Advanced Network Security Troubleshooting and Solutions v24.41 (ANSTS)

Welcome to this week's class (ANSTS)

navigate to https://rubbernecks-arubanetworks.blogspot.com

Please be sure you have downloaded the learner guide and lab guide as per instructions you received from an email you would have received from HPE last week.  Check your email history, spam folder etc... for keyword "OnSecure" if you cannot find the email.

Please click here for this weeks lab access spreadsheet

• the Podx Spreadsheet (ask me in class for your password)

    Lab Notes

• webgate: how to copy and paste while doing the labs

Tips on how to google our site for documentation

• googling for AOS-Switch-related topics
• site:hpe.com 16.10 -inurl:pdf -inurl:cx "dhcp-snooping"

• googling for AOS-CX-related topics
• site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.14 "dhcp-snooping"

• search option notes:
• site:x only searched that domain
• -inurl:x don't report links with this text in the URL
• inurl:x only report on links with text
• (ideal for finding specific version documentation)

Helpful Links

• about Aruba training and this course

• aruba: HPE Aruba Networking Education Services Tracks
• datasheet: Aruba Certified Expert – Network Security (HPE6-A84)
• aruba: Advanced Network Security, Rev. 24.41 Self-Directed Labs

• where to find more information

• aruba: Aruba Technical Product Documentation Portal
• here you find:
• Technology Briefs
• Validated Reference Designs
• Aruba Validated Designs
• Compliancy Documentation related to GDPR
• aruba: techdocs/NAC/
• airheads: community.arubanetworks.com
• abc: Airheads Broadcasting Channel
• afp: Partner Technical Webinars
• aruba: Central Demo

• aruba: AOS-10 Hardening Guide
• asp: CX_10.13 Hardening Guide

• where to find online documentation

• techdocs: The CLI Bank (all products)
• asp: Central Latest Online Help
• aps: Central OnPrem_2.5.4 User Guide
• techdocs: ArubaOS_8.12_Web_Help
• aruba: EUBA Network Detection and Response (NDR) capabilities, delivered by Aruba Central

• ClearPass Policy Manager specific links

• asp: ClearPass Config/Integration/Solution/User Guides & Rel Notes
• asp: ClearPass Device Insight Online Help
• airheads: ClearPass Policy Manager 6.11-release-notifications
• techdocs: ClearPass Policy Manager 6.11 Web_Help
• datasheet: ClearPass OnBoard
• abc: ClearPass with Azure AD and Intune Integration (playlist)

• AOS-CX specific links

• aruba: feature-navigator.arubanetworks.com
• asp: CX Documentation Portal
• asp: CX_10.13 IP Services Guide
• asp: CX_10.13 Security Guide
• asp: CX_10.13 NAE
• asp: CX_10.13 Monitoring Guide
• asp: CX_10.12 ACLs and Classifier Policies Guide - 6[34]00,81xx,8360
• asp: CX_10.13 CoPP Guide
• asp: CX_10.13 Layer-2 Bridging Guide
• asp: CX_10.12 IP Routing
• asp: CX_10.13 Fundamentals Guide
• www.arubanetworks.com/assets/ds/DS_4100iSwitchSeries.pdf
• www.arubanetworks.com/assets/ds/DS_6000Series.pdf
• www.arubanetworks.com/assets/ds/DS_6100Series.pdf
• www.arubanetworks.com/assets/ds/DS_6200Series.pdf
• www.arubanetworks.com/assets/ds/DS_6300Series.pdf
• www.arubanetworks.com/assets/ds/DS_6400Series.pdf
• www.arubanetworks.com/assets/ds/DS_8100Series.pdf
• www.arubanetworks.com/assets/ds/DS_8320Series.pdf
• www.arubanetworks.com/assets/ds/DS_8325Series.pdf
• www.arubanetworks.com/assets/ds/DS_8360Series.pdf
• www.arubanetworks.com/assets/ds/DS_8400Series.pdf
• www.arubanetworks.com/assets/ds/DS_9300Series.pdf
• www.arubanetworks.com/assets/ds/DS_10000Series.pdf

• airheads: ArubaOS-CX ArubaOS Switch ComWare and Cisco IOS
• www.arubanetworks.com/resource/aruba-cx-10000-with-pensando-at-a-glance
• afp: AOS-CX_Enablement (login required)
• afp: Switching_Intelligent_Edge_Competitive_Videos (login required)

