HPE ANW ClearPass Advanced Configuration v25.23 (CPA2)
Welcome to this week's class
Navigate to https://rubbernecks-arubanetworks.blogspot.com
Please be sure you have downloaded the learner guide and lab guide as per the instructions in the email you received from HPE last week. Check your email history, spam folder, etc. for the keyword "OnSecure" if you cannot find the email.
- Click here for this week's lab access spreadsheet
- ask me for the password
Lab Notes
- Lab Dependencies
- Labs 1–4 must be done in order
- Labs 5–6 optional (must follow order if done)
- Lab 7 optional after Labs 1–4
- Labs 8.1 & 8.2 after Labs 1–4
- Tips on how to google our site for documentation
- googling for AOS-Switch-related topics
- site:hpe.com 16.10 -inurl:pdf -inurl:cx "dhcp-snooping"
- googling for AOS-CX-related topics
- site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.14 "dhcp-snooping"
- search option notes:
- site:x only searches that domain
- -inurl:x do not report links with this text in the URL
- inurl:x only report links with this text in the URL
- (ideal for finding specific version documentation)
Helpful Links
- about Aruba training and this course
- where to find more information
- techdocs: NAC
- aruba: Aruba Technical Product Documentation Portal
- here you find:
- Technology Briefs
- Validated Reference Designs
- Aruba Validated Designs
- Compliancy Documentation related to GDPR
- airheads: community.arubanetworks.com
- abc: Airheads Broadcasting Channel
- afp: Partner Technical Webinars
- aruba: HPE Aruba Networking Central demo
- where to find documentation
- ClearPass Policy Manager specific links
- AOS-CX specific links
Day 1 - Lecture Modules & Labs
M00: Introduction
Lab 00 - Testing Remote Lab Connectivity
M01: Cluster
- Topics Include:
- ZTS
- Cluster components, operations, licensing
- HA
- CPPM Insight
- cluster specific links
Lab 01 - ClearPass Cluster
- 1.1: ClearPass Clustering
- issue: 1.1.26 says:
- Add subscriber Node using 10.1.19.11/aruba123
- although these credentials are correct, in rare circumstances the operation does not work
- if that happens to you, reboot cppm1 and cppm2 and try again
- 1.2: Cluster Monitoring and fine-tuning
- 1.3: Configure High Availability
- 1.4: Testing HA
M02: Public Key Infrastructure
- Topics Include:
- PKI & Digital Signatures
- PKI system, components & operations
- CPPM Certificate formats
Lab 02 - Public Key Infrastructure
- 2.1: Install an HTTPS Certificate on the ClearPass server
- issue: 2.1.9-2.2.35 (unconfirmed cppm2 CSR issue)
- ignore this unless you have an issue related to CSR lab steps
- bug: the private key must be specified even if the CSR was generated
- use csrgenerator.com to generate a CSR for cppm
- or simply upload the cppm2 cert to the server
- or export the cert from a working cppm
- issue: 2.1.31 says:
- Select the file Desktop\Student Folder\Certificates\aruba-training.com\HTTPS cppm2\cppm2.aruba-training.com.cer ...
- it should say
- Select the file Desktop\Student Folder\Certificates\HTTPS cppm2\cppm2.aruba-training.com.cer ...
