Implementing Aruba Network Security v24.41 (IANS)

Welcome to this week's class (IANS)


IANS Lab Topology Notes

Please be sure you have downloaded the learner guide and lab guide as per the instructions in the email you should have received from HPE last week. If you cannot find the email, check your email history, spam folder, etc. for the keyword "OnSecure".

    • the Podx Spreadsheet (ask me in class for your password)

    Lab Notes

Tips on how to google our site for documentation

    • googling for AOS-Switch-related topics
      • site:hpe.com 16.09 -inurl:pdf -inurl:cx "dhcp-snooping"
    • googling for AOS-CX-related topics
      • site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.11 "dhcp-snooping"
    • search option notes:
      • site:x only searches that domain
      • -inurl:x excludes links whose URL contains x
      • inurl:x only returns links whose URL contains x
        • (ideal for finding documentation for a specific version)

Helpful Links

    • about Aruba training and this course

    • where to find more information
    • where to find online documentation

    • AOS-CX specific links

    • AP Datasheets

    • GW Datasheets

            Day 1 - Lecture Modules & Labs

            M00: Course Introduction

            M01: Aruba Security Strategy

            Lab 0 - Aruba Remote Lab Instructions

                • begins on PDF page 13 (printed page number 5 at the bottom of the page)
                • Important: follow instructions on how to login to Central

            Lab 1 - Explore CPPM Services (50m)

                • 1.1: Deploy your AP
                  • on page 13 (1.1.3.f)
                    • it says
                      • "tableID": "XX"
                    • but should say
                      • "tableID": "y" (replace y with your table number, remove any leading zeros)
                  • on page 17 (1.1.9)
                    • ISSUE:
                      • it says the template you pasted will contain
                        • wlan auth-server cppm
                        •    ip clearpassa.training.arubanetworks.com
                      • however the template you pasted actually says
                        • wlan auth-server cppm
                        •    ip clearpass0%tableID%a.training.arubanetworks.com
                    • SOLUTION: change your text template to say (on line 97)
                      • wlan auth-server cppm
                      •    ip clearpassa.training.arubanetworks.com
                • 1.2: Add Network Devices in CPPM
                • 1.3: View a CPPM Service and answer questions about it
                • 1.4: Test the Service
                • 1.5: Assess ways the Company can better implement ZTS

            M02: Deploy Trusted Certificates to Aruba Solutions

            Lab 2 - Install Certificates on Aruba Solutions (60m)

                • 2.1: Manage the ClearPass Trust List
                • 2.2: Install Certificates on ClearPass
                • 2.3: Install Certificates on Future Subscribers
                • 2.4: Install a Certificate on an Aruba AP
                  • on page 67 (2.4.4.e)
                    • it says
                      • click "+" icon to add AP_captiveportal certificate
                    • the issue
                      • the certificate may already exist and cannot be added again; it has likely been left over from a previous student session
                    • the solution
                      • click the trash icon to delete the existing certificate, then reinstall the certificate as the lab guide states
                • 2.5: Establish the Cluster
                  • on page 72 (2.5.11) Configure Virtual IP Settings
                    • the ISSUE
                      • if you get an error saying your certificates are expired while trying to establish your VIP, the CPPM2 HTTPS certificate might be expired
                    • the solution
                      • from CPPM1 > Certificates > Certificate Store >
                        • select CPPM1, usage HTTPS Server Certificate
                        • export the HTTPS Server Certificate using the passphrase @ruba123!
                        • this creates a PKCS#12 format file
                      • from CPPM1 > Certificates > Certificate Store > Import Certificate
                        • Select "server certificate"
                          • Server = CPPM2
                          • Usage = HTTPS Server Certificate
                          • Upload Method = PKCS#12
                          • select the file you previously downloaded
                          • enter your passphrase, click Import
                    • repeat lab 2 task 5 step 11, it should work now

            M03: Implementing Certificate-Based 802.1x (part 1 EAP-TLS & part 2 BYOD)

            Lab 3.A - Authenticate Clients with EAP-TLS (30m)

                • 3.1.1: Add Components that Make EAP-TLS More Secure
                • 3.1.2: Add EAP-TLS to a ClearPass Policy Manager (CPPM) Service
                • 3.1.3: Explore the Windows Domain Certificates
                  • on page 72 (3.7.b) Double-click the "Apply TLS to the WLAN" file.
                    • ISSUE 1
                      • make sure the script is actually applied (it may complain that the path is invalid)
                    • ISSUE 2
                      • there may be an error in the script, check the Desktop\Tools\Profiles\Wi-Fi-tls-0x-Corporate.xml file
                        • look for "<ServerNames><random hostname goes here>.training.arubanetworks.com</ServerNames>"
                    • the solution
                      • from CPPM1 > Certificates > Certificate Store > 
                        • select CPPM1, usage RADIUS Server Certificate
                          • determine the CN, change your XML file to match

            Day 2 - Lecture Modules & Labs

            Lab 3.B - Onboard BYOD Devices (35m)

                • 3.2.1: Configure ClearPass Onboard
                • 3.2.2: Set up Onboard Services in CPPM
                • 3.2.3: Set Up the Infrastructure for Onboarding
                • 3.2.4: Test Onboarding 

            M03: Implementing Certificate-Based 802.1x (part 3)

            Lab 3.C - Authenticate Clients with EAP-TEAP (30m)

                • 3.3.1: Use EAP-TEAP in a ClearPass Policy Manager (CPPM) Service
                • 3.3.2: Test the New Scenario

            Appendix - Configure EAP-TEAP on Windows

            M04: Implement Advanced Policies on the Role-Based ArubaOS Firewall

            Lab 4.a - Use CPPM to Assign Users to Roles (40m)

                • 4.a.1: Create a Role Mapping Policy
                • 4.a.2: Configure an Enforcement Policy
                • 4.a.3: Edit the Wireless 802.1X Service
                • 4.a.4: Enforce AOS Firewall Role Assignment

            Lab 4.b - Analyze and Apply AOS Firewall Policies (45m)

                • 4.b.1: Create a Role Mapping Policy
                • 4.b.2: Configure an Enforcement Policy

            M05: Evaluate Endpoint Posture

            Lab 5 - Evaluate and Enforce Endpoint Posture with ClearPass OnGuard (60m)

                • 5.1: Create an OnGuard Posture Policy
                • 5.2: Create Enforcement Profiles and Policies
                • 5.3: Create a Service to Process SHV Reports
                • 5.4: Modify the Existing 802.1X Service
                • 5.5: Configure and Install OnGuard Persistent Agent
                • 5.6: Test the OnGuard Persistent Agent

            M06: Implement a Trusted Network Infrastructure

              • Implement Secure Management of Aruba Devices

            Lab 6.a - Implement Manager Authentication on CX Switches (35m)

                • 6.a.1: Configure TACACS+ Authentication on an AOS-CX Switch
                • 6.a.2: Set Up TACACS+ on CPPM
                • 6.a.3: Configure Per-Command Authorization in a TACACS+ Policy
                • 6.a.4: Configure Public Key SSH Authentication 

            Day 3 - Lecture Modules & Labs

            M06: Implement a Trusted Network Infrastructure

            Lab 6.b - Implement DHCP and ARP Protection (15m)

                • 6.b.1: Configure DHCP Snooping
                • 6.b.2: Configure ARP Inspection
                • 6.b.3: Test ARP Inspection

            M07: Implement 802.1X and Role-Based Access Control on CX

            Lab 7 - Implement Wired 802.1X with VLAN Steering (45m)

                • 7.1: Setup Downloadable Enforcement Profiles on CPPM
                • 7.2: Use Downloadable Enforcement Profiles in an Enforcement Policy
                • 7.3: Create a Wired 802.1X Service
                • 7.4: Configure the AOS-CX Switch to Enforce 802.1X to CPPM
                • 7.5: Test Authentication

            M08: Implement Dynamic Segmentation on AOS-CX

                • dealing with dormant client issues (Eric Lim)
                  • Aruba AOS-CX 10.10 - UBT Silent Device
                    • https://www.youtube.com/watch?v=_QXYN27KRgE
                  • https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/cli_6200/Content/Chp_Dyn_Seg/UBT_cmds/wol-en-vlan.htm
                  • setting a session timeout in RADIUS (the Session-Timeout attribute) solved this problem; the reauthentication timer on the switch did not help

            Lab 8.a - Implement User-Based Tunneling (40m)

                • 8.a.1: Provision 9x00 Series Gateways
                • 8.a.2: Use a Template to Load Base Settings on the BGWs
                • 8.a.3: Establish a Tunnel between CX and an Aruba Gateway
                • 8.a.4: Configure the Gateway Settings
                  • on page 313 (8.a.4.6)
                    • it says
                      • .... you can copy the commands from below or from Lab-BGW-cluster.txt in your Central files
                      • if you copy from the PDF, be sure the lines are indented as shown in the PDF file; the indents probably will not paste as expected
                    • the issue
                      • if you copy the text from the PDF, it only works if you are on table 10 through 12
                    • the solution
                      • use the template file provided, which is correct...
                        • or add a leading 0 before %tableID% as shown below
                      • !lc-cluster group-profile lab0%tableID%-cluster
                • 8.a.5: Create a DUR on CPPM that Uses UBT
                • 8.a.6: Validate the Configuration

            Lab 8.b - Optional - Implement Virtual Network-Based Tunneling (was removed)

                • 8.b.1: Validate the Underlay Network
                • 8.b.2: Configure VXLAN on the AOS-CX Switches
                • 8.b.3: Configure EVPN
                • 8.b.4: Validate Connectivity for Clients Using VNBT

            M09: Monitor with Network Analytics Engine

            Lab 9 - Use the AOS-CX NAE (20m)

                • 9.1: Install an NAE Agent Script
                • 9.2: Create an NAE Agent
                • 9.3: View the NAE Agent in Action

            M10: Implement WIDS/WIPS

            Lab 10 - Implement Aruba WIDS (20m)

                • 10.1: Set up a Central Group and Site
                • 10.2: Configure WIDS/WIPS
                • 10.3: Observe Rogue AP Detection

            Day 4 - Lecture Modules & Labs

            M11: Use CPPM and 3rd Party Integration to Mitigate Threats

            Lab 11 - Integrate CPPM with a 3rd-Party Device (40m)

                • 11.1: Configure Ingress Event Processing
                  • on pages 19 and 24 it says Jupiter but should say Juniper
                    • it says
                      • %{Event:Jupiter-SRX-TS:application-name}
                    • but should say
                      • %{Event:Juniper-SRX-TS:application-name}
                • 11.2: Configure the Event Enforcement Service
                • 11.3: Adjust an 802.1X Service to Deal with Compromised Devices
                • 11.4: Test the Solution

            M12: Implement Device Profiling with CPPM

            Lab 12.a - Explore the CPPM Device Profiler (30m)

                • 12.a.1: View the Endpoints Repository
                • 12.a.2: Run Insight Reports
                • 12.a.3: Create a Custom Fingerprint

            Lab 12.b - Use Device Profiles in CPPM Services (40m)

                • 12.b.1: Create a Service That Uses Profiling
                • 12.b.2: Validate the Policy

            M13: Overview of Device Profiling with Aruba Central Applications

            Lab 13 - Use Client Profiling in Central Network Operations (15m)

                • 13.1: Ensure Clients are Discovered in Central
                • 13.2: Explore Device Profiles

            M14: Deploy ClearPass Device Insight

            Lab 14 - None

            M15: Integrate CPDI with CPPM

            Day 5 - Lecture Modules & Labs

            Lab 15 - CPPM Device Insight Integration (25m)

                • 15.1: Enable Device Insight Integration on CPPM
                • 15.2: Use Device Insight Tags in CPPM

            M16: Use Packet Captures to Investigate Security Issues

                • how to run tcpdump in a specific VRF on AOS-CX
                  • sudo ip netns exec <swns | VRF_#> your_command
                    • meanings:
                      • swns       = default VRF
                      • VRF_1      = mgmt VRF
                      • VRF_2...   = any of the user-created VRFs
                    • your_command, an example (UDP port 3799 is RADIUS CoA / Dynamic Authorization):
                      • tcpdump -vv -i any port 3799
                      • https://www.tcpdump.org/manpages/tcpdump.1.html

            Lab 16 - Create and Analyze Packet Captures (25m)

                • 16.1: Capture Network Traffic and View in Wireshark
                • 16.2: Port Classification - Trust Configuration
                • 16.3: LLDP Device Profile for QOS Trust

            M17: Establish a Secure WLAN and Secure Remote Access

            Lab 17.a - Deploy VIA (50m)

                • 17.a.1: Deploy the VPNC
                • 17.a.2: Configure VIA Settings
                • 17.a.3: Configure VIA Services on CPPM
                • 17.a.4: Establish the VIA Connection

            Lab 17.b - Optional - Deploy SD-Branch Solution (removed from lab guide)

                • 17.b.1: Configure the VPNC
                • 17.b.2: Configure the Branch Gateways (BGWs)
                • 17.b.3: View the Tunnels
                • 17.b.4: Disable SD-WAN Orchestration

            M18: Configure Aruba Gateway IDS/IPS

            Lab 18 - Implement Aruba Gateway IDS/IPS (10m)

                • 18.1: Configure Aruba Gateway IDS/IPS
                • 18.2: Simulate a Threat

            M19: Use Aruba Central Alerts to Investigate Security Issues

            Lab 19 - Configure and Monitor Aruba Central Alerts (20m)

                • 19.1: Configure Central Alerts and Notifications
                • 19.2: View Alerts
            Appendix

            Acronyms or Key terms

              • ESP: Encapsulating Security Payload
                • provides encryption, authentication, integrity and confidentiality for IP packets
                • runs as IP protocol 50, but can be UDP-encapsulated with destination port 4500 when deployed in NAT-T mode
              • IPsec:
                • protocol suite that provides security services for IP packets, such as encryption, authentication, integrity and confidentiality
              • ISAKMP:
                • defines how to establish, negotiate, modify and delete security associations (SAs) for IPsec
              • ISAKMP configuration method:
                • allows a VPNC to push configuration such as IP addresses, DNS and WINS settings to a client after IKE phase 1 is established
              • nonce:
                • random or semi-random number generated for cryptographic communication
                • this mechanism helps protect against replay attacks
                • the term stands for "number used once"
              • SA: Security Association
                • a relationship between two or more entities that describes how the entities will use security services to communicate securely
              • SPI: Security Parameter Index
                • identification tag added to the header when using IPsec to tunnel IP traffic
                • this tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use
              • Xauth:
                • extended authentication for IPsec remote access users, requested by a VPNC after the IKE phase 1 SA is established
                • it typically supports RADIUS, SecurID and username/password
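            To tie the ESP, SA, SPI and replay-protection entries above together, here is an added Python example (not from the course materials or lab guide): it tells native ESP (IP protocol 50) apart from NAT-T ESP and IKE carried on UDP/4500, reads the SPI and sequence number from the ESP header, and keeps a per-SPI anti-replay window. The sample packets are constructed, and the window is a simplified form of the RFC 4303 sliding-window check.

```python
import struct

ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE inside UDP/4500 starts with this marker

def classify(proto: int, ip_payload: bytes) -> dict:
    """Label an IP payload as native ESP, NAT-T ESP, NAT-T IKE or other."""
    if proto == ESP_PROTO:                       # ESP header: 4-byte SPI, 4-byte seq
        spi, seq = struct.unpack("!II", ip_payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    if proto == UDP_PROTO and NAT_T_PORT in struct.unpack("!HH", ip_payload[:4]):
        data = ip_payload[8:]                    # skip the 8-byte UDP header
        if data.startswith(NON_ESP_MARKER):
            return {"kind": "nat-t-ike"}
        spi, seq = struct.unpack("!II", data[:8])
        return {"kind": "nat-t-esp", "spi": spi, "seq": seq}
    return {"kind": "other"}

class ReplayWindow:
    """Simplified RFC 4303 sliding anti-replay window, kept per SA (per SPI)."""
    def __init__(self, size: int = 64):
        self.size, self.state = size, {}         # spi -> (highest_seq, bitmap)

    def accept(self, spi: int, seq: int) -> bool:
        highest, bits = self.state.get(spi, (0, 0))
        if seq > highest:                        # new high-water mark: slide window
            bits = ((bits << min(seq - highest, self.size)) | 1) & ((1 << self.size) - 1)
            self.state[spi] = (seq, bits)
            return True
        off = highest - seq
        if seq == 0 or off >= self.size or bits & (1 << off):
            return False                         # invalid, too old, or already seen
        self.state[spi] = (highest, bits | (1 << off))
        return True

def esp(spi: int, seq: int) -> bytes:            # constructed ESP packet, dummy body
    return struct.pack("!II", spi, seq) + b"\x00" * 16

def udp4500(data: bytes) -> bytes:               # constructed UDP 4500->4500 datagram
    return struct.pack("!HHHH", 4500, 4500, 8 + len(data), 0) + data

def demo() -> list:
    """Constructed sample traffic (not a real capture): two SAs told apart by SPI."""
    pkts = [(ESP_PROTO, esp(0x1000, 1)),         # SA A, native ESP (protocol 50)
            (UDP_PROTO, udp4500(esp(0x2000, 1))),  # SA B, NAT-T encapsulated ESP
            (UDP_PROTO, udp4500(NON_ESP_MARKER + b"\x00" * 28)),  # IKE over NAT-T
            (ESP_PROTO, esp(0x1000, 2)),         # SA A, next packet
            (ESP_PROTO, esp(0x1000, 2))]         # SA A, replayed copy
    win, out = ReplayWindow(), []
    for proto, payload in pkts:
        info = classify(proto, payload)
        if "spi" in info:
            info["accepted"] = win.accept(info["spi"], info["seq"])
        out.append(info)
    return out
```

The last sample packet repeats SPI 0x1000 / sequence 2 and is rejected by the window, which is the replay protection the nonce and sequence-number entries describe.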

            Labs Summary

            Lab Access Errata

              • if you get this error message in the lab, click "home", then "+" beside your pod/table, find the actual device you were using in the list, and double-click it.