• AP Datasheets

• Remote APs
• www.arubanetworks.com/assets/ds/DS_AP303H.pdf
• www.arubanetworks.com/assets/ds/DS_AP500HSeries.pdf
• www.arubanetworks.com/assets/ds/DS_AP500RSeries.pdf
• www.arubanetworks.com/assets/ds/DS_AP600HSeries.pdf
• www.arubanetworks.com/assets/ds/DS_AP600RSeries.pdf

• Indoor APs
• www.arubanetworks.com/assets/ds/DS_AP303Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP503Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP500Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP510Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP530Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP550Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP610Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP630Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP650Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP730Series.pdf

• Outdoor/Ruggedized APs
• www.arubanetworks.com/assets/ds/DS_AP360Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP370Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP518Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP560Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP570Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP580Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP670Series.pdf

• GW Datasheets

• www.arubanetworks.com/assets/ds/DS_7000Series.pdf
• www.arubanetworks.com/assets/ds/DS_7200Series.pdf
• www.arubanetworks.com/assets/ds/DS_9000Series.pdf
• www.arubanetworks.com/assets/ds/DS_9100Series.pdf
• www.arubanetworks.com/assets/ds/DS_9200Series.pdf

Day 1 - Lecture Modules & Labs 

M01: Introduction to the Scenario 

• aruba: what is SASE?
• web: BrightCloud WebRoot

M02: Harden Devices

• wiki: Common Address Redundancy Protocol (CARP)

• error in slide 11
• says:
• you should also add loop guard to prevent loops from occurring regardless of spanning tree settings
• issue: that is a description of loop-protect, not loop guard  
• should say: 
• you should also add loop-protect to prevent loops from occurring regardless of spanning tree settings
• references: 
• techdocs: spa-tre-loo-gua
• techdocs: cnf-loo-pro

Lab 0 - Lab Topology, Credentials, and General Instructions

• begins on pdf page 11 (page 1 on bottom of page)
• page 5
• when you login to arubatraininglab.computerdata.com be sure that the login page is fully loaded before you press submit
• page 6
• where it asks to use MPuTTy to connect to your switches, it will likely be prevented access due to the control-plane ACL not permitting SSH, you will address this issue in the LAB 2 errata, so you can safely ignore this issue for now 
• page 8
• be sure to click "SSO" before you try to login to Central

Lab 2 - Ensure That the Customer’s Network Complies with Local Policies

• 2.1: Check that the Mobility Infrastructure Complies with Security Policies
• on page 13 (1.1.3.f)
• it says
• "tableID": "XX"
• but should say
• "tableID": "y" (replace y with your table number, remove any leading zeros)
• 2.2: Ensure the AOS-CX Switch Complies with Security Policies
• on page 22 (2.2.1.h)
• it says
• Double - click switch to connect to the switch
• however
• the switch control-plane acl is likely blocking access
• you can confirm this with
• show access-list hitcounts control-plane vrf default
• add the following to fix this
• conf t
• access-list ip control-plane
• 60 permit tcp 10.254.1.0/24 any eq 22
• exit
• write mem
• Supplemental: Convert an IAP to a campus AP

M03: Deploy Certificates

• asp: ArubaOS 8 - Cluster Dynamic Authorization - Checklist
• abc: Workshop #4 - Building a ClearPass Cluster
• asp: CPPM Database Cert (1 vs 5 year discussion)
• asp: AOS-CX EST re-enrollment lead time directive

• web: regex.com
• examine the meaning of
• switch[0-9]{1,4}
• mc\.acnsxtest\.com 
• extra exercise
• expression: aps[124]{0,1}.example.com
• text block:
• aps.example.com
• aps1.example.com
• a.example.com
• ap.example.com
• aps2.example.com
• aps3.example.com
• aps4.example.com

Lab 3 - Managing Certificates

• 3.1: Identify Certificate Issues
• issue: 
• you get "Error processing request..." on lab 3 task 1 step 2, where you are attempting to install your clusters HTTPS cert on CPPM2
• solution:
• this may happen if you try to install the HTTPS cert from the CPPM2 web console, although this should work, try installing it instead from CPPM1
• 3.2: Install Certificates on MCs
• 3.3: Establish RadSec between the MCs and CPPM
• 3.4: Use RadSec for Admin Authentication
• 3.5: Configure ClearPass to Issue Certificates with EST
• 3.6: Configure the AOS-CX Switch to Obtain a Certificate with EST
• 3.7: Establish RadSec between the AOS-CX Switch and CPPM
• 3.8: Configure Admin Authentication for AOS-CX Switches

