bottom of the page)
- Important: follow instructions on how to login to Central
Lab 1 - Explore CPPM Services (50m)
- 1.1: Deploy your AP
- on page 13 (1.1.3.f) it says "tableID": "XX" but should say "tableID": "y" (replace y with your table number, remove any leading zeros)
- on page 17 (1.1.9) ISSUE: it says the template you pasted will contain
  wlan auth-server cppm
  ip clearpassa.training.arubanetworks.com
  however the template you pasted actually says
  wlan auth-server cppm
  ip clearpass0%tableID%a.training.arubanetworks.com
  SOLUTION: change your text template (on line 97) to say
  wlan auth-server cppm
  ip clearpassa.training.arubanetworks.com
- 1.2: Add Network Devices in CPPM
- 1.3: View a CPPM Service and answer questions about it
- 1.4: Test the Service
- 1.5: Assess ways the Company can better implement ZTS
M02: Deploy Trusted Certificates to Aruba Solutions
- abc: Workshop #3 - Installing the HTTPS Certificate on ClearPass
- abc: Workshop #4 - Building a ClearPass Cluster
- web: regexr.com (learn regular expressions)
- use the following example to understand pattern matching as shown in the RADSEC portion of the lecture
- expression: aps[124]{0,1}.example.com
- text tests:
- aps.example.com
- aps1.example.com
- a.example.com
- ap.example.com
- aps2.example.com
- aps3.example.com
- aps4.example.com
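The following is an added example, written for these notes and not taken from the lecture or from Aruba. It runs the lecture's expression against the seven test strings above with Python's re module and sets it beside an anchored, dot-escaped form; the two extra strings are constructed by me to show the difference. The point for RADSEC server-name matching is that [124]{0,1} is simply [124]?, but an unescaped "." matches any character and an unanchored search accepts a substring, so a hostname pattern used for a trust decision should escape its dots and be anchored to the whole name.

```python
import re

# Expression exactly as quoted in the lecture notes. [124]{0,1} means "zero or one of
# the digits 1, 2 or 4" (same as [124]?). The dots are unescaped, so each "." is a wildcard.
LECTURE_PATTERN = r"aps[124]{0,1}.example.com"

# Hardened form: dots escaped and the match anchored to the whole string.
STRICT_PATTERN = r"^aps[124]?\.example\.com$"

# The seven test strings from the lecture plus two constructed ones (not from the page).
TEST_STRINGS = [
    "aps.example.com",
    "aps1.example.com",
    "a.example.com",
    "ap.example.com",
    "aps2.example.com",
    "aps3.example.com",
    "aps4.example.com",
    "aps1xexamplexcom",                     # constructed: wildcard dots accept the x's
    "evil-aps1.example.com.attacker.net",   # constructed: substring match inside an unrelated name
]


def classify(pattern, texts, full=False):
    """Map each text to True/False. full=False searches for the pattern anywhere in the
    string (what most 'contains/matches' checks do); full=True requires the whole string."""
    rx = re.compile(pattern)
    return {t: bool(rx.fullmatch(t) if full else rx.search(t)) for t in texts}


def compare(texts=TEST_STRINGS):
    """Side-by-side verdicts: (lecture pattern via search, strict pattern via full match)."""
    loose = classify(LECTURE_PATTERN, texts)
    strict = classify(STRICT_PATTERN, texts, full=True)
    return {t: (loose[t], strict[t]) for t in texts}


if __name__ == "__main__":
    print(f"{'text':40} lecture  strict")
    for text, (loose_ok, strict_ok) in compare().items():
        print(f"{text:40} {str(loose_ok):8} {strict_ok}")
```

Only aps, aps1, aps2 and aps4 are accepted by both forms; aps3, ap and a are rejected by both. The two constructed names are accepted by the lecture pattern and rejected by the strict one, which is the behaviour you want when the name being matched comes from a certificate presented by the peer.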
Lab 2 - Install Certificates on Aruba Solutions (60m)
- 2.1: Manage the ClearPass Trust List
- 2.2: Install Certificates on ClearPass
- 2.3: Install Certificates on Future Subscribers
- 2.4: Install a Certificate on an Aruba AP
- on page 67 (2.4.4.e) it says: click the "+" icon to add the AP_captiveportal certificate
  the issue: the certificate may already exist and cannot be added again; it has likely been left over from a previous student session
  the solution: click the trash icon to delete the existing certificate, then reinstall the certificate as the lab guide states
- 2.5: Establish the Cluster
- on page 72 (2.5.11) Configure Virtual IP Settings
  the ISSUE: if you get an error while trying to establish your VIP saying your certificates are expired, the CPPM2 HTTPS certificate might be expired
  the solution: copy the CPPM1 HTTPS server certificate (with its private key) to CPPM2
  - from CPPM1 > Certificates > Certificate Store > select CPPM1, usage HTTPS Server Certificate
  - export the HTTPS certificate using the secret key @ruba123!; it will create a PKCS#12 format file
  - from CPPM1 > Certificates > Certificate Store > Import Certificate
  - select "server certificate"; Server = CPPM2; Usage = HTTPS Server Certificate; Upload Method = PKCS#12
  - select the file you previously downloaded, enter your passphrase, click Import
  - repeat lab 2 task 5 step 11, it should work now
  - caveat: the exported PKCS#12 file contains the private key, so delete it once the import succeeds; CPPM2 now presents CPPM1's certificate, so its CN/SAN must also cover the name used to reach CPPM2
M03: Implementing Certificate-Based 802.1x (part 1 EAP-TLS & part 2 BYOD)
Lab 3.A - Authenticate Clients with EAP-TLS (30m)
- 3.1.1: Add Components that Make EAP-TLS More Secure
- 3.1.2: Add EAP-TLS to a ClearPass Policy Manager (CPPM) Service
- 3.1.3: Explore the Windows Domain Certificates
- on page 72 (3.7.b) Double-click the "Apply TLS to the WLAN" file.
  ISSUE 1: be sure the script is applied (it may complain the path is invalid)
  ISSUE 2: there may be an error in the script; check the Desktop\Tools\Profiles\Wi-Fi-tls-0x-Corporate.xml file and look for
  "<ServerNames><random hostname goes here>.training.arubanetworks.com</ServerNames>"
  the solution: from CPPM1 > Certificates > Certificate Store > select CPPM1, usage RADIUS Server Certificate; determine the CN, then change your XML file to match
  note: <ServerNames> is the supplicant's check on the RADIUS server certificate name; fix the name rather than disabling server validation, otherwise the client will accept any server holding a certificate from a trusted CA
Day 2 - Lecture Modules & Labs
Lab 3.B - Onboard BYOD Devices (35m)
- 3.2.1: Configure ClearPass Onboard
- 3.2.2: Set up Onboard Services in CPPM
- 3.2.3: Set Up the Infrastructure for Onboarding
- 3.2.4: Test Onboarding
M03: Implementing Certificate-Based 802.1x (part 3)
Lab 3.C - Authenticate Clients with EAP-TEAP (30m)
- 3.3.1: Use EAP-TEAP in a ClearPass Policy Manager (CPPM) Service
- 3.3.2: Test the New Scenario
Appendix - Configure EAP-TEAP on Windows
M04: Implement Advanced Policies on the Role-Based ArubaOS Firewall
Lab 4.a - Use CPPM to Assign Users to Roles (40m)
- 4.a.1: Create a Role Mapping Policy
- 4.a.2: Configure an Enforcement Policy
- 4.a.3: Edit the Wireless 802.1X Service
- 4.a.4: Enforce AOS Firewall Role Assignment
Lab 4.b - Analyze and Apply AOS Firewall Policies (45m)
- 4.b.1: Create a Role Mapping Policy
- 4.b.2: Configure an Enforcement Policy
M05: Evaluate Endpoint Posture
Lab 5 - Evaluate and Enforce Endpoint Posture with ClearPass OnGuard (60m)
- 5.1: Create an OnGuard Posture Policy
- 5.2: Create Enforcement Profiles and Policies
- 5.3: Create a Service to Process SHV Reports
- 5.4: Modify the Existing 802.1X Service
- 5.5: Configure and Install OnGuard Persistent Agent
- 5.6: Test the OnGuard Persistent Agent
M06: Implement a Trusted Network Infrastructure
- Implement Secure Management of Aruba Devices
Lab 6.a - Implement Manager Authentication on CX Switches (35m)
- 6.a.1: Configure TACACS+ Authentication on an AOS-CX Switch
- 6.a.2: Set Up TACACS+ on CPPM
- 6.a.3: Configure Per-Command Authorization in a TACACS+ Policy
- 6.a.4: Configure Public Key SSH Authentication
Day 3 - Lecture Modules & Labs
M06: Implement a Trusted Network Infrastructure
- Secure L2 and L3 Protocols
Lab 6.b - Implement DHCP and ARP Protection (15m)
- 6.b.1: Configure DHCP Snooping
- 6.b.2: Configure ARP Inspection
- 6.b.3: Test ARP Inspection
M07: Implement 802.1X and Role-Based Access Control on CX
- abc: Aruba ClearPass Workshop - Wired #4 - Dynamic Access List (dACL)
- shows how to implement IETF NAS-FILTER-RULES
- abc: AOS-CX_10.07 User Based Tunnel Enhancements
- asp: CX_10.11 Security Guide - Port Access General Commands (Special Roles)
- asp: CX_10.10 CLI Guide - port-access fallback-role
- asp: CX_10.10 Security Guide - Port Access Policies (Class and Actions)
- techdocs: Central_Latest - 802.1X Authentication on Uplink Ports of an AP
- CX - New Features (10.08)
- automatically create VLANs when assigned to a user by role
- port access auto-vlan
Lab 7 - Implement Wired 802.1X with VLAN Steering (45m)
- 7.1: Setup Downloadable Enforcement Profiles on CPPM
- 7.2: Use Downloadable Enforcement Profiles in an Enforcement Policy
- 7.3: Create a Wired 802.1X Service
- 7.4: Configure the AOS-CX Switch to Enforce 802.1X to CPPM
- 7.5: Test Authentication
M08: Implement Dynamic Segmentation on AOS-CX
- dealing with dormant client issues (Eric Lim)
- Aruba AOS-CX 10.10 - UBT Silent Device
- https://www.youtube.com/watch?v=_QXYN27KRgE
- https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/cli_6200/Content/Chp_Dyn_Seg/UBT_cmds/wol-en-vlan.htm
- a RADIUS Session-Timeout attribute helped solve this problem where the reauth timer on the switch did not
Lab 8.a - Implement User-Based Tunneling (40m)
- 8.a.1: Provision 9x00 Series Gateways
- 8.a.2: Use a Template to Load Base Settings on the BGWs
- 8.a.3: Establish a Tunnel between CX and an Aruba Gateway
- 8.a.4: Configure the Gateway Settings
- on page 313 (8.a.4.6) it says: "... you can copy the commands from below or from Lab-BGW-cluster.txt in your Central files"
  if you copy from the PDF, be sure the lines are indented as shown in the PDF file; the indents probably will not paste as expected
  the issue: if you copy the text from the PDF, it only works if you are on table 10 through 12
  the solution: use the template file provided, which is correct... or add a leading 0 before %tableID% as shown below
  lc-cluster group-profile lab0%tableID%-cluster
- 8.a.5: Create a DUR on CPPM that Uses UBT
- 8.a.6: Validate the Configuration
Lab 8.b - Optional - Implement Virtual Network-Based Tunneling (was removed)
- 8.b.1: Validate the Underlay Network
- 8.b.2: Configure VXLAN on the AOS-CX Switches
- 8.b.3: Configure EVPN
- 8.b.4: Validate Connectivity for Clients Using VNBT
M09: Monitor with Network Analytics Engine
Lab 9 - Use the AOS-CX NAE (20m)
- 9.1: Install an NAE Agent Script
- 9.2: Create an NAE Agent
- 9.3: View the NAE Agent in Action
M10: Implement WIDS/WIPS
Lab 10 - Implement Aruba WIDS (20m)
- 10.1: Set up a Central Group and Site
- 10.2: Configure WIDS/WIPS
- 10.3: Observe Rogue AP Detection
Day 4 - Lecture Modules & Labs
M11: Use CPPM and 3rd Party Integration to Mitigate Threats
Lab 11 - Integrate CPPM with a 3rd-Party Device (40m)
- 11.1: Configure Ingress Event Processing
- on pages 19 and 24 it says Jupiter but should say Juniper
  it says %{Event:Jupiter-SRX-TS:application-name} but should say %{Event:Juniper-SRX-TS:application-name}
- 11.2: Configure the Event Enforcement Service
- 11.3: Adjust an 802.1X Service to Deal with Compromised Devices
- 11.4: Test the Solution
M12: Implement Device Profiling with CPPM
Lab 12.a - Explore the CPPM Device Profiler (30m)
- 12.a.1: View the Endpoints Repository
- 12.a.2: Run Insight Reports
- 12.a.3: Create a Custom Fingerprint
Lab 12.b - Use Device Profiles in CPPM Services (40m)
- 12.b.1: Create a Service That Uses Profiling
- 12.b.2: Validate the Policy
M13: Overview of Device Profiling with Aruba Central Applications
- techdocs: ClearPass Device Insight
- note that the CPDI Application is currently available on the following clusters
- US-2, WS-West-4, EU-1, EU-2
Lab 13 - Use Client Profiling in Central Network Operations (15m)
- 13.1: Ensure Clients are Discovered in Central
- 13.2: Explore Device Profiles
M14: Deploy ClearPass Device Insight
Lab 14 - None
M15: Integrate CPDI with CPPM
Day 5 - Lecture Modules & Labs
Lab 15 - CPPM Device Insight Integration (25m)
- 15.1: Enable Device Insight Integration on CPPM
- 15.2: Use Device Insight Tags in CPPM
M16: Use Packet Captures to Investigate Security Issues
- how to tcpdump in a different VRF on AOS-CX (from the switch's bash shell, entered with start-shell)
- sudo ip netns exec <swns | VRF_#> your_command
- meanings:
- swns = default VRF
- VRF_1 = mgmt VRF
- VRF_2... = any of the user created VRFs
- your_command, an example
- tcpdump -vv -i any port 3799 (UDP 3799 carries RADIUS CoA and Disconnect messages, RFC 5176)
- https://www.tcpdump.org/manpages/tcpdump.1.html
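As an added example (mine, not from the course or from Aruba), here is what a capture on port 3799 actually contains and how a switch or gateway checks it: RFC 5176 CoA / Disconnect packets, a 20-octet header followed by Type/Length/Value attributes. The sample packet, its attribute values and the shared secret are constructed for the example. Two checks matter when you investigate such a capture: the Request Authenticator is an MD5 over the packet and the shared secret, so a CoA whose authenticator does not verify under the NAD's secret was not sent by your CPPM and is dropped; and attribute lengths must be validated before any value is trusted.

```python
import hashlib
import hmac
import struct

# RFC 5176 Dynamic Authorization packet codes (what a capture on UDP port 3799 contains).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# Attribute types used below (RFC 2865/2866 numbers).
USER_NAME, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 11, 31, 44
ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", 31: "Calling-Station-Id", 44: "Acct-Session-Id"}


def encode_attrs(attrs):
    """attrs is a list of (type, value-bytes); each becomes a Type/Length/Value triple."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_request(code, ident, attrs, secret):
    """CoA-/Disconnect-Request. RFC 5176 s2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """ACK/NAK. Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def parse(pkt):
    """Decode header and attributes, rejecting the length inconsistencies RFC 2865 says to drop."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field %d inconsistent with %d octets" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        t, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((ATTR_NAMES.get(t, t), pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def is_well_formed(pkt):
    try:
        parse(pkt)
        return True
    except ValueError:
        return False


def verify_request(pkt, secret):
    """True only if the Request Authenticator was computed with this shared secret."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def verify_response(pkt, request, secret):
    """True only if the response carries the request's Identifier and a valid Response Authenticator."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request[4:20] + pkt[20:length] + secret).digest()
    return pkt[1] == request[1] and hmac.compare_digest(expected, pkt[4:20])


# Constructed sample: a CoA-Request moving a session to a quarantine role via Filter-Id.
SECRET = b"lab-shared-secret"   # assumption: the shared secret configured on NAD and CPPM
SAMPLE_COA = build_request(43, 7, [
    (USER_NAME, b"jdoe"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ACCT_SESSION_ID, b"0000A1B2"),
    (FILTER_ID, b"quarantine"),
], SECRET)

if __name__ == "__main__":
    decoded = parse(SAMPLE_COA)
    print(decoded["code"], "id", decoded["id"], "valid:", verify_request(SAMPLE_COA, SECRET))
    for name, value in decoded["attrs"]:
        print("  ", name, value)
    print("under wrong secret:", verify_request(SAMPLE_COA, b"wrong"))
```

A tcpdump of port 3799 shows the code, identifier and attributes in clear; only the authenticator depends on the secret, so whoever has the secret can forge a CoA. That is why the secret, not the source IP, is what authenticates a dynamic-authorization client.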
Lab 16 - Create and Analyze Packet Captures (25m)
- 16.1: Capture Network Traffic and View in Wireshark
- 16.2: Port Classification - Trust Configuration
- 16.3: LLDP Device Profile for QOS Trust
M17: Establish a Secure WLAN and Secure Remote Access
Lab 17.a - Deploy VIA (50m)
- 17.a.1: Deploy the VPNC
- 17.a.2: Configure VIA Settings
- 17.a.3: Configure VIA Services on CPPM
- 17.a.4: Establish the VIA Connection
Lab 17.b - Optional - Deploy SD-Branch Solution(removed from lab guide)
- 17.b.1: Configure the VPNC
- 17.b.2: Configure the Branch Gateways (BGWs)
- 17.b.3: View the Tunnels
- 17.b.4: Disable SD-WAN Orchestration
M18: Configure Aruba Gateway IDS/IPS
- 7xxx & 9xxx UTM technology
- partner: brightcloud webroot (WEB-CC)
- 9xxx UTM technology / CPDI (IDS/IPS)
- partner: www.first.org/cvss/
- partner: cve.mitre.org
- partner: cve.org
Lab 18 - Implement Aruba Gateway IDS/IPS (10m)
- 18.1: Configure Aruba Gateway IDS/IPS
- 18.2: Simulate a Threat
M19: Use Aruba Central Alerts to Investigate Security Issues
Lab 19 - Configure and Monitor Aruba Central Alerts (20m)
- 19.1: Configure Central Alerts and Notifications
- 19.2: View Alerts
Appendix
Acronyms or Key terms
- ESP: Encapsulating Security Payload
- provides encryption, authentication, integrity and confidentiality for IP packets
- carried as IP protocol 50; in NAT-T mode it is UDP-encapsulated with destination port 4500 (RFC 3948)
- IPsec:
- protocol suite that provides security services for IP packets, such as encryption, authentication, integrity and confidentiality
- ISAKMP:
- defines how to establish, negotiate, modify and delete security associations (SAs) for IPsec
- ISAKMP configuration method:
- allows a VPNC to push configuration such as IP addresses, DNS, WINS settings to a client after IKE phase 1 is established
- nonce:
- random / semi-random number generated for cryptographic communication
- mechanism helps to protect against replay attacks
- the term stands for "number used once"
- SA: Security Association
- a relationship between two or more entities that describes how the entities will use security services to communicate securely
- SPI: Security Parameter Index
- identification tag added to the header while using IPsec for tunneling the IP traffic.
- This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use
- Xauth:
- extended authentication for IPsec remote access users, requested by a VPNC after the establishment of IKE phase 1 SA.
- it typically supports RADIUS, SecurID, or username/password
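As an added example (mine, not from the course), these helpers tie the ESP, SPI, SA and NAT-T entries together on the wire: classify a UDP/4500 payload as IKE (four-octet non-ESP marker), NAT keepalive or ESP, pull the SPI and sequence number out of the ESP header, and apply the per-SA anti-replay window that is what actually stops replayed ESP packets (the nonce protects the IKE exchange; the sequence number protects ESP). The packets are constructed; the SPI value and the window size are assumptions.

```python
import struct

# RFC 3948: ESP over UDP/4500. An IKE message on the same port is prefixed with a four-octet
# zero "non-ESP marker"; an ESP packet starts with its SPI, which is never 0 for a real SA.
NON_ESP_MARKER = bytes(4)
NAT_KEEPALIVE = b"\xff"      # one-octet NAT-keepalive (RFC 3948 s2.3)


def parse_esp_header(esp):
    """RFC 4303 ESP header: SPI (4 octets) then Sequence Number (4 octets).
    Everything after that is ciphertext plus ICV and is opaque without the SA keys."""
    if len(esp) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", esp[:8])
    return spi, seq


def classify_udp4500(payload):
    """Return (kind, spi, seq) with kind in {"ike", "keepalive", "esp"}."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None, None)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None, None)
    spi, seq = parse_esp_header(payload)
    return ("esp", spi, seq)


class ReplayWindow:
    """Per-inbound-SA anti-replay window (RFC 4303 s3.4.3). Bit 0 of the bitmap is the
    highest sequence number seen; bit d is highest-d. Window size 64 is the RFC default."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Accept each sequence number at most once; reject 0, replays and stale packets."""
        if seq == 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.highest:                # advances the window
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # older than the window: cannot be checked, drop
        if self.bitmap & (1 << diff):
            return False                      # already seen: replay
        self.bitmap |= 1 << diff
        return True


def make_esp(spi, seq, body=b"\x00" * 24):
    """Constructed ESP packet: header plus dummy ciphertext/ICV bytes."""
    return struct.pack("!II", spi, seq) + body


# Constructed UDP/4500 payload sequence; 0xC0FFEE01 is an assumed inbound SPI.
SAMPLE_UDP4500 = [
    NON_ESP_MARKER + b"\x00" * 28,   # IKE message (marker followed by a dummy IKE header)
    make_esp(0xC0FFEE01, 1),
    make_esp(0xC0FFEE01, 3),         # out of order, still inside the window
    make_esp(0xC0FFEE01, 2),
    make_esp(0xC0FFEE01, 2),         # replayed copy
    NAT_KEEPALIVE,
]


def demo(payloads=SAMPLE_UDP4500):
    """Verdict per payload; one ReplayWindow per SPI, i.e. per inbound SA."""
    windows, verdicts = {}, []
    for p in payloads:
        kind, spi, seq = classify_udp4500(p)
        if kind != "esp":
            verdicts.append(kind)
            continue
        window = windows.setdefault(spi, ReplayWindow())
        verdicts.append("esp:accept" if window.check_and_update(seq) else "esp:reject")
    return verdicts


if __name__ == "__main__":
    for payload, verdict in zip(SAMPLE_UDP4500, demo()):
        print(f"{payload[:8].hex():16} {verdict}")
```

In a capture of a VIA or site-to-site tunnel this is all you can read of ESP without the SA keys: which SA (SPI) a packet belongs to and whether its sequence number is fresh. A replayed packet is rejected by the window even though its ciphertext and ICV are valid.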
Labs Summary
Lab Access Errata