- 2.2: Install EAP RADIUS certificate on the ClearPass server
- 2.3: Configuring Intermediate CA in ClearPass Onboard
- 2.4: Issuing a Certificate in Onboard
- issue: 2.4.9: the cert chain created in 2.3 does not work as it should
- solution:
- follow the alternative lab steps in my OneNote share 2.4.9-2.4.12
Day 2 - Lecture Modules & Labs
M03: RadSec & EST
- Topics Include:
- Explain, Configure & Troubleshoot
- EST
- RadSec
- web: https://regexr.com
- test the following pattern: 10\.([0-9]{1,3})\.10\.[0-9][0-9][2-4]
Lab 03.1 - Enrollment over Secure Transport
- 3.1.1: Enrollment over Secure Transport Server
- url https://vip-cppm.aruba-training.com/.well-known/est/ca:2
- 3.1.2: Creating ClearPass Service for EST Enrollment
- 3.1.3: Enrollment of Networking Devices
- issue: 3.1: when enrolling CX for a cert
- it may be rejected due to verification failure
- solution: double-check that you disabled HTTPS ECC in lab 2.1.36-38
- 3.1.4: Monitoring EST
Lab 03.2 - RadSec
- 3.2.1: Import the Certificate for ClearPass RadSec
- 3.2.1: Enable RadSec on the AOS-CX Switch
- issue: 3.2.28 says:
- decompress the dump.tar.gz file
- solution: you may need to:
- open CMD.com
- cd C:\Users\student\Downloads
- cd dump
- tar -xf dump.tar.gz
M04: RADIUS Services
- Topics Include:
- RADIUS Service elements
- DHCP profiling
- Access Tracker
- RADIUS Accounting
- DHCP fingerprinting links
- Cisco fingerprinting links
Lab 04 - Manual Service Configuration
- 4.1: Design the RADIUS Service
- 4.2 Configure the Active Directory server as an authentication source
- 4.3: Configure DHCP Relay on the AOS-CX switch
- 4.4: Configure ClearPass Roles and Role Mapping Policy
- 4.5: Configure Enforcement
- 4.6: Configure ClearPass Service
- 4.7: Configure 802.1X Secure SSID
- issue: 4.7.8: wlan wizard
- it may be missing Primary Server = ClearPass in the pull-down menu
- solution: be sure you created ClearPass at the group level
- 4.8: Test Your Solution
- 4.9: Fine-Tune ClearPass Service Selection Rules
Day 3 - Lecture Modules & Labs
M05: Advanced Services
- Topics Include:
- PEAP / EAP-TLS
- TEAP
- Microsoft Entra ID
- OnGuard
Lab 05 - Advanced Services
- 5.1: Enable RADIUS Accounting
- 5.2: Analyze Accounting Logs in the ClearPass Server
- 5.3: Authenticate Clients with EAP-TEAP
M06: Onboarding
- Topics Include:
- BYOD security requirements
- using CPPM Onboard for BYOD
- Onboard & Access Tracker
Lab 06 - Dual SSID Onboarding
- 6.1: Setup a Guest Network
- 6.2: Enabling Onboarding
- 6.3: Test Dual SSID Onboarding
- 6.4: Enable Onboard Self-Service Portal
Day 4 - Lecture Modules & Labs
M07: MPSK
- Topics include:
- MPSK use cases, modes, and device registration
- Device registration portal
- Configure and verify MPSK service
Lab 07: Implementing MPSK
- 7.1: Set up IoT registration profile for ClearPass Guest
- 7.2: Configure the ClearPass Service for the IoT SSID
- 7.3: Configure MPSK SSID
- 7.4: Test Your Solution
M08: Wired Services
- Topics include:
- Colorless ports
- LUR and DUR
- DUR prerequisites
- Authentication options with colorless ports
- Benefits of UBT
- Local vs Extended VLAN mode
Lab 08-1: Wired Services
- 8.1.1: Setup AOS-CX switch and ClearPass for DUR
- 8.1.2: Setup AOS-CX and Mobility Gateway for UBT
- 8.1.3: Setup MAC Authentication Service in ClearPass
- 8.1.4: Test Wired Guest Access
- 8.1.5: Configure ClearPass for Wired onboarding
- 8.1.6: Test the Onboarding
Lab 08-2: Implementing Wired IoT
- 8.2.1: Setup ClearPass service for IoT devices
- 8.2.2: Test IoT access
- issue: 8.2: the camera shows as a generic device in the endpoint DB
- solutions:
- check fingerprint dictionary update status
- create a custom fingerprint as a workaround
- 8.2.3: Detect and Prevent MAC Spoofing Attacks
- 8.2.4: Test MAC address spoofing
- issue: 8.2.4: cppm does not show a profile conflict when spoofing the MAC
- unresolved
Day 5 - Lecture Modules & Labs
M09: Cluster Design & Administration
- Topics include:
- Cluster scalability issues
- Using zones for efficiency and resilience
- Design considerations & best practices
- CPPM Insight placement considerations
- Software and cluster updates
Appendix
- Acronyms / Key Terms
- 2.5.29.19 – Basic Constraints (X.509 Certificate Extension)
- Indicates whether the subject can act as a Certificate Authority (CA)
- Required for Cluster DB certificates (CPPM ≥ 6.8)
- Icon Key
- Icon key slide from PPTX
- Download if you want to reuse images
- Lab Access Errata
- Use private/incognito mode
- Restart browser and clear cache/cookies
- Ensure login page fully loads before logging in
- Select SSO option when logging into Central
- To restart Windows host:
- in cmd.com, type "shutdown /r /t 0"