M04: Implement Certificate-Based Authentication and Access Control

• wiki: Subject Alternative Name
• web: Certificate Attributes and Extensions
• asp: What is "Strip Username Rules" on CPPM and how to use it
• rfc 7170: Tunnel Extensible Authentication Protocol Version 1  
• asp: ClearPass Workshop (2021) - Wireless TEAP Auth  

Lab 4 - Deploy Certificate-Based Authentication

• 4.1: Configure CPPM Authentication Methods and Authentication Sources
• 4.2: Configure the CPPM Policies and Service for Wireless 802.1X Authentication
• 4.3: Create a WLAN and Begin Testing Wireless 802.1X Authentication
• issue: 
• if your AOS8 AP is not advertising any SSID you might have any of the following issues:
1. your control-plane ACL is blocking DHCP
• bootrom: type "dhcp" to validate
• add as a temporary workaround:
• 1002 permit udp any any eq 67
2. your AP is running InstantOS 8 or 10
• login via serial terminal and type: "convert-aos-ap cap 10.1.16.101"
• to login first try admin/admin
• next, use mfginfo or central's ap details page to find the serial number of your AP (it might be the APs admin password)
• if you cannot login by serial console, check if the AP is connected to central, ensure it is not in the default group, then access its console through central
• bootrom: type "factory_reset"
• if you were specifically on 8.7, you will need to disable CPsec or the converted AP will be denied with certificate validation errors, after your AP connects and updates is code to match 8.10.02 firmware, you can reenable CPsec and it will work
• reference
• apboot> help
• boot    - boot the OS image
• clear   - clear the OS image or other information
• dhcp    - invoke DHCP client to obtain IP/boot params
• factory_reset- reset to factory defaults
• help    - print command description/usage
• mfginfo - show manufacturing info
• osinfo  - show the OS image version(s)
• ping    - send ICMP ECHO_REQUEST to network host
• printenv- print environment variables
• purgeenv- restore default environment variables
• reset   - Perform RESET of the CPU
• saveenv - save environment variables to persistent storage
• setenv  - set environment variables
• tftpboot- boot image via network using TFTP protocol
• upgrade - upgrade the APBoot or OS image
• version - print monitor, compiler and linker version
• 4.4: Configure Application and WebCC Rules on an AOS Firewall
• issue:
• when enabling firewall and DPI on VMC
• an extra reboot is likely required
• validate that both VMCs have L2-connected cluster state after a reboot
• 4.5: Configure AOS Firewall Aliases, Policies, and Roles
• 4.6: Send TEAP Usernames to Network Devices

Day 2 - Lecture Modules & Labs

M05: Enhance Certificate-Based Authentication and Access Control

• asp: CPPM EAP Chaining Tutorial

Lab 5.a - Apply Advanced Authentication and Access Controls

• 5.a.1: Add Custom Attributes and Filters to a CPPM Authentication Source
• 5.a.2: Meet the Customers' Security Requirements
• issue:
• table L5a-1 on page 218 and table L5a-3 on page 220 of solution guide 1 incorrectly shows rule 4 with an AND operator, note that the text based instructions on page 223 are correct
• solution: 
• replace the AND with and ANY (OR) operator
• 5.a.3: Test Your Solution
• 5.a.4: Assign Aruba-User-Roles Dynamically

Lab 5.b - Enforce Wired 802.1X

• 5.b.1: Configure AOS-CX DURs and Local Roles
• 5.b.2: Set Up Wired 802.1X Authentication
• 5.b.3: Test Wired 802.1X Authentication
• 5.b.4: Implement Dynamic Segmentation

M06: Implement Best Practices for RADIUS and 802.1X

Lab 6 - Implement Authentication Best Practices

• 6.1: Implement Other Best Practices for 802.1X Authentication
• 6.2: Configure and Test Dynamic Authorization

Day 3 - Lecture Modules & Labs

M07: Integrate with Cloud Mobility Device Management (MDM)

• IETF: RFC 8892 (SCEP)
• microsoft: Certificate profiles in Configuration Manager (AD)
• microsoft: Microsoft Entra Registered Devices
• abc: ClearPass with Azure AD and Intune Integration (playlist)
• techdocs: ClearPass Integration Guide Microsoft InTune (2023-01)

Lab 7.a - Enable Users to Register Devices in Microsoft Intune

• 7.a.1: Enable Secure Provisioning for New Wireless Devices
• 7.a.2: Test Wireless Redirection and Provisioning
• 7.a.3: Enable and Test Provisioning for Wired Clients
• 7.a.4: Integrate ClearPass Onboard and Microsoft Intune
• 7.a.5: Perform Intune Enrollment
• Workaround when Intune enrollment fails

