CFG ClearPass Lab Guide Rev 23-13
Configuration
LAB GUIDE
Version: 23.13
Security Series
© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice.
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with
FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over
and is not responsible for information outside the Hewlett Packard Enterprise website.
Acknowledgments
All third-party marks are property of their respective owners.
Contents
Contents i
Lab 1: Testing Lab Connectivity 1
  Device Access 1
  Task 1-1: Aruba Training Lab Access 1
    Objectives 1
    Steps 1
  Task 1-2: Aruba Training Lab Interface 2
    Objectives 2
  Task 1-3: Testing Connectivity 3
    Objectives 3
    CLI Console Access 4
    Test the Wired MGMT Client Remote Desktop 4
    Test Connectivity to the Wireless Client 7
  Task 2-5: Select Custom Attributes from Active Directory 22
    Objectives 22
    Steps 22
  Task 2-6: Sign ClearPass EAP/RADIUS certificate with AD CA 26
    Objectives 26
    Steps 26
  Task 2-7: Test Your Active Directory Authentication Source 32
    Objectives 32
    Steps 32
  Lab Debrief 34
Lab 3: Configuring External Devices 35
  Task 3-1: Configure Network Devices 35
    Objectives 35
    Steps 35
  Task 3-2: Configure Device Attributes and Network Device Groups 37
    Objectives 37
    Steps 37
  Task 3-3: Configure Email Server 39
    Objectives 39
    Steps 39
  Task 3-4: Connecting ClearPass to the MDM Server 41
    Objectives 41
    Steps 41
  Lab Debrief 43
Lab 4: Endpoint Profiling 45
  Task 4-1: View Current Endpoints 45
    Objectives 45
    Steps 45
  Task 4-2: Configure the Controller for Endpoint Profiling 49
    Objectives 49
    Steps 50
  Task 4-3: Configure Profiling on ClearPass 54
    Objectives 54
    Steps 54
  Task 4-4: Examine Endpoint Profile Data 55
    Objectives 55
    Steps 55
  Lab Debrief 64
    Task Questions Answered 64
      Task 1 64
  Task Questions Answered 89
    Task 1 89
    Task 6 91
Lab 8a: Guest Authentication 143
  Task 8a-1: Create Web Login Page 143
    Objectives 143
    Steps 143
  Task 8a-2: Create a Guest Account 147
    Objectives 147
    Steps 147
  Task 8a-3: Create Services for Guest in Policy Manager 149
    Objectives 149
    Steps 149
  Task 8a-4: Configure Aruba Controller for Guest 154
    Objectives 154
    Steps 154
  Task 8a-5: Test the Web Login Page 155
    Objectives 155
    Steps 155
  Lab Debrief 164
    Task Questions Answered 164
Lab 9: Guest Access with Self-registration 193
  Task 9-1: Configure a Self-Registration Portal 193
    Objectives 193
    Steps 193
  Task 9-2: Configure Aruba Controller for Self-Registration 205
    Objectives 205
    Steps 205
  Task 9-3: Testing Self-Registration 207
    Objectives 207
    Steps 207
  Lab Debrief 215
    Task Questions Answered 216
Lab 10b: Wired Authentication With AOS-CX Switch (Optional Lab) 243
  Task 10b-1: Configure the Service for Wired Authentication 244
    Objectives 244
    Steps 244
  Task 10b-2: Configure the Switch Port for 802.1X 251
    Objectives 251
    Steps 252
  Task 10b-3: Test the Wired Authentication Port 253
    Objectives 253
    Steps 253
  Lab Debrief 265
    Task Questions Answered 265
  Task 12-4: Return the Configuration to Normal 310
    Objectives 310
    Steps 310
    Steps 343
  Task 14-3: Modify the Health Check Service 344
    Objectives 344
    Steps 344
  Task 14-4: Testing 346
    Objectives 346
    Steps 346
  Lab Debrief 359
    Task Questions Answered 359
    Task Questions Answered 396
  Task 18-2: Monitoring Clustering 444
    Objectives 444
    Steps 444
  Task 18-3: Configure High Availability 449
    Objectives 449
    Steps 450
  Task 18-4: Testing High Availability 457
    Objectives 457
    Steps 457
  Lab Debrief 460
Lab 19: Administrative Access 461
  Task 19-1: Guest Operator Login 461
    Objectives 461
    Steps 461
  Task 19-2: Create a New Guest Admin Account 463
    Objectives 463
    Steps 463
  Task 19-3: Test Guest Operator Login 464
    Objectives 464
    Steps 465
  Task 19-4: Policy Manager Admin Access for AD Users 470
    Objectives 470
    Steps 470
  Task 19-5: Policy Manager Administrator Privileges 476
    Objectives 476
    Steps 476
  Task 19-6: TACACS+ Admin Access to Aruba Devices 485
    Objectives 485
    Steps 485
  Lab Debrief 492
    Task Questions Answered 492
Lab 1: Testing Lab Connectivity
Device Access
You have received pod and table number assignments that define your remote lab location. When configuring your equipment, you must follow a naming and numbering plan based on your pod and table numbers. In these labs, the value # is your pod number, and X is your table number.
The table below lists the remote lab equipment. In the "My Device IP" column, write the IP address assigned to your devices. (Your instructor may provide an IP address sheet.)
Steps
1. On your local computer, launch a web browser and navigate to the Aruba Training Lab web portal at https://arubatraininglab.computerdata.com.
It may take a few minutes for the Wired MGMT Client desktop to come up. Also, if your Aruba Training Lab has been idle for a while after you log in, you may need to log out of the lab interface, log back in, and then launch the desktop again.
4. On the Wired MGMT Client desktop, launch the Google Chrome browser.
5. Type the IP address of your ClearPass1 server in the browser address bar. (Refer to the lab diagram for the correct IP address.)
6. Accept the certificate error.
7. Click on the ClearPass Policy Manager link to navigate to the Policy Manager login page.
If there are no wireless networks, notify your instructor, or if you are working on this lab as part of a self-paced course, contact the support email you were given. Remember, you will not need the wireless client until Lab 6.
Steps
1. From your local computer, log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. In the remote desktop, open a Google Chrome web browser, and navigate to the IP address of ClearPass1.
You can check the lab diagram in the Aruba Training Lab Dashboard to get the IP address.
3. Once at the ClearPass portal landing page, click on ClearPass Policy Manager to open the
administration login page.
4. Log into the Policy Manager with the credentials admin/eTIPS123.
Find the option for License Usage in the sidebar menu, then click and drag it on top of the panel for All Requests.
5. In the upper right-hand corner of the Dashboard, below the menu option, click the drop-down box with the word Default in it, and select the option for 3x3. Another dashboard with nine smaller panels in it will appear.
7. On the sidebar menu, click the header Monitoring. You will spend a lot of time in the monitoring
screens while doing troubleshooting in your labs. The most notable tool is Access Tracker.
9. Expand the sections for Authentication and Identity under the Configuration sidebar menu.
10. On the sidebar menu, click the header for Administration to expand it.
11. Below Administration, expand Users and Privileges and Server Manager.
12. Look in the upper right corner of the ClearPass screen and expand the Menu option.
13. In the drop-down menu, click the option for Help. You may need to allow pop-ups to open the built-in help page.
Steps
1. Navigate to Administration > Certificates > Trust List
2. Click the Add button in the upper right corner to add a new trust bundle
4. Browse to Desktop > Table X Student Folder > Certificates > star.aruba-training.com.
5. Select the file star.aruba-training.com.ca-bundle and click Open.
You may see a Security warning page in your browser. Just ignore it.
Notice that the security warning is no longer displayed, and the lock icon indicates a secure connection was established. If you still see the certificate warning, wait a couple more minutes while ClearPass loads the new certificate.
23. Log into the Policy Manager with the credentials admin/eTIPS123.
Steps
1. In the sidebar menu, expand Administration > Server Manager, and click on Server Configuration.
2. In the upper right corner of the workspace, click on Set Date and Time.
3. Click the Cancel button to close the Change Date and Time window.
4. In the Server Configuration workspace, click on your ClearPass1 server to open its configuration.
Objectives
To set up and configure an Authentication Source in ClearPass that uses Active Directory to verify the credentials of your network users.
Steps
1. In the sidebar menu, expand Configuration, and then the Authentication submenu.
2. Under Authentication, click on Sources.
3. In the upper right hand corner of the workspace, click Add.
4. On the General tab of the Authentication Sources workspace, enter the following information:
The Search Base DN option does two things for you: it tests the validity of your settings, and it lets you set the starting point in the directory tree for the search.
Steps
1. Open the Authentication Sources workspace.
2. Sort through the list, and click to open Remote Lab AD for editing.
3. Click the Attributes tab.
7. To add new options to the list of attributes collected by ClearPass, scroll through Alice's AD attribute box on the right side of the window, and find countryCode.
10. Edit the alias name to be “Home Country.” Then, click the Save icon at the end of the line.
Steps
1. Navigate to the Certificate Store page, Administration > Certificates > Certificate Store.
2. Select RADIUS/EAP Server certificate at the Select Usage drop-down menu.
3. Notice that, by default, ClearPass has a self-signed certificate for RADIUS.
4. Click Create a Certificate Signing Request to create a CSR file.
5. At the overlay window, enter the following configuration that ClearPass will use to generate the
CSR file:
a. Common Name: TT-CPPM1.aruba-training.com
b. Organization: Aruba Networks
c. Location: San Jose
d. State: CA
15. At the Active Directory Certificate Service page, select Request a certificate.
Steps
1. Expand the Configuration sidebar menu, and click on Policy Simulation.
2. To add a new simulation, select Add in the upper right corner.
3. In the Policy Simulation workspace, enter the following information:
a. Name: Active Directory Test
b. Type: Active Directory Authentication
c. Active Directory Domain: TRAINING
d. Username: employee
e. Password: aruba123
4. Click Save.
Lab Debrief
In Task 1 of this lab, you became familiar with the web user interface in ClearPass, and you should now know how to move around to access the different screens and modules.
In Task 2, you installed an HTTPS RSA certificate, allowing secure management of your ClearPass server.
In Task 3, you added ClearPass to the Active Directory domain. This is required because you will be using EAP-PEAP authentication with MSCHAPv2, which needs ClearPass to be joined to the domain.
In Task 4, you created an Authentication Source pointing to the Active Directory server that you will use to process user credentials when you build services. If you were going to authenticate your users with EAP-TLS only, you would not have needed to join ClearPass to the Active Directory domain. However, you would still have created an Authentication Source pointing to the Active Directory server.
In Task 5, you selected two AD LDAP attributes that were not in the default Authentication Source filter and enabled them as attributes that ClearPass will collect.
In Task 6, you generated a CSR (Certificate Signing Request) and used the local AD CA to sign the certificate. After that, you installed the new certificate on ClearPass for use by the EAP/RADIUS service.
Finally, in Task 7, you used the Policy Simulator to test your Active Directory Authentication Source. There are quite a few policy simulations that you can run, including service categorization, role mapping, enforcement policies, and authentication tests.
Lab 3: Configuring External Devices
In this task, you will configure the ClearPass half of the Network Devices setup. The Authentication Source configuration on the Controller and the switch in the lab is already completed. Configuration of the individual Network Access Device hardware varies by vendor and is beyond the scope of this lab.
Steps
1. Log into your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and browse to the IP address of ClearPass1.
3. Log in to the Policy Manager (https://TT-cppm1.aruba-training.com, where TT is your table number) with the credentials admin / eTIPS123.
For example, https://t14-cppm1.aruba-training.com for table 14.
4. Navigate to the Configuration menu, and expand the Network submenu.
5. Click on Devices.
6. In the Network Devices workspace, click on Add in the upper right corner.
7. In the Add Device window, configure the following settings:
a. Name: Aruba Controller
b. IP or Subnet Address: the IP address of your Controller
c. RADIUS Shared Secret: aruba123
d. TACACS+ Shared Secret: aruba123
TIP: The IP addresses of all your devices are listed on the Aruba Training Lab diagram interface.
Steps
1. In the Network Devices workspace, click the device named Aruba Controller to open it for editing.
5. For the Value, type "Wireless Controller," and click the Save icon.
6. To save the Device Details, click Save.
7. Repeat for the AOS-S Switch, and set the Device Type value to Network Switch.
For this lab, device groups really do not make sense because you only have two devices, and there is little similarity between them, so logically, it really does not matter if you have them grouped. This section is just an example of how to create a device group.
9. In the Network Device Groups workspace, click Add in the upper right corner.
10. Give the device group the name “My Devices.”
11. To see a list of your network devices, select Format: List.
12. Under Available Devices, highlight your two network devices from the list and move them to the Selected Devices column.
13. To save your new device group, click the Save button.
If your email settings are correct, the test email will send even if the send-to address is bogus. The test checks the ability of ClearPass to communicate with the mail server and pass off the message. In a live system, it is the mail server's responsibility to actually deliver the email message, and you would need to confirm receipt of the message for a full test.
3. Confirm that you wish to poll the MDM server by clicking the Trigger button in the popup window.
4. To see the results of the poll, click on your MDM server in the External Context Server list to open the Modify Endpoint Context Server window.
Lab Debrief
In this lab, you learned how to configure Network Access Devices in ClearPass. You will need to do this for every device that will send a request to ClearPass. In a production deployment, you will need to configure the Network Access Devices to use ClearPass as an authentication source. You also configured an email relay for ClearPass to use while sending notifications and an Endpoint Context Server (MobileIron) for profiling in ClearPass.
Lab 4: Endpoint Profiling
Steps
1. Log in to the Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1 (https://TT-CPPM1.aruba-training.com).
3. You should now be at the ClearPass Policy Manager Login page.
4. Log into the Policy Manager with the credentials admin / eTIPS123.
5. In the sidebar menu, expand Configuration, and then expand the submenu Identity.
6. Click on Endpoints.
- Under the heading Profiled, are any of your endpoints not profiled?
7. To open the Edit Endpoint screen, click one of the Smart Devices listed.
Take a few moments to explore some of the other endpoints in your list. Note the difference in attributes between the MDM-sourced ones and those that are not. For example, look at an endpoint with the device category of computer or server.
To configure the Aruba Networks Mobility Controller for DHCP Relay and IF-MAP.
3. Click the X1 VLAN, and expand the lower section of the screen.
4. Click the header IPv4.
7. To add the ClearPass IP address and the DHCP server IP address, click the + sign under DHCP helpers.
8. Add the following:
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1.
3. Log into the Policy Manager.
4. In the sidebar menu, expand Administration > Server Manager.
5. Select Server Configuration.
6. Select Cluster-Wide Parameters in the upper right-hand corner of the Server Configuration workspace.
Steps
1. In the ClearPass WEB UI, expand the Dashboard sidebar menu.
2. In the list of available dashboard widgets, find the following, and drag them onto the dashboard:
a. Endpoint Profiler Summary
b. Device Category
c. Device Family
d. MDM Discovery Summary
3. Spend a little time exploring the options in the dashboard widgets. Each of the elements is active,
so you can click on images and modify the element view.
4. In the sidebar menu, expand Monitoring, and expand Profile and Network Scan.
5. Click on the submenu option for Endpoint Profiler.
8. In the upper righthand corner of the screen, click the Toggle Dashboard View link.
9. Scroll down, and take note of the new view.
3. To add a new fingerprint, click the Add button in the upper right corner of the workspace.
6. Scroll through the fingerprint list, and find your new fingerprint; look at the end of the access points list.
In a live environment, you would use this to categorize devices that are showing up as unknown in the profiler. In this lab, you will re-categorize your ClearPass server as an example of how to apply a custom endpoint device fingerprint. Note that once you have applied a custom endpoint device fingerprint, ClearPass will continue to profile all similar devices with the new device fingerprint.
2. In the endpoints list, select the checkbox for your ClearPass server; you may need to Clear Filter to view the complete list.
3. In the bottom of the Endpoints workspace select the option for Update Fingerprint.
5. Click your ClearPass server in the endpoints list, and open the Edit Endpoint page.
- What are some of the listed fingerprints for your selected endpoint?
  - On live endpoints, the fingerprints will reflect how ClearPass discovered the endpoint and what context data it has gathered, which may differ depending on the fingerprints discovered.
- Why do these attributes seem generic?
  - These attributes are simple attributes gathered from the MDM server, which is why they seem so generic.
The answers for the questions are in the appendix at the end of this lab. It is recommended that you take some time to work through this exercise and do not just go look at the answers.
Questions
1. What authentication sources will you be using?
2. How will you know what type of device the user has?
6. How will you handle Endpoints that have not been profiled yet?
Steps
1. Log in to the Aruba Training Lab and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager with the credentials admin / eTIPS123.
4. Expand the Configuration sidebar menu.
5. Expand the Identity submenu, and click on Local Users.
6. To create a new user, click Add in the upper right corner of the Local Users workspace.
7. In the Add Local User pop-up window, configure the following settings:
a. User ID: contractUser
b. Name: Temp User
c. Password: aruba
d. Role: [Contractor]
2. To add a new role, click the Add link in the upper right corner of the Roles workspace.
3. In the Add New Role window, type in the following:
a. Name: corporate_user
b. Description: this is a corporate user
4. Click Save.
5. Repeat the above steps for the remaining user roles:
Steps
1. Navigate to Configuration > Identity and select Role Mappings in the sidebar.
2. To add a new role mapping, click the Add link in the upper right corner of the workspace.
b. Rule #2
i. Type: Authentication
ii. Name: Source
iii. Operator: EQUALS
iv. Value: [Local User Repository]
v. Role Name: temp_user
d. Rule #4
i. Type: Authorization: [Endpoints Repository]
ii. Name: Category
iii. Operator: EQUALS
iv. Value: SmartDevice
v. Role Name: smart_phone
Steps
1. Navigate to Configuration and the Enforcement submenu.
2. Click on Profiles, and then click on Add in the upper right-hand corner.
WARNING: The role names in the Enforcement Profiles must exactly match the User Role names in the Controller and are case sensitive. If the name value assigned does not match the User Role in the Controller exactly, the Controller will assign the default 802.1X User Role.
Consider naming conventions when you are building your enforcement profiles. A proper naming convention will help make your enforcement policy rules much more readable. Consider that while reading the enforcement policy rules that call up the above named profiles, you can easily tell what each profile does from its name.
Steps
1. In the sidebar menu, select Configuration > Enforcement > Policies.
2. To create a new enforcement policy, click the Add link in the upper right-hand corner.
3. On the Enforcement tab, enter the following settings:
a. Name: Aruba wireless enforcement policy
b. Description: Aruba wireless enforcement policy
c. Enforcement Type: RADIUS
d. Default Profile: [Deny Access Profile]
Compare the enforcement rules in the above example to the IF – THEN statement.
Internally, ClearPass refers to roles and posture as a type labeled "Tips." The acronym "TIPS" refers to the original Avenda product called the Trust and Identity Policy System.
Condition 3
IF ClearPass role equals “temp_user” AND “computer,”
THEN assign Aruba_User_Role “temp_access.”
3. In the rules editor, create two lines:
a. Rule #1
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: temp_user
b. Rule #2
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: computer
4. For Profile Names, select to add: [RADIUS] assign temp access role.
9. As a good practice, you should move the "not profiled" enforcement rule to the top of the list. To do this, highlight the "(Authorization: Endpoints Repository: category NOT_EXISTS)" rule and use the Move Up button.
Lab Debrief
During this lab, you started with a design exercise to help plan the roles and enforcement you would build. From this plan, you defined the required ClearPass Roles and Role Mapping Policies. You also defined the correct Enforcement Profiles that would properly assign the User Roles to the clients when they connect to the Wireless SSID. Finally, you defined the Enforcement Policy rules required to implement the access logic requirements.
Lab 5: Roles and Enforcement
Task Questions Answered
Task 1
- What authentication sources will you be using?
  - Remote Lab AD
  - Local Users Database
- How will you know what type of device the user has?
  - You will need to gather the device category profile information about the user's device before you can evaluate the enforcement policy properly.
- Will you need to add authorization sources? If yes, list them.
  - Yes, you will need authorization sources. You will need to add the endpoints database to the authorization sources for the service.
- Write out your Role Mapping rules.
  - IF the user is a member of the Active Directory Domain Users group, THEN assign the corporate_user role.
  - IF the user authenticated with the Local User database, THEN assign the temp_user role.
  - IF Endpoint Device category equals "Computer," THEN assign the computer role.
  - IF Endpoint Device category equals "SmartDevice," THEN assign the smart_phone role.
- Will you need to add any new ClearPass Roles?
  - corporate_user
  - temp_user
  - computer
  - smart_phone
- How will you handle endpoints that have not been profiled in ClearPass?
  - You can evaluate whether the endpoint's category NOT_EXISTS to identify endpoints that have not been properly profiled yet. Endpoints that have no profile context are redirected into the "profile_only" role to allow ClearPass to collect profile data, in this case DHCP options. This evaluation should be done in the enforcement policy rules, not in the Roles.
- Write out your Enforcement Policy rules.
  - Enforcement policy default profile: assign Aruba_User_Role "deny_all."
    - IF Endpoint: Category does not exist, THEN assign Aruba_User_Role "profile_only."
    - IF ClearPass user role equals "corporate_user" AND "computer," THEN assign Aruba_User_Role "employee_full."
    - IF ClearPass user role equals "corporate_user" AND "smart_phone," THEN assign Aruba_User_Role "employee_smart."
    - IF ClearPass user role equals "temp_user" AND "computer," THEN assign Aruba_User_Role "temp_access."
    - IF ClearPass user role equals "temp_user" AND "smart_phone," THEN assign Aruba_User_Role "deny_all."
- Define your Enforcement Profiles.
  - Rule #1
    - Name = assign deny all role
    - Template = Aruba RADIUS enforcement
    - Attribute = RADIUS: Aruba Aruba-User-Role = "deny_all"
  - Rule #2
    - Name = assign employee full role
    - Template = Aruba RADIUS enforcement
    - Attribute = RADIUS: Aruba Aruba-User-Role = "employee_full"
  - Rule #3
    - Name = assign employee smart role
    - Template = Aruba RADIUS enforcement
    - Attribute = RADIUS: Aruba Aruba-User-Role = "employee_smart"
  - Rule #4
    - Name = assign temp access role
    - Template = Aruba RADIUS enforcement
    - Attribute = RADIUS: Aruba Aruba-User-Role = "temp_access"
  - Rule #5
    - Name = assign profile only role
    - Template = Aruba RADIUS enforcement
    - Attribute = RADIUS: Aruba Aruba-User-Role = "profile_only"
Task 6
- What enforcement profile would be assigned if a user attempted to connect a client that was assigned a different Endpoint Category than computer or smart device?
  - The client would not match any of the rules in the enforcement policy and would be assigned the "default profile." You set the default profile to "deny access," which sends a RADIUS reject message to the NAD.
- What is the advantage to using the "Endpoints Category Exist" rule?
  - The "IS_Profiled" flag can be ambiguous. It gets set to true any time any profile data is written for the endpoint. The data you are evaluating may not exist, but other profile data that you do not care about may have set the flag.
Lab 6: Configuring Services
The answers for the questions are in the appendix at the end of this lab. Aruba recommends that you take some time to work through this exercise and do not just go look at the answers.
Questions
1. What type of a service will you be creating?
2. What service selection rules will you need for this service?
Steps
1. To open the Services workspace, expand Configuration in the sidebar menu, and click Services.
2. To add a new service, click the Add link in the upper right corner.
3. In the Services window, select Aruba 802.1X Wireless for the type.
4. In the name field, type: “Aruba 802.1X Secure Wireless.”
5. In the Service Rules, change line 3:
a. From: RADIUS: Aruba Aruba-Essid-name EXISTS
b. To: RADIUS: Aruba Aruba-Essid-name CONTAINS “secure”
Take note of the fact that both the Remote Lab AD and the Local User Repository are already part of the Authorization Sources. This is because ClearPass will always attempt to gather authorization attributes from any servers placed in the additional authentication source list.
During this task, you will not get a successful authentication. The point of this task is to lead you through some of the troubleshooting tools that you will use.
Steps
1. To disable the Aruba Controller’s access in ClearPass, navigate to Configuration > Network, and
click Devices.
5. On your Wired MGMT Client desktop, open a new browser tab to the IP address of your Aruba
Controller (10.1.X0.100, where X is your table number).
6. Log into the Controller with your admin credentials: admin / admin1.
7. In the sidebar menu of the Mobility Controller, expand Diagnostics and the submenu Tools.
8. In the workspace, select the AAA Server Test tab.
9. Pull down the Server Name menu, and select ClearPass.
10. For the username and password, type in user / password.
11. To submit, click Test.
12. In the bottom portion of the test screen, take a look at the Attribute Value Pairs in Response
section.
The Controller has a new feature that will show you the RADIUS attributes that were sent with
this test request. In the first section of attribute value pairs consider your service selection rules,
specifically NAS-port-type and Service Type.
16. In the Event Viewer workspace, look for recent RADIUS error messages.
17. Open one of the messages by clicking on it. You should see that ClearPass rejected the test RADIUS request due to a possible shared secret mismatch error.
You will use the Event Viewer to investigate system events or errors. In this case, the system rejected the authentication request from the Mobility Controller, so it made an entry in the Event Viewer. The Event Viewer is the go-to tool when you do not see requests logged in Access Tracker.
2. Click the Aruba Controller to open the Edit Device Details screen.
3. In the edit device details screen, change the RADIUS shared secret to “aruba123.”
This test will fail. In this case, the test fails because ClearPass cannot find a service to process the request. The Aruba Controller tags the test request as a wireless type request, but it does not send an Aruba-ESSID-Name attribute, and the service you built requires an ESSID name that contains "secure."
7. Return to the browser window for ClearPass, and log in again, if necessary.
12. Notice that the reason this request was rejected is a "Service Categorization Failed" error. This means that there was no service configured for the characteristics of this request.
The RADIUS Request section exposes the actual RADIUS attributes sent by the Network Access Device. Often, you can use the information exposed here to fine-tune your Service Selection Rules. Notice that this request failed because it did not contain an Aruba-ESSID-Name, and that is one of the requirements for the service selection rules in the service you created.
This lab is designed to test role assignments and profile capabilities. To make this cleaner, you will want to delete all of the current endpoints at the beginning of the lab, so that you start with a clean, un-profiled endpoint.
Steps
The next time that ClearPass polls the MDM server, it will pull in all of the MDM-managed endpoints again. This is okay. It was easier to delete everything rather than to search for a single MAC address.
22. Click OK, then OK, and then Close to finish and save the settings.
You should see two entries for your authentication. If you only have one entry in
Access Tracker, return to Wireless Test Client to make sure the client is still connected.
If it is not, reconnect.
• Username:
• Authentication Source:
• Roles:
You will want to pay extra attention to the Roles for troubleshooting.
5. Click the Alerts tab.
a. What is significant about the alert: “Failed to get value for attributes = [Category]”?
6. Click the RADIUS Dynamic Authorization tab, and take note of the status message. It should
show as successful for the client.
Take note of the Aruba-specific RADIUS information that is now part of this access
tracker entry.
8. Click the Output tab and expand the RADIUS Response section.
8. On the Input tab, scroll down, and expand the Endpoint Attributes section. Scrolling through
the endpoint attributes, you will see all of the endpoint profiler information as well as the
fingerprints for this client.
Lab Debrief
Task Questions Answered
Task 1
• What type of a service will you be creating?
802.1X Wireless or Aruba 802.1X Wireless
• What service selection rules will you need for this service?
RADIUS: IETF NAS-Port-Type = Wireless
RADIUS: IETF Service-Type = Login-User
RADIUS: Aruba Aruba-ESSID-Name contains “secure”
• What authentication sources will you need to list? List these in order.
Remote lab AD
Local Users Database
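Service categorization as the Access Tracker note above describes it, written here as an added example (not ClearPass code): the three selection rules from this debrief are evaluated with AND semantics, and failed_rules reports which rule the Controller's built-in test request misses. The attribute spellings, sample requests and the wired request are constructed for illustration.

```python
"""Model of ClearPass service categorization (added example, not ClearPass code).

A request is assigned to the first service whose selection rules ALL match;
when no service matches, Access Tracker shows "Service Categorization Failed".
"""
from typing import Dict, List, Optional, Tuple

# A rule is (attribute, operator, value). Attribute names follow the
# "RADIUS:<dictionary>:<attribute>" form used in the rules editor (constructed spelling).
Rule = Tuple[str, str, str]
Request = Dict[str, str]

# The rules the lab debrief lists for the Aruba 802.1X Secure Wireless service.
ARUBA_8021X_SECURE_WIRELESS: List[Rule] = [
    ("RADIUS:IETF:NAS-Port-Type", "EQUALS", "Wireless"),
    ("RADIUS:IETF:Service-Type", "EQUALS", "Login-User"),
    ("RADIUS:Aruba:Aruba-ESSID-Name", "CONTAINS", "secure"),
]

SERVICES: List[Tuple[str, List[Rule]]] = [
    ("Aruba 802.1X Secure Wireless", ARUBA_8021X_SECURE_WIRELESS),
]


def rule_matches(rule: Rule, request: Request) -> bool:
    """True if the request satisfies one rule. An attribute that is absent never matches."""
    attribute, operator, expected = rule
    actual = request.get(attribute)
    if actual is None:
        return False
    if operator == "EQUALS":
        return actual == expected
    if operator == "CONTAINS":
        return expected.lower() in actual.lower()
    raise ValueError(f"unsupported operator {operator!r}")


def failed_rules(rules: List[Rule], request: Request) -> List[Rule]:
    """The rules this request did NOT satisfy: compare against the RADIUS Request
    section in Access Tracker when fine-tuning service selection rules."""
    return [rule for rule in rules if not rule_matches(rule, request)]


def categorize(request: Request, services=SERVICES) -> Optional[str]:
    """First service whose rules all match, or None (Service Categorization Failed)."""
    for name, rules in services:
        if not failed_rules(rules, request):
            return name
    return None


# Constructed sample requests.
# 1) What the Mobility Controller's RADIUS "test" sends: tagged as wireless,
#    but with no ESSID attribute at all.
CONTROLLER_TEST_REQUEST: Request = {
    "RADIUS:IETF:NAS-Port-Type": "Wireless",
    "RADIUS:IETF:Service-Type": "Login-User",
    "RADIUS:IETF:User-Name": "test",
}
# 2) A real 802.1X client on the lab's "secure" SSID.
CLIENT_REQUEST: Request = {
    "RADIUS:IETF:NAS-Port-Type": "Wireless",
    "RADIUS:IETF:Service-Type": "Login-User",
    "RADIUS:IETF:User-Name": "contractUser",
    "RADIUS:Aruba:Aruba-ESSID-Name": "secure5-1",
}
# 3) A wired client from a switch: different NAS-Port-Type and Service-Type,
#    so the wireless service must not claim it.
WIRED_REQUEST: Request = {
    "RADIUS:IETF:NAS-Port-Type": "Ethernet",
    "RADIUS:IETF:Service-Type": "Framed-User",
    "RADIUS:IETF:User-Name": "contractUser",
}

if __name__ == "__main__":
    for label, req in [("controller test", CONTROLLER_TEST_REQUEST),
                       ("secure client", CLIENT_REQUEST),
                       ("wired client", WIRED_REQUEST)]:
        service = categorize(req)
        if service is None:
            print(label, "-> Service Categorization Failed; unmet rules:",
                  failed_rules(ARUBA_8021X_SECURE_WIRELESS, req))
        else:
            print(label, "->", service)
```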
Task 4
• Step 26 – Take note of the following data:
Login Status: ACCEPT
Username: contractUser
Service: Aruba 802.1X Secure Wireless
Authentication Source: Local:localhost
Roles: [Contractor], [User Authenticated], temp_user
Enforcement Profiles: assign profile only role
• Step 27 – What is significant about the alert: “Failed to get value for attributes = [Category]”?
This alert fired because the service was not able to recover the endpoint attribute “category.”
This is essentially an indicator that the endpoint had not been profiled when this service request ran.
• Step 33 – Why is there an authorization attributes section on this request but not on the
previous request?
Steps
1. Log in to the Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1 to open the launch
page.
3. On the launch page, select the button for ClearPass Guest.
2. Click the Choose Files button, and look in the Table X Student Folder > Images on the desktop
of Wired MGMT Client for a file called cpe_6.7.jpg.
3. Click Upload Content.
4. Expand the newly uploaded file in the menu, and click Quick View.
Steps
1. Expand Configuration on the sidebar menu, and then expand the submenu Pages.
2. Click Web Pages.
3. Click the menu listing for the Service Unavailable page, and expand.
4. Click Edit to view the current applied skin.
5. Scroll down the page, and under the option for *Skin, select ClearPass Guest Skin.
Using the Galleria Skin might adversely impact performance on the wireless client. If
you notice that your client is not responsive when testing the Captive Portal, you can
change the skin to default.
The Galleria Skin contains high-resolution graphics backgrounds. If you have a slow
internet link or long ping times to the lab, you will notice after installing the Galleria
Skin that the browser window slows considerably. If this occurs, change to one of the
other skins, such as the “Aruba Guest Skin.”
10. Scroll down to the Guest Content Header: section, and change the first line of text to: Guest
Access. This will change the text in the page header.
11. Scroll to the bottom of the page, and click Save Configuration.
Steps
1. Navigate to Configuration > Pages > Web Pages.
2. Expand the menu for Service Unavailable.
3. Click the link for Edit.
4. Scroll down to the HTML edit box.
5. Insert the following text just before the closing “div” tag (</div>).
<p>
<strong>This is some extra text added to the page</strong>
</p>
Lab Debrief
During this lab exercise, you got a feel for how you can modify ClearPass web services using the Con-
Steps
1. Log in to Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and browse to the IP address of ClearPass1 to open
the launch page.
3. On the launch page, select the button for ClearPass Guest.
7. Configure as follows:
a. Name: Guest Network
b. Page Name: arubalogin (This will set the URL for login to: https://<your ClearPass server>/guest/arubalogin.php)
c. Vendor Settings: Aruba
d. Address: captiveportal-login.arubatraininglab.com
The address change is required because, in the lab environment, the Controller has a
new wildcard certificate for the domain arubatraininglab.com. If you were using a
certificate with a fully qualified common name, you would place that name in the
address field. This is required to properly facilitate the credentials post operation,
where the client’s browser sends the credentials to the Controller using this address.
As good practice, you should normally enable pre-auth checks to ensure a good user
experience. The default application-based pre-auth check requires an application service
to process it. By changing to a RADIUS pre-auth check, the same service that processes
the guest login will also process the pre-auth check.
9. Below the ‘Login Page’ heading you can customize the look of the page:
Using the Galleria Skin might adversely impact performance on the wireless client. If
you notice that your client is unresponsive when testing the captive portal, you can
change the skin to default.
10. Scroll to the bottom of the page, and click Save Changes to commit the configuration of the web
login page. This could take a minute or so as ClearPass generates your new pages in the web
server.
11. Now you should see your new web login page created.
12. Click Launch to view the page.
13. This should open a new tab in your browser that shows the completed guest web login page.
This is the page that users will see when they log in.
Steps
1. Navigate to Guest > Create Account.
3. Click the Create New Guest Account button to save the new guest account:
Steps
1. Use the Menu in the upper right corner of the Guest Workspace to navigate to ClearPass Policy
Manager.
2. Log in with admin / eTIPS123, if required.
The Service Template creates several Enforcement Profiles to assign to users, including
Lab 8 session timeout, Lab 8 bandwidth limit, etc. All of these Enforcement Profiles
serve different purposes, such as setting session time limits and bandwidth
limits for guests on the network.
5. Click Next.
6. On the Attributes tab, under Value, click the words Enter Role Here. Enter the role name
“guest” (note that this is case-sensitive).
11. In the rules editor, select the RADIUS Assign Guest Role profile, and add it to the list in Profile
Names.
NOTE: Ignore the warning “Note: This Service is created by Service Template.”
Steps
1. On Wired MGMT Client, open a web browser, and access your Mobility Controller’s web interface
at: http://10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1.
3. Navigate to Configuration > Authentication in the sidebar menu.
4. Select the L3 Authentication tab in the workspace.
5. Click the + next to Captive Portal Authentication Profile to expand.
6. Click Guest#-X-cp_prof to edit.
Steps
Set Up a “Wireless Network Profile” on the Wireless Client
In this lab, you will manually set up a wireless network connection in Windows 10. This will
make it easier to find your guest network in the list.
1. From the Aruba Training Labs control panel, open the Wireless Test Client.
2. Click the Network Icon in the tool tray, and open Network and Internet Settings.
TIP: If the browser connects to 10.254.1.21 and displays a Microsoft IIS splash page,
go back to “Change adapter settings” in Network and Sharing Center and check
to make sure that Lab NIC is disabled.
• How can you prevent guests from seeing this certificate error in your deployment?
7. Click the lower RADIUS request in the list to open the Request Details.
8. Answer the following questions:
Lab Debrief
During this lab, you configured a guest logon page, including modified vendor settings because the
Aruba Controller has a wildcard certificate installed. You also configured the captive portal profile in
the Aruba Controller to redirect pre-authenticated guest users to your web login page and built a
service to handle the authentication request from the Controller. Finally, you tested your captive portal
guest logon and viewed the troubleshooting information in Access Tracker.
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Click Service Templates & Wizards.
6. Scroll down the list, and click Guest Authentication with MAC Caching to open the service template.
The setting for Captive Portal Access: is the name of the pre-authenticated guest
access role configured in the guest AAA profile on the Controller. Likewise, Employee
Access, Guest Access, and Contractor Access would be the name of the appropriate
role assigned to the guest user on the Controller.
9. Navigate to the Enforcement Profiles submenu under the Configuration sidebar menu.
10. Select the [Update Endpoint Known] enforcement profile, using the filter feature to quickly find
the profile.
11. Answer the following questions:
• Based on what you see here, what do you think is the purpose of this enforcement profile
in the context of MAC caching?
• With the [Allow All MAC Auth] method, how will access to the guest network be controlled?
18. Click the Time Source authorization source, and select View Details.
You should have already enabled Insight under Administration > Server Manager
> Server Configuration during a previous lab. Therefore, your authorization check
of the Insight Repository in this service will work.
• Explain the difference between “account expired equals false” and “Now DT less than
Endpoint:MAC-Auth Expiry.”
Steps
1. On Wired MGMT Client, open a web browser, and access your Mobility Controller web interface
at: http://10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1.
3. Expand Configuration in the sidebar menu.
4. Select the Authentication submenu.
5. In the workspace, click AAA Profiles, and click the + to expand.
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Expand the Identity submenu.
6. Click Endpoints.
7. In the right side of the workspace, select Show 100 records.
You will now connect to your wireless client and authenticate into the guest network.
There should already be a wireless network profile configured for the guest SSID. If
it is not configured, reference Task Five of Lab 8A.
6. From the Aruba Training Labs control panel, open the Wireless Test Client.
7. Click the Network Icon. When you click the network icon in the virtual desktop, you should see
your guest SSID listed at the top.
8. Select your guest SSID and click Connect.
• What part of the service generated the policy server “failed to construct” error?
Now you will test the MAC cache option by disconnecting your wireless client and reconnecting
to the guest SSID. This second connection should not prompt the user for a captive
portal.
Lab 8b: Guest Authentication with MAC Caching
1. Open the browser screen to your Wireless Test Client desktop.
At this point, you should still see your guest user login. Take note of the username,
MAC address, and role. Also look at the authentication type; it should say “web.”
7. Run the command to delete the users: # aaa user delete all.
8. Open the browser to Wireless Test Client.
9. Connect to the guest SSID.
This time, you should see the guest user listed in the guest role with the same user
account and MAC address. The only difference is that the Authentication type will be
listed as MAC.
• Why is the username listed on the summary page the guest user account?
22. Click the Input tab, and expand the RADIUS Request shade.
• Can you explain why the username on the summary tab and the username on the input tab
are different?
Lab Debrief
During this lab, you modified the guest SSID AAA profile on the Controller to execute a MAC
authentication before running the captive portal web auth. This required that you build a new service to do
proper enforcement on the MAC authentication. This is one case where it is highly recommended to
use the service templates, as they create the two services with the proper checks and balances.
a conference would issue a guest account valid for 10 days but require that the guest actually
log in daily, the “Endpoint:MAC-Auth Expiry” could be set for 12 hours and the guest
account expire in 10 days, meaning that after 12 hours the endpoint would not get the
[MAC Caching] role, thus forcing the user to log back in.
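The two authorization checks the debrief question asks about (“account expired equals false” and “Now DT less than Endpoint:MAC-Auth Expiry”), walked through the conference scenario above as an added example (not ClearPass code). The account, endpoint, MAC address and times are constructed, and cache_endpoint_after_web_login is an assumed stand-in for the post-login enforcement that marks the endpoint known and stamps its MAC-Auth Expiry.

```python
"""Model of the two expiry checks in the lab's MAC-caching service
(added example, not ClearPass code). All values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class GuestAccount:
    username: str
    expire_time: datetime  # absolute expiry of the guest account itself


@dataclass
class Endpoint:
    mac: str
    username: Optional[str] = None              # guest the MAC was cached for
    mac_auth_expiry: Optional[datetime] = None  # Endpoint:MAC-Auth Expiry


def account_expired(account: GuestAccount, now: datetime) -> bool:
    """The 'account expired' attribute: true once the account's own expiry has passed."""
    return now >= account.expire_time


def mac_auth_expiry_valid(endpoint: Endpoint, now: datetime) -> bool:
    """'Now DT less than Endpoint:MAC-Auth Expiry': the per-endpoint cache window."""
    return endpoint.mac_auth_expiry is not None and now < endpoint.mac_auth_expiry


def cache_endpoint_after_web_login(endpoint: Endpoint, account: GuestAccount,
                                   now: datetime, cache_for: timedelta) -> None:
    """Assumed model of the post-login enforcement: mark the endpoint known for
    this guest and stamp a fresh MAC-Auth Expiry 'cache_for' from now."""
    endpoint.username = account.username
    endpoint.mac_auth_expiry = now + cache_for


def mac_auth_role(endpoint: Endpoint, account: Optional[GuestAccount],
                  now: datetime) -> Optional[str]:
    """Role a MAC-auth request from this endpoint gets: '[MAC Caching]' only when
    BOTH checks pass. None means no cached access, so the captive portal is shown."""
    if account is None or account.username != endpoint.username:
        return None
    if account_expired(account, now):
        return None  # account check fails even if the endpoint cache is still fresh
    if not mac_auth_expiry_valid(endpoint, now):
        return None  # endpoint cache window elapsed: the user must log in again
    return "[MAC Caching]"


def conference_scenario() -> Dict[str, Optional[str]]:
    """The guide's example: 10-day account, 12-hour MAC-Auth Expiry (constructed times)."""
    t0 = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)  # first captive-portal login
    account = GuestAccount("conf-guest", expire_time=t0 + timedelta(days=10))
    endpoint = Endpoint(mac="00-11-22-33-44-55")  # constructed MAC address
    twelve_hours = timedelta(hours=12)
    results: Dict[str, Optional[str]] = {}

    cache_endpoint_after_web_login(endpoint, account, t0, twelve_hours)
    results["1h later"] = mac_auth_role(endpoint, account, t0 + timedelta(hours=1))
    results["13h later"] = mac_auth_role(endpoint, account, t0 + timedelta(hours=13))

    # At 13h the user is sent back through the portal; logging in re-stamps the window.
    cache_endpoint_after_web_login(endpoint, account, t0 + timedelta(hours=13), twelve_hours)
    results["20h later"] = mac_auth_role(endpoint, account, t0 + timedelta(hours=20))

    # One hour before day 10 the user logs in again, but the account itself then expires:
    # a fresh endpoint window does not help once the account check fails.
    cache_endpoint_after_web_login(endpoint, account,
                                   t0 + timedelta(days=10, hours=-1), twelve_hours)
    results["day 10 + 1h"] = mac_auth_role(endpoint, account, t0 + timedelta(days=10, hours=1))
    return results


if __name__ == "__main__":
    for when, role in conference_scenario().items():
        print(f"{when:>12}: {role or 'no [MAC Caching] role, captive portal login required'}")
```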
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. Open a web browser to the IP address of ClearPass1 to open the launch page.
3. On the launch page, select the button for ClearPass Guest.
11. Under the option for skin choose the Galleria Skin.
If the Galleria Skin has been slowing your system down during testing, select the
Aruba ClearPass Skin instead.
The NAS Vendor Settings tell the browser how to post the user’s credentials to the Network
Access Device.
You will need to modify the email confirmation template in a production environment
to ensure that the link the email sends to the sponsor has the proper FQDN for the
ClearPass server. Consider public DNS records and forwarding rules if the sponsor
can be located outside the company.
19. Leave the rest of the form as defaults, and Save Changes.
5. Scroll down the Editor page, and find the edit box for Notes.
6. Look through the HTML code in the edit box for 'guest_register_confirm.php,' and replace it with
'https://TT-CPPM1.aruba-training.com/guest/guest_register_confirm.php'
(for example, https://T14-CPPM1.aruba-training.com/guest/guest_register_confirm.php).
The link 'guest_register_confirm.php' is listed three times in the edit box. You can use
cut and paste on Wired MGMT Client to help you make these edits.
2. Add the following text before the closing paragraph tag </p>:
5. In the Customize Form Fields Editor, select sponsor_email, and click Enable Field to enable it.
The settings will put the sponsor email field on the form. It will be visible to the user,
but they will not be able to make any changes.
14. Scroll to the bottom of the forms editor, and click Back to Self-Registration Editor. You have
completed the configuration of your self-registration portal.
Steps
1. On Wired MGMT Client, open a web browser, and access your Mobility Controller web interface
at: http://10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1.
3. Navigate to Configuration > Authentication in the sidebar menu.
4. Select L3 Authentication.
5. Click the + next to Captive Portal Authentication to expand.
6. Click Guest#-X-cp_prof to edit.
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Expand the Identity submenu.
6. Then, click Endpoints.
7. In the right side of the workspace, select Show 100 records.
You will now connect to Wireless Test Client and authenticate into the guest
network. There should already be a wireless network profile configured for the
guest SSID. If it is not configured, reference Task Five of Lab 9A.
6. From the Aruba Training Labs control panel, open the Wireless Test Client.
7. Click the Network Icon. You should see your guest SSID listed at the top.
8. Select your guest SSID, and click Connect.
15. Leave the browser page up on the client and return to your browser for the Wired MGMT Client.
16. Log into your Policy Manager.
17. Navigate to Configuration in the sidebar menu, and expand Identity.
18. Click Endpoints.
19. Answer the following questions:
23. In the sidebar of the email interface, expand Mail. You should see the access request from your
guest user.
24. Open the email “Wireless access request from:…”
25. Click the link in the email to confirm the request.
26. The sponsor confirmation page should come up. If it asks you to authenticate, log in with your
admin account.
Task 9-3: Testing Self-Registration
27. Click the Confirm link.
28. You will be redirected to a confirmation receipt page; you can just close this browser tab.
29. Return to your Wireless Test Client. Your guest registration receipt browser page should still be
up.
30. Answer the following questions:
n What is your account status now?
33. Return to your browser for the Wired MGMT Client desktop.
34. Log into your Policy Manager.
35. Navigate to Access Tracker.
36. Find your new guest registration user’s login, and open the request details.
37. Investigate the three tabs in the request details: Summary, Input, and Output.
As you investigate the Access Tracker entries for your guest self-registration, you
will notice the same attributes and characteristics that you saw on the guest
logon page in Lab 9. This is because the exact same services processed the request.
If you disconnect and reconnect your wireless client, you would see the same MAC
caching result as you did in the previous lab.
Lab Debrief
During this lab, you set up a self-registration portal, and then modified a few characteristics of the
registration form. You added a captcha to the form and a sponsor email. The simplest way to deploy a
self-registration portal is to have the user encounter the registration page instead of a login page when
they connect to the pre-authenticated guest SSID.
In this scenario, the enforcement will be very simple. If the user passes authentication, then it will
assign VLAN X.
Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Service Templates & Wizards.
5. Select the Service Template for 802.1X Wired.
7. Click Next.
8. On the Authentication tab, for the Select Authentication Source: pull down, select Remote
Lab AD.
To find your AOS-S Switch IP address, check the diagram on the Remote Lab - Dashboard.
To make reading the Enforcement Policy easier later, rename each profile to indicate
what it does.
6. Click Save.
2. Click Copy.
3. Click the new enforcement profile to edit (Copy_of_Lab 10 802.1X…).
4. Click the Profile tab, and change the name to: Lab 10 802.1X Wired assign VLAN X2 (where X
= table #).
8. Click Save.
9. Move the new rule to the top.
Steps
1. On the Aruba Training Lab dashboard, open a console window to your AOS-S Switch.
6. Click the network icon in the upper right corner of the desktop, and select Network & Internet
Settings.
8. Click the Input tab, and expand the RADIUS Request shade.
9. Answer the following questions:
• What is the connection type?
Lab Debrief
During this lab, you configured a wired 802.1X authentication service with simple enforcement, using
the Wired 802.1X Service Template, and you had to make some minor adjustments to the service to
make it exactly what you needed. The lab asked you to rename the enforcement profiles created by the
service template. This is a good general practice as it makes troubleshooting your service much easier
later on. The wizard tends to create generically named enforcement profiles that do not indicate what
they do. You also configured basic 802.1X authentication settings on the ArubaOS 2930F switch.
In this scenario, the enforcement will be very simple. If the user passes authentication, then it will
assign VLAN X.
Lab 10b: Wired Authentication With AOS-CX Switch (Optional Lab)
Task 10b-1: Configure the Service for Wired Authentication
Objectives
• To create an 802.1X service for wired authentication. In the new service, you will need to
configure different service selection rules from those in the wireless service to differentiate between
wired and wireless authentications.
Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Service Templates & Wizards.
5. Select the Service Template for 802.1X Wired.
7. Click Next.
8. On the Authentication tab, for the Select Authentication Source: pull down, select Remote
Lab AD.
To find your AOS-CX Switch IP address, check the diagram on the Remote Lab - Dashboard.
To make reading the Enforcement Policy easier later, rename each profile to indicate
what it does.
6. Click Save.
7. Follow the above steps and modify the name on the Wired Default Profile to: Lab 10 802.1X
Wired assign VLAN X0 (where X = table #).
In the scenario when a client logs in with credentials from Active Directory, they are
assigned to VLAN X1, and if they log in with an account in the Local Users’ Database,
they will be assigned to VLAN X2.
2. Click Copy.
3. Click the new enforcement profile to edit (Copy_of_Lab 10 802.1X…).
4. Click the Profile tab, and change the name to: Lab 10 802.1X Wired assign VLAN X8 (where X
= table #).
8. Click Save.
9. Move the new rule to the top.
Steps
1. From the Aruba Training Lab dashboard, connect to the Wireless Test Client desktop.
2. Click the start button, and type “services.”
Task 10b-3: Test the Wired Authentication Port
4. Search through the list of services for Wired AutoConfig.
5. Start the Wired AutoConfig service.
6. Click the network icon in the upper right corner of the desktop, and select Network & Internet
Settings.
16. Click the Input tab, and expand the RADIUS Request shade.
17. Answer the following questions:
Steps
Create an administrator account on ClearPass for the Aruba Controller
1. From the Remote Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Administration > Users and Privileges > Admin Users in the sidebar.
5. To add a user click Add in the upper right corner of the workspace.
Task 11-1: Configure the Aruba Controller for Downloadable Roles
6. Scroll down and check the option for CPPM credentials:
7. Fill in the CPPM username: and CPPM password: fields:
a. ArubaDUR / Aruba123
8. Click Submit.
9. In the upper right corner of the screen, click Pending Changes, and then click Deploy Changes
in the pop-up window.
4. Click Submit.
5. In the upper right corner of the screen, click Pending Changes, and then click Deploy Changes
in the pop-up window.
Steps
1. From the Remote Lab dashboard, connect to Wired MGMT Client.
6. In the filter for the enforcement profile window configure: Name contains dur.
Steps
1. From the Remote Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Services.
5. Click the service: Aruba 802.1X Secure Wireless to edit.
10. In the Profile Names: menu add [RADIUS] Aruba Controller DUR profile only.
11. Remove: [RADIUS] assign profile only role.
12. Click Save.
21. Select the 4th rule in the list and click Edit Rule (actions = assign temp access role).
22. In the Profile Names: menu add [RADIUS] Aruba Controller DUR temporary access.
23. Remove: [RADIUS] assign temp access role.
24. Click Save.
Steps
1. From the Remote Lab dashboard, connect to Wireless Test Client.
2. Click the network Icon in the upper right corner of the desktop and make sure that the Wireless
Test Client desktop is not connected to any wireless networks.
Lab Debrief
During this lab, you configured Aruba Controller Downloadable User Roles. The Controller had some
basic configuration settings, and ClearPass needed a valid HTTPS certificate installed to secure the
communications. The certificate root/trust is the most important part: the Controller cannot trust the
built-in ClearPass HTTPS certificate.
Building the Downloadable Role Enforcement Profiles with the GUI involves creating all of the
individual elements, such as NetDestinations, NetServices and ACLs, and then assembling them.
Steps
1. On the Aruba Training Lab dashboard, open a console window to your AOS-S Switch.
2. Press [enter] a couple times to activate the console.
Look at the current RADIUS authentication settings on the switch.
3. Run the #show authentication command.
4. Notice Port-Access | EapRadius is set to CLEARPASS.
Task 12-1: Configure the AOS-S Switch for Tunneled Node
5. Exit the output.
6. To look at the RADIUS Server settings, run the #show radius authentication command.
7. Notice the Server IP (configured previously).
12. Enable tunneled node, role-based:
(config)# tunneled-node-server
(..server)# controller-ip {IP address of your controller}
(..server)# mode role-based
(..server)# enable
(..server)# exit
# config t
(config)# timesync ntp
(config)# ntp unicast
(config)# ntp server 10.254.1.21 iburst
(config)# time timezone -5
(config)# ntp enable
ClearPass displays the time in UTC. Previously you set the time zone for Eastern US
which is UTC -5. You can look at the time on your ClearPass server and subtract 5
hours for the correct time to set on the switch.
Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
1. Open a browser to the IP address of your ClearPass1 server.
Lab 12: Dynamic Segmentation
Add the Downloadable User Role for the switch that will execute the Per-User tunnel.
This role is very simple in that it just executes the tunnel to the tunneled node controller and specifies
the secondary role on the Controller that controls the client’s data.
1. Click Add to configure a new Enforcement Profile.
2. Configure the Following:
• Template: Aruba Downloadable Role Enforcement
• Name: AOS-S Switch DUR Dynamic
• Product: ArubaOS-Switch
3. Click Next.
4. Delete the attribute line for Aruba-User-Role.
5. Under the Type: column, click “Click to add…”.
6. From the drop-down select: Radius:Hewlett-Packard-Enterprise.
7. Under the Name: select: HPE-User-Role (25).
8. Type the Value: tun-temp-user.
9. Click Save.
7. Remove the profile “[RADIUS] Lab 10 802.1X Wired assign VLAN 141”.
8. Add the Profile Name: [RADIUS] AOS-S Switch DUR Dynamic.
9. Click Save.
Steps
1. From the Aruba Training Lab dashboard, connect to the Wireless Test Client desktop.
1. Click the start button, and type “services.”
2. Open the Services app.
3. Scan through the list of services and find Wired AutoConfig.
4. Start the service if it is not already running.
28. Click the Output tab, and expand the RADIUS Response shade.
• What VSA was used in the response?
17. Click the Output tab, and expand the RADIUS Response shade.
Steps
1. From the Aruba Training Lab dashboard, connect to Wireless Test Client.
2. Disable the Lab NIC and enable the Wi-Fi connection.
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager.
4. Navigate to Configuration > Posture, and select Posture Policies.
5. Click Add to add a new posture policy.
When you click the configure button, the plugin configuration popup window will
appear. For the purposes of this lab, you will check for any firewall application running
on the Windows 10 operating systems.
20. Click the Next button to go the Summary tab, and review the posture policy configuration.
By selecting the two rules, “Passes all SHV checks” and “Fails one or more SHV
checks,” you have configured a Go/No-Go test. If the system passes all checks, then you know
nothing is out of spec. However, if it fails any SHV condition, it will trigger the Quarantined
token.
Steps
1. Expand Configuration > Enforcement in the sidebar menu.
2. Click Profiles.
3. Click Add to create a new Enforcement Profile.
4. In the Add New Enforcement Profile screen:
a. Select the template “Agent Enforcement.”
b. Add the following information:
i. Enforcement Profile name: Agent Unhealthy Profile
ii. Description: “Use when posture is Quarantined”
6. Click Next to go to the Summary tab and verify the configuration added so far.
Steps
1. Expand Configuration > Enforcement.
2. Click Policies.
3. Click Add, to create a new enforcement policy.
4. Add the following details in the enforcement policy’s Enforcement tab:
a. Name: Employee Health Enforcement
b. Description: <any description>
c. Enforcement Type: WEBAUTH
d. Default Profile: [RADIUS_DynAuthZ][ArubaOS Wireless - Terminate Session]
7. In the Rules tab conditions, click the Add Rule button to add a rule.
8. Enter the following conditions:
a. Type = “Tips”
b. Name = “Posture”
c. Operator = “EQUALS”
d. Value = “HEALTHY”
e. Enforcement Profiles: [Agent] Agent Healthy Profile
The enforcement policy is now ready to be applied to a service. In the next task, you
will create a health check where the posture policy and enforcement policy that you
created will be used.
3. Click Web-based Health Check Only template. A service creation wizard will launch.
5. Click the Posture tab. Here you will select the Posture Policy that will be applied.
6. From the Posture Policies section drop-down menu, select the Employee Posture Policy.
There is no need to reorder the health check service to the top since the service rules
are so unique that no other service you created before will match.
Steps
1. In the Policy Manager, navigate to Administration > Agents and Software Updates in the sidebar menu.
2. Click OnGuard Settings.
3. On the Settings tab, Under Agent Customization, configure the following options:
a. In Managed Interfaces: only check Wireless – uncheck the Wired and VPN Interfaces.
b. Select Mode as Check Health – No Authentication.
c. Keep all the other settings as default.
d. Click Save.
In the next steps, you will install the OnGuard agent on Wireless Test Client. The easiest
way to do this is to connect to your wireless network, open a browser, and log in
to ClearPass as an administrator. Then you will navigate to the Agents & Software
Updates page and install from there.
4. From the Aruba Training Lab dashboard, log into your Wireless Test Client remote desktop.
5. Connect to your wireless SSID secure{pod #}-{table #} (e.g., secure5-1) with the credentials
contractUser / aruba.
16. At the “SmartScreen cannot be reached right now” pop-up, click Run.
17. Follow the onscreen instructions to install the OnGuard agent.
Steps
1. On your Wireless Test Client, expand the taskbar menu, and right-click the OnGuard icon.
You should see the agent go active as soon as it recognizes the wireless network has
connected, and you will see it gather information. This happens quickly, so you may
miss it.
If your agent comes up as Unhealthy, check to see if the firewall is disabled. You may
want to go in and enable it to get the agent to list as healthy.
11. When the test has finished, scroll back through the output window and review the test results.
12. On the Wired MGMT Client, open the browser to ClearPass1, and log into the Policy Manager.
13. Expand Configuration > Identity in the sidebar menu.
The easiest way to find your wireless client in the list is to sort the endpoints list by
Device Category or Device OS Family. Your wireless client should be the only Windows
computer.
If your endpoint does not have a Policy Cache tab, it may have timed out and been
removed. Close the endpoint window and return to your wireless client, and run the
agent again by clicking the Retry button.
24. Click the Input tab in the Request Details popup, and expand the Posture Request section.
26. Navigate to the Output tab, and expand the Posture Response and Application Response sections.
27. Answer the following questions:
n What is the Firewall Health Status?
32. Wait a few seconds; the OnGuard agent will send the updated posture status to the ClearPass
server.
37. Return to your Wireless Test Client desktop, and turn the firewall back on.
You have completed Lab 13!
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager.
4. Navigate to Configuration > Enforcement > Policies in the sidebar menu.
5. Click the checkbox next to aruba wireless enforcement policy.
6. Click Copy to create a copy of the policy.
12. Click the Save icon at the end of the row to commit the rule.
13. Click Save to close the Rules Editor.
Adding the posture evaluation to the rule means that the employee connecting on a
computer must also pass a health check to get the employee full access role.
You will now add a new rule to account for the employee endpoint with a Quarantined token assigned.
Adding this rule means that the employee, who is connected on a computer and has
failed the health check, will get the temp access role.
Now consider the employee that has just connected to the network. OnGuard is a layer 3 application, so
you must build enforcement that gives the client limited access before its posture is known, enough
for the agent to communicate with ClearPass.
For this lab, you will place the client that is in the unknown posture state in the Profile_
Only role, which has been configured to allow HTTPS traffic to ClearPass. Doing so
gives the OnGuard agent access to ClearPass so that it can submit a system health
validation.
3. Click the new (tips: posture equals unknown) rule, and use the Move Up button to place the
rule at the top of the list.
4. Your Enforcement Policy should now look like this:
Steps
1. Navigate to Configuration > Services.
2. Click your “Aruba 802.1X Secure Wireless” service to edit.
Steps
1. Navigate to Configuration > Services, and select the Health Check Service.
Adding [RADIUS-DynAuthZ] [ArubaOS Wireless – Terminate Session] to the rule's actions
makes ClearPass instruct the Aruba Controller to disconnect the client, forcing it to
re-authenticate, any time the posture token for the endpoint changes. This allows you to
take action against non-compliant clients as soon as their status changes.
12. Click Save again. You will be redirected back to the Health Check Service.
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Expand the Identity submenu.
6. Then, click Endpoints.
7. Sort the list of endpoints by Device OS Family descending.
The goal is to clear out any previously assigned roles and posture settings while not
removing the profiled status of the client. If you were to delete it, the endpoint would
have to go through a profile cycle in order to connect. This makes the lab a little
more streamlined.
# aaa user delete all (skip this command if no users are connected)
TIP: If you do not see a healthy status, then check the condition of your Windows firewall,
and enable it if needed. Then, use the "Retry" button to send a new SHV.
7. Click OK to save the settings; however, be sure to leave the Windows Defender Firewall window open.
8. Bring the ClearPass OnGuard Agent to the front.
9. If the client has disconnected, log back into the secure SSID with the employee account
(employee / aruba).
TIP: If you do not see both of the requests, then return to your wireless client, and
check to see if the client has disconnected. There are times in the lab environment
that the clients will not automatically reconnect after a Dynamic Authorization due to
interference.
n What health status or posture token would you expect to see on the previous RADIUS
employee request?
n What health status or posture token would you expect to see on the second RADIUS
employee request?
Lab Debrief
During this lab, you configured an enforcement policy to evaluate the status of the posture token. You
also needed to modify the health check service in order to execute the Aruba terminate session, which
disconnects the client and forces it to log in again.
Steps
1. Log in to your Aruba Training Lab and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager.
4. In the upper right corner, pull down the menu, and select Onboard.
When authenticating the BYOD user after they have completed onboarding, you will need to use the
[EAP TLS With OCSP Enabled] authentication method. As shipped, that method points its OCSP URL at
the default certificate authority, which will cause authentication to fail.
The Onboard Service Template uses the default [EAP TLS With OCSP Enabled]
method as its authentication method in the RADIUS service for EAP-TLS. However,
the default OCSP URL points to Root CA 1. The method also requires OCSP verification
and is configured to override the OCSP URL that the client sends embedded in its
certificate (the Authority Information Access extension). There are two ways to fix
this: first, you could edit the OCSP URL in the method to the correct URL. Second,
because you have configured the correct URL in the certificate authority, you can
uncheck "Override OCSP URL from Client," and ClearPass will then use the URL embedded
in the certificate.
Steps
1. Use the menu option in the upper right corner to navigate back to Onboard.
2. Under the Onboard sidebar menu, click to expand Configuration.
3. Click Network Settings in the sidebar.
In this lab, you only need to configure the Windows section. This ensures that Windows
devices are provisioned to use EAP-TLS authentication after onboarding. ClearPass pushes
a certificate to the device to use as its credential. This is the default setting.
8. Click Next.
9. Make sure the Certificate Store settings under Windows Authentication are set as “Machine and
User.”
Steps
1. Navigate to Onboard > Deployment and Provisioning > Configuration Profiles.
2. To create a new configuration profile, click the link in the upper right corner "Create new configuration profile."
3. Name the profile “Employee Secure Wireless.”
370 Task 15-3: Configure Onboard Configuration Profile & Provisioning Settings
4. Scroll down the list, and find the Networks section.
5. Click the checkbox next to your Employee Secure network profile.
Both the name and the organization will be embedded into the certificate that is provisioned
to the client.
10. Scroll down the list to the Identity section.
11. Select the following settings:
a. Certificate Authority: My Lab, CA
b. Signer: Onboard Certificate Authority
c. TLS Certificate Authority: My Lab, CA
d. Key Type: 1024 – bit RSA – created by device
Note that 1024-bit RSA is used here only to keep lab provisioning fast; it is below the
current minimum for production use, where you should select at least 2048-bit RSA.
The Certificate Authority is used to provide security for the Onboard portal as it
negotiates profiles with the client. The TLS Certificate Authority actually issues the
TLS client certificate used as the device's credential.
14. Scroll back to the top and select the Web Login tab.
On the web login tab, take notice of the Page Name. The page name becomes part of
the URL for the Onboard portal. The URL for this Onboarding page will be:
https://TT-cppm1.aruba-training.com/guest/device_provisioning_2.php.
Steps
1. Connect your browser to the Policy Manager, and log in.
2. Navigate to Configuration > Service Templates & Wizards.
3. Scroll to the bottom of the list, and select the Onboard template.
8. Click Add Service. You should see a message box like the one shown in the screenshot below.
The role assignments in this authorization service are all about identifying the device
type. Using the roles assigned, you can modify the enforcement to allow or deny
given types of devices. In this lab, you will not modify the roles or enforcement on
this service.
The Onboard Pre-Auth service is a service that processes the user’s authentication
into the Onboard portal. You will modify enforcement on this service to govern which
users may or may not provision their devices. In this lab you will allow all to Onboard,
so you will not be modifying the enforcement on this service.
3. Click Save.
4. In the services list, locate the Aruba 802.1X Wireless Service.
5. Click the checkmark under status to turn it into a stop sign to disable the service.
This is the role that ClearPass will assign when the user first connects to the secure
SSID using EAP-PEAP.
This is the role that will be assigned after the user completes Onboarding, and
authenticates using EAP-TLS. For the lab, you will leave it as the authenticated role.
In a production environment, you will want to build a proper role, and then change
the value in the enforcement profile to match that new role.
The user roles assigned by these two enforcement profiles are the built-in authenticated
and BYOB-Provision role that are the default on the Controller. For this lab, you will con-
tinue to use those, but in a production environment, you will have to make sure that the
roles assigned sync up with what is created on the Controller for your specific environment.
Steps
1. From the Wired MGMT Client desktop, open the browser to your Aruba Controller's IP address:
10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1.
3. Navigate to Configuration > Authentication.
4. Click L3 Authentication in the workspace.
5. Expand Captive Portal Authentication.
6. Click onboard.
Steps
Uninstall the OnGuard Agent
1. On your Wireless Test Client, expand the taskbar menu.
2. Click the Windows start button and select the Settings icon.
8. You will be prompted by two or three security warning screens asking for permission to install a
certificate; answer Yes to each.
TIP: The successful one with the oldest timestamp in this group for the service
should be “Employee Wireless Onboard Provisioning.”
Task 6
n What is the username?
l The username is “contractUser.”
n Where did this username come from?
l The username is one of the attributes in the TLS certificate.
n What is the authentication method?
l EAP-TLS, indicating that this is a certificate authentication.
n What is the authentication source?
l The local user repository / local: localhost.
n Why is this authentication source used?
l Once the service reads the TLS certificate presented by the client and finds the username,
it attempts to authorize that username against the authentication sources configured in
the service. This means that if you were to disable the user account, the authentication
would fail even though the certificate itself was still valid.
n What source issued this certificate?
l This certificate was issued by the ClearPass Onboard Local Certificate Authority.
n What is the key usage of this certificate?
l This certificate is a TLS Web Client Authentication certificate.
n What is the Onboard username of this certificate?
this service does is say yes or no to the question: “Is the client allowed to Onboard?”
Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wireless Test Client.
2. On your Wireless Test Client, expand the taskbar menu.
3. Disconnect and reconnect your wireless client to the secure SSID.
All you should need to do is select the secure SSID from the list and pick connect. It
should not prompt you to log in.
4. From the Aruba Training Lab, open the Wired MGMT Client desktop.
5. Log in to the Policy Manager.
6. Navigate to Access Tracker.
7. Find your latest “contractUser” authentication request and open it to view request details.
8. Check the request, and make sure that the authentication method is EAP – TLS, and authen-
tication source is local: localhost.
The goal is to make it appear like the account has been deleted without actually deleting
the account. This will allow you to use the account later in the lab.
Steps
Disable OCSP on the Secure Wireless RADIUS Service
1. Return to Wired MGMT Client.
2. Log into the Policy Manager.
3. Navigate to Configuration > Services.
4. Click to open the Employee Wireless Onboard Provisioning RADIUS service.
The [EAP TLS] authentication method only checks that the certificate chains to a trusted CA
and is within its validity period; it performs no certificate revocation check. As long as
the certificate has not expired, the certificate authentication will pass regardless of its
revocation status.
Now you are ready to test your revocation with OCSP. Previously, you could authenticate
into the secure network using the TLS certificate that had been revoked. All you need
to do now is disconnect from the secure wireless network and attempt to reconnect to
the same SSID. If your OCSP is set up correctly, your authentication will fail.
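The two behaviours described above, the [EAP TLS] method accepting a revoked certificate because it only checks the chain and validity window, and [EAP TLS With OCSP Enabled] rejecting it, together with the "Override OCSP URL from Client" choice from the earlier OCSP note, as an added example that is not part of this lab guide or of ClearPass. It builds its own CA, client certificate and CA-signed OCSP response locally with the `cryptography` library; the CA name, the two OCSP URLs and the username are assumptions.

```python
"""Added example: validity-only vs OCSP-aware EAP-TLS acceptance, and the
override-URL choice.  CA, client cert, responder and URLs are all constructed."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

EMBEDDED_OCSP_URL = "http://onboard.lab.example/ocsp"    # assumed AIA value in the cert
CONFIGURED_OCSP_URL = "http://rootca1.lab.example/ocsp"  # assumed URL set in the method
UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey):
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365)))


def make_ca(cn="My Lab CA"):
    """Constructed self-signed CA standing in for the Onboard CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), _name(cn), key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, username):
    """TLS client-auth certificate with the OCSP URL embedded in its AIA extension."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(EMBEDDED_OCSP_URL))])
    return (_builder(_name(username), ca_cert.subject, key.public_key())
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .add_extension(aia, critical=False)
            .sign(ca_key, hashes.SHA256()))


def embedded_ocsp_url(cert):
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return next(d.access_location.value for d in aia
                if d.access_method == AuthorityInformationAccessOID.OCSP)


def responder_url(cert, override_from_client):
    """Override on: the method's configured URL.  Override off: the URL in the cert."""
    return CONFIGURED_OCSP_URL if override_from_client else embedded_ocsp_url(cert)


def _validity(cert):
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # cryptography < 42 exposes naive datetimes only
        return (cert.not_valid_before.replace(tzinfo=UTC),
                cert.not_valid_after.replace(tzinfo=UTC))


def chain_and_dates_ok(cert, ca_cert):
    """What plain [EAP TLS] verifies: trusted signature plus validity window, nothing more."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    not_before, not_after = _validity(cert)
    return not_before <= datetime.datetime.now(UTC) <= not_after


def ocsp_respond(ca_key, ca_cert, cert, revoked_serials):
    """Constructed responder: a CA-signed OCSP response for one certificate."""
    now = datetime.datetime.now(UTC)
    revoked = cert.serial_number in revoked_serials
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + datetime.timedelta(hours=1),
        revocation_time=now if revoked else None,
        revocation_reason=x509.ReasonFlags.cessation_of_operation if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def eap_tls_with_ocsp(cert, ca_cert, response_der):
    """[EAP TLS With OCSP Enabled]: chain and dates AND a CA-signed GOOD status."""
    if not chain_and_dates_ok(cert, ca_cert):
        return False
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                padding.PKCS1v15(), resp.signature_hash_algorithm)
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD


def demo():
    ca_key, ca_cert = make_ca()
    cert = issue_client_cert(ca_key, ca_cert, "contractUser")
    revoked = {cert.serial_number}  # the Onboard "Manage Access -> revoke" action
    response = ocsp_respond(ca_key, ca_cert, cert, revoked)
    return {"eap_tls_only": chain_and_dates_ok(cert, ca_cert),          # True
            "eap_tls_ocsp": eap_tls_with_ocsp(cert, ca_cert, response),  # False
            "url_override_on": responder_url(cert, True),
            "url_override_off": responder_url(cert, False)}


if __name__ == "__main__":
    print(demo())
```

The unexpired, revoked certificate passes `chain_and_dates_ok` and fails `eap_tls_with_ocsp`, which is exactly the difference between the two ClearPass methods. Note also that the OCSP response is only trusted because its signature verifies under the CA key: a real deployment must pin the responder (or its delegated signer) the same way, otherwise an attacker on the path could forge a GOOD answer.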
Steps
Deny the contractUser in Onboard
1. From your Wired MGMT Client desktop, connect to Onboard, and log in.
2. Navigate to Onboard > Management and Control.
3. Select View by Username.
4. Expand the menu for contractUser, and select Manage Access.
12. Select Change Connection Settings in the successfully added message window.
6. This will download the QuickConnect application, and you will see an option at the bottom asking
what you want to do with it, click Run.
8. When you get the error message, if you move the installer window to the side you will see an
error message saying you cannot continue because your user access has been revoked.
9. Close the Onboard Wizard.
10. Switch to your Wired MGMT Client desktop, connect to Onboard, and log in.
14. In the Manage Access pull-down, select "Allow access to this user."
15. Click the Set Access button to finish.
Lab Debrief
In this lab, you worked with some of the tools for controlling access for Onboard and BYOD
clients. You also got a firsthand look at why the certificate revocation and OCSP settings are so
important. One of the big advantages of Onboard is that it gives each device a one-to-one
relationship with its own credential while still retaining the user identity of the owner. If you
do not have revocation set up properly, you lose this advantage: a certificate you have revoked
will keep authenticating until it expires.
Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Connect to ClearPass1 with Google Chrome.
3. Log into the Policy Manager as admin.
4. Click the Lock Icon in the address bar of your browser.
5. Click Connection is secure.
9. Close all the info windows, but do not close your browser.
10. In the Policy Manager, navigate to Administration > Certificates.
11. Click Certificate Store in the sidebar menu.
14. Click the option on the top listing for View Details. (the Server Certificate)
Steps
1. On the Wired MGMT Client desktop, connect to ClearPass1, and log in as admin.
2. On the dashboard sidebar menu, find the License Usage widget, and drag it to the dashboard.
Steps
RADIUS Debug Logs
1. On the Wired MGMT Client desktop, connect to ClearPass1 Policy Manager, and log in as the
admin.
2. Navigate to Administration > Server Manager > Log Configuration.
8. Look through the request log details pop-up window, and take note of the entries logged as
debug.
9. Spend some time looking through these logs to familiarize yourself with RADIUS debugging on
ClearPass.
10. Close the Popup Window.
11. Close the Request Details Window.
12. Select Backup files, and you will see the test_backup you just ran.
13. Select System Log, and you will see the test_logs you just collected.
14. Select Automated backup files, and you will see the automatic backups that ClearPass has been
running. Note: The backups run at 1:00 a.m.
Lab Debrief
During this lab, you spent time exploring the certificate stores in ClearPass Policy Manager. You also
looked at licensing, configured debug logging, and collected server logs. Finally, you ran a backup and
saw how you can copy those off of the system from the web UI.
Steps
Configure ClearPass1 as the Publisher
Reset the appadmin Password on the Publisher (ClearPass1)
1. Log into the Aruba Training Lab.
2. Connect to the Wired MGMT Client. Desktop.
3. Open a browser to your ClearPass1 server.
4. Log into the Policy Manager.
5. Expand the Administration sidebar menu.
6. Expand Server Manager.
7. Click Server Configuration.
8. Click the link in the upper right corner for Change Cluster Password.
The HTTPS Server Certificate was configured for ClearPass Server 1 in Lab 2, Configuring
Authentication Sources. Check the HTTPS Certificate status as displayed below and, if the
certificate is not installed properly, follow the steps shown in the next section for
ClearPass 2 to install it.
Steps
1. Log back into ClearPass2, which is now your subscriber.
2. Take notice of the dashboard on the subscriber. You should see a notice at the top of the page
telling you that you are logged into the subscriber and have limited access. You should see in the
cluster status on the dashboard both the publisher and subscriber.
4. Attempt to edit one of the services. For example, add an authorization source. When you click
save you will get an error, informing you that you cannot edit on the subscriber.
TIP: If the cluster status widget is not on the dashboard, then you can drag it in from
the sidebar menu.
In your labs, you should not have any errors, but if you do, this is where you would
come to look for indicators to explain why.
13. In the Select Server/Domain pull-down, select default (2 servers).
The Access Tracker view editor allows you to select any individual ClearPass server
in your cluster or the default view of all servers in your cluster. You also have the
option in this Edit window to modify the columns displayed in the main Access
Tracker window. Note that the information in Access Tracker is part of the Local
Logs Database which is not consolidated onto the Publisher but remains local to each
ClearPass Node.
Steps
1. On your Wired MGMT Client, open a browser tab to the subscriber (ClearPass2).
2. Log into the Policy Manager.
3. Navigate to Administration > Server Manager > Server Configuration.
4. Click the subscriber (ClearPass2) to open the server configuration editor.
5. In the upper right corner of the screen, click the link Promote to Publisher.
7. Wait for the Promote Process to finish, and then close the window.
11. Now configure ClearPass1 (the current subscriber) as the Standby Publisher.
12. On ClearPass2, navigate to Administration > Server Manager > Server Configuration.
13. Click Cluster-Wide Parameters in the upper right corner.
14. In the Cluster-Wide Parameters editor, click the Standby Publisher tab.
15. Enter the following configuration:
3. Click Save.
6. Take note of the configuration along with which node is tagged as serving the VIP.
7. Click Close.
For the remainder of the labs, you will only be performing 802.1X authentications, so you
will not modify any of the captive portal addresses. In a real-world scenario, you may have
to modify those as well.
1. In the browser on Wired MGMT Client, open a new tab, and navigate to the IP address of your
Aruba Controller {10.1.X0.100 (where X is your table number)}.
2. Log in with admin / admin1.
3. Navigate to Configuration > Authentication in the sidebar menu.
4. Select the Auth Servers tab.
5. Click your secure#–X-srvgrp server group (where # is your pod number, and X is your table
number).
You will now test your new authentication server settings by disconnecting and recon-
necting the wireless client. Then you will go into your publisher (ClearPass2) and view the
Access Tracker entries for the authentication request.
The client should fail authentication with an error due to the EAP certificate:
EAP-TLS: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session
The error indicates that the Onboard client does not trust the EAP server certificate on
ClearPass2: the supplicant validated the server certificate against the trust it was
provisioned with and sent the TLS unknown_ca alert. This is why you should install the
same EAP certificate on all of the ClearPass servers in the cluster.
8. Look under the server column; you should have listings for both ClearPass servers.
9. Look through the list in Access Tracker and find your latest contractUser log in request.
WARNING: You will be shutting down ClearPass2. To be certain that you are working in the
interface for ClearPass2, you will reconnect to the VIP and confirm your publisher connection,
because once you initiate the shutdown, you do not have a method to restart the ClearPass2
server. If you do require ClearPass2 to be restarted, you will need to contact your instructor
or lab support.
Steps
1. On your Wired MGMT Client desktop, open a browser tab to the VIP 10.1.X9.13 (where X is
your table number).
8. Click Yes.
9. Wait 3-4 minutes, and then refresh the browser tab connected to the VIP.
The standby publisher and VIP each have different timings. If you refresh your tab
early, you will be connected to ClearPass1 before it gets automatically promoted to
Publisher. This is alright. Just wait a little longer, and then refresh again.
7. Find your latest contractUser authentication and confirm that it authenticated against
ClearPass1. You can check the timestamp on the entry to be sure you are looking at the correct
authentication.
Lab Debrief
During this lab, you learned how to configure a ClearPass cluster with high availability. You learned how
to configure a publisher and virtual IP address to provide redundancy.
Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Open a browser tab to your ClearPass1 server.
3. Log in to ClearPass Guest.
4. Navigate to Administration > Operator Login > Profiles and review the built-in profiles.
7. Review the restrictions for access to the various features, along with the roles they are allowed to
provision.
n Which rights does Receptionist have in relation to creating a new guest account?
9. Scroll down to the User Roles section, and select Guest for user roles.
10. Scroll down to User Interface, and select “Aruba ClearPass Skin” to change the visual appear-
ance.
Steps
1. Switch to the Policy Manager, and log in.
2. Navigate to Configuration > Identity > Roles.
3. Click Add in the upper right corner.
4. Add a role with the following information:
a. Name: Receptionist
b. Description: Guest admin user role
5. Click save.
6. Navigate to Configuration > Identity > Local users.
7. Click Add in the upper right corner.
8. Add a user with following information:
9. Click Save.
3. You should now see the ClearPass Guest Operator Login page.
Alternately, you may open a different browser (Firefox, Chrome, IE etc.) and log into
ClearPass Guest at https://<ClearPass IP>/guest/ as the frontdesk user.
5. Verify that you get the Create Guest Account page as the start page.
7. Log out of ClearPass Guest by clicking the Logout link in the sidebar menu.
Steps
Start by creating a new role mapping policy that will be used in the ClearPass administrative logon service.
1. From the Wired MGMT Client desktop, open a browser tab to ClearPass1.
2. Log into the Policy Manager.
3. Navigate to Configuration > Identity > Role Mappings.
4. Click Add to create a new role mapping policy with the following information:
n Policy Name: Admin Role Mapping Policy
n Description: <Any description>
n Default Role: [Other]
8. Click Save.
You have to make a copy as you are not allowed to edit default services.
15. Click the Authentication tab and add active directory authentication source:
n Authentication Sources: remote lab AD
16. Click the Roles tab and add new role mapping:
To test your new Policy Manager Admin Login service, you will log out of the policy
manager and log back in with an account configured in Active Directory.
n Authentication:Source:
Steps
1. On the Wired MGMT Client desktop, open a browser tab to your ClearPass1 IP address.
2. Login to the Policy Manager with admin / eTIPS123.
3. Navigate to Administration > Users and Privileges, and click Admin Privileges.
4. To configure a new Admin Privileges, click Add in the upper right corner.
5. On the Basic Information tab, configure the following:
On the Rules tab, you will add two rules. The first rule: if the user is a member of the
"ClearPass Helpdesk" group, assign your new Administrator Privileges. The second rule: if the
user is a member of the "ClearPass Admins" group, assign the Super Administrator Privileges.
4. Click the menu in the upper right corner, and look at your login information.
Steps
Configure the TACACS+ Shared Key
1. From your Wired MGMT Client desktop, log in to ClearPass1 Policy Manager.
2. Navigate to Configuration > Network > Devices.
5. Click Save.
20. Click the green checkmark under status to Disable the [Aruba Device Access Service].
At this stage, you should be logged in, because the Aruba Controller is pre-configured
to send TACACS+ authentication requests for admin logins to the ClearPass server.
Task 3
n What account role will be assigned to the guest user?
l The account role is preconfigured as [Guest].
n Can you change this role?
l There is no option to change the account role.
n What service is used to process this authentication request?
l The [Guest Operator Logins] service, it is a default service which you can tell because of
the brackets in the name [ ].
n What is the username?
l The user is frontdesk.
n What roles were assigned?
l The roles [TACACS Receptionist] and [User Authenticated] were assigned.
n What is the enforcement profile?
l The enforcement profile is [Operator Logon – Local Users].
n What is the name of the attributes sent to the application?
l The attribute being sent is called “admin_privileges.”
n What is the value of the attributes sent?
Task 4
Task 6
n What are the ClearPass roles applied to the user?
l The user received the [User Authenticated] role indicating that the authentication passed.
n What enforcement profile is sent?
l The enforcement profile was [ArubaOS Wireless TACACS Root Access].
n What AD Group is the user a member of?
l The user is a member of the “clearpass admin” group.
n How did the user get assigned the enforcement profile?
l In the enforcement policy for the TACACS service, there is a rule that says, "If the user is a
member of a group whose name contains the word 'admin,' then assign the super admin
administrative privileges." Note that a substring match like this is loose: any group with
"admin" in its name would qualify, so in production match on the exact group name or DN.
Steps
1. From the Aruba Training Lab dashboard, open the Wired MGMT Client desktop.
2. Open a browser to ClearPass1, and login to the Policy Manager with admin.
3. Navigate to Administration > Server Manager in the sidebar menu.
4. Click on Server Configuration.
5. Select your ClearPass1 server, and open to edit.
6. Review the Insight settings, make sure that Enable Insight is checked, and ClearPass1 is set as
the Insight Primary Server. If Insight is not currently enabled in your system, Enable it now.
When you enable Insight in your cluster, you must enable it on at least one cluster
node, and only one cluster node can be the Insight primary server. This becomes the
server node that owns the database. Even if you only have a single ClearPass node
enabled for Insight, you must select that node as the primary server.
n What effect on the system would there be if you set the database retention time to 365
days?
This is the main dashboard and each operator that logs into Insight will have their
own customizable dashboard. You can add widgets to the dashboard as required.
2. To add a widget for Endpoint Device Categories, click on Endpoints in the sidebar menu.
3. Scroll down through the Endpoints Dashboard and find Endpoints Device Categories.
4. Click the down arrow in the right corner and select Add to Dashboard.
5. Look through the sidebar menu and add the following widgets to your dashboard:
n Endpoints: Endpoint Device Families
n Licensing: Maximum License Usage
The above widgets are a sampling from each of the grouping's widgets. As an administrator
of ClearPass, you will want to assemble your own dashboard that you can check periodically
to quickly see how ClearPass is performing.
9. Click in Start Date box and set the beginning date of this course.
10. Set End Date equal to today’s date.
Steps
1. While still focused on the Clients Dashboard, click the Download Reports icon in the
upper right corner.
2. Save the .CSV file.
17. To download the report, click the download icon on the right.
18. Save the Report. It will save as a ZIP file, and you will need to open the file and preview it.
8. Scroll down and set the custom date range for the start and finish of your class.
n Repeat Scheduled Report: No Repeat
n Preset Date Range: Custom Date
n Start Date: First Day of Class
9. Click Next.
10. On the Filters, Raw Data, Branding screen, do not modify the filter.
11. Under Configure CSV Raw Data Columns, select Fingerprint as a new column. (You just need
to click it in the Available Columns to move it to Selected Columns.)
1. On the Configured Reports screen, click the Run button for the new report.
7. In the Extracted Reports folder, open the .CSV file in Wired MGMT Client.
Steps
1. In the browser, log into Insight, and navigate to Alerts in the sidebar menu.
2. To create a new alert, click on Create New Alert in the upper right corner.
4. Do not modify the filter so that the alert will apply to all authentication instances.
5. Scroll down to the Trigger section.
6. Set the following filter:
To add a user to the Watchlist, use the search box at the top of the page, and search
for a username. Then add that user to the Watchlist by clicking the star next to the
user’s name.
6. In the details page for the temp user, click the star next to username to add the user to the
Watchlist.
Lab Debrief
During this lab, you have explored many of the tools available in Insight. Insight is an intuitive and
simple-to-use report engine that allows you to gather a lot of data about your ClearPass system.
Objectives
n RADIUS Accept
n Rule 1: any any any permit
Employee Smart Access Role: it is common in many organizations to limit smart devices on the
employee secure network to Internet access only. This requires blocking the internal IP address
spaces and allowing external addresses only.
n RADIUS Accept
n Rule 1: any any DHCP permit
n Rule 2: any any DNS permit
n Rule 3: any {ip-subnet internal} any deny
n Rule 4: any any tcp 80 permit
n Rule 5: any any tcp 443 permit
n Rule 6: any any any deny - This is implied but added here for rule readability
Temporary Access Role: another common practice is to grant limited access roles to temporary
workers such as contractors. These roles include access to only the few internal IP addresses
required by the contractor and possibly allow Internet access as well. In this scenario you will
configure this role to allow access to the internal Windows / Active Directory server. Note that
the permit for that server must come before the internal deny; rules are evaluated top down and
the first match wins.
n RADIUS Accept
n Rule 1: any any DHCP permit
n Rule 2: any any DNS permit
n Rule 3: user 10.254.1.21 any permit
n Rule 4: any {ip-subnet internal} any deny
n Rule 5: user any tcp 80 permit
n Rule 6: user any tcp 443 permit
n Rule 7: any any any deny - This is implied but added here for rule readability.
Deny All Role: there are two ways that you can implement the "deny all" functionality. First, you can
simply configure a RADIUS enforcement profile that sends an access reject. The second option is to allow
the device to authenticate onto the wireless network and then assign a role that denies all source
addresses to all destination addresses for all protocols and ports (any any any deny). For ease, this
role will use option 1.
• RADIUS Reject
In this lab you will use the Standard Role Configuration Mode to create your downloadable roles. You
will also follow the best-practice procedure of creating NetServices to define TCP/UDP ports and
protocols, and NetDestinations to define the aliases that will be used in the session ACLs for the role.
Steps
1. From the Remote Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Enforcement > Profiles.
5. Click Add to create a new Enforcement Profile.
8. On the Role Configuration tab, scroll down the list to the NetService Configuration: section.
9. Click the link for Manage NetServices.
10. Enter the following settings:
a. Name: DHCPdiscover
b. Protocol: UDP
c. Port Selection: List
d. Port List: 68
11. Click Save.
12. Continue to add the following NetServices.
iii. Port Selection: List
iv. Port List: 6658
Enforcement Profiles (complete)
Appendix 1: Configure DUR
17. Click Save to create the NetDestination.
18. Click Cancel to close the NetDestination editor.
19. Scroll down the Role Configuration tab to the ACL: section.
20. Click Add Session Access Control List.
21. Add an ACL with the following Name: DHCPallow.
22. On the General tab click Add Rule.
23. Create a rule with the following:
a. Source Traffic Match: any
b. Destination Traffic Match: any
c. Service Type: service
d. Service: DHCPdiscover
e. Action: permit
24. Click Save Rule.
First ACL:
1. On the General tab assign the Name: ClearPassWEB.
2. On the General tab click Add Rule.
a. Web access to ClearPass.
i. Source Traffic Match: user
ii. Destination Traffic Match: alias
iii. Destination Alias: ClearPass
iv. Service Type: service
v. Service: WEB-PORTS
vi. Action: permit
5. Click Save to save the ACL.
Second ACL:
1. On the General tab assign the Name: DenyAll.
2. On the General tab click Add Rule.
a. Web access to ClearPass.
i. Source Traffic Match: any
ii. Destination Traffic Match: any
iii. Service Type: any
iv. Action: deny
3. Click Save to save the ACL.
2. Click Next.
3. On the Summary Tab scroll down and look at the User Role Configuration:
Configure the Employee Full Access DUR
• RADIUS Accept
• Rule 1: any any any permit – Create new session ACL
1. Click Add in the Configuration > Enforcement > Profiles workspace to create a new Enforcement
Profile.
2. On the Profile tab enter the following:
a. Template: Aruba Downloadable Role Enforcement.
b. Name: Aruba Controller DUR employee full access.
c. Product: Mobility Controller.
3. Click Next.
c. Service Type: any
d. Action: permit
8. Click Save Rule.
9. Click Save.
12. Click Next.
13. On the Summary tab, review the new DUR.
Configure the Employee Smart Access DUR
• RADIUS Accept
• Rule 1: any any DHCP permit – Use existing Session ACL
• Rule 2: any any DNS permit
• Rule 3: any {ip-subnet internal} any deny
• Rule 4: any any tcp 80 permit
• Rule 5: any any tcp 443 permit
• Rule 6: any any any deny – Use existing Session ACL
1. Click Add in the Configuration > Enforcement > Profiles workspace to create a new Enforcement
Profile.
2. On the Profile tab, enter the following:
a. Template: Aruba Downloadable Role Enforcement
b. Name: Aruba Controller DUR employee smart access
c. Product: Mobility Controller
3. Click Next.
5. Set the following:
a. Name: DNS-SVC
b. Protocol: TCP
c. Port Selection: List
d. Port List: 53
Create the DNS Allow ACL
1. In the Role Configuration tab, click “Add Session Access Control List”.
2. On the General tab, name the ACL: DNSallow.
3. Click Add Rule.
4. On the Role Configuration tab, configure the following: (these are the defaults)
a. Source Traffic Match: user
b. Destination Traffic Match: any
c. Service Type: service
d. Service: DNS-SVC
e. Action: permit
5. Click Save Rule.
6. Click Save to commit the ACL.
6. Click Save to commit the ACL.
7. In the Role Configuration tab, under ACL, add the following Session ACLs to the list:
a. DHCPallow
Configure the Temporary Access DUR
• RADIUS Accept
• Rule 1: any any DHCP permit
• Rule 2: any any DNS permit
• Rule 3: user 10.254.1.21 any permit
• Rule 4: any {ip-subnet internal} any deny
• Rule 5: user any tcp 80 permit
• Rule 6: user any tcp 443 permit
• Rule 7: any any any deny - this is implied but added here for rule readability.
Use the methods you have learned to create the Temporary Access DUR:
1. Create a new Enforcement Profile.
a. Template: Aruba Downloadable Role Enforcement
b. Name: Aruba Controller DUR temporary access
c. Product: Mobility Controller
2. Configure a new Session ACL.
a. Name: AllowADserver
b. Add Rule:
i. Source Traffic Match: user
ii. Destination Traffic Match: host
iii. Destination IP Address: 10.254.1.21
iv. Service Type: any
v. Action: permit
3. Add the correct ACLs to the DUR.
a. DHCPallow
b. DNSallow
c. AllowADserver
d. DenyInternal
e. AllowInternet
f. DenyAll
5. Save the Enforcement Profile.
You have finished configuring the Enforcement Profiles.
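The session ACLs built in this appendix are evaluated first match wins, with an implied deny at the end. The following added example (not part of the lab guide) models the Employee Smart Access and Temporary Access rule lists from the Objectives and shows why the DHCP/DNS permits must precede the internal-subnet deny, and what the TCP-only DNS-SVC NetService means for UDP queries. The client address 10.254.20.5, the 10.254.0.0/16 "internal" subnet and the public address 203.0.113.10 are constructed assumptions; 10.254.1.21 is the AD server named in the guide.

```python
"""Added example (not from the lab guide): first-match evaluator for the
session ACL rule lists defined in the Objectives section."""
import ipaddress

USER_IP = "10.254.20.5"                              # constructed client address
INTERNAL = ipaddress.ip_network("10.254.0.0/16")     # assumed {ip-subnet internal}
AD_SERVER = "10.254.1.21"                            # AD server from the guide

# NetServices with the protocol/port the lab assigns them.
SERVICES = {
    "DHCP": ("udp", 68),      # DHCPdiscover
    "DNS": ("tcp", 53),       # DNS-SVC (TCP only, as configured in the lab)
    "tcp80": ("tcp", 80),
    "tcp443": ("tcp", 443),
}

# (source, destination, service, action) in controller evaluation order.
EMPLOYEE_SMART = [
    ("any", "any", "DHCP", "permit"),
    ("any", "any", "DNS", "permit"),
    ("any", "internal", "any", "deny"),
    ("any", "any", "tcp80", "permit"),
    ("any", "any", "tcp443", "permit"),
    ("any", "any", "any", "deny"),
]
TEMPORARY = [
    ("any", "any", "DHCP", "permit"),
    ("any", "any", "DNS", "permit"),
    ("user", AD_SERVER, "any", "permit"),
    ("any", "internal", "any", "deny"),
    ("user", "any", "tcp80", "permit"),
    ("user", "any", "tcp443", "permit"),
    ("any", "any", "any", "deny"),
]


def _dst_match(spec, dst):
    if spec == "any":
        return True
    if spec == "internal":
        return ipaddress.ip_address(dst) in INTERNAL
    return dst == spec                                # host match


def evaluate(rules, src, dst, proto, port):
    """Action of the first matching rule; 'deny' if nothing matches
    (the implied deny-all at the end of every session ACL)."""
    for src_spec, dst_spec, svc, action in rules:
        src_ok = src_spec == "any" or src == USER_IP  # "user" = the client itself
        svc_ok = svc == "any" or SERVICES[svc] == (proto, port)
        if src_ok and _dst_match(dst_spec, dst) and svc_ok:
            return action
    return "deny"
```

Moving the internal-subnet deny above the DNS permit makes DNS to an internal resolver fail, and because DNS-SVC is defined as TCP 53 only, a UDP 53 query falls through to the deny rules under these lists.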
Aruba ClearPass Configuration
LAB GUIDE
Version: 23.13
Copyright 2023