Lab 7.b - Configure Intune Integration

• 7.b.1: Integrate ClearPass with Intune
• 7.b.2: Use Intune Attributes as Criteria to Control Wireless Clients’ Access
• 7.b.3: Test the Solution
• 7.b.4: Use Intune Attributes as Criteria to Control Wired Clients's Access
• 7.b.5: Test the Solution

M08: Implement Compliance-Based Controls

• aruba: ClearPass Third-Party Interoperability
• microsoft: Configure Microsoft Defender for Endpoint in Intune
• microsoft: graph.microsoft.com (Microsoft Rest API)
• web: What is OAuth 2.0? 

Lab 8 - Use HPE Aruba Networking to Help Enforce Compliance

• 8.1: Enforce Intune Compliance-Based Policies
• 8.2: Support Timely Restoration for Newly Compliant Clients
• 8.3: (Optional) Automate Triggers of a Resync
• 8.4: (Optional) Validate the Solution

M09: Implement Device-Based Authentication and Access Control

• UBT on CX
• abc: AOS-CX_10.07 User Based Tunnel Enhancements

Lab 9 - Enforce Authentication for Non-802.1X Capable Devices

• 9.1: Enable Profiling
• 9.2: Configure a MAC-Auth Service on CPPM
• 9.3: Configure MAC-Auth on AOS-CX Switches
• 9.4: Import Endpoints
• 9.5: Validate the Solution
• on page 463.3.a
• it says
• On the BYOD client, open the Network Connections shortcut
• issue: 
• the missing lab 7.1 task 4, step 4 has you install BYOD EAP-TLS certificates
• this cert is required for this authentication to work
• solution: option 1 or 2 will work
1. user your Domain client instead (it has domain certs)
2. ask me how to find the missing 7.1.4.4 lab steps where you will enrole your client with Intune
• on page 467.k
• it says
• auth-status 19 client
• user port 20 instead, if you did enroll your BYOD client with Intune (in lab 7.1.4.4)
• auth-status 20 client

M10: Use Custom NAE Scripts and Agents

• developer: NAE - Getting Started
• asp: CX_10.14 NAE
• abc: all ABC videos related to NAE
• ase: NAE scrips on Aruba Solution Exchange

Lab 10 - Use Custom Network Analytics Engine (NAE) Agents

• 10.1: Review a Custom NAE Script
• on page 470.d
• it says
• id = 1/1/20
• issue
• be sure this port is in "no shutdown" state
• 10.2: Install the Custom NAE Script
• 10.3: Validate BYOD client for future labs

Day 4 - Lecture Modules & Labs

M11: Secure an AOS 10 Architecture

• aruba: ClearPass 360 Security Exchange Partner Finder

Lab 11 - Implement Security Features in HPE Aruba Networking Central

• 11.1:Transition to the Central Configuration
• 11.1.1 BGW ZTP issue:
• for BGW setup to succeed smoothly
• CX: conf
• CX: int 1/1/16/1/1/23
• CX:     shut
• this is to ensure the BGW will be easy to static-activate
• on page 480.3 says:
• Access your branch gateway (BGW) 1 console port.
• if you don't see a menu of provisioning options
• login to the console and write erase all, to ensure stable lab results, you must static provision both BGWs, instructions are in the lab 11 appendix
• the BGW login credential may be one of the following:
• admin/(usual password)
• branchsupport/(bgw mac address recorded in central)
• after you static-activate, no-shut 1/1/16,1/1/23
• if they ZTP provisioned, you will likely have to
• shut their ports, wait for them to go offline
• delete their records in Central
• login using branchsupport, write erase all
• static-activate them, no shut their ports
• 11.1.12 Creating your "creds.txt" file
• be sure there are no blank lines or blank spaces at the ends of lines or you are likely to get script errors
• 11.2: Configure Certificates
• 11.3: Validate Your Gateway and Assign New System IP
• 11.4: Set up a Cluster that Supports Dynamic CoAs
• on page 517.3 says:
• "show ubt state" will now show the registered state
• if you have a registering state
• reboot your GWs
• you will see related errors from the following"
• CX: debug ubt all, show debug buffer
• GW: show tunneled-node-mgr trace-buf count 10
• 11.5: Configure Firewall and IDS/IPS Settings
• 11.6: Ensure Visibility into Client Traffic and Behavior
• 11.7: Start Traffic Generation

M12: Investigate Threats and Vulnerabilities

• asp: Aruba AOS-CX 10.11: Edge Insight
• wiki: Ransomware as a service (RaaS)
• web: Tor Browser (torproject.org)
• web: Common-DNS-Request-Types
• wiki: Dynamic DNS

Lab 12.a - Investigate Threats

• 12.a.1: Detect, Document, and Investigate a Threat

Lab 12.b - Mitigate Threats

• 12.b.1: Identify Vulnerabilities
• 12.b.2: Mitigate Threats
• 12.b.3: Validate Your Solutions

M13: Integrate HPE Aruba Networking SASE Solutions

• vsg: HPE Aruba Networking SSE Integration
• vsg: Securing Internet for Remote Users
• aruba: sd-branch-orchestrator

Extra: Useful links to learn about Cloud Auth     

• techdocs: Cloud Authentication and Policy Overview
• developer: OAuth APIs for Access Token
• techdocs: Configuring Cloud Authentication and Policy
• techdocs: ClearPass Device Insight

• HowTo: Cloud Auth, User Group to Client Role & Passpoint
• abc: Aruba Cloud Auth - Aruba Wired & Wireless Network Setup
• abc: Aruba Cloud Auth - Onboarding & Certificate Management

Day 5 - Lecture Modules & Labs

M14: Mock Exam

Lab 14 - Mock Exam with Answers (all day)

• Introduction to the Scenario for Tasks 1-12
• note: 
• IMPORTANT: many students forget to backup their \Desktop\Tools\Central\supporting\creds.txt file, be sure to backup its content on your own PC before starting the "Start of Mock Exam" script.
• it takes up to 15 minutes for the lab reset script to complete
• your AOS8 AP may still be managed by Central, if so:
• disable cpsec on all your MCs until after your AP is up running 8.10.0.2 firmware
•  connect to its console through central and run the following command:

• convert-aos-ap cap 10.1.16.101

• be sure to provision your gateways with static-activate
• when you are installing certificates, if you see they are already installed, use the existing certificates

• are all of your APs on AOS8 MCs?
• if you need to convert an AOS8 MC AP to central, from the MC console you can use the following command:

• ap redeploy controller-less ?

• for the week of may 6, 2024
• cppm password = admin/Aruba123!
• Introduction to the Scenario for Tasks 13-19
• Appendix: Central Setup for the Mock Exam

Task 8

• on page 702
• is says
• Permitted access to DNS services from training-ad.acnsxtest.com and no other server
• issue
• the correct domain name is: traininglab-ad.acnsxtest.com

          preperation for Task 13

• on page 771
• you will need to run the mockexam_central script, goto page 832
• the script will fail, to fix:
• copy the folder "supporting" from \tools\Central\ and paste it to \tools\Mock Exam\ 

Appendix

Acronyms or Key terms

• SCIM: system for cross-domain identity management
• ESP: Encapsulating Security Payload
• provides encryption, authentication, integrity and confidentiality for IP packets
• based on protocol 50, but can be UDP encapsulated with dport 4500 when deployed in NAT-T mode
• IPsec:
• protocol suite that provides security services for IP packets, such as encryption, authentication, integrity and confidentiality
• ISAKMP:
• defines how to establish, negotiate, modify and delete security associations (SAs) for IPsec
• ISAKMP configuration method:
• allows a VPNC to push configuration such as IP addresses, DNS, WINS settings to a client after IKE phase 1 is established
• nonce:
• random / semi-random number generated for cryptographic communication 
• mechanism helps to protect against replay attacks
• the term stands for "number used once"
• SA: Security Association
• a relationship between two or more entities that describes how the entities will use security services to communicate securely
• SPI: Security Parameter Index
• identification tag added to the header while using IPsec for tunneling the IP traffic. 
• This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use
• Xauth:
• extended authentication for IPsec remote access users, requested by a VPNC after the establishment of IKE phase 1 SA.
• it typically supports RADIUS, SecureID, user/password

    Lab Access Errata

• when experiencing any problems with remote lab access (WebGate):
• be sure your browser is in private (incognito) mode
• restart your browser and clear your cache and cookies
• do not try to login unless you are 100 percent sure the login page is fully loaded (the tab favicon will look similar to an orange triangle)
• during login to Central, did you select the SSO option?
• if you need to restart your windows host
• in cmd.com type "shutdown /r /t 0"