
Aruba ClearPass

Configuration

LAB GUIDE
Version: 23.13

Security Series
© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Open Source Code


This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other
open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This
offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this
product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US
$10.00 to:

Hewlett Packard Enterprise Company


6280 American Center Dr
San Jose, CA 95002
USA

Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with
FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over
and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments
All third-party marks are property of their respective owners.

Contents

Lab 1: Testing Lab Connectivity 1
Device Access 1
Task 1-1: Aruba Training Lab Access 1
Objectives 1
Steps 1
Task 1-2: Aruba Training Lab Interface 2
Objectives 2
Task 1-3: Testing Connectivity 3
Objectives 3
CLI Console Access 4
Test the Wired MGMT Client Remote Desktop 4
Test Connectivity to the Wireless Client 7

Lab 2: Configuring Authentication Sources 9


Task 2-1: Explore the ClearPass Interface 9
Objectives 9
Steps 9
Task 2-2: Install a Public Signed HTTPS certificate on ClearPass 13
Objectives 13
Steps 14
Task 2-3: Join ClearPass1 to the Active Directory Domain 19
Objectives 19
Steps 19
Task 2-4: Configure Active Directory Authentication Source 21
Objectives 21
Steps 21

Task 2-5: Select Custom Attributes from Active Directory 22
Objectives 22
Steps 22
Task 2-6: Sign ClearPass EAP/RADIUS certificate with AD CA 26
Objectives 26
Steps 26
Task 2-7: Test Your Active Directory Authentication Source 32
Objectives 32
Steps 32
Lab Debrief 34
Lab 3: Configuring External Devices 35
Task 3-1: Configure Network Devices 35
Objectives 35
Steps 35
Task 3-2: Configure Device Attributes and Network Device Groups 37
Objectives 37
Steps 37
Task 3-3: Configure Email Server 39
Objectives 39
Steps 39
Task 3-4: Connecting ClearPass to the MDM Server 41
Objectives 41
Steps 41
Lab Debrief 43
Lab 4: Endpoint Profiling 45
Task 4-1: View Current Endpoints 45
Objectives 45
Steps 45
Task 4-2: Configure the Controller for Endpoint Profiling 49
Objectives 49

Steps 50
Task 4-3: Configure Profiling on ClearPass 54
Objectives 54
Steps 54
Task 4-4: Examine Endpoint Profile Data 55
Objectives 55
Steps 55
Lab Debrief 64
Task Questions Answered 64
Task 1 64

Lab 5: Roles and Enforcement 67


Task 5-1: Plan your Enforcement 67
Objectives 67
Questions 68
Task 5-2: Create Local User Account 71
Objectives 71
Steps 71
Task 5-3: Create ClearPass Roles 72
Objectives 72
Steps 73
Task 5-4: Build Role Mapping Rules 74
Objectives 74
Steps 74
Task 5-5: Configure Enforcement Profiles 78
Objectives 78
Steps 78
Task 5-6: Configure Enforcement Policies 82
Objectives 82
Steps 82
Lab Debrief 88

Task Questions Answered 89
Task 1 89
Task 6 91

Lab 6: Configuring Services 93


Task 6-1: Plan your Services 93
Objectives 93
Questions 93
Task 6-2: Configure the Aruba Wireless 802.1X Service 96
Objectives 96
Steps 96
Task 6-3: Testing a Failed Authentication Request 101
Objectives 101
Steps 101
Task 6-4: Testing the Aruba Wireless 802.1X Service 108
Objectives 108
Steps 109
Lab Debrief 125
Task Questions Answered 125

Lab 7: Web Services 129


Task 7-1: Upload a File into Content Manager 129
Objectives 129
Steps 129
Task 7-2: Customize Built-in Skins 133
Objectives 133
Steps 133
Task 7-3: Customize the Service Unavailable Page 139
Objectives 139
Steps 139
Lab Debrief 141

Lab 8a: Guest Authentication 143
Task 8a-1: Create Web Login Page 143
Objectives 143
Steps 143
Task 8a-2: Create a Guest Account 147
Objectives 147
Steps 147
Task 8a-3: Create Services for Guest in Policy Manager 149
Objectives 149
Steps 149
Task 8a-4: Configure Aruba Controller for Guest 154
Objectives 154
Steps 154
Task 8a-5: Test the Web Login Page 155
Objectives 155
Steps 155
Lab Debrief 164
Task Questions Answered 164

Lab 8b: Guest Authentication with MAC Caching 167


Task 8b-1: Create MAC Authentication Service 167
Objectives 167
Steps 167
Task 8b-2: Enable MAC Authentication on Controller 175
Objectives 175
Steps 175
Task 8b-3: Testing 176
Objectives 176
Steps 177
Lab Debrief 187
Task Questions Answered 188

Lab 9: Guest Access with Self-registration 193
Task 9-1: Configure a Self-Registration Portal 193
Objectives 193
Steps 193
Task 9-2: Configure Aruba Controller for Self-Registration 205
Objectives 205
Steps 205
Task 9-3: Testing Self-Registration 207
Objectives 207
Steps 207
Lab Debrief 215
Task Questions Answered 216

Lab 10a: Wired Authentication 217


Task 10a-1: Configure the Service for Wired Authentication 218
Objectives 218
Steps 218
Task 10a-2: Configure the Switch Port for 802.1X 226
Objectives 226
Steps 226
Task 10a-3: Test the Wired Authentication Port 229
Objectives 229
Steps 229
Lab Debrief 240
Task Questions Answered 240

Lab 10b: Wired Authentication With AOS-CX Switch (Optional Lab) 243
Task 10b-1: Configure the Service for Wired Authentication 244
Objectives 244
Steps 244
Task 10b-2: Configure the Switch Port for 802.1X 251
Objectives 251

Steps 252
Task 10b-3: Test the Wired Authentication Port 253
Objectives 253
Steps 253
Lab Debrief 265
Task Questions Answered 265

Lab 11: Downloadable User Roles 267


Task 11-1: Configure the Aruba Controller for Downloadable Roles 267
Objectives 267
Steps 267
Task 11-2: Configure DUR Enforcement Profiles 270
Objectives 270
Steps 270
Task 11-3: Modify the Secure Wireless Service 276
Objectives 276
Steps 276
Task 11-4: Test the New Configuration 280
Objectives 280
Steps 280
Lab Debrief 284
Lab 12: Dynamic Segmentation 285
Task 12-1: Configure the AOS-S Switch for Tunneled Node 286
Objectives 286
Steps 286
Task 12-2: Configure Enforcement Profiles 289
Objectives 289
Steps 289
Task 12-3: Test Dynamic Segmentation 297
Objectives 297
Steps 297

Task 12-4: Return the Configuration to Normal 310
Objectives 310
Steps 310

Lab 13: OnGuard Configuration 311


Task 13-1: Create a Posture Policy 311
Objectives 311
Steps 311
Task 13-2: Create Enforcement Profiles 315
Objectives 315
Steps 315
Task 13-3: Create Posture Token Based Enforcement Policy 318
Objectives 318
Steps 318
Task 13-4: Create Service to Process Health Check 320
Objectives 320
Steps 321
Task 13-5: Configure and Install OnGuard Persistent Agent 323
Objectives 323
Steps 323
Task 13-6: Testing the OnGuard Persistent Agent 326
Objectives 326
Steps 326
Lab Debrief 337
Task Questions Answered 337

Lab 14: OnGuard Enforcement 339


Task 14-1: Modify the Enforcement Policy 339
Objectives 339
Steps 339
Task 14-2: Modify the Wireless Service 343
Objectives 343

Steps 343
Task 14-3: Modify the Health Check Service 344
Objectives 344
Steps 344
Task 14-4: Testing 346
Objectives 346
Steps 346
Lab Debrief 359
Task Questions Answered 359

Lab 15: Onboard Configuration 361


Task 15-1: Configure Onboard as Root CA 361
Objectives 361
Steps 361
Task 15-2: Configure Onboard Network Settings 367
Objectives 367
Steps 367
Task 15-3: Configure Onboard Configuration Profile & Provisioning Settings 370
Objectives 370
Steps 370
Task 15-4: Create Onboard Services 373
Objectives 373
Steps 374
Task 15-5: Configure BYOD-Provision Role on Controller 380
Objectives 380
Steps 380
Task 15-6: Testing Onboard 383
Objectives 383
Steps 383
Lab Debrief 396

Task Questions Answered 396

Lab 16: Onboard Administration 399


Task 16-1: Deny Access to Deleted User 399
Objectives 399
Steps 399
Task 16-2: Test OCSP 403
Objectives 403
Steps 403
Task 16-3: Deny Access to the Device 410
Objectives 410
Steps 410
Lab Debrief 421
Task Questions Answered 421

Lab 17: Administrative Operations 423


Task 17-1: Certificate Stores 423
Objectives 423
Steps 423
Task 17-2: Licenses 426
Objectives 426
Steps 426
Task 17-3: Backups and Logs 428
Objectives 428
Steps 428
Lab Debrief 435
Task Questions Answered 435

Lab 18: Cluster 437


Task 18-1: Enabling Clustering 437
Objectives 437
Steps 437

Task 18-2: Monitoring Clustering 444
Objectives 444
Steps 444
Task 18-3: Configure High Availability 449
Objectives 449
Steps 450
Task 18-4: Testing High Availability 457
Objectives 457
Steps 457
Lab Debrief 460
Lab 19: Administrative Access 461
Task 19-1: Guest Operator Login 461
Objectives 461
Steps 461
Task 19-2: Create a New Guest Admin Account 463
Objectives 463
Steps 463
Task 19-3: Test Guest Operator Login 464
Objectives 464
Steps 465
Task 19-4: Policy Manager Admin Access for AD Users 470
Objectives 470
Steps 470
Task 19-5: Policy Manager Administrator Privileges 476
Objectives 476
Steps 476
Task 19-6: TACACS+ Admin Access to Aruba Devices 485
Objectives 485
Steps 485
Lab Debrief 492

Task Questions Answered 492

Lab 20: Insight Reports 495


Task 20-1: Configuring Insight 495
Objectives 495
Steps 495
Task 20-2: Explore the Insight Dashboard 497
Objectives 497
Steps 498
Task 20-3: Creating Reports in Insight 504
Objectives 504
Steps 504
Task 20-4: Alerts and Watchlist 512
Objectives 512
Steps 512
Lab Debrief 515
Task Questions Answered 516

Appendix 1: Configure DUR Enforcement Profiles (complete) 517


Objectives 517
Steps 519

Lab 1: Testing Lab Connectivity


The Aruba Training Lab provides you with two ClearPass servers, one wireless LAN Controller, an
Aruba wireless access point, and virtual laptops as well as the support servers you need for training.
You should know the procedures to access each of these devices and client PCs in the Aruba Training
Lab.
After completing this lab, you will have all the information needed to support the hands-on labs in this
course.

Device Access
You have received pod and table number assignments that define your remote lab location. When configuring your equipment, you must follow a naming and numbering plan based on your pod and table numbers. In these labs, the value # is your pod number, and X is your table number.
The table below lists the remote lab equipment. In the “My Device IP” column, write the IP address
assigned to your devices. (Your instructor may provide an IP address sheet.)

Device | Model | Device name | My Device IP | Username / Password
ClearPass server 1 | | ClearPass1 | | admin / eTIPS123
ClearPass server 2 | | ClearPass2 | | admin / eTIPS123
Aruba Controller | Aruba 7030 | MC | | admin / admin1
AOS-S Switch | Aruba 2930 | | |
Virtual AOS-CX | | vCX | | admin /
Windows server | | AD/DHCP/DNS | 10.254.1.21 |
Email server | | Mail | 10.254.1.31 |
MDM server | | MDM1 | 10.254.1.32 |

Task 1-1: Aruba Training Lab Access


Objectives
To check that you have connectivity to the remote lab and can successfully log in. This will ensure that
you have access to your remote lab equipment during this training.

Steps
1. On your local computer, launch a web browser, and go to the Aruba Training Lab web portal at the URL: https://arubatraininglab.computerdata.com.



2. Enter your username and password (if you do not have one, ask your instructor for the credentials), and click the Sign in button.

Task 1-2: Aruba Training Lab Interface


Objectives
Throughout this lab guide, you will need to connect to devices and client PCs. A right mouse click will
either open an access window to the device or a menu where you can select an option.
- Wired MGMT Client: This client is used for administration and for accessing the Web-UI of the ClearPass servers, the 7030 Controller, and the AOS-S Switch.
- Wireless Test Client: This client is used for wireless connectivity and testing.
- ClearPass Policy Manager 1: This will be your primary ClearPass server, and you will do most of the configuration here.
- ClearPass Policy Manager 2: This will be your secondary ClearPass server and is used for the cluster lab.
- Aruba 7030 MC: This is your Aruba Mobility Controller (MC).
- Aruba AP: This is your Aruba Access Point.
- AOS-S Switch: This is your ArubaOS switch.
- Virtual AOS-CX Switch: This is your virtual AOS-CX switch.
- Class switch: You have NO access to this switch.



- AD/DNS/DHCP: You have NO access to this Windows server, but you will connect ClearPass to it.
- Mail server: This server is your email server, and you will use it to relay messages from ClearPass.
- MDM: All students share the MobileIron server for endpoint profiling. You have NO access to it.
You can open the control menu of some of your devices by right-clicking the icon in the lab diagram.


Task 1-3: Testing Connectivity


Objectives
To test connectivity and authentication credentials for each of the devices. Working from the Aruba Training Lab diagram, you will connect to and log into each of your remote lab hardware devices.

Steps



CLI Console Access
1. To connect to the console of the Aruba 7030 MC, right-click on the icon in the lab diagram, and
select “Open Console.”

2. A new browser tab should open with a blank, black screen.


3. Press [enter] a couple of times, and you will see a user prompt.
4. Log in with admin/admin1 credentials.
5. Issue the command “show ap essid.”
6. You should see a list of SSIDs being broadcast by your Controller/access point.
(P1-T02-CPE) [mynode] #show ap essid
ESSID Summary
-------------
ESSID      APs  Clients  VLAN(s)  Encryption
-----      ---  -------  -------  ----------
guest1-2   1    0        23       Open
secure1-2  1    0        21       WPA2 8021X AES
Num ESSID:2
(P1-T02-CPE) [mynode] #

Test the Wired MGMT Client Remote Desktop


1. To access the Web-UIs of your lab hardware, open the desktop for Wired MGMT Client.
2. Right-click on the icon in the lab diagram, and select “Open Desktop.”



3. A new browser tab will open with the remote desktop.

It may take a few minutes for the Wired MGMT Client desktop to come up. Also, if
your Aruba Training Lab has been idle for a while after you log in, you may need to
log out of the lab interface and log back in and then launch the desktop again.

4. On the Wired MGMT Client desktop, launch the Google Chrome browser.
5. Type the IP of your ClearPass1 server in the browser address bar (refer to the lab diagram for the correct IP).
6. Accept the certificate error.



By default, Aruba ClearPass has a self-signed certificate installed, which generates the certificate error. A trusted certificate will be installed in the upcoming labs to fix that error and security warning.

7. Click on the ClearPass Policy Manager link to navigate to the Policy Manager login page.

8. Log in using admin/eTIPS123.



9. On the Wired MGMT Client desktop, open a new browser tab, and type the IP of your Aruba
Controller in the address bar. Leave the other tabs open.
10. Log in to the Controller using admin/admin1.

Test Connectivity to the Wireless Client


Beginning in Lab 6, you will need to test client authentication attempts. To do this, you will need to
access the Wireless Test Client desktop.
1. To test the Wireless Test Client desktop, right-click on its icon in the lab diagram and select
Open Desktop.



2. To confirm the wireless functionality is enabled, click on the network icon in the taskbar and
look for a list of wireless networks.

If there are no wireless networks, notify your instructor, or if you are working on this lab as part of a self-paced course, contact the support email you were given. Remember, you will not need the wireless client until Lab 6.

You have completed Lab 1!




Lab 2: Configuring Authentication Sources


This lab has three parts: it starts by exploring the ClearPass Policy Manager interface; then you will install HTTPS certificates, allowing secure management of your ClearPass server; and lastly, you will configure Active Directory as an Authentication Source in ClearPass.
When you have completed this lab, you will know how to join ClearPass to an Active Directory domain, add an Active Directory Authentication Source, and configure Active Directory LDAP attributes for use in your services later in the labs.

Task 2-1: Explore the ClearPass Interface


Objectives
To become familiar with the basic interfaces and dashboards in the ClearPass Web-UI.
To learn how to move around and navigate the menus and the different modules.

Steps
1. From your local computer, log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. In the remote desktop, open a Google Chrome web browser, and navigate to the IP address of ClearPass1.

You can check the lab diagram in the Aruba Training Lab Dashboard to get the IP
address.

3. Once at the ClearPass portal landing page, click on ClearPass Policy Manager to open the
administration login page.
4. Log into the Policy Manager with the credentials admin/eTIPS123.



You should now find yourself at the ClearPass Policy Manager Dashboard. Notice that the left side holds a group of menus titled Dashboard, Monitoring, Configuration, and Administration. Below the Dashboard heading is a group of elements you can add to the Dashboard workspace.

Find the option for License Usage in the sidebar menu, then click and drag it on top of the panel for All Requests.

5. In the upper right-hand corner of the Dashboard, below the menu option, click the drop-down box with the word Default in it, and select the option for 3x3. Another dashboard with nine smaller panels in it will appear.



6. Drag some more of the Dashboard elements into the empty panels to create your own customized dashboard.

7. On the sidebar menu, click the header Monitoring. You will spend a lot of time in the monitoring
screens while doing troubleshooting in your labs. The most notable tool is Access Tracker.

8. Back on the sidebar menu, click the header for Configuration to expand it.

9. Expand the sections for Authentication and Identity under the Configuration sidebar menu.



The Authentication: Sources and Identity: Local Users menus configure the
authentication and authorization sources used by ClearPass.

10. On the sidebar menu, click the header for Administration to expand it.
11. Below Administration, expand Users and Privileges and Server Manager.

The Administration: Users and Privileges menu is where the administrator accounts are configured.

12. Look in the upper right corner of the ClearPass screen and expand the Menu option.



NOTE: The menu provides you with quick links to the different modules of ClearPass: Policy Manager, Guest, Onboard, and Insight Reports. You can also get context-sensitive help for the screen that you are working on.

13. In the drop-down menu, click the option for Help. You may need to allow pop-ups to open the
built-in help page.

Task 2-2: Install a Public Signed HTTPS certificate on ClearPass


Objectives
Aruba ClearPass has a self-signed certificate by default, which causes security warnings when you access it. For a security product, best practice is to install publicly signed certificates that your clients can validate, so that your management access to the servers is secured.



There are two steps to uploading public HTTPS certificates to ClearPass. First, ClearPass needs to trust the root of the public certificate. Second, you will upload the server certificate to the HTTPS certificate store.

Steps
1. Navigate to Administration > Certificates > Trust List.
2. Click the Add button in the upper right corner to add a new trust bundle.

3. Click the Browse button for the Certificate File:

4. Browse to the Desktop > Table X Student Folder > Certificates > star.aruba-training.com.
5. Select the file star.aruba-training.com.ca-bundle and click Open.

6. For Usage, select Database and Others.

7. Click Add Certificate.


8. Navigate to Administration > Certificates > Certificate Store.
9. Click Import Certificate in the upper right corner of the screen.



10. Select Server Certificate for the Certificate Type.
11. Select the following:
a. Server:{ClearPass1}
b. Usage: HTTPS(RSA) Server Certificate
c. Upload Method: Upload Certificate and Private Key Files
12. Click the Choose File button for Certificate File.
13. Select the file star.aruba-training.crt and click Open.
14. Click the Choose File button for Private Key File.
15. Select the file STAR_aruba-training.com_key and click Open.
16. Enter aruba123 for the Private Key Password.
17. Click Import.



18. Select HTTPS(ECC) Server Certificate at the Select Usage drop-down menu.
19. Click Disable.

20. Click Yes, at the overlay alert.

HTTPS(ECC) and HTTPS(RSA) certificates can be enabled or disabled by clicking the Enable or Disable buttons in the lower right corner of the Certificate Store window. A disabled certificate cannot be used, and you cannot disable both HTTPS(ECC) and HTTPS(RSA) simultaneously. If both HTTPS(ECC) and HTTPS(RSA) certificates are enabled, any client that supports ECC ciphers will be presented the HTTPS(ECC) certificate when contacting ClearPass. If you enable ECC certificates, client trust lists should be updated accordingly.
In this lab, we will use an RSA certificate. Therefore, you have disabled the HTTPS ECC certificate.

21. Refresh your browser window for ClearPass1.



The browser will keep showing an error until you refresh it and it picks up the new certificate.

You may see a Security warning page in your browser. Just ignore it.

22. Navigate to your ClearPass 1 server using its FQDN: https://TT-cppm1.aruba-training.com/tips
For example: https://T14-cppm1.aruba-training.com/tips - For table 14

Notice that the security warning is no longer displayed, and the lock icon indicates a secure con-
nection was established. If you still see the certificate warning, wait a couple more minutes while
ClearPass loads the new certificate.
23. Log into the Policy Manager with the credentials admin/eTIPS123.



Task 2-3: Join ClearPass1 to the Active Directory Domain
Objectives
To confirm the time source for ClearPass and join ClearPass to your Active Directory domain. You will also enable the Insight database so that information is available for reports later in the class.

Steps
1. In the sidebar menu, expand Administration: Server Manager, and click on Server Con-
figuration.
2. In the upper right corner of the workspace, click on Set Date and Time.

You will use the Active Directory server for the lab as your time base, which should
already be set to 10.254.1.21

3. Click the Cancel button to close the Change Date and Time window.
4. In the Server Configuration workspace, click on your ClearPass1 server to open its con-
figuration.



5. Look on the System tab for Insight Setting.
6. Check the boxes for Enable Insight and Enable as Insight Primary Server.

7. Scroll to the bottom, and click Save.


8. Close the Save Server Details pop-up window.
9. In the lower right corner of the Server Configuration workspace, click the Join AD Domain button.
10. Add the following details:
a. Domain Controller: aruba-ad.training.arubanetworks.com
b. Select Use Domain Controller returned by DNS query.
c. Uncheck Use default domain admin user.
d. Username: cpadmin
e. Password: aruba123
11. Click Save.



12. Monitor the Join Domain progress, and click Close when complete.
13. Click the Save button to close the server configuration.


14. Click Close in the Save Server Details window.

Task 2-4: Configure Active Directory Authentication Source

Objectives
To set up and configure an Authentication Source in ClearPass to use the Active Directory to verify the
credentials of your network users.

Steps
1. In the sidebar menu, expand Configuration, and then the Authentication submenu.
2. Under Authentication, click on Sources.
3. In the upper right hand corner of the workspace, click Add.

4. On the General tab of the Authentication Sources workspace, enter the following information:



a. Name: Remote Lab AD
b. Type: Active Directory
5. Click the Primary tab, and enter the following information:
a. Hostname: aruba-ad.training.arubanetworks.com
b. Bind DN: cpadmin@training.arubanetworks.com
c. Bind Password: aruba123
6. Click the option for Search Base Dn.
7. In the LDAP browser window, click the domain name to expand it.
8. To select the new Base DN, click on OU=ClearPass, and click Save.

The Search Base Dn option does two things for you: test the validity of your settings
and allow you to set the starting point in the directory tree for the search.

9. Click the Save button to save your new Authentication Source.

Task 2-5: Select Custom Attributes from Active Directory


Objectives
To configure custom LDAP attributes for your Active Directory Authentication Source.

Steps
1. Open the Authentication Sources workspace.
2. Sort through the list, and click to open Remote Lab AD for editing.
3. Click the Attributes tab.



4. Open the Configure Filter workspace by clicking the Page icon for the Authentication filter.


5. In the Configure Filter screen, click the Attributes tab, and scroll up to the top.
6. To filter the list of accounts, enter the name “Alice” in the query box, and press Execute.

7. To add new options to the list of attributes collected by ClearPass, scroll through Alice’s AD
attribute box on the right side of the window, and find countryCode.



8. Click the line with countryCode to add it to the attribute list.
9. In the attribute list, click the line for countryCode.

10. Edit the alias name to be “Home Country.” Then, click the Save icon at the end of the line.



11. Scroll through the user’s attribute list again, and find postalCode. Add it to the list with the alias
name of Zip Code.
Your attribute list should look like this:

12. To collect Active Directory attributes into ClearPass services, you need to select them as Attributes.
13. In the attribute list, click on Department to expand the line. Then, click the checkbox for Attribute, and the Save icon.

14. Repeat enabling attributes for “title,” “countryCode,” and “postalCode.”


15. When you are done, click Save to close the Configure Filter window.
16. Then, click Save again to save the Authentication Source.



Task 2-6: Sign ClearPass EAP/RADIUS certificate with AD CA
Objectives
By default, ClearPass has a self-signed certificate for RADIUS, so EAP/RADIUS clients may see a pop-up asking whether they trust this certificate on their first connection attempt.
In this lab, you will create a ClearPass EAP/RADIUS certificate and sign it with your AD CA, which allows domain-joined computers to trust ClearPass when connecting to 802.1X networks.

Steps
1. Navigate to the Certificate Store page, Administration > Certificates > Certificate Store.
2. Select RADIUS/EAP Server certificate at the Select Usage drop-down menu.
3. Notice that, by default, ClearPass has a self-signed certificate for RADIUS.
4. Click Create a Certificate Signing Request to create a CSR file.
5. At the overlay window, enter the following configuration that ClearPass will use to generate the
CSR file:
a. Common Name: TT-CPPM1.aruba-training.com
b. Organization: Aruba Networks
c. Location: San Jose
d. State: CA



e. Country: US
f. Subject Alternate Name: <Leave it as default>
g. Private Key Password: aruba123
h. Verify Private Key Password: aruba123
i. Private Key Type: 2048-bit RSA (RSA|2048)
j. Digest Algorithm: SHA-512
6. Click Submit

7. Copy the CSR content into a local Wired MGMT Client file.

8. Click Download CSR.


9. Open a new browser tab on your Wired Client VM.



10. Navigate to http://10.254.1.21/certsrv
11. When prompted, log in with the following credentials: Username: cpadmin Password: aruba123
12. Before signing your certificate, you need to download the CA certificate so that you can add it to the ClearPass trust list. Click “Download a CA certificate, certificate chain, or CRL.”

13. Click Download CA Certificate.



14. Click Home to go back to the ADCS Home Page.

15. At the Active Directory Certificate Service page, select Request a certificate.

16. Select advanced certificate request.



17. Paste the CSR you copied to your clipboard into the Saved Request field.
18. Select Web Server as Certificate Template.
19. Click Submit.

20. Click Download certificate.



21. At the Wired VM browser, select the ClearPass tab.
22. Click Import Certificate.

23. At the Import Certificate overlay window, enter the following:
a. Certificate Type: Server Certificate
b. Server: <Select your CPPM1 server>
c. Usage: RADIUS/EAP Server Certificate
d. Upload method: Upload Certificate and Use Saved Private Key
e. Certificate file: Select the certificate you have just downloaded.
f. Click Import.

Task 2-7: Test Your Active Directory Authentication Source
Objectives
To use the policy simulator to test your Active Directory Authentication Source.

Steps
1. Expand the Configuration sidebar menu, and click on Policy Simulation.
2. To add a new simulation, select Add in the upper right corner.
3. In the Policy Simulation workspace, enter the following information:
a. Name: Active Directory Test
b. Type: Active Directory Authentication
c. Active Directory Domain: TRAINING
d. Username: employee
e. Password: aruba123
4. Click Save.

5. To run the test, click on Active Directory Test in the Policy Simulation list.
6. On the Simulation tab, type in the password aruba123.
7. Click the Results tab.

8. Repeat the above test for the following options:
a. employee / test123 {this is a bad password}
b. tank / aruba123 {user account does not exist}

You have completed Lab 2!

Lab Debrief
In Task 1 of this lab, you became familiar with the web user interface in ClearPass, and you should now
know how to move around to access the different screens and modules.
In Task 2, you installed an HTTPS RSA certificate, allowing secure management of your ClearPass server.
In Task 3, you added ClearPass to the Active Directory domain. This is required because you will be
using EAP-PEAP authentication with MSCHAPv2, which needs ClearPass to be joined to the domain.
In Task 4, you created an Authentication Source pointing to the Active Directory server that you will
use to process user credentials when you build services. If you were going to authenticate your users
with EAP-TLS only, you would not have needed to join ClearPass to the Active Directory domain.
However, you would still have created an Authentication Source pointing to the Active Directory server.
In Task 5, you selected two AD LDAP attributes that were not in the default Authentication Source filter
and enabled them as attributes that ClearPass will collect.
In Task 6, you generated a CSR (Certificate Signing Request) and used the local AD CA to sign the
certificate. After that, you installed the new certificate on ClearPass to be used for the EAP/RADIUS
service.
Finally, in Task 7, you used the Policy Simulator to test your Active Directory Authentication Source.
There are quite a few policy simulations that you can run, including service categorization, role
mapping, enforcement policies, and authentication tests.

Lab 3: Configuring External Devices


In this lab, you will configure some devices that ClearPass will need to communicate with in order to
perform its functions. You will begin with the Network Access Devices that will send requests to ClearPass.
Next, you will configure an email server so that ClearPass can send the notifications used in later labs.
Then, you will configure an MDM server that ClearPass will poll to read in endpoint profile information.

Task 3-1: Configure Network Devices


Objectives
To configure Network Access Devices in ClearPass, which is essential because only valid Network Access
Devices may send requests to ClearPass.

In this task, you will configure the ClearPass half of the Network Devices setup. The Authentication
Source configuration on the Controller and switch in the lab is already completed.
Configuration of the individual Network Access Device hardware will vary depending on
vendor and is beyond the scope of this lab.

Steps
1. Log into your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and browse to the IP address of ClearPass1.
3. Log in to the Policy Manager (https://TT-cppm1.aruba-training.com) with the credentials
admin / eTIPS123, where TT is your table number.
For example, table 14 uses https://t14-cppm1.aruba-training.com.
4. Navigate to the Configuration menu, and expand the Network submenu.
5. Click on Devices.
6. In the Network Devices workspace, click on Add in the upper right corner.
7. In the Add Device window, configure the following settings:
a. Name: Aruba Controller
b. IP or Subnet Address: the IP address of your Controller
c. RADIUS Shared Secret: aruba123
d. TACACS+ Shared Secret: aruba123

e. Vendor Name: Aruba
f. Enable RADIUS Dynamic Authorization: yes

TIP: The IP addresses of all your devices are listed on the Aruba Training Lab diagram interface.

8. Click Add to save the new network device settings.


9. Repeat the above steps to configure network device settings for your switch.
a. Name: AOS-S Switch
b. IP or Subnet Address: the IP address of your switch
c. RADIUS Shared Secret: aruba123
d. Vendor Name: Hewlett-Packard-Enterprise
e. Enable RADIUS Dynamic Authorization: yes

ArubaOS-Switch uses the Hewlett-Packard-Enterprise RADIUS dictionary and two
new vendor-specific attributes (VSAs) were added to support the local user role and
downloadable user role features.

Task 3-2: Configure Device Attributes and Network Device Groups


Objectives
To add extra identifying context in the form of Device Attributes or Device Groups to your network
devices, which will help identify the source of requests sent to ClearPass.

Steps
1. In the Network Devices workspace, click the device named Aruba Controller to open it for editing.

2. In the Edit Device details window, select the tab for Attributes.
3. To open a new attribute line in the list, click “Click to add”.
4. Pull down the list, and select Device Type.

5. For the Value, type “Wireless Controller,” and click the Save icon.
6. To save the Device Details, click Save.

7. Repeat for the AOS-S Switch, and set the Device Type value to Network Switch.

8. To configure a device group, select Device Groups under Configuration > Network in the sidebar menu.

For this lab, device groups really do not make sense because you only have two
devices, and there is little similarity between them, so logically, it really does not
matter if you have them grouped. This section is just an example of how to create a
device group.

9. In the Network Device Groups workspace, click Add in the upper right corner.
10. Give the device group the name “My Devices.”
11. To see a list of your network devices, select Format: List.
12. Under Available Devices, highlight your two network devices from the list and move them to the
Selected Devices column.
13. To save your new device group, click the Save button.

Task 3-3: Configure Email Server
Objectives
To configure an email server for ClearPass to use to send alerts and guest notifications.

Steps
1. In the sidebar menu, expand the Administration section.
2. Under Administration, expand External Servers, and select Messaging Setup.

3. In the messaging workspace under SMTP Settings, enter the following settings:
a. Server Name: IP address of the class email server
b. Username: pPtT, where P is your Pod number and T is your Table number (for example,
Pod 5, Table 1 is p5t1)
c. Password: Aruba123
d. Default from Address: pPtT@arubaclass.com (for example, Pod 5, Table 1 is
p5t1@arubaclass.com)
4. Click Save.

5. To test your configuration, click the Send Test Email button.


6. In the Send Test Email window, enter the following:
a. Recipient Email address: pPtT@arubaclass.com
b. Message: This is a test of the Email server.

7. Click Send Email.

If your email settings are correct, the test email will be sent even if the send-to address
is bogus. The test checks the ability of ClearPass to communicate with the mail
server and hand off the message. In a live system, it is the mail server’s responsibility
to actually deliver the email message, and you would need to confirm receipt of the
message for a full test.

Task 3-4: Connecting ClearPass to the MDM Server


Objectives
To configure ClearPass to communicate with a MobileIron MDM server. You will configure most
Endpoint Context Servers in the same manner.

Steps
1. In the Administration: External Servers sidebar menu, select Endpoint Context Servers.
2. To add a new Endpoint Context Server, click Add in the upper right corner of the workspace.
3. On the Server tab, open the Select Server Type pull-down, and choose MobileIron Core.
4. Enter the following settings:
a. Server Name: mdm1.training.arubanetworks.com
b. Base Server URL: <filled in automatically from the Server Name>
c. Authentication Method: Basic
d. Username: ClearPass
e. Password: aruba123
f. Enable Server: checked (enables ClearPass to fetch endpoints from the server)

5. Click Save.

To test your MobileIron settings:


1. Click the checkbox to select the MobileIron Core server.
2. In the lower menu bar, click Trigger Poll.

3. Confirm that you wish to poll the MDM server by clicking the Trigger button in the popup window.
4. To see the results of the poll, click on your MDM server in the External Context Server list to
open the Modify Endpoint Context Server window.

5. Select the Poll Status tab, and you should see a success status.

You have completed Lab 3!

Lab Debrief
In this lab, you learned how to configure Network Access Devices in ClearPass. You will need to do this
for every device that will send a request to ClearPass. In a production deployment, you will also need to
configure the Network Access Devices to use ClearPass as an authentication source. You also configured
an email relay for ClearPass to use when sending notifications and a MobileIron Endpoint Context
Server for profiling in ClearPass.

Lab 4: Endpoint Profiling


When you have completed this lab, you will have an understanding of the profile data that ClearPass
collects about endpoints. You will also know how to configure the most common profile collectors used
to gather profile context about endpoints.

Task 4-1: View Current Endpoints


Objectives
To view the entries in the endpoints database and understand what context ClearPass gathers about
endpoints.

Steps
1. Log in to the Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1
(https://TT-CPPM1.aruba-training.com)
3. You should now be at the ClearPass Policy Manager Login page.
4. Log into the Policy Manager with the credentials admin / eTIPS123.
5. In the sidebar menu, expand Configuration, and then expand the submenu Identity.
6. Click on Endpoints.

When you open the endpoints database, you should see quite a few endpoints.
Despite the fact that you have not done much in the lab, these endpoints have been
pulled into ClearPass from your MDM server.

Answer the Following Questions:


• In the endpoints workspace under the heading Device Category, what device types do you
see listed?

• Under the heading Profiled, are any of your endpoints not profiled?

7. To open the Edit Endpoint screen, click one of the Smart Devices listed.

Answer the Following Questions:
• Does your selected endpoint have an IP address?

• If your endpoint does not have an IP address, why not?

• What is the last profiled time for your endpoint?

8. Click on the Attributes tab

Answer the Following Questions:
• Why are there so many attributes listed?

• What is the meaning of MDM enabled?

• Scroll down the list. What is the source of these attributes?

9. Click on the Device Fingerprints tab.

Answer the Following Questions:
• What are some of the listed fingerprints for your selected endpoint?

• Why do these attributes seem generic?

10. Press Cancel to close the window.

Take a few moments to explore some of the other endpoints in your list. Note the
difference in attributes between the MDM-sourced ones and those that are not. For
example, look at an endpoint with the device category of computer or server.

Task 4-2: Configure the Controller for Endpoint Profiling


Objectives
To configure the Aruba Networks Mobility Controller for DHCP Relay and IF-MAP.

Steps
1. Log into your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of your Mobility Controller.
3. Log in with your Mobility Controller admin credentials – admin / admin1.
4. In the sidebar menu, expand Configuration, and then expand the submenu Interfaces.

Configure the DHCP Forwarder on the Employee VLAN X1


1. Click the tab for VLANs.
2. In the top window, click the “–” under the Name column to open the list of VLANs in the lower
section of the screen.

3. Click the X1 VLAN, and expand the lower section of the screen.
4. Click the header IPv4.

5. Scroll down the screen, and expand the IP Address Assignment section under IPv4.
6. From IP DHCP settings, open the drop-down, and select “Relay to external.”

7. To add the ClearPass IP address and the DHCP server IP address, click the + sign under DHCP helpers.
8. Add the following:

a. The IP address of your Active Directory server. (The Active Directory server is also the
DHCP server for the lab.)
b. The IP address of your ClearPass1 server.

9. To save the changes, click Submit.


10. In the upper right corner of the screen, click Pending Changes, and then click Deploy Changes
in the pop-up window.

Configure IF-MAP on the Aruba Mobility Controller


1. Navigate to Configuration: System, and select Profiles in the workspace.
2. Under All Profiles, expand Other Profiles, and select CPPM IF-MAP.
3. Check the box for CPPM IF-MAP Interface to enable IF-MAP.

4. Click the + under CPPM IF-MAP server.
5. Configure the following details:
a. Host: the IP address of your ClearPass server
b. Portnum: 443
c. Username: admin
d. Passwd: eTIPS123
6. Click Okay to save the new profile.

7. Click Submit.
8. In the upper right corner of the screen, click Pending Changes, and then click Deploy Changes
in the pop-up window.

Task 4-3: Configure Profiling on ClearPass


Objectives
To configure the settings on ClearPass required to enable profiling and collection of endpoint context.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1.
3. Log into the Policy Manager.
4. In the sidebar menu, expand Administration > Server Manager.
5. Select Server Configuration.
6. Select Cluster-Wide-Parameters in the upper righthand corner of the server configuration workspace.

7. In the Cluster-Wide-Parameters settings window, select the Profiler tab.


8. Under the option Process wired device information from IF-MAP interface, select True.
9. Click Save.

Task 4-4: Examine Endpoint Profile Data
Objectives
To look at the fingerprints dictionary and learn how to create a custom fingerprint from the endpoint
context that ClearPass has gathered into the system.

Steps
1. In the ClearPass WEB UI, expand the Dashboard sidebar menu.
2. In the list of available dashboard widgets, find the following, and drag them onto the dashboard:
a. Endpoint Profiler Summary
b. Device Category
c. Device Family
d. MDM Discovery Summary

3. Spend a little time exploring the options in the dashboard widgets. Each of the elements is active,
so you can click on images and modify the element view.
4. In the sidebar menu, expand Monitoring, and expand Profile and Network Scan.
5. Click on the submenu option for Endpoint Profiler.

6. Under the facet for Device Category, click on the entry for SmartDevice.
7. Take note of what happens to the Device Family and Device Name facets.

8. In the upper righthand corner of the screen, click the Toggle Dashboard View link.
9. Scroll down, and take note of the new view.

Explore the Endpoint Fingerprint Dictionary
1. Expand the Administration sidebar menu, expand the Dictionaries submenu, and click on
Device Fingerprints.

2. Take a minute to explore some of the existing device fingerprints.

Currently, ClearPass has 600+ devices that it will identify natively out-of-the-box,
but you can add custom fingerprints if you find devices in the endpoints repository
that are either incorrectly categorized or unknown.

3. To add a new fingerprint, click the Add button in the upper right corner of the workspace.

4. Enter the following settings in the Add Devices Fingerprints window:


a. Category: Aruba Server
b. Family: CPPM
c. Name: VM Install
5. To save, click Add.

6. Scroll through the fingerprint list, and find your new fingerprint – look at the end of the access
points list.

7. Review the new device fingerprint.
8. Click Close.

Apply the Fingerprint to an Endpoint


1. Navigate to Configuration > Identity, and select Endpoints.

In a live environment, you would use this to categorize devices that are showing up
as unknown in the profiler. In this lab, you will re-categorize your ClearPass server as
an example of how to apply a custom endpoint device fingerprint. Note that once you
have applied a custom endpoint device fingerprint, ClearPass will continue to profile
all similar devices with the new device fingerprint.

2. In the endpoints list, select the checkbox for your ClearPass server – you may need to Clear Filter
to view the complete list.

3. In the bottom of the Endpoints workspace select the option for Update Fingerprint.
You can modify the endpoint context for just the selected devices (in which case devices discovered in
the future will not be categorized the same way), or you can add rules to the Device Fingerprint.
4. Enter the following settings in the Update Device Fingerprint window:
a. Device Category: Aruba Server
b. Device OS Family: CPPM
c. Device Name: VM Install

5. Click your ClearPass server in the endpoints list, and open the Edit Endpoint page.

You will notice that the endpoint is now categorized with your new custom
fingerprint. In this example, you simply assigned a fingerprint to the pre-discovered
endpoints. This method will not implement proper device profiling for any newly
discovered devices. However, you can use the update type Add Fingerprint Rule to
continue to categorize new endpoints as ClearPass discovers them.

Create a New Update Fingerprint Rule


1. In the Endpoints list select the checkbox for your ClearPass Server.
2. In the bottom of the endpoints workspace, select the option for Update Fingerprint.
3. Enter the following settings in the Update Device Fingerprint window:
a. Update Type: Add fingerprint rule
b. Device Category: Aruba Server
c. Device OS Family: CPPM
d. Device Name: VM Install
4. In the bottom section, enter the following options:
a. Add a line and enter the following configuration:
i. Name: Host Mac Vendor
ii. Operator: Contains
iii. Value: VMware Inc.
iv. Click the save icon.
b. Add a line and enter the following configuration:
i. Name: SNMP System Description
ii. Operator: Equals
iii. Value: ClearPass CP-VA
iv. Click the save icon.
5. Click Save.

View the new Device Fingerprint Rule


1. In the sidebar, expand Administration then Dictionaries and Device Fingerprints.
2. Configure the filter: Category contains server and press Go.

3. In the list, click Aruba Server to open the Update Device Fingerprints window.
4. Take note that the new fingerprint rules have been added to the Aruba Server Device Fingerprint.

5. Close the Update Device Fingerprints window.


You have finished Lab 4!

Lab Debrief
During Lab 4, you explored endpoint profiling in ClearPass. You should now understand how ClearPass
categorizes devices and how to set up profiling on the Aruba Controller and ClearPass. You also
learned how to customize the fingerprints dictionary.

Task Questions Answered


Task 1
• In the Endpoints workspace under the heading Device Category, what device types do you
see listed?
  - While each lab may be slightly different, you should at least see SmartDevice, computer,
and server.
• Under the heading Profiled, are any of your endpoints not profiled?
  - Because they were all brought in from the MDM server or discovered by ClearPass. This is
because we have not done any client connections in the lab yet.
• Does your selected endpoint have an IP address?
  - This should be NO.
• If your endpoint does not have an IP address, why not?
  - Discovered devices should not have an IP address if they have not connected to the
network. The endpoints database will either discover the IP address of the device while it is
being profiled or it may receive the IP address in a RADIUS Accounting message.
• What is the last profiled time for your endpoint?
  - This will vary depending on when ClearPass actually profiled the endpoint. Note that the latest
profile time will update the endpoint’s profile, which may overwrite or change the previously
discovered context.
• Why are there so many attributes listed?
  - These attributes came from the MDM server, and depending on how the server is set up,
there may be a large number of attributes passed to ClearPass.
• What is the meaning of MDM enabled?
  - The MDM enabled attribute instructs ClearPass that an MDM server is managing the
device. You can use this to help ClearPass make decisions while processing a service
request.
• Scroll down the list. What is the source of these attributes?
  - The MDM server in the lab is a MobileIron server, so these endpoints were ingested from a
poll of the MobileIron server.
• What are some of the listed fingerprints for your selected endpoint?
  - On live endpoints, the fingerprints will reflect how ClearPass discovered the endpoint and
what context data it has gathered, which may differ depending on the fingerprints
discovered.
• Why do these attributes seem generic?
  - These attributes are simple attributes gathered from the MDM server, which is why they seem
so generic.

Lab 5: Roles and Enforcement


In this lab, you will start with a planning exercise where you will plan the access logic for the services
you will build. After planning, you will implement Roles and Role Mappings. Lastly, you will build your
Enforcement Profiles and Policies that will be used in your service.
Upon completion of this lab, you will have the knowledge and skills to plan and design basic
enforcement in ClearPass. You will also gain experience with ClearPass Roles and Role Mapping.

Task 5-1: Plan your Enforcement


Objectives
To design the role mapping and enforcement rules required for the implementation.
Your scenario is this:
• You have a simple wireless network that uses 802.1X authentication.
• Almost all of your user accounts are in Active Directory.
• The company does have a few contingent workers, who are set up with accounts in the local
database on ClearPass.
• All users will authenticate with a username and password.
• To enforce policy on the user’s traffic, five User Roles are preconfigured on the Aruba Mobility
Controller.
• The Firewall User Roles are:
  - A role for employee full access named employee_full
  - A role for employee smart phone named employee_smart
  - A role for contingent worker access named temp_access
  - A deny access role named deny_all
  - A “profile_only” role for access to DHCP profile collectors
• Remember that ClearPass is only the director in this scenario: ClearPass sends role
assignment instructions to the Controller, which allow the Controller to apply the proper
firewall enforcement to the user’s traffic. It is actually the Controller that does the active
enforcement on the user’s traffic.

• In ClearPass, you will need to define the enforcement logic that identifies each of the clients that
fit into the five Firewall User Roles defined above.
• The organization’s requirements are:
  - Users with a valid account in Active Directory that log in from a computer or laptop will be
placed in the employee_full user role on the Controller.
  - If the account is a member of Active Directory and they are connecting with a smart
device, they will get the employee_smart user role.
  - If the user is not in Active Directory but has a contractor role assigned in the local
database on ClearPass, the client will be given the temp_access user role, and only if the client
is a computer.
  - If the user is connecting in any other scenario, they will be given the deny_all user role.
This first task is a planning exercise; you will need to answer the questions below.

The answers for the questions are in the appendix at the end of this lab. It is recommended
that you take some time to work through this exercise and do not just go look at the
answers.

Questions
1. What authentication sources will you be using?

2. How will you know what type of device the user has?

3. Will you need to add authorization sources? If yes, list them.

4. Write out your Role Mapping rules.

5. Will you need to add any new ClearPass Roles?

6. How will you handle Endpoints that have not been profiled yet?

7. Write out your Enforcement Policy rules.

8. Define your Enforcement Profiles.

Task 5-2: Create Local User Account
Objectives
To manage users in the built-in local user database in ClearPass.

Steps
1. Log in to the Aruba Training Lab and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager with the credentials admin / eTIPS123.
4. Expand the Configuration sidebar menu.
5. Expand the Identity submenu, and click on Local Users.
6. To create a new user, click Add in the upper right corner of the Local Users workspace.

7. In the Add Local User pop-up window, configure the following settings:
a. User ID: contractUser
b. Name: Temp User
c. Password: aruba
d. Role: [Contractor]

8. Click Add.

Task 5-3: Create ClearPass Roles


Objectives
To configure ClearPass Roles that can be used to qualify your clients in your services. Using Roles in
ClearPass will make enforcement rules simpler, more consistent, and more intuitive.
You will create the following ClearPass Roles:
• corporate_user
• temp_user
• computer
• smart_phone

Steps
1. Navigate to Configuration > Identity, and click Roles.

2. To add a new role, click the Add link in the upper right corner of the Roles workspace.
3. In the Add New Role window, type in the following:
a. Name: corporate_user
b. Description: this is a corporate user

4. Click Save.
5. Repeat the above steps for the remaining user roles:

a. temp_user
b. computer
c. smart_phone

Task 5-4: Build Role Mapping Rules


Objectives
To build Role Mapping Rules in ClearPass that may be used to simplify enforcement in your services.
To implement the following role mapping logic:
• IF the user is a member of the Active Directory domain “users” group,
THEN assign the corporate_user role.
• IF the user authenticated with the Local User database,
THEN assign the temp_user role.
• IF Endpoint Device category equals “Computer,”
THEN assign the computer role.
• IF Endpoint Device category equals “SmartDevice,”
THEN assign the smart_phone role.

Steps
1. Navigate to Configuration > Identity and select Role Mappings in the sidebar.
2. To add a new role mapping, click the Add link in the upper right corner of the workspace.

3. On the Policy tab, configure the following settings:
a. Policy name: corporate role mapping policy
b. Description: role mapping policy for corporate users
c. Default role: [other]

4. Click on the Mapping Rules tab.


5. Change the Rules Evaluation Algorithm to Select all matches.
This will cause ClearPass to evaluate all of the role mapping rules and may assign more than one
role to the client.
6. To add role mapping rules, click the Add Rule button.

7. In the Rules Editor, enter the following settings, clicking on Save to save each.
a. Rule #1
i. Type: Authorization: Remote Lab AD
ii. Name: UserDN
iii. Operator: CONTAINS
iv. Value: clearpass
v. Role Name: corporate_user

b. Rule #2
i. Type: Authentication
ii. Name: Source
iii. Operator: EQUALS
iv. Value: [Local User Repository]
v. Role Name: temp_user

c. Rule #3
i. Type: Authorization: [Endpoints Repository]
ii. Name: Category
iii. Operator: EQUALS
iv. Value: Computer
v. Role Name: computer

d. Rule #4
i. Type: Authorization: [Endpoints Repository]
ii. Name: Category
iii. Operator: EQUALS
iv. Value: SmartDevice
v. Role Name: smart_phone

8. Click Save to finish the Role Mapping policy

Task 5-5: Configure Enforcement Profiles
Objectives
To configure basic RADIUS Enforcement Profiles. Enforcement Profiles are the action items in a
ClearPass Service. The Enforcement Policy will evaluate the conditions surrounding the authentication
and service process, then based on the Enforcement Policy rules will call up and execute the
Enforcement Profiles.

Steps
1. Navigate to Configuration and the Enforcement submenu.
2. Click on Profiles, and then click on Add in the upper right-hand corner.

3. In the Enforcement Profiles workspace, enter the following settings on the Profile tab:
a. Template: Aruba RADIUS Enforcement
b. Name: assign deny all role
c. Type: RADIUS
d. Action: accept

4. Click the Attributes tab.
5. Click in the line that says, “Enter role here,” and type “deny_all.”

6. Click the save icon .

WARNING: The role names in the Enforcement Profiles must exactly match the User
Role names in the Controller and are case sensitive. If the name value assigned does
not match the User Role in the Controller exactly, the Controller will assign the
default 802.1X User Role.

7. To finish, click Save.


8. Repeat the above steps to add 4 more Enforcement Profiles.
a. Profile #2
i. Name = assign employee full role
ii. Template = Aruba RADIUS enforcement
iii. Attribute = RADIUS: Aruba Aruba-User-Role = “employee_full”
b. Profile #3
i. Name = assign employee smart role
ii. Template = Aruba RADIUS enforcement
iii. Attribute = RADIUS: Aruba Aruba-User-Role = “employee_smart”
c. Profile #4
i. Name = assign temp access role
ii. Template = Aruba RADIUS enforcement
iii. Attribute = RADIUS: Aruba Aruba-User-Role = “temp_access”
d. Profile #5
i. Name = assign profile only role
ii. Template = Aruba RADIUS enforcement
iii. Attribute = RADIUS: Aruba Aruba-User-Role = “profile_only”

Consider naming conventions when you are building your enforcement profiles. A
proper naming convention will help make your enforcement policy rules much more
readable. Consider that while reading the enforcement policy rules that call up the
above named profiles you can easily tell what each profile does from its name.

Review the New Enforcement Profiles


1. In the filter for the Enforcement Profiles screen: set Name: contains “assign,” and press Go.
2. You should see your five new enforcement profiles in the list. There may be others, but that is
okay.

The Aruba User Roles have been built on the Aruba Controller for you. If you wish to
check these, log into your Controller and navigate to Configuration > Roles &
Policies > Roles.

Task 5-6: Configure Enforcement Policies


Objectives
To configure Enforcement Policies that will implement the organization’s access rules. This new
Enforcement Policy will use the Enforcement Profiles and role mappings previously configured.
The Enforcement Policy will have multiple rule sets that will implement the logic required by the
scenario, and call up and execute the appropriate Enforcement Profile.

Steps
1. In the sidebar menu, select Configuration > Enforcement > Policies.
2. To create a new enforcement policy, click the Add link in the upper right-hand corner.
3. On the Enforcement tab, enter the following settings:
a. Name: Aruba wireless enforcement policy
b. Description: Aruba wireless enforcement policy
c. Enforcement Type: RADIUS
d. Default Profile: [Deny Access Profile]

4. To edit the enforcement rules, click Next.
5. On the Rules tab, set Rules Evaluation Algorithm to Select first match.

6. To configure the Rules, click the Add Rule button.


You will implement two rules for each of the IF/THEN conditions in the scenario.
First Condition:
IF ClearPass role equals “corporate_user” AND “computer,”
THEN assign Aruba_User_Role “employee_full.”
7. In the Rules Editor, create two lines.
a. Rule #1
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: corporate_user
b. Rule #2
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: computer
8. For Profile Names, select to add: [RADIUS] assign employee full role.

Compare the enforcement rules in the above example to the IF – THEN statement.
Internally, ClearPass refers to roles and posture as a type labeled “Tips.” The
acronym “TIPS” refers to the original Avenda product called the Trust and Identity
Policy System.

9. To commit the rule, click Save.

Configure the rules for the remaining IF-THEN statements


Condition 2
IF ClearPass role equals “corporate_user” AND “smart_phone,”
THEN assign Aruba_User_Role “employee_smart.”
1. In the rules editor create two lines:
a. Rule #1
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: corporate_user
b. Rule #2
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: smart_phone
2. For Profile Names, select to add: [RADIUS] assign employee smart role

Condition 3
IF ClearPass role equals “temp_user” AND “computer,”
THEN assign Aruba_User_Role “temp_access.”
3. In the rules editor, create two lines:
a. Rule #1
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: temp_user
b. Rule #2
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: computer
4. For Profile Names, select to add: [RADIUS] assign temp access role.

Condition 4:
IF ClearPass role equals “temp_user” AND “smart_phone,”
THEN assign Aruba_User_Role “deny_all.”
5. In the rules editor, create two lines:
a. Rule #1
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: temp_user
b. Rule #2
i. Type: Tips
ii. Name: Role
iii. Operator: EQUALS
iv. Value: smart_phone
6. For Profile Names, select to add: [RADIUS] assign deny all role.

Condition 5:
IF Endpoint: Category does not exist,
THEN assign Aruba_User_Role “profile_only.”
7. In the rules editor, create one line:
a. Rule #1
i. Type: Authorization:[Endpoints Repository]
ii. Name: Category
iii. Operator: NOT_EXISTS
8. For Profile Names, select to add: [RADIUS] assign profile only role.

9. As a good practice, you should move the “not profiled” enforcement rule to the top of the list. To
do this, highlight the “(Authorization: Endpoints Repository: category NOT_EXISTS)” rule and
use the Move Up button.

10. Be sure to click the Save button to finish your new Enforcement Policy.

Answer the Following Questions:


n What enforcement profile would be assigned if a user attempted to connect a client that was
assigned a different Endpoint > Category than computer or smart device?

n What is the advantage to using the “Endpoints Category Exist” rule?

You have finished Lab 5!

Lab Debrief
During this lab, you started with a design exercise to help plan the roles and enforcement you would
build. From this plan, you defined the required ClearPass Roles and Role Mapping Policies. You also
defined the correct Enforcement Profiles that would properly assign the User Roles to the clients when
they connect to the Wireless SSID. Finally, you defined the Enforcement Policy rules required to
implement the access logic requirements.

Task Questions Answered
Task 1
n What authentication sources will you be using?
l Remote lab AD
l Local Users Database
n How will you know what type device the user has?
l You will need to gather the device category profile information about the user’s device
before you can evaluate the enforcement policy properly.
n Will you need to add authorization sources? If yes, list them.
l Yes, you will need authorization sources. You will need to add the endpoints database to
the authorization source for the service.
n Write out your Role Mapping rules.
l IF the user is a member of the Active Directory domain users group,
THEN assign corporate_user role.
l IF the user authenticated with the Local User database,
THEN assign temp_user role.
l IF Endpoint Device category equals “Computer,”
THEN assign computer role.
l IF Endpoint Device category equals “SmartDevice,”
THEN assign smart_phone role.
n Will you need to add any new ClearPass Roles?
l corporate_user
l temp_user
l computer
l smart_phone
n How will you handle endpoints that have not been profiled in ClearPass?
l You can evaluate the endpoint Category attribute with the NOT_EXISTS operator to identify
endpoints that have not been properly profiled yet. Endpoints that do not have profile context
are redirected into the “profile_only” role to allow ClearPass to collect profile data, in this
case DHCP options. This evaluation should be done in the enforcement policy rules, not by
Roles.
n Write out your Enforcement Policy rules.

l Enforcement policy default profile to assign Aruba_User_Role “deny_all.”
o IF Endpoint: Category does not exist,
THEN assign Aruba_User_Role “profile_only.”
o IF ClearPass user role equal “corporate_user” AND “computer,”
THEN assign Aruba_User_Role “employee_full.”
o IF ClearPass user role equal “corporate_user” AND “smart_phone,”
THEN assign Aruba_User_Role “employee_smart.”
o IF ClearPass user role equal “temp_user” AND “computer,”
THEN assign Aruba_User_Role “temp_access.”
o IF ClearPass user role equal “temp_user” AND “smart_phone,”
THEN assign Aruba_User_Role “deny_all.”
n Define your Enforcement Profiles.
l Rule #1
o Name = assign deny all role
o Template = Aruba RADIUS enforcement
o Attribute = RADIUS: Aruba Aruba-User-Role = “deny_all”
l Rule #2
o Name = assign employee full role
o Template = Aruba RADIUS enforcement
o Attribute = RADIUS: Aruba Aruba-User-Role = “employee_full”
l Rule #3
o Name = assign employee smart role
o Template = Aruba RADIUS enforcement
o Attribute = RADIUS: Aruba Aruba-User-Role = “employee_smart”
l Rule #4
o Name = assign temp access role
o Template = Aruba RADIUS enforcement
o Attribute = RADIUS: Aruba Aruba-User-Role = “temp_access”
l Rule #5
o Name = assign profile only role
o Template = Aruba RADIUS enforcement
o Attribute = RADIUS: Aruba Aruba-User-Role = “profile_only”

Task 6
n What enforcement profile would be assigned if a user attempted to connect a client that
was assigned a different Endpoint > Category than computer or smart device?
l The client would not match any of the rules in the enforcement policy and would be
assigned the “default profile.” You set the default profile to “deny access,” which sends a
RADIUS reject message to the NAD.
n What is the advantage to using the “Endpoints Category Exist” rule?
l The “IS_Profiled” flag can be ambiguous. It gets set as true anytime any profile data is
written for the endpoint. The data you are evaluating may not exist but other profile data that
you do not care about may have set the flag.


Lab 6: Configuring Services


In the previous labs, you have staged the requirements for this lab. In Lab 2, you established the
Authentication Sources that ClearPass will use to verify the user’s account and credentials. This is your
Active Directory Authentication Source. In Lab 3, you established the relationship between the Aruba
Mobility Controller and ClearPass, so that the Mobility Controller can send authentication requests to
ClearPass. In Lab 4, you explored Endpoint Profiling, which allows ClearPass to categorize your client
devices and properly process them in your service. And in Lab 5, you built the Role Mapping and
Enforcement Policies that will become the logic in your service.
Upon completion of this lab, you will have the knowledge to plan and design a basic service structure in
ClearPass as well as to configure and test this service.

Task 6-1: Plan your Services


Objectives
To design the services required for the implementation.
To expand the scenario from the last lab:
n You have a simple wireless network that uses 802.1X authentication. The SSID name is in the
format of “secure{pod #}-{table #}” (e.g., pod 5, table 1 = secure5-1).
n If you want to confirm your SSID names, open the console for your Aruba 7030 MC in the remote
lab, and run the command “show ap essid.”
n In this scenario, all users will authenticate with a username and password.
n This network will use the same access logic developed in the last lab.
n The first task is a planning exercise, so you will need to answer the questions.

The answers for the questions are in the appendix at the end of this lab. Aruba
recommends that you take some time to work through this exercise and do not just go look at the
answers.

Questions
1. What type of a service will you be creating?

2. What service selection rules will you need for this service?

3. What authentication sources will you need to list? List these in order.

4. What authentication methods will you be using?

5. Will you need to add authorization sources? If yes list them.

6. How will the service handle profiling endpoints?

Task 6-2: Configure the Aruba Wireless 802.1X Service
Objectives
n To understand all of the mechanics involved in building a service to process 802.1X
authentication.
n To configure a service from scratch.
n To put all the pieces together to create a service without using a wizard.

Steps
1. To open the Services workspace, expand Configuration in the sidebar menu, and click Services.
2. To add a new service, click the Add link in the upper right corner.

3. In the Services window, select Aruba 802.1X Wireless for the type.
4. In the name field, type: “Aruba 802.1X Secure Wireless.”
5. In the Service Rules, change line 3:
a. From: RADIUS: Aruba Aruba-Essid-name EXISTS
b. To: RADIUS: Aruba Aruba-Essid-name CONTAINS “secure”

The scenario requires that the service authorizes against endpoint profile context from the
Endpoints database. To do this you will need to add the Endpoints Database to the service and also
instruct the service to monitor the state of the client’s profiled data post authentication. If the
client’s profile data changes post authentication the service can react to it.
6. You need to add the Authorization tab and the Profiler tab. On the service page, under More
Options, check the box Authorization and Profile Endpoints.

7. Click Next to move to the Authentication tab.


8. Under Authentication Methods, remove everything except EAP-PEAP.
9. Under authentication sources, select to add Remote Lab AD and [Local User Repository].

10. Click Next to advance to the Authorization tab.
11. To import endpoint profile context into the service, select [Endpoints Repository] under
Additional Authorization Sources.

Take note of the fact that both the Remote Lab AD and the Local User Repository
are already part of the Authorization Sources. This is because ClearPass will always
attempt to gather authorization attributes from any servers placed in the additional
authentication source list.

12. Click Next to advance to the Roles tab.
13. In the Role Mapping Policy drop-down box, select corporate role mapping policy.

14. Click Next to advance to the Enforcement tab.
15. In the Enforcement Policy drop-down box, select Aruba wireless enforcement policy.

16. Click Next to advance to the Profiler tab.


17. In the Endpoint Classification selection box, choose Any Category / OS Family / Name.
18. Under RADIUS CoA Action, select [ArubaOS Wireless – Terminate Session].

Adding the Profiler tab to the service causes ClearPass to keep monitoring any endpoint
that has authenticated through this service for changes in profile status after it has
authenticated. The RADIUS CoA (Dynamic Authorization) Action causes the Network Access
Device to disconnect the client, which forces it to re-authenticate and lets you apply a
new enforcement when the profile data changes.

19. Click Next to review the Summary tab.


20. Click Save to complete the service creation.
21. You will want to reorder the service’s list to put your new service at the top. To do this, click the
Reorder button in the lower right corner of the screen.

22. Click your new service – Aruba 802.1X Secure Wireless. Then, hover your mouse over the first
position in the list. When you get a message saying “Move to 1st Position,” click, and the service
will move up in the list.

23. Click Save.

Task 6-3: Testing a Failed Authentication Request


Objectives
n To use the tools provided in ClearPass to troubleshoot access requests.
n To test the connection between the Aruba Mobility Controller and ClearPass. You will change the
shared secret in ClearPass forcing it to fail. You will then look at the results, and come back to fix
the problem, and see a different result.

During this task, you will not get a successful authentication. The point of this task is to
lead you through some of the troubleshooting tools that you will use.

Steps
1. To disable the Aruba Controller’s access in ClearPass, navigate to Configuration > Network, and
click Devices.

2. Click the Aruba Controller to open the Edit Device Details screen.
3. In the Edit Device Details screen, change the RADIUS shared secret to “test.”
4. Click Save.

5. On your Wired MGMT Client desktop, open a new browser tab to the IP address of your Aruba
Controller (10.1.X0.100, where X is your table number).
6. Log into the Controller with your admin credentials: admin / admin1.
7. In the sidebar menu of the Mobility Controller, expand Diagnostics and the submenu Tools.
8. In the workspace, select the AAA Server Test tab.
9. Pull down the Server Name menu, and select ClearPass.
10. For the username and password, type in user / password.
11. To submit, click Test.

This test will fail. It will fail for one of two reasons: (1) if you get a timeout error then
the Controller cannot contact ClearPass at all, and you have a communication
problem; or (2) ClearPass will reject the RADIUS request from the Controller because of
the mismatched passphrase. Reason number two is the more likely reason for failure.

12. In the bottom portion of the test screen, take a look at the Attribute Value Pairs in Response
section.
The Controller has a new feature that will show you the RADIUS attributes that were sent with
this test request. In the first section of attribute value pairs consider your service selection rules,
specifically NAS-port-type and Service Type.

13. Scroll down the attribute value list to the bottom.


In the bottom section, you will find the Aruba-specific attributes. Please note that this is a test
message sent from the Controller, so any wireless-specific settings will be blank.

14. Return to your browser window for ClearPass. You may need to log in again.
15. Expand the Monitoring menu, and click Event Viewer.

16. In the Event Viewer workspace, look for recent RADIUS error messages.
17. Open one of the messages by clicking on it. You should see that ClearPass rejected the test
RADIUS request due to a possible shared secret mismatch error.

18. Close the error message window.

You will use the Event Viewer to investigate system events or errors. In this case, the
system rejected the authentication request from the Mobility Controller, so it made
an entry in the Event Viewer. The Event Viewer is the go-to when you do not see
requests logged into Access Tracker.

Fix the Shared Secret on the Network Device


1. Navigate to Configuration > Network, and click Devices.

2. Click the Aruba Controller to open the Edit Device Details screen.
3. In the edit device details screen, change the RADIUS shared secret to “aruba123.”

4. Click Save.

Rerun the AAA Server Test


1. Return to the browser tab for the Mobility Controller, and log in if it requests.
2. In the sidebar menu of the Mobility Controller, expand Diagnostics and the submenu Tools.
3. In the workspace, select AAA Server Test.
4. Pull down the Server Name menu, and select ClearPass.
5. For the username and password, type in user / password.
6. To submit, click Test.

This test will fail. In this case, the test will fail because ClearPass cannot find a service
to process the request. The Aruba Controller tags the test request as a wireless type
request, but it does not send an Aruba-ESSID-Name attribute. The service you built
must have an ESSID name that contains “secure.”

7. Return to the browser window for ClearPass, and log in again, if necessary.

8. Expand Monitoring on the sidebar menu, and select the Live Monitoring submenu. Then, click
Access Tracker.

9. Find the RADIUS request from your test user.
10. Click it to open the Request Details.
11. On the Request Details pop-up window, click the Alerts tab.

12. Take notice that the reason this request was rejected is a “Service Categorization Failed” error.
This means that there was no service configured for the characteristics of this request.

13. In Request Details, click the Input tab, and expand the section for RADIUS Request.

The RADIUS Request section exposes the actual RADIUS attributes sent by the
Network Access Device. Often, you can use the information exposed here to fine-tune
your Service Selection Rules. Notice that this request failed because it did not contain
an Aruba-ESSID-Name, and that is one of the requirements for your service selection
rules in the service you created.

14. Close the request details.

Task 6-4: Testing the Aruba Wireless 802.1X Service


Objectives
n To test your 802.1X service and give you an opportunity to look at all of the information exposed
in Access Tracker about the service request.

n To use a virtual Windows 10 client. Unfortunately, there is no way to test your smart device rules
and enforcement due to the fact that there are no remote smart devices in the lab.

This lab is designed to test role assignments and profile capabilities. To make this cleaner
you will want to delete all of the current endpoints at the beginning of the lab, so that you
start with a clean un-profiled endpoint.

Steps

Clean out the endpoints database
1. Return to your browser window for ClearPass.
2. Navigate to Configuration > Identity, and click Endpoints.
3. Select all of the endpoints by clicking the Select Box next to the title MAC Address.
4. Scroll to the bottom right of the screen and click the Delete button. You may need to repeat this
to delete all of the endpoints.

The next time that ClearPass polls the MDM server, it will pull in all of the MDM
managed endpoints again. This is okay. It was easier to delete everything rather than to
search for a single MAC address.

Set Up a Wireless Network Profile on the Wireless Client


1. From the Aruba Training Lab dashboard, open the Wireless Test Client desktop.
2. Click the Network Icon in the tool tray, and open Network and Internet Settings.

3. Click WiFi on the left side of the screen.
4. Click Network and Sharing Center under Related Settings.

5. In the Network and Sharing Center, select Set up a New Connection or Network.
6. Under Choose a Connection Option, select Manually Connect to a Wireless Network.
7. Click Next.
8. Enter the following information:
a. Network name: secure{pod #}-{table X} (for example, secure5-1)
b. Security Type: WPA2-Enterprise

9. Click Next.
10. Select Change Connection Settings in the successfully added message window.

11. Click the Security Tab.

12. Click Settings next to the Network Authentication Method.
13. In the Protected EAP Properties window, check the Verify the server’s identity by validating
the certificate.
14. Under Trusted Root Certification Authorities, scroll down and select both
training-ARUBA-AD-CA entries.
15. Select Do not ask user to authorize new servers or trusted CAs at the Notifications before
connecting drop-down menu.

Validating the RADIUS server identity is a best practice and is recommended. Without
server identity validation, an attacker could impersonate the RADIUS server in a
man-in-the-middle attack and capture users' credentials.
Setting the notification option to not ask prevents users from mistakenly accepting an
unknown certificate.
The certificate can be added manually on computers that are not part of the domain, or a
solution like ClearPass Onboard can handle the certificate provisioning.

16. Scroll down, and click Configure.
17. Uncheck the setting for Automatically use my windows logon name.

18. Click OK, then OK again, to save and return to the Security tab.


19. Uncheck the select box for Remember my credentials for this connection each time I’m
logged on.

20. Click Advanced Settings.
21. Check Specify authentication mode, and select User authentication.

22. Click OK, then OK, and then Close to finish and save the settings.

Test the Temporary User
This test uses the “contractUser” from the internal database on ClearPass. You created this user in an
earlier lab.
1. Pull down the network list from the tool tray, and connect to your secure SSID with User =
contractUser / Password = aruba.

2. Once the client has authenticated to the wireless network, return to Wired MGMT Client, and
open the browser tab for ClearPass1.
3. Expand the Monitoring sidebar menu, and expand the Live Monitoring submenu. Click Access
Tracker.

4. Find the first entry for your user based on its timestamp, and click it to open.

You should see two entries for your authentication. If you only have one entry in
Access Tracker, return to Wireless Test Client to make sure the client is still
connected. If it is not, reconnect.

There is a lot of important information in the Request Details Summary panel.


Take note of the following data:
n Login Status:

n Username:

n Service:

n Authentication Source:

n Roles:

n Enforcement Profiles:

You will want to pay extra attention to the Roles for troubleshooting.
5. Click the Alerts tab.

a. What is significant about the alert: “Failed to get value for attributes = [Category]”?

6. Click the RADIUS Dynamic Authorization tab, and take note of the status message. It should
show as successful for the client.

7. Click the Input tab, and expand the RADIUS Request section.

Take note of the Aruba-specific RADIUS information that is now part of this access
tracker entry.

8. Click the Output tab and expand the RADIUS Response section.

9. Close the Request Details.


10. Click the second request in access tracker (the one with the most recent timestamp).

11. Click the Input tab. Take note of the Authorization Attributes section which has been added to
this request. Expand the Authorization Attributes section.

a. Why is the Authorization Attributes section included on this request?

12. Click the Output tab, and expand the RADIUS Response section.

13. Close the Request Details.

Test the Active Directory User


1. On your wireless client, expand the network icon, and disconnect your wireless network.

2. Reconnect to the wireless network with the credentials:

a. Username: employee
b. Password: aruba123

3. Return to Wired MGMT Client, and open the browser tab to ClearPass1.
4. Open Access Tracker, and find your “employee” account authentication. Open it to view the
details.
5. Take note of the Authentication Source and Enforcement Profiles.

6. Click the Input tab.
7. Expand the Authorization Attributes section, and scroll down.
Take note of the Active Directory authorization attributes that were collected during the service
process. Notice that the home country and zip code attributes that you added to the
authentication source LDAP attributes have been picked up by the service.

8. On the Input tab, scroll down, and expand the Endpoint Attributes section. Scrolling through
the endpoint attributes, you will see all of the endpoint profiler information as well as the
fingerprints for this client.

9. Close the Request Details.
You have finished Lab 6!

Lab Debrief
Task Questions Answered
Task 1
n What type of a service will you be creating?
802.1X Wireless or Aruba 802.1X Wireless
n What service selection rules will you need for this service?
RADIUS: IETF NAS-Port-Type = Wireless
RADIUS: IETF Service-Type = Login-User
RADIUS: Aruba Aruba-Essid-Name contains “secure”
n What authentication sources will you need to list? List these in order.
Remote lab AD
Local Users Database

Because users exist in both of the authentication servers, the Remote Lab AD and
the ClearPass Local User database, you will need to use both of the sources in your
service. By listing the Remote Lab AD first, ClearPass will check that authentication
source first, and if the account does not exist, it will check the Local User database. It
is important to put the most heavily used authentication source at the top.

n What authentication methods will you be using?


All that is needed is EAP-PEAP because everything is authenticated with username and
password.
n Will you need to add authorization sources? If yes, list them.
Yes, you will need authorization sources. You will need to add the Endpoints Database to the
authorization source for the service.
n How will the service handle profiling Endpoints?
You will need to add the profiler tab to the service. You will set this up so that any change of
profile data will trigger a Change-of-Authorization Aruba Terminate Session and cause the endpoint
to re-authenticate. This will allow the service to deal with endpoints that fail the Category Exist
test and get placed into the Profile_only role.

Task 4
n Step 26 – Take note of the following data:
Login Status: ACCEPT
Username: contractUser
Service: Aruba 802.1X Secure Wireless
Authentication Source: Local:localhost
Roles: [Contractor], [User Authenticated], temp_user
Enforcement
Profiles: assign profile only role
n Step 27 – What is significant about the alert: “Failed to get value for attributes =
[Category]”?
This alert fired because the service was not able to recover the endpoint attribute “category.”
This is essentially an indicator that the endpoint had not been profiled when this service request
ran.
n Step 33 – Why is there the authorization attributes section on this request but not on the
previous request?

  This second request includes the profile information that was gathered after the first request. The timeline works like this:
  - The new endpoint authenticates to the network, and this triggers an entry in Access Tracker.
  - Because there is no profile data for the endpoint, ClearPass instructs the network access device to place the client into the limited-access profile-only role, which allows the client to execute a DHCP request.
  - Once ClearPass receives the DHCP request forwarded by the network access device, it reads the profile data and updates the endpoint’s profile information.
  - The profiler tab will detect that the endpoint profile has changed and execute the RADIUS Dynamic Authorization action Aruba Terminate Session.
  - The network access device will disconnect the client, and the client will automatically reconnect and authenticate a second time.
  - This shows up in Access Tracker as a second request, only this time the request has the required endpoint category.

Lab 7: Web Services



In this lab, you will explore the web services that ClearPass provides and build a simple informational
page to display to your users that fail health checks as well as customize one of the built-in skins. The
web services content manager in ClearPass is highly functional and convenient for creating simple
informational pages.

Task 7-1: Upload a File into Content Manager


Objectives
- To gain experience working with the online content in ClearPass Guest. The Content Manager
allows you to upload images and files that you can use on your informational or guest access
webpages. This is a simple way for you to customize your web presence without a lot of custom
code.

Steps
1. Log in to the Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1 to open the launch
page.
3. On the launch page, select the button for ClearPass Guest.

4. Log in to the ClearPass Guest with the credentials admin / eTIPS123.

If you are already logged into the Policy Manager, you can use the menu in the upper
right corner of the screen to switch between the Policy Manager interface and
ClearPass Guest.

5. Navigate to Configuration > Content Manager, and click Public Files.

Upload a New Logo File
1. Click the link “Upload New Content.”

2. Click the Choose Files button, and look in the Table X Student Folder > Images on the desktop
of Wired MGMT Client for a file called cpe_6.7.jpg.
3. Click Upload Content.
4. Expand the newly uploaded file in the menu, and click Quick View.

Task 7-2: Customize Built-in Skins
Objectives
To customize the look and feel of your webpages. The advantage of skins is that they give you a unified look and feel across all of your pages by selecting a common template for each page.
To modify the built-in Galleria skin to provide a custom look and feel to your pages.

Steps
1. Expand Configuration on the sidebar menu, and then expand the submenu Pages.
2. Click Web Pages.
3. Click the menu listing for the Service Unavailable page, and expand.
4. Click Edit to view the current applied skin.
5. Scroll down the page, and under the option for *Skin, select ClearPass Guest Skin.
6. Scroll to the bottom, and select Save Changes.


7. Click the menu listing for the Service Unavailable page, and expand.
8. To preview the page, click Launch.

9. A new browser tab will open with the Service Unavailable Page.
10. Take note of the general style of the page and the title in the browser tab.

11. Close the Preview tab.
12. Click Edit for the Service Unavailable page.
13. Scroll down the page, and under the option for *Skin select Galleria Skin.

Using the Galleria Skin might adversely impact performance on the wireless client. If
you notice that your client is not responsive when testing the Captive Portal, you can
change the skin to default.

14. Scroll to the bottom of the page, and select Save Changes.
15. Preview the Service Unavailable page again.

The Galleria Skin contains high-resolution graphics backgrounds. If you have a slow internet link or long ping times to the lab, you will notice after installing the Galleria Skin that the browser window slows considerably. If this occurs, change to one of the other skins, such as the “Aruba Guest Skin.”

The Galleria Skin has a dark background theme and rotates between background
images that you can change. It also adds to the title on the browser tab.

Modify the Galleria Skin


1. Close the Preview tab.
2. Expand Administration in the sidebar menu.
3. Click Plugin Manager.
4. In the workspace, click the header menu link for Skin Plugins.

5. To edit the Galleria skin, click the Configuration link under its name.

Using the Galleria Skin could adversely impact performance on the wireless client. If
you notice that your client is not responsive when testing the Captive Portal, you can
change the skin to the default.

6. Under Version:, select the option for Version 2 (2019 Recommended).


7. Scroll down, and edit the Title Prefix:
From: Galleria WiFi
To: Education Services
This will change the Title in the browser tab.

8. Scroll down to the Logo option, and select cpe_6.7.jpg. This will add a logo image to the page.
9. Scroll down to the Guest Background Mode: option, and select Single Solid Color.

10. Scroll down to the Guest Content Header: section, and change the first line of text to: Guest
Access. This will change the text in the page header.

11. Scroll to the bottom of the page, and click Save Configuration.

Preview the Service Unavailable page again.
1. Navigate to Configuration > Pages > Web Pages.
2. Expand the menu for Service Unavailable.
3. Click the link for Launch.

4. Close the preview browser tab.

Task 7-3: Customize the Service Unavailable Page


Objectives
To make some basic changes to the Service Unavailable webpage.

Steps
1. Navigate to Configuration > Pages > Web Pages.
2. Expand the menu for Service Unavailable.
3. Click the link for Edit.
4. Scroll down to the HTML edit box.
5. Insert the following text just before the closing “div” tag (</div>).
<p>
<strong>This is some extra text added to the page</strong>
</p>

6. With your cursor just before the closing </div> tag, open the “Insert” selection, and select the
page link “Browser Unsupported.”

7. Scroll down, and select Save Changes.


8. Preview the Service Unavailable page again, and take note of the added text and link.

9. Close the Preview page.
You have finished Lab 7!

Lab Debrief
During this lab exercise, you got a feel for how you can modify ClearPass web services using the Content Manager to upload your own images and logos. You are also able to customize the basic skins that come with ClearPass to add some personalization to your webpages. For a fully customized look and feel, Aruba Networks offers a custom skin service.

Lab 8a: Guest Authentication


Task 8a-1: Create Web Login Page


Objectives
- To create a simple web login page to use to test captive portal authentication.

Steps
1. Log in to Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and browse to the IP address of ClearPass1 to open
the launch page.
3. On the launch page, select the button for ClearPass Guest.

4. Log in to the ClearPass Guest with the credentials admin / eTIPS123.


5. Navigate to the web login configuration page at Configuration > Pages > Web Logins.

6. Create a New Web Login page by clicking on Create a new web login page link in top right
corner.

7. Configure as follows:
a. Name: Guest Network
b. Page Name: arubalogin (This will set the URL for login to: https://<your ClearPass server>/guest/arubalogin.php)
c. Vendor Settings: Aruba
d. Address: captiveportal-login.arubatraininglab.com

The address change is required because, in the lab environment, the Controller has a new wildcard certificate for the domain arubatraininglab.com. If you were using a certificate with a fully qualified common name, you would place that name in the address field. This is required to properly facilitate the credentials post operation, where the client’s browser sends the credentials to the Controller using this address.

8. Scroll down, and modify the settings under Login Form.
a. Authentication: Credentials – Require a username and password (default)
b. Pre-Auth Check: RADIUS – Check using a RADIUS request

As good practice, you should normally enable pre-auth checks to ensure a good user experience. The default application-based pre-auth check requires an application service to process it. By changing to a RADIUS pre-auth check, the same service that processes the guest login will also process the pre-auth check.

9. Below the ‘Login Page’ heading you can customize the look of the page:

a. Login Page
i. Skin: Galleria Skin – The skin will modify the overall look and feel of the page.
ii. Title: Login Page – The title will change the page title displayed in the guest user’s
browser.

Using the Galleria Skin might adversely impact performance on the wireless client. If
you notice that your client is unresponsive when testing the captive portal, you can
change the skin to default.

10. Scroll to the bottom of the page, and click Save Changes to commit the configuration of the web
login page. This could take a minute or so as ClearPass generates your new pages in the web
server.
11. Now you should see your new web login page created.
12. Click Launch to view the page.

13. This should open a new tab in your browser that shows the completed guest web login page.
This is the page that users will see when they log in.

14. Close the preview browser tab.

Task 8a-2: Create a Guest Account


Objectives
- To create a guest account to use to test the new web login page.

Steps
1. Navigate to Guest > Create Account.

2. Enter the details below:

a. Guest’s Name: myguest
b. Company name: myCompany
c. Email Address: mg@myc.com
d. Account Activation: Now
e. Account Expiration: 1 week from now
f. Account Role: [Guest]
g. Terms of Use: Marked

3. Click the Create New Guest Account button to save the new guest account:

What is your new guest account password?

Task 8a-3: Create Services for Guest in Policy Manager


Objectives
- To create a guest service to authenticate guest users.

Steps
1. Use the Menu in the upper right corner of the Guest Workspace to navigate to ClearPass Policy
Manager.
2. Log in with admin / eTIPS123, if required.

3. Navigate to Configuration > Service Templates & Wizards.


4. Scroll down, and select the Guest Access template.

5. Fill it in with the following details:
a. Name Prefix: Lab 8
6. Click Next to go to the Wireless Network Settings tab.
a. Wireless SSID for Guest access: guest#-X (where # is your pod, and X is your table)
Example: guest5-1.

7. Click Add Service, which will close the wizard.


8. Click Services in the sidebar menu.
9. Open Lab 8 Guest Access to edit.

10. Look on the Summary tab. Make sure that the [Guest User Repository] is listed as the authentication source.

11. Click the Enforcement tab.

The Service Template creates several Enforcement Profiles to assign to users, including Lab 8 session timeout, Lab 8 bandwidth limit, etc. All of these Enforcement Profiles serve different purposes, such as setting session time limits and bandwidth limits for guests on the network.

Add an Aruba Role assignment Enforcement Profile
1. Click the “Modify” button on the Enforcement tab.
2. Click the Enforcement tab on the Enforcement Policies Edit page.
3. To add a new Enforcement Profile, click the Add New Enforcement Profile link.

4. In the new Enforcement Profile screen, add the following:


a. Template: Aruba RADIUS Enforcement
b. Name: Assign Guest Role

5. Click Next.
6. On the Attributes tab, under Value, click the words Enter Role Here. Enter the role name
“guest” (note that this is case-sensitive).

7. Click the Save icon to save the attribute.
8. Click Save to save the Enforcement Profile.
9. In the Enforcement Policy, click the Rules tab.
10. Click the rule in the list, and select Edit Rule button.

11. In the rules editor, select the RADIUS Assign Guest Role profile, and add it to the list in Profile
Names.

12. Click Save to save the changes to the rule.


13. Click Save to save the Enforcement Policy.

NOTE: Ignore the warning “Note: This Service is created by Service Template.”

14. Click Save to save changes to the Lab 8 Guest Access service.
15. Click Reorder to move the new guest access service to the top of the list.
16. Move the Guest Access service to the first position.
17. Click Save. Your service configuration is now complete.

Task 8a-4: Configure Aruba Controller for Guest


Objectives
- To ensure that your Controller is set up to redirect clients to the Guest Web Login Page.

Steps
1. On Wired MGMT Client, open a web browser, and access your Mobility Controller’s web interface at: http://10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1
3. Navigate to Configuration > Authentication in the sidebar menu.
4. Select the L3 Authentication tab in the workspace.
5. Click the + next to Captive Portal Authentication Profile to expand.
6. Click Guest#-X-cp_prof to edit.

7. Add the login page URL in the Login Page: option


https://TT-CPPM1.aruba-training.com/guest/arubalogin.php
Where T = your table number
For example, https://T14-CPPM1.aruba-training.com/guest/arubalogin.php for table 14.

8. Click Submit in the lower right corner of the screen.
9. Click Pending Changes in the upper right corner of the screen.
10. To save your edits, click Deploy Changes.
You are now ready to test authentication on your guest network.

Task 8a-5: Test the Web Login Page
Objectives
- To test your guest captive portal page and guest authentication service.

Steps
Set Up a “Wireless Network Profile” on the Wireless Client

In this lab, you will manually set up a wireless network connection in Windows 10. This will
make it easier to find your guest network in the list.

1. From the Aruba Training Labs control panel, open the Wireless Test Client.
2. Click the Network Icon in the tool tray, and open Network and Internet Settings.

3. Click Wi-Fi on the left side of the screen.
4. Click Network and Sharing Center (scroll down to Related Settings).

5. In the Network and Sharing Center, select Set up a New Connection or Network.
6. Under Choose a Connection Option, select Manually Connect to a Wireless Network.
7. Click Next.
8. Enter the following information.
a. Network name: guestP-T (your guest SSID name)
b. Security type: No authentication (open)

9. Click Next.
10. Click Close.
11. Close the network configuration screens.
12. When you click the Network Icon in the virtual desktop, you should see your guest SSID listed
near the top.
13. Select your guest SSID and click Connect.

14. Open the Edge Browser on Wireless Test Client.
15. Browse to the address of the Windows server in the lab: 10.254.1.21.
16. This page will redirect to the Login Page.
17. Before you select the option, go to your start page, and take note of the URL that the browser is
attempting to open.

TIP: If the browser connects to 10.254.1.21 and displays a Microsoft IIS splash page, go back to “Change Adapter settings” in Network and Sharing Center and check to make sure that Lab NIC is disabled.

18. Answer the following questions:


- Why do you get this certificate error?

- How can you prevent guests from seeing this certificate error in your deployment?

If you use a different browser, the process will be slightly different, but you will need
to accept the certificate (again, this will be different depending on the browser you
use), and then log in.

19. Log in to the guest login page:


a. Username: mg@myc.com
b. Password: {your password from when you created the account}

20. Click the Log In button.
21. After you have logged in, your browser will be redirected to an “Authentication Successful” message for 10 seconds. This page is from the Aruba Controller.
22. Quickly take note of the URL in the browser. This should be the URL you entered in the vendor
settings on the web login page.

Investigate the Authentication Request in ClearPass
1. Reconnect to your Wired MGMT Client desktop.
2. Open a browser, and connect to ClearPass1.
3. Log into your ClearPass Policy Manager.
4. Expand Monitoring in the sidebar menu, and then expand Live Monitoring in the submenu.
5. Click Access Tracker. You should see two entries for your guest login.

6. Answer the following question:

- Why are there two authentication requests when your client only logs in one time?

7. Click the lower RADIUS request in the list to open the Request Details.
8. Answer the following questions:

- What is the Access Device?

- What Roles have been assigned?

- What is the significance of the role “User Authenticated”?

9. Close the Request Details.


10. Open the newest RADIUS request to view the Request Details.
11. Answer the following questions:

- What is the Access Device?

- What is the Authentication Source?

- What is the Authorization Source?

12. Click the Input tab in the request details.


13. Click to expand the RADIUS Request shade.
14. Answer the following questions:
- What SSID did this request come from?

- What is the client’s IP address?

15. Click the Output tab.
16. Expand the RADIUS Response shade.
17. Answer the following question:
- What Aruba user role was sent for the client?

You have completed Lab 8a!

Lab Debrief
During this lab, you configured a guest logon page, including modified vendor settings because the Aruba Controller has a wildcard certificate installed. You also configured the captive portal profile in the Aruba Controller to redirect pre-authenticated guest users to your web login page and built a service to handle the authentication request from the Controller. Finally, you tested your captive portal guest logon and viewed the troubleshooting information in Access Tracker.

Task Questions Answered


Task 5
- Why do you get this certificate error?
  - You will get this error because the HTTPS certificate on ClearPass is self-signed and not trusted.
- How can you prevent guests from seeing this certificate error in your deployment?
  - You should replace the self-signed certificate and install a properly formatted HTTPS certificate on all of your ClearPass servers.
- Why are there two authentication requests when your client only logs in one time?
  - Looking at the timestamps, you will notice that these two authentication requests were seconds apart. The first request is the Pre-Auth sent as a RADIUS request from the ClearPass web login page. The second request is the actual RADIUS request from the Controller on behalf of the client.
- What is the Access Device?
  - Because this is the pre-authentication request, the access device is actually ClearPass Guest, so it shows up as the localhost.
- What roles have been assigned?
  - You should see the guest role and the [User Authenticated] role.
- What is the significance of the role “User Authenticated”?
  - Anytime you see the User Authenticated role assigned in Access Tracker, it is an indicator that the authentication request passed. This means that the user’s credentials checked out, but they may still fail the enforcement in the service and get denied access to the resource.
- What is the Access Device?
  - This request came from your Aruba Controller.
- What is the Authentication Source?

  - The service used the local guest database and refers to it in the Authentication Sources as Local:localhost.
- What is the Authorization Source?
  - The service used the Guest User Repository as an authorization source. This is actually the same as the authentication source.
- What SSID did this request come from?
  - You should see your guest SSID listed here; in the example, it is guest5-1.
- What is the client’s IP address?
  - This will be a 192.168 address and will differ from table to table. It is listed as the Framed-IP-Address.
- What Aruba user role was sent for the client?
  - When you created the service for guest access, you added an Enforcement Profile to assign the “guest” role. The assignment of that role is reflected here.

Lab 8b: Guest Authentication with MAC Caching


Task 8b-1: Create MAC Authentication Service


Objectives
- To create guest access and MAC authentication services in the policy manager using the service templates.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Click Service Templates & Wizards.
6. Scroll down the list, and click Guest Authentication with MAC Caching to open the service template.

7. Fill in the template as follows:


- Name Prefix: Lab 8B
  Next
- Wireless Network Settings
  Wireless SSID for Guest Access: (your guest SSID name)
  Next
- MAC Caching Settings
  Cache duration for Guest role: One Day
  Next
- Skip Posture Settings
  Next
- Access Restrictions
  Enforcement Type: Aruba Role Enforcement
  Captive Portal Access: guest#-X-guest-logon {#=Pod and X=Table}
  Maximum number of devices allowed per user: 5
  Guest Access: guest

The setting for Captive Portal Access: is the name of the pre-authenticated guest
access role configured in the guest AAA profile on the Controller. Likewise, Employee
Access, Guest Access, and Contractor Access would be the name of the appropriate
role assigned to the guest user on the Controller.

8. Click Add Service.


9. Click Reorder.
10. Move the two “Lab 8B …” services to the top.
11. Click Save.

12. Disable the “Lab 8 Guest Access” service by clicking the green checkmark under status to make it turn into a red stop sign.

Examine the Settings Created by the Template


1. Click the Lab 8B User Authentication with MAC Caching service.
2. Navigate to the Authentication tab.
3. Answer the following question:
- What is the Authentication Source used for this service?

4. Navigate to the Authorization tab.


5. Answer the following question:
- What are the authorization sources used for this service?

6. Navigate to the Enforcement tab.


7. Answer the following question:
- What is the condition ‘Authorization: [Endpoints Repository]: Unique-Device-Count GREATER_THAN 5’ used for?

Remove the Unnecessary Enforcement Profiles
1. Click Modify to edit the enforcement policy.
2. Navigate to Rules tab.
3. Edit the last rule.

4. Remove all the enforcement profiles except for:


[Post Authentication] Lab 8B Guest MAC Caching and
[Post Authentication] [Update Endpoint Known] and
[RADIUS] Lab 8B Guest Profile

5. Click Save to close the Rules Editor.


6. Click Save again to save the Enforcement Policy.
7. Click Save to save the service.

8. Answer the following question:
- What is the Update Endpoint Known enforcement profile used for? Take a look at it to understand.

9. Navigate to the Enforcement Profiles submenu under the Configuration sidebar menu.
10. Select the [Update Endpoint Known] enforcement profile – use the filter feature to quickly find
the profile.
11. Answer the following question:
- Based on what you see here, what do you think is the purpose of this enforcement profile in the context of MAC caching?

12. Now, navigate back to Services.


You will now modify the MAC authentication service to use the Allow-All MAC auth method and configure it to do authorization to ensure that the MAC address belongs to a valid guest user.
13. Select the Lab 8B MAC Authentication service.
14. Click the Authentication tab.


15. Answer the following questions:

- What is the Authentication Source used for this service?

- With the [Allow All MAC Auth] method, how will access to the guest network be controlled?

16. Click the Authorization tab.


17. Answer the following questions:
- What are the authorization sources used for this service?

- What Context does each contribute?

18. Click the Time Source authorization source, and select View Details.

19. Answer the following question:
- What is the Database Name used for this lookup?

You should have already enabled Insight under Administration > Server Manager
> Server Configuration during a previous lab. Therefore, your authorization check
of the Insight Repository in this service will work.

20. Close the Policy Manager Entity Details screen.


21. Navigate to the Enforcement tab.


22. Answer the following questions:

- Can you explain the conditions listed?

- What is the significance of the [MAC Caching] ClearPass role?

23. Navigate back to the Roles tab.

24. Answer the following questions:


- How does the [MAC Caching] ClearPass role get assigned?

- Explain the difference between “account expired equals false” and “Now DT less than endpoint: MAC-Auth Expiry.”

25. Click Save to close the service editor. Your service configuration is now complete.
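The decisions the two Lab 8B services make, modelled as an added example that is not ClearPass code: the Endpoint and GuestAccount classes are constructed stand-ins for the Endpoints Repository and the Guest User Repository, the MAC address and timestamps are made up, and the assumption that Unique-Device-Count is evaluated with the device being logged in included is labelled in the code.

```python
"""Model of the decisions made by the two Lab 8B services (MAC Authentication
and User Authentication with MAC Caching). Added example, not ClearPass code:
the classes below are constructed stand-ins for the Endpoints Repository and
the Guest User Repository."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_DEVICES_PER_USER = 5            # "Unique-Device-Count GREATER_THAN 5" denies
CACHE_DURATION = timedelta(days=1)  # "Cache duration for Guest role: One Day"
GUEST_ROLE = "guest"                # Guest Access role sent back on success
T0 = datetime(2023, 1, 1, 9, 0)     # constructed reference time for the walk-through

Decision = Tuple[bool, Optional[str], str]   # (accept, aruba_role, reason)


@dataclass
class GuestAccount:
    username: str
    expired: bool = False           # the "account expired equals false" check


@dataclass
class Endpoint:
    mac: str
    status: str = "Unknown"         # [Update Endpoint Known] sets this to "Known"
    username: Optional[str] = None  # written by [Post Authentication] Lab 8B Guest MAC Caching
    mac_auth_expiry: Optional[datetime] = None  # the "endpoint: MAC-Auth Expiry" attribute


class Repositories:
    """Constructed in-memory stand-ins for the two authorization sources."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.accounts: Dict[str, GuestAccount] = {}

    def unique_device_count(self, username: str) -> int:
        return sum(1 for e in self.endpoints.values() if e.username == username)


def mac_auth(repo: Repositories, mac: str, now: datetime) -> Decision:
    """Lab 8B MAC Authentication service with the [Allow All MAC Auth] method.
    Authentication itself always passes, so access is decided purely by the
    authorization lookups. On a reject the Controller keeps the client in its
    pre-authenticated role and presents the captive portal."""
    ep = repo.endpoints.get(mac)
    if ep is None or ep.status != "Known" or ep.username is None:
        return False, None, "endpoint unknown: no cached guest user"
    acct = repo.accounts.get(ep.username)
    if acct is None or acct.expired:
        return False, None, "guest account missing or expired"
    if ep.mac_auth_expiry is None or now >= ep.mac_auth_expiry:
        return False, None, "Now DT is not less than MAC-Auth Expiry"
    # Both conditions hold, so the [MAC Caching] ClearPass role is assigned and
    # the enforcement sends the guest role: no captive portal this time.
    return True, GUEST_ROLE, "[MAC Caching] role assigned"


def captive_portal_login(repo: Repositories, mac: str, username: str,
                         now: datetime) -> Decision:
    """Lab 8B User Authentication with MAC Caching service, reached after the
    Controller redirected the unknown client to the web login page. Credential
    checking is left out of this model; the account state and the device-count
    restriction decide. On success the post-authentication profiles mark the
    endpoint Known and cache the guest attributes for CACHE_DURATION."""
    acct = repo.accounts.get(username)
    if acct is None or acct.expired:
        return False, None, "guest account missing or expired"
    cached = mac in repo.endpoints and repo.endpoints[mac].username == username
    # Assumption: the count is evaluated with this endpoint included, so a sixth
    # device for the same guest trips "Unique-Device-Count GREATER_THAN 5".
    if not cached and repo.unique_device_count(username) + 1 > MAX_DEVICES_PER_USER:
        return False, None, "Unique-Device-Count GREATER_THAN 5"
    ep = repo.endpoints.setdefault(mac, Endpoint(mac=mac))
    ep.status = "Known"                        # [Update Endpoint Known]
    ep.username = username                     # Lab 8B Guest MAC Caching attributes
    ep.mac_auth_expiry = now + CACHE_DURATION
    return True, GUEST_ROLE, "guest authenticated; endpoint cached"


def simulate_task_8b3(now: datetime = T0) -> List[bool]:
    """Walk the Task 8b-3 sequence: failed MAC auth on first association,
    captive portal login, a reconnect served from the MAC cache, and a
    reconnect after the cache entry has expired. Returns the accept flags."""
    repo = Repositories()
    repo.accounts["mg@myc.com"] = GuestAccount("mg@myc.com")
    mac = "00:11:22:33:44:55"                  # constructed client MAC
    steps = [mac_auth(repo, mac, now),
             captive_portal_login(repo, mac, "mg@myc.com", now),
             mac_auth(repo, mac, now + timedelta(minutes=5)),
             mac_auth(repo, mac, now + CACHE_DURATION + timedelta(hours=1))]
    return [accept for accept, _, _ in steps]


if __name__ == "__main__":
    print(simulate_task_8b3())   # [False, True, True, False]
```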

Task 8b-2: Enable MAC Authentication on Controller


Objectives
- To modify the guest SSID settings in the Controller to enable MAC Authentication. The way that the Controller handles MAC Authentication is that when the guest endpoint first associates to the SSID, it will send a MAC Auth. If that MAC Auth fails, then the Controller will prompt the user with the captive portal.

Steps
1. On Wired MGMT Client, open a web browser, and access your Mobility Controller’s web interface at: http://10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1.
3. Expand Configuration in the sidebar menu.
4. Select the Authentication submenu.
5. In the workspace, click AAA Profiles, and click the + to expand.


1. Look in the list of AAA profiles, and select the aaa_guestP-X profile.
2. In the list below “aaa_guestP-X,” click MAC Authentication.
3. For the MAC Authentication profile, select “default.”

4. Click Submit, in the lower right corner.


5. In the list below “aaa_guestP-X,” click MAC Authentication Server Group.
6. Pull down the list, and select your “guestP-X-srvgrp.”

7. In the lower right corner, click Submit.


8. Click Pending Changes to commit the edits.
9. Click the Deploy Changes button. You have now set the Controller up to use MAC Authentication first on the guest network.

Task 8b-3: Testing


Objectives
- To test your MAC Authentication setup.
First, you will remove all of the entries from the endpoints database so that you start with a clean unknown endpoint. You will connect the wireless client to the guest SSID. The Controller will initiate a MAC authentication, which will fail because the client endpoint is not associated with a valid guest user account. The MAC Auth service will prompt the Controller to move the client into the pre-authenticated captive portal user role. Once the client has completed the captive portal authentication, ClearPass will mark the endpoint with the guest user’s attributes, meaning that the next MAC authentication will succeed, and the user will not be presented the captive portal a second time.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Expand the Identity submenu.
6. Click Endpoints.
7. In the right side of the workspace, select Show 100 records.

8. Click the checkbox in the title bar to select all.


9. Scroll down, and select Delete.
10. Click Yes to confirm the deletion of all endpoints.

Disconnect the Wireless Client


1. From the Aruba Training Labs control panel, open the Wireless Test Client.
2. Click the Network Icon. When you click the network icon in the virtual desktop, you should see
your guest SSID listed at the top.
3. Select your guest SSID, and click Disconnect.

Check for Users on the Guest Network
1. Open Aruba Controller console in the Aruba Training Lab dashboard.

2. In the new window that pops up, hit [enter] twice.


3. Log into your Controller’s CLI with admin / admin1.
4. Execute the following commands:
# show user (You may not see any users, if none are connected.)
# aaa user delete all (If no users are connected, you can skip this.)
# show user (There should be no users connected here, but if there are, connect to your wireless
client and disconnect from the network.)


5. Leave the CLI browser screen open.

You will now connect to your wireless client and authenticate into the guest network. There should already be a wireless network profile configured for the guest SSID. If it is not configured, refer to Task 8a-5 of Lab 8a.

6. From the Aruba Training Labs control panel, open the Wireless Test Client.
7. Click the Network Icon. When you click the network icon in the virtual desktop, you should see
your guest SSID listed at the top.
8. Select your guest SSID and click Connect.

9. Open the Edge Browser on Wireless Test Client.


10. Browse to the address of the Windows server in the lab: 10.254.1.21.
11. This page will redirect to the Login Page.
12. Log in to the guest login page:
Username: mg@myc.com
Password: {your password from when you created the account}



13. Click the Log In button.
14. After you have been logged in, your browser will redirect to an authentication successful message for 10 seconds.

View your authentications in Access Tracker


1. Open the browser screen to your Wired MGMT Client desktop.
2. Log into your Policy Manager.
3. Navigate to Monitoring > Live Monitoring, and select Access Tracker.
4. In Access Tracker, you should see a failed MAC authentication followed by two guest user authentications that passed.


5. Click the failed MAC authentication.
6. Click the Alerts tab to determine why this authentication failed.

7. Answer the following questions:


n What is the status of the RADIUS message?

n What part of the service generated the policy server “failed to construct” error?

8. Close the Request Details window.


9. Select the newest successful guest authentication request.



10. Select the Output tab.
11. Pull down the RADIUS Response shade.

12. Answer the following questions:


n What is the significance of the endpoint attributes written by the enforcement?

n Explain the status “Update: Endpoint = Known entry".

13. Close the Request Details window.

Test the MAC Cache Option

Now you will test the MAC cache option by disconnecting your wireless client and reconnecting to the guest SSID. This second connection should not prompt the user for a captive portal.

1. Open the browser screen to your Wireless Test Client client desktop.

2. Leave your Edge Browser open on the desktop.


3. Click the network icon, and disconnect from the guest network.



4. Navigate to the browser tab for your Console on the Aruba Controller.
5. Hit [enter] a few times, and then log in with your admin credentials if required.
6. Run the following command: # show user.

At this point, you should still see your guest user login. Take note of the username,
MAC address, and role. Also look at the authentication type; it should say "web."

7. Run the command to delete the users: # aaa user delete all.
8. Open the browser to Wireless Test Client.
9. Connect to the guest SSID.



10. Wait for the network to finish connecting.
11. Use the Refresh button on the Edge Browser to resend an HTTP request to the IP address
10.254.1.21. You should see the IIS splash page and not be redirected to the captive portal login
page.
12. Navigate to the browser tab for your Console on the Aruba Controller.
13. Hit [enter] a few times, and then log in with your admin credentials, if required.
14. Run the following command: # show user.

This time, you should see the guest user listed in the guest role with the same user
account and MAC address. The only difference is that the Authentication type will be
listed as MAC.

15. Open the browser to your Wired MGMT Client.


16. Log into the Policy Manager.
17. Navigate to Access Tracker.
18. You should see a successful MAC authentication for your guest user.
19. Click the MAC authentication to open the request details.
20. View the Summary tab.


21. Answer the following questions:



n What is the authentication method used?



n What are the roles assigned?

n Why is the username listed on the summary page guest user account?

22. Click the Input tab, and expand the RADIUS Request shade.

23. Answer the following questions:


n What username is listed on the RADIUS inputs?

n Can you explain why the username on the summary tab and the username on the input tab
are different?



24. Click the Output tab, and expand the RADIUS Response shade.

25. Answer the following question:


n Why is ClearPass sending the guest account username to the Controller?

You have completed Lab 8b!

Lab Debrief
During this lab, you modified the guest SSID AAA profile on the Controller to execute a MAC authentication before running the captive portal web auth. This required that you build a new service to do proper enforcement on the MAC authentication. This is one case where using the service templates is highly recommended, because the template creates the two services with the proper checks and balances.



Task Questions Answered
Task 1
n What is the Authentication Source used for this service?
l This service will collect the username from the web login page that authenticated against
the Guest User Repository.
n What are the authorization sources used for this service?
l The authorization sources are the Guest User Repository, the Endpoints Repository, and the
Time Source.
n What is the condition ‘Authorization: [Endpoints Repository]: Unique-Device-Count
GREATER_THAN 5’ used for?
l The condition is used to limit the total number of unique devices that a single guest
account can put on the network.
n What is the Update Endpoint Known enforcement profile doing?
l The Update Endpoint Known enforcement profile changes the status of the endpoint (the
condition checked by MAC authentication) from Unknown to Known.
n Based on what you see here, what do you think is the purpose of this enforcement profile
in the context of MAC Caching?
l The enforcement profile [Update Endpoint Known] sets the status of the endpoint to
Known, which allows the endpoint to be used as a MAC-authenticated endpoint. If the endpoint
is set to Unknown, then MAC authentications against the endpoint database will fail.
n What is the Authentication Source used for this service?
l This MAC Authentication service uses the Endpoints Repository as its authentication
source.
n With the [Allow All Mac Auth] Method, how will access to the guest network be controlled?
l All MAC authentications will pass, but then the service will authorize the client. It is important
to understand that as the client connects to the guest network, the guest account
attributes will be added to the endpoint. These attributes are actually used for access control
in the MAC authentication.
n What are the authorization sources used for this service?
l The MAC Auth service uses the time source and guest user repositories for authorization.
n What Context does each contribute?



l The time source contributes the current time on the ClearPass server; this is compared
to the expiry time of the guest account to determine if the guest account is still valid.
l The guest user repository is used as a reference for the endpoint. When the endpoint first
connects to the guest network and logs in, the guest account name is written into
the attributes for the endpoint. This allows the MAC Auth service to check whether the
guest account has since been disabled or deleted.
n What is the Database Name used for this lookup?
l The time source uses the Insight database. This means Insight must be enabled in your
ClearPass cluster.
n Can you explain the conditions listed?
l The two conditions evaluate the endpoint. The first condition checks for the guest account
type. It also tests whether the endpoint has passed authentication and then looks for the MAC
Caching role to determine if the endpoint is a valid guest endpoint. The first condition
allows access and assigns the guest role.
l The second condition evaluates the guest account type and redirects the user to a captive
portal page, allowing valid guests to execute a second web auth.
n What is the significance of the [MAC Caching] ClearPass role?
l The [MAC Caching] ClearPass role is used to define the endpoints that have passed MAC
Authentication and are associated to users that are members of the guest database.
n How does the [MAC Caching] ClearPass role get assigned?
l In order for the MAC Caching role to be assigned, the endpoint must not exceed the Unique
Device Count set in the template, and the guest account associated with the MAC address
must pass the evaluations for MAC Auth expiry time and for account expired or enabled. If the
guest account has been deleted or disabled, it will fail this check.
n Explain the difference between "account expired equals false" and "Now DT less than endpoint: MAC-Auth Expiry."
l The check for "account expired equals false" looks at the status of the guest account associated
with the endpoint. The "endpoint: MAC-Auth Expiry" is an attribute attached to the endpoint's
record in the endpoint database, and it can be set to a different time than the guest account's
expiry time. An example would be a conference that issues a guest account valid for 10 days but
requires that the guest actually log in daily: the "endpoint: MAC-Auth Expiry" could be set to
12 hours and the guest account set to expire in 10 days, meaning that after 12 hours the endpoint
would not get the [MAC Caching] role, thus forcing the user to log back in.
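As an added illustration (not ClearPass code; the dataclass layout, attribute names, MAC address and sample times are assumptions made for the example), the following Python models the MAC caching decision the answers above describe: the Unknown/Known endpoint status, the Unique-Device-Count limit, "account expired equals false", "Now DT less than endpoint: MAC-Auth Expiry", and the 12-hour MAC-Auth Expiry versus 10-day account scenario.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Template condition from Task 1: Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 5
MAX_UNIQUE_DEVICES = 5

# The three endpoint attributes the web-auth enforcement writes (names are assumptions)
ATTR_USERNAME = "Username"
ATTR_ROLE_ID = "Role ID"
ATTR_MAC_AUTH_EXPIRY = "MAC-Auth Expiry"


@dataclass
class GuestAccount:
    username: str
    role_id: int
    expire_time: datetime        # guest account expiry; "account expired" derives from it
    enabled: bool = True


@dataclass
class Endpoint:
    mac: str
    status: str = "Unknown"      # Unknown until [Update Endpoint Known] runs after a web login
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    outcome: str                 # "REJECT", "ACCEPT:captive-portal" or "ACCEPT:guest"
    roles: List[str]
    reason: str


def web_auth_enforcement(endpoint: Endpoint, account: GuestAccount,
                         now: datetime, mac_auth_lifetime: timedelta) -> None:
    """Model of the web-login enforcement: write the three endpoint attributes
    and mark the endpoint Known so the next MAC auth can use the cache."""
    endpoint.attributes[ATTR_USERNAME] = account.username
    endpoint.attributes[ATTR_ROLE_ID] = str(account.role_id)
    endpoint.attributes[ATTR_MAC_AUTH_EXPIRY] = (now + mac_auth_lifetime).isoformat()
    endpoint.status = "Known"


def mac_auth(endpoint: Endpoint, guest_repo: Dict[str, GuestAccount],
             unique_device_count: int, now: datetime) -> Decision:
    """Model of the MAC Auth service with [Allow All Mac Auth]: the MAC itself always
    'authenticates'; authorization against the endpoint and guest repositories decides
    whether the client gets the guest role or is sent back to the captive portal."""
    # First connection: the endpoint is Unknown, so the request fails and the
    # Controller falls back to the captive portal web login.
    if endpoint.status != "Known":
        return Decision("REJECT", [], "endpoint Unknown: no web auth yet")

    account = guest_repo.get(endpoint.attributes.get(ATTR_USERNAME, ""))
    if account is None or not account.enabled:
        return Decision("ACCEPT:captive-portal", [], "guest account deleted or disabled")
    if unique_device_count > MAX_UNIQUE_DEVICES:
        return Decision("ACCEPT:captive-portal", [], "Unique-Device-Count GREATER_THAN 5")
    # "account expired equals false": the guest account itself must still be valid
    if now >= account.expire_time:
        return Decision("ACCEPT:captive-portal", [], "guest account expired")
    # "Now DT less than endpoint: MAC-Auth Expiry": the cached MAC entry must still be valid
    if now >= datetime.fromisoformat(endpoint.attributes[ATTR_MAC_AUTH_EXPIRY]):
        return Decision("ACCEPT:captive-portal", [], "MAC-Auth Expiry passed, re-login required")

    return Decision("ACCEPT:guest", ["[guest]", "[MAC Caching]", "[User Authenticated]"],
                    "cached MAC auth for " + account.username)


def conference_scenario():
    """Worked example from the debrief: account valid 10 days, MAC-Auth Expiry 12 hours.
    Returns the outcomes at first connect, after 11 hours and after 13 hours."""
    t0 = datetime(2023, 6, 1, 8, 0)                                  # constructed time
    account = GuestAccount("mg@myc.com", 2, expire_time=t0 + timedelta(days=10))
    repo = {account.username: account}
    ep = Endpoint("00-11-22-33-44-55")                                # constructed MAC
    first = mac_auth(ep, repo, 1, t0)                                 # Unknown -> REJECT
    web_auth_enforcement(ep, account, t0, timedelta(hours=12))        # guest logs in
    cached = mac_auth(ep, repo, 1, t0 + timedelta(hours=11))          # still cached
    stale = mac_auth(ep, repo, 1, t0 + timedelta(hours=13))           # expiry passed
    return first.outcome, cached.outcome, stale.outcome


def deleted_account_scenario():
    """Account removed from the Guest User Repository after login: the endpoint is
    still Known, but the MAC auth no longer earns the [MAC Caching] role."""
    t0 = datetime(2023, 6, 1, 8, 0)
    account = GuestAccount("lf@stooges.com", 2, expire_time=t0 + timedelta(days=10))
    repo = {account.username: account}
    ep = Endpoint("00-11-22-33-44-66")
    web_auth_enforcement(ep, account, t0, timedelta(hours=12))
    del repo[account.username]
    return mac_auth(ep, repo, 1, t0 + timedelta(hours=1)).outcome


if __name__ == "__main__":
    print(conference_scenario())
    print(deleted_account_scenario())
```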



Task 3
n What is the status of the RADIUS message?
l This RADIUS request failed because the endpoint was marked as Unknown or did not exist
in the endpoint database. This is expected because it is the first MAC Auth sent by the client,
and the client has not passed a web auth.
n What part of the service generated the policy server “failed to construct” error?
l This construct is the authorization that is generated by the [MAC Caching] role mapping.
n What is the significance of the endpoint attributes written by the enforcement?
l The three attributes written to the endpoint database describe the guest user associated
with this endpoint. The role ID is used to determine what type of guest account it is, the
MAC Auth expiry date sets the time when this MAC Auth entry expires, and the username
is the guest's user account reference. These attributes will be used as a reference
the next time the user connects to the guest network and executes a MAC Auth.
n Explain the Status “Update: Endpoint = Known entry.”
l The update endpoint to known enforcement is executed when the user has given a valid
login to the guest network. This tags the endpoint as able to MAC authenticate in the next
authentication cycle.
n What is the authentication method used?
l This will show as a MAC Authentication method.
n What are the roles assigned?
l [guest] [MAC Caching] [User Authenticated]
n Why is the username listed on the summary page guest user account?
l ClearPass will read the endpoint attributes and determine the guest account details that
were written by the Web Authentication Enforcement.
n What username is listed on the RADIUS inputs?
l The username listed is the client MAC address.
n Can you explain why the username on the summary tab and the username on the input
tab are different?
l The username listed in the RADIUS Request information is the actual user sent by the
Controller; this is the identity used by the MAC Auth. The user on the Summary tab
came from the attributes on the endpoint.
n Why is ClearPass sending the guest account username to the Controller?



l If you think back to when you looked at the show user output for the MAC Auth, it listed
the guest user account name. Without this enforcement attribute being sent to the Controller,
the Controller would list the user as a MAC address and you would not have the ability
to audit the actual guest user on the Controller.



Lab 9: Guest Access with Self-registration


In this lab, you will configure a self-registration portal for your guest network. The registration portal
will allow your guest users to create their own user account for the guest network and include a
registration form and a login page. You will configure the portal with administrative sponsor approval.
The sponsor approval will use the email set up in your earlier labs.

Task 9-1: Configure a Self-Registration Portal


Objectives
n To configure a self-registration portal. This is all done through the interface in ClearPass guest.
n To create a registration page, modify the form and receipt page. This portal will also have the
sponsorship feature.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. Open a web browser to the IP address of ClearPass1 to open the launch page.
3. On the launch page, select the button for ClearPass Guest.

4. Log in to the ClearPass Guest with the credentials admin / eTIPS123.


5. Navigate to Configuration > Pages in the sub-menu.



6. Click Self-Registrations.
7. To create a new self-registration portal, click “Create new self-registration page” in the upper
right corner.

8. Fill out the form with the following settings:


Name: My Guest Registration
Register page: regpage

9. Click Save Changes.



First, you will edit the common settings for the portal. This will include selecting a
skin, NAS vendor settings, and sponsorship settings.

10. In the self-registration editor, click Choose Skin.

11. Under the option for Skin, choose the Galleria Skin.

If the Galleria Skin has been slowing your system down during testing, select the
Aruba ClearPass Skin instead.

12. Scroll down, and select Save Changes.


13. Click the link for NAS Vendor Settings.

The NAS Vendor Settings tell the browser how to post the user’s credentials to the Network
Access Device.



14. Configure the following settings:
a. Vendor settings: Aruba
b. Address: captiveportal-login.arubatraininglab.com

captiveportal-login.arubatraininglab.com is required by the captive portal for the credentials
post to the Controller: because the Controller has a wildcard certificate installed, the
hostname is "captiveportal-login."

15. Click Save Changes.


16. Click Sponsor Confirmation.

17. Check the box to enable: Sponsor Confirmation.



18. Under the Email Delivery section, take note of the option for email confirmation:

You will need to modify the email confirmation template in a production environment
to ensure that the link the email sends to the sponsor has the proper FQDN for the
ClearPass server. Consider public DNS records and forwarding rules if the sponsor
can be located outside the company.

19. Leave the rest of the form as defaults, and Save Changes.

Enabling sponsor confirmation is optional. If you do not enable sponsor confirmation,
the guest user automatically receives an active guest account. The
default settings require that the sponsor log in to the ClearPass Guest interface as an
operator before approving a new guest user.

Modify the Sponsor Email Template


1. Expand Configuration in the ClearPass guest sidebar, and expand the submenu Receipts.
2. Click the option in the sidebar menu for Templates.
3. In the list, find the template named Sponsorship Confirmation.
Expand the menu, and click Duplicate. The duplicate function will create a copy of the template
named Sponsorship Confirmation (2).



4. Expand the menu for Sponsorship Confirmation (2), and select Edit.

5. Scroll down the Editor page, and find the edit box for Notes.
6. Look through the HTML code in the edit box for 'guest_register_confirm.php', and replace it with
'https://TT-CPPM1.aruba-training.com/guest/guest_register_confirm.php'
(for example, https://T14-CPPM1.aruba-training.com/guest/guest_register_confirm.php).

The link 'guest_register_confirm.php' is listed three times in the edit box. You can use
cut and paste with Wired MGMT Client to help you make these edits.

In a production deployment, the FQDN would need to be a hostname that can be
resolved in DNS. Keep in mind that sponsors may be answering this email internal
to the organization, as well as publicly from web-based mail.



7. Scroll down and click Save Changes.

Select the Modified Sponsorship Confirmation Template


1. Navigate back to Configuration > Pages > Self-Registrations.
2. Expand the menu for your self-registration page (My Guest Registration) and click Edit.
3. Click Sponsor Confirmation on the right side.
4. Select Sponsorship Confirmation (2) for the Email Confirmation option.
5. Scroll down and click Save Changes.
6. Preview the self-registration page by clicking “Launch this self-registration page” in the upper
right corner of the workspace.
7. Take note of the URL in the address bar.



8. Close the preview browser tab.

Edit Content and Fields on the Register Page


1. To edit the Register Page Header, click the Header link in the editor.

2. Add the following text before the closing paragraph tag </p>:

<br><br>
<strong>
Your guest account will need to be approved by a sponsor before it will be active
</strong>

3. Click Save Changes.


4. To edit the Register Page Form, click the Form link.

5. In the Customize Form Fields Editor, select sponsor_email, and click Enable Field to enable it.



6. Click the Edit link for the sponsor_email.

Set and Protect Sponsor Email Address


1. Scroll down the form to the Form Validation Properties section.
2. Set the Initial Value to your email address (for example, p#tX@arubaclass.com).
3. Scroll down to Advanced Properties.
4. Check the Show Advanced Properties checkbox.
5. Scroll down in the Advanced Properties, and check the select box for Force Value.

The settings will put the sponsor email field on the form. It will be visible to the user,
but they will not be able to make any changes.



6. Click Save Changes.
7. Preview your changes so far. At the top of the Customize Form Field Editor, click the link Preview Form.



8. To add a captcha field to the bottom of the form, scroll down the Customize Form Fields Editor
page.
9. Select Line 60, and expand it.
10. Click the link for Insert After.

11. Select the option “captcha” for the Field Name.

12. Scroll down, and select Save Changes.



13. Preview your form again.

14. Scroll to the bottom of the forms editor, and click Back to Self-Registration Editor. You have
completed the configuration of your self-registration portal.

Task 9-2: Configure Aruba Controller for Self-Registration


Objectives
n To configure the guest SSID to use the new self-registration page as a captive portal, because currently
the Aruba Controller is sending the pre-authenticated guest user to a simple web login page.

Steps
1. On Wired MGMT Client, open a web browser, and access your Mobility Controller web interface
at: http://10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1.
3. Navigate to Configuration > Authentication in the sidebar menu.
4. Select L3 Authentication.
5. Click the + next to Captive Portal Authentication to expand.
6. Click Guest#-X-cp_prof to edit.



7. Configure the login page URL as per your configuration:
https://TT-CPPM1.aruba-training.com/guest/regpage.php.

8. Click Submit in the lower right corner of the screen.


9. Click Pending Changes in the upper right corner of the screen.
10. To save your edits, click Deploy Changes. You are now ready to test self-registration on your
guest network.



Task 9-3: Testing Self-Registration
Objectives
n To test your self-registration portal. In the last lab, you set up the guest SSID for MAC
authentication with fallback to captive portal, and your guest user might still be logged into the
SSID on the Controller. So the first step will be to clear out any connected users to allow you to
start over fresh.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for
Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Expand the Identity submenu.
6. Then, click Endpoints.
7. In the right side of the workspace, select Show 100 records.

8. Click the checkbox in the title bar to select all.



9. Scroll down, and select Delete.
10. Click Yes to confirm the deletion of all endpoints.

Ensure All Users are Logged Off the Guest Network


1. Open a console to your Aruba Controller.

2. In the new window that pops up, hit [enter] twice.


3. Log into your Controller’s CLI with admin / admin1.
4. Execute the following commands:
show user (You may not see any users if none are connected.)
aaa user delete all (If no users are connected, you can skip this.)
show user (There should be no users connected here. If there are, connect to your wireless client
and disconnect from the network.)



5. Leave the CLI browser screen open.

You will now connect to Wireless Test Client and authenticate into the guest
network. There should already be a wireless network profile configured for the
guest SSID. If that is not configured, reference Task Five of Lab 9A.

6. From the Aruba Training Labs control panel, open the Wireless Test Client.
7. Click the Network Icon. You should see your guest SSID listed at the top.
8. Select your guest SSID, and click Connect.



9. Open the Edge Browser on Wireless Test Client.
10. Browse to the address of the Windows server in the lab: 10.254.1.21.
11. This page will redirect to the Self-Registration Page.
12. Fill in the Self-Registration Page with a fictitious user:
Your Name: Larry Fine
Email Address: lf@stooges.com
Fill in the captcha.
Check the box to accept the terms of use.
13. Click the Register button. You will be redirected to the receipt page.

14. Answer the following questions:
n What is your guest password?

n What is the account status listed as?

n What is the status of the Log In button?

15. Leave the browser page up on the client and return to your browser for the Wired MGMT Client.
16. Log into your Policy Manager.
17. Navigate to Configuration in the sidebar menu, and expand Identity.
18. Click Endpoints.
19. Answer the following questions:



n Is your client endpoint in the list?

n How did your client endpoint get in the list?

n What is the status listed as?

20. Open a new browser tab on Wired MGMT Client.


21. Type in the address of your email server. (If you need this IP address, check your Aruba Training
Lab dashboard.)
22. Log into your assigned email account with your credentials: p{pod #}t{table #} / Aruba123.

23. In the sidebar of the email interface, expand Mail. You should see the access request from your
guest user.
24. Open the email “Wireless access request from:…”
25. Click the link in the email to confirm the request.
26. The sponsor confirmation page should come up. If it asks you to authenticate, log in with your
admin account.

27. Click the Confirm link.
28. You will be redirected to a confirmation receipt page; you can just close this browser tab.
29. Return to your Wireless Test Client. Your guest registration receipt browser page should still be
up.
30. Answer the following questions:
n What is your account status now?

n What is the condition of the Log In button?

31. Click the Log In button to log in.


32. You will be redirected to the Authentication Successful page.

33. Return to your browser for the Wired MGMT Client desktop.
34. Log into your Policy Manager.
35. Navigate to Access Tracker.
36. Find your new guest registration user’s login, and open the request details.
37. Investigate the three tabs in the request details: Summary, Input, and Output.

As you investigate the Access Tracker entries for your guest self-registration, you
will notice the same attributes and characteristics that you saw on the guest
logon page in Lab 9. This is because the exact same services processed the request.
If you disconnect and reconnect your wireless client, you would see the same MAC
caching result as you did in the previous lab.

38. Close the request details.


You have completed Lab 9!

Lab Debrief
During this lab, you set up a self-registration portal, and then modified a few characteristics of the registration form. You added a captcha to the form and a sponsor email. The simplest way to deploy a self-registration portal is to have the user encounter the registration page instead of a login page when they connect to the pre-authenticated guest SSID.



Task Questions Answered
Task 3
n What is your guest password?
l The guest password will be a randomly generated number. This can be modified in
ClearPass Guest under Configuration > Guest Manager.
n What is the account status listed as?
l Right now the account will be listed as disabled because the sponsor has not sponsored
the account yet.
n What is the status of the Log In button?
l The Log In button will be grayed out and not functional.
n Is your client endpoint in the list?
l Yes, your client will be in the list even though it has not authenticated yet because the pro-
filer will have seen it.
n How did your client endpoint get in the list?
l If you remember from the endpoint profiling module, the guest web server is one
of your profiling collectors. When the client's browser requested the self-registration
portal, ClearPass profiled your endpoint and added it to the endpoint database.
n What is the status listed as?
l At this point, the client has connected but not authenticated, so the status of your endpoint
should be Unknown, meaning it will fail MAC auth because it has not passed a web
auth successfully.
n What is your account status now?
l This question comes after the sponsor has approved the account. When the browser
updates the webpage, ClearPass will change the content of the page to reflect that the
account status is now enabled.
n What is the condition of the Log In button?
l When the client browser updates the webpage from ClearPass, ClearPass will activate the
log in button. Your button should be showing up as an active orange button.



Lab 10a: Wired Authentication


In this lab, you will configure 802.1X on an ArubaOS 2930F switch (AOS-S Switch) and then build a service to authenticate the client.
Because of the way that the lab is laid out, Wireless Test Client has an interface connected to port 20
on the switch. You will have to use this interface for testing.

In this scenario, the enforcement will be very simple. If the user passes authentication, then it will
assign VLAN X.



Task 10a-1: Configure the Service for Wired Authentication
Objectives
n To create an 802.1X service for wired authentication. In the new service, you will need to configure different service selection rules from those in the wireless service to differentiate between wired and wireless authentications.

Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Service Templates & Wizards.
5. Select the Service Template for 802.1X Wired.

6. In the Name Prefix box, enter “Lab 10.”

7. Click Next.
8. On the Authentication tab, for the Select Authentication Source: pull down, select Remote
Lab AD.



9. Click Next.
10. On the Wired Network Settings tab, under Vendor Name, select Hewlett-Packard Enterprise.

11. Click Next.


12. Click the Enforcement Details tab.
13. Add rule “userDN equals clearpass then assign VLAN/Role X1” {where X = your table #}.
14. For the Default VLAN/Role:, enter the value X0 {where X = your table #}.

15. Click Add Service.


16. Scroll to the bottom of the page, and click Reorder.



17. Move the Lab 10 802.1X Wired service to the top of the list.

18. Click Save.

Fine-Tune the New Service


1. In the services list, click Lab 10 802.1X Wired.
2. To adjust the Service Selection Rules, click the Service tab.
3. Make the following settings:
More Options: Check the box for Authorization
Add a new Service Rule: Connection: NAD-IP-Address equals {IP of AOS-S Switch}

To find your AOS-S Switch IP address, check the diagram on the Remote Lab Dashboard.

4. Click the Authentication tab.



5. Under Authentication Methods, remove everything except for EAP PEAP.
6. Under Authentication Sources, add [Local User Repository].



7. Click the Authorization tab.
8. Add the [Endpoints Repository].

9. Click the Enforcement tab.


10. Take note of the enforcement policy being used. You will edit this in the next steps.



11. Click Save.

Modify the Enforcement Policy & Create New Enforcement Profiles


1. Navigate to Configuration > Enforcement > Profiles.
2. Set the list filter to: Name contains Lab 10.

To make reading the Enforcement Policy easier later, rename each profile to indicate
what it does.

3. Click Lab 10 802.1X Wired Profile 1 to edit.


4. Click the Profile tab.
5. Edit the name to: Lab 10 802.1X Wired assign VLAN X1 (where X = table #).

6. Click Save.



7. Follow the above steps and modify the name on the Wired Default Profile to: Lab 10 802.1X
Wired assign VLAN X0 (where X = table #).



In the scenario when a client logs in with credentials from Active Directory, they are
assigned to VLAN X1, and if they log in with an account in the Local Users’ Database,
they will be assigned to VLAN X2.

Create an Enforcement Profile that Assigns VLAN X2 (where X = table #)


1. In the list, click the select box for Lab 10 802.1X Wired assign VLAN X1.

2. Click Copy.
3. Click the new enforcement profile to edit (Copy_of_Lab 10 802.1X…).
4. Click the Profile tab, and change the name to: Lab 10 802.1X Wired assign VLAN X2 (where X
= table #).

5. Click the Attributes tab.



6. Modify the last line: Radius: IETF Tunneled – Private – Group – ID = X2 (where X = table #).
7. Click Save.
8. Your Enforcement Profile list should look like this:

Modify the Enforcement Policy to Include the New Logic


1. Navigate to Configuration > Enforcement > Policies.
2. Set the filter on the Enforcement Policies list to: Name contains Lab 10.

3. Click to edit Lab 10 802.1X Wired Enforcement Policy.


4. On the Summary tab, take notice of the Default Profile.

5. Select the Rules tab.
6. Add a new rule: Authentication: Source equals [local user repository]
7. Assign Profile Name: [RADIUS] Lab 10 802.1X Wired assign VLAN X2 (where X = table #).

8. Click Save.
9. Move the new rule to the top.

10. To save the Enforcement Policy, click the Save button.


This completes the configuration of the wired 802.1X service.
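As an added illustration (not ClearPass code): the model below evaluates the Lab 10 enforcement rules first-match, shows why the Local User Repository rule has to sit above the template's own rule, and encodes the resulting VLAN as the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes that the switch reads from the Access-Accept. The table number X = 1 and the template rule's condition (Tips:Role equals [User Authenticated]) are assumptions, not taken from the guide.

```python
"""Added example, not ClearPass code: a first-match model of the Lab 10
enforcement policy and the RFC 2868 tunnel attributes that carry the VLAN."""
import struct

TABLE = 1                    # constructed: the lab's "X" (table number)
VLAN_DEFAULT = f"{TABLE}0"   # Wired Default Profile      -> X0
VLAN_AD = f"{TABLE}1"        # Active Directory user      -> X1
VLAN_LOCAL = f"{TABLE}2"     # Local User Repository user -> X2

# RFC 2868 attribute numbers and the values used for a VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Enforcement profiles: profile name -> VLAN id sent in Tunnel-Private-Group-Id
PROFILES = {
    f"Lab 10 802.1X Wired assign VLAN {VLAN_AD}": VLAN_AD,
    f"Lab 10 802.1X Wired assign VLAN {VLAN_LOCAL}": VLAN_LOCAL,
    f"Lab 10 802.1X Wired assign VLAN {VLAN_DEFAULT}": VLAN_DEFAULT,
}

# Rules are (condition, profile name). The template's rule is ASSUMED here to
# match any authenticated user, which is why the lab moves the Local User
# Repository rule above it: evaluation stops at the first matching rule.
RULES = [
    (lambda req: req["Authentication:Source"] == "[Local User Repository]",
     f"Lab 10 802.1X Wired assign VLAN {VLAN_LOCAL}"),
    (lambda req: "[User Authenticated]" in req["Tips:Role"],
     f"Lab 10 802.1X Wired assign VLAN {VLAN_AD}"),
]
DEFAULT_PROFILE = f"Lab 10 802.1X Wired assign VLAN {VLAN_DEFAULT}"


def evaluate(rules, request):
    """First-match evaluation: the first rule whose condition holds wins."""
    for condition, profile in rules:
        if condition(request):
            return profile
    return DEFAULT_PROFILE


def avp(attr_type, value):
    """Encode one RADIUS attribute-value pair: type, length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attributes(vlan_id, tag=0):
    """Build the three tagged tunnel attributes for a VLAN assignment.
    The 4-octet integer values carry the tag in their high byte."""
    return (avp(TUNNEL_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_MEDIUM_IEEE802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_id.encode()))


def parse_avps(data):
    """Walk the attribute list; raise on a malformed length field."""
    out, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(accept_attrs):
    """Return the VLAN a switch would take from these attributes, or None if
    the tunnel attributes are missing or do not describe a VLAN over 802."""
    found = dict(parse_avps(accept_attrs))
    if found.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group:
        return None
    # RFC 2868: a leading byte above 0x1F is part of the string, not a tag
    return (group[1:] if group[0] <= 0x1F else group).decode()


def decide(request):
    """Policy -> profile -> wire attributes -> VLAN, end to end."""
    profile = evaluate(RULES, request)
    return profile, assigned_vlan(vlan_attributes(PROFILES[profile]))


if __name__ == "__main__":
    local = {"Authentication:Source": "[Local User Repository]",
             "Tips:Role": ["[User Authenticated]"]}
    ad = {"Authentication:Source": "Remote Lab AD",
          "Tips:Role": ["[User Authenticated]"]}
    print(decide(local))                  # local user -> VLAN X2
    print(decide(ad))                     # AD user    -> VLAN X1
    # In the template's original order the local user falls through to X1:
    print(evaluate(RULES[::-1], local))
```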

Task 10a-2: Configure the Switch Port for 802.1X
Objectives
• To configure your 802.1X settings on port 20 of the AOS-S Switch.

Steps
1. On the Aruba Training Lab dashboard, open a console window to your AOS-S Switch.

2. Hit [enter] in the console session.


If the switch presents the banner, press any key to continue.

3. You should be at the enable prompt logged in as manager.
4. Run the command: # show radius authentication.
5. You should see your ClearPass1 server IP listed.

6. Run the command: # show port-access authenticator.

7. Enter configuration mode: # config t.

Configure the Authenticator Settings on port 20


1. Enter the following commands:
(config)# aaa port-access authenticator active
(config)# aaa port-access authenticator 20
(config)# aaa port-access authenticator 20 client-limit 10
(config)# aaa port-access authenticator 20 supplicant-timeout 10
(config)# aaa port-access authenticator 20 tx-period 10

Explanation of the commands above:


• [client-limit]:
Used to convert a port from port-based authentication to user-based authentication.
In user-based mode, each device on the port, up to the client limit, can authenticate
and receive its own individual setup, such as a different VLAN.
• [tx-period <0-65535>]:
Sets the period the port waits before retransmitting the next EAPOL PDU during an
authentication session. (Default: 30 seconds)
• [supplicant-timeout <1-300>]: Sets the period of time the switch waits for a
supplicant response to an EAP request. If the supplicant does not respond within
the configured time frame, the session times out. (Default: 30 seconds)

2. Commit the configuration: write memory.


3. Type exit to leave configuration mode.
4. Run the command: # show port-access authenticator.

5. Close the browser tab with the console session.

The switch is now configured for 802.1X authentication.
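An added check, not part of the guide or of Aruba's tooling: the script parses an AOS-S running-config excerpt (constructed here, not captured from a switch) and reports which of the port 20 authenticator settings above are missing, differ from the lab values, or fall outside the documented ranges, including the global active keyword without which no port enforces 802.1X.

```python
"""Added example, not Aruba code: audit an AOS-S running-config excerpt for
the port-access authenticator settings that Task 10a-2 applies to port 20."""
import re

# Ranges and defaults as documented in the command explanation above.
RANGES = {"tx-period": (0, 65535), "supplicant-timeout": (1, 300)}
DEFAULTS = {"tx-period": 30, "supplicant-timeout": 30}

# Constructed excerpt, not captured from a real switch. Port 20 matches the
# lab; port 21 is enabled but left at defaults; "active" is set globally.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 key "placeholder-shared-secret"
aaa port-access authenticator 20
aaa port-access authenticator 20 client-limit 10
aaa port-access authenticator 20 tx-period 10
aaa port-access authenticator 20 supplicant-timeout 10
aaa port-access authenticator 21
aaa port-access authenticator active
"""

PORT_LINE = re.compile(r"^aaa port-access authenticator (\d+)(?: ([a-z-]+) (\d+))?$")


def parse_authenticator_config(text):
    """Return (active, {port: {param: int}}) from running-config lines."""
    active, ports = False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa port-access authenticator active":
            active = True
            continue
        m = PORT_LINE.match(line)
        if m is None:
            continue
        port, param, value = m.groups()
        settings = ports.setdefault(int(port), {})
        if param is not None:
            settings[param] = int(value)   # a later line overrides an earlier one
    return active, ports


def audit_port(text, port, expected):
    """List what differs from the expected per-port settings.

    Checks, in order: the global 'active' keyword (without it no port
    enforces 802.1X), that the port is an authenticator, each expected
    parameter (naming the switch default when it is simply unset), and
    that configured values lie inside the documented ranges."""
    active, ports = parse_authenticator_config(text)
    findings = []
    if not active:
        findings.append("global: 'aaa port-access authenticator active' missing")
    if port not in ports:
        findings.append(f"port {port}: authenticator not enabled")
        return findings
    settings = ports[port]
    for param, want in expected.items():
        got = settings.get(param)
        if got is None:
            hint = f" (switch default {DEFAULTS[param]})" if param in DEFAULTS else ""
            findings.append(f"port {port}: {param} not set{hint}")
        elif got != want:
            findings.append(f"port {port}: {param} is {got}, expected {want}")
    for param, (lo, hi) in RANGES.items():
        if param in settings and not lo <= settings[param] <= hi:
            findings.append(f"port {port}: {param} {settings[param]} outside {lo}-{hi}")
    return findings


# The values the lab configures on port 20.
LAB_SETTINGS = {"client-limit": 10, "supplicant-timeout": 10, "tx-period": 10}

if __name__ == "__main__":
    for port in (20, 21):
        print(port, audit_port(SAMPLE_CONFIG, port, LAB_SETTINGS) or "OK")
```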

Task 10a-3: Test the Wired Authentication Port


Objectives
• To test your wired port authentication service in ClearPass. The test client will be the Wireless Client VLT1 desktop.

Steps
1. From the Aruba Training Lab dashboard, connect to the Wireless Test Client desktop.
2. Click the start button, and type “services.”

3. Click Services Desktop app to open.

4. Search through the list of services for Wired AutoConfig.
5. Start the Wired AutoConfig service.

6. Click the network icon in the upper right corner of the desktop, and select Network & Internet
Settings.

7. Click Ethernet in the sidebar menu.


8. Click Change Adapter Options.

9. Enable the LAB NIC interface. If it is already enabled, no change is needed.
10. In Network Connections, right-click the interface for LAB NIC, and select Properties.

11. In the Properties window, click the Authentication tab.


12. Select Settings, and choose a network authentication method.

13. On the Protected EAP Properties tab, check the “Verify the Server’s Identity” option.
14. Check the training-ARUBA-AD-CA certificate at the Trusted Root Certification Authorities.
15. Select Do not ask user to authorize new servers or trusted CAs at the Notifications before
connecting drop-down menu.
16. Click the Configure button next to Select Authentication Method.
17. Uncheck the “Automatically Use My Windows Login Name” option.

18. Click Ok to close EAP MSCHAPv2 Properties.
19. Click OK to close Protected EAP Properties.
20. On the Authentication tab, click Additional Settings.

21. Under Specify Authentication Mode, select User Authentication.

22. Click the button for Save Credentials, and enter contractUser / aruba.

23. Click OK to close Save Credentials.
24. Click OK to close Additional Settings.
25. Click OK to close Ethernet Properties.

Toggle the interface to force it to authenticate.


1. Right-click the Ethernet interface Lab NIC, and click Disable.
2. Right-click the Ethernet interface Lab NIC, and click Enable.
3. Switch to Wired MGMT Client.
4. Open a browser to ClearPass1, and log in to the Policy Manager.
5. Navigate to Monitoring > Live Monitoring > Access Tracker.
6. Look for your authentication request from the user contractUser.

7. On the Summary tab, answer the following questions:
• What service processed the request?

• What enforcement profile was applied?

• What is the IP address and port number of the NAS?

8. Click the Input tab, and expand the RADIUS Request shade.
9. Answer the following questions:
• What is the connection type?

• What is the username?

10. Expand the Computed Attributes shade.


11. Answer the following question:
• What is the device type?

Disable the wired interface on the Wireless Client VLT1


1. In the upper right corner, click the Network icon.
2. Click the link for Network & Internet Settings.
3. In the Settings window, click Ethernet.
4. Click Change Adapter Options.
5. Right-click the Ethernet interface Lab NIC, and select Disable.

6. Close all open windows on Wireless Test Client.
You have finished Lab 10a!

Lab Debrief
During this lab, you configured a wired 802.1X authentication service with simple enforcement, using
the Wired 802.1X Service Template, and you had to make some minor adjustments to the service to
make it exactly what you needed. The lab asked you to rename the enforcement profiles created by the
service template. This is a good general practice as it makes troubleshooting your service much easier
later on. The wizard tends to create generically named enforcement profiles that do not indicate what
they do. You also configured basic 802.1X authentication settings on the ArubaOS 2930F switch.

Task Questions Answered


Task 3
• What service processed the request?
  ◦ This was processed by the Lab 10 802.1X wired service.
• What enforcement profile was applied?
  ◦ The enforcement profile was the Lab 10 802.1X wired assigned VLAN 12.
• What is the IP address and port number of the NAS?
  ◦ The IP address will be equal to the IP of your AOS-S Switch, and the :19 indicates interface 19 on the switch.
• What is the connection type?
  ◦ The connection info shows this as a CONNECT Ethernet 1000 Mbps Full-Duplex connection.
• What is the username?
  ◦ This is the tempuser username.

• What is the device type?
  ◦ The device type is listed as a Network Switch.

Lab 10b: Wired Authentication With AOS-CX
Switch (Optional Lab)

In this lab, you will configure 802.1X on an ArubaOS-CX switch (AOS-CX Switch) and then build a
service to authenticate the client.
Because of the way the lab is laid out, the Wireless Test Client has an interface connected to port
1/1/1 on the switch. You will use this interface for testing.

In this scenario, the enforcement will be very simple. If the user passes authentication, then it will
assign VLAN X.

Task 10b-1: Configure the Service for Wired Authentication
Objectives
• To create an 802.1X service for wired authentication. In the new service, you will need to configure different service selection rules from those in the wireless service to differentiate between wired and wireless authentications.

Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Service Templates & Wizards.
5. Select the Service Template for 802.1X Wired.

6. In the Name Prefix box, enter “Lab 10b.”

7. Click Next.
8. On the Authentication tab, for the Select Authentication Source: pull down, select Remote
Lab AD.

9. Click Next.
10. On the Wired Network Settings tab, select Hewlett-Packard-Enterprise as vendor name.

11. Click Next.
12. Click the Enforcement Details tab.
13. Add rule “userDN equals clearpass then assign VLAN/Role X7” {where X = your table #}.
14. For the Default VLAN/Role:, enter the value X0 {where X = your table #}.

15. Click Add Service.


16. Scroll to the bottom of the page and click Reorder.
17. Move the Lab 10b service to the top of the list.
18. Click Save.

Fine-Tune the New Service
1. In the services list, click Lab 10 802.1X Wired.
2. To adjust the Service Selection Rules, click the Service tab.
3. Make the following settings:
   More Options: check the box for Authorization.
   Add a new Service Rule: Connection:NAD-IP-Address equals {IP of AOS-CX Switch}

To find your AOS-CX Switch IP address, check the diagram on the Remote Lab Dashboard.

4. Click the Authentication tab.


5. Under Authentication Methods, remove everything except for EAP PEAP.
6. Under Authentication Sources, add [Local User Repository].

7. Click the Authorization tab.

8. Add the [Endpoints Repository].

9. Click the Enforcement tab.


10. Take note of the enforcement policy being used. You will edit this in the next steps.

11. Click Save.

Modify the Enforcement Policy & Create New Enforcement Profiles


1. Navigate to Configuration > Enforcement > Profiles.
2. Set the list filter to: Name contains Lab 10.

To make reading the Enforcement Policy easier later, rename each profile to indicate
what it does.

3. Click Lab 10 802.1X Wired Profile 1 to edit.

4. Click the Profile tab.
5. Edit the name to: Lab 10 802.1X Wired assign VLAN X7 (where X = table #).

6. Click Save.
7. Follow the above steps and modify the name on the Wired Default Profile to: Lab 10 802.1X
Wired assign VLAN X0 (where X = table #).

In this scenario, a client that logs in with Active Directory credentials is assigned to
VLAN X1, and a client that logs in with an account from the local users database is
assigned to VLAN X2.

Create an Enforcement Profile that Assigns VLAN X8 (where X = table #)
1. In the list, click the select box for Lab 10 802.1X Wired assign VLAN X7.

2. Click Copy.
3. Click the new enforcement profile to edit (Copy_of_Lab 10 802.1X…).
4. Click the Profile tab, and change the name to: Lab 10 802.1X Wired assign VLAN X8 (where X
= table #).

5. Click the Attributes tab.
6. Modify the last line: Radius:IETF Tunnel-Private-Group-Id = X8 (where X = table #).
7. Click Save.

8. Your Enforcement Profile list should look like this:

Modify the Enforcement Policy to Include the New Logic


1. Navigate to Configuration > Enforcement > Policies.
2. Set the filter on the Enforcement Policies list to: Name contains Lab 10.

3. Click to edit Lab 10 802.1X Wired Enforcement Policy.


4. On the Summary tab, take notice of the Default Profile.

5. Select the Rules tab.
6. Add a new rule: Authentication: Source equals [local user repository]
7. Assign Profile Name: [RADIUS] Lab 10 802.1X Wired assign VLAN X8 (where X = table #).

8. Click Save.
9. Move the new rule to the top.

10. To save the Enforcement Policy, click the Save button.
This completes the configuration of the wired 802.1X service.

Task 10b-2: Configure the Switch Port for 802.1X


Objectives
• To configure your 802.1X settings on port 1/1/1 of the AOS-CX switch.

Steps
1. On the Aruba Training Lab dashboard, open a console window to your Virtual AOS-CX Switch.

2. Hit [enter] in the console session.


3. If the switch presents the banner, click any key to continue.
4. Log in with Username: admin / Password: <<hit enter>> (no password).
5. Run the command: # show radius-server detail.
6. You should see your ClearPass1 server name listed.

Your switch has a pre-defined configuration, including the RADIUS server, AAA port-access
and a Local User Role (LUR).

7. Configure the Authenticator Settings on port 1/1/1


8. Enter the following commands:
configure terminal
interface 1/1/1
aaa authentication port-access dot1x authenticator
enable
exit
exit

9. Commit the configuration: write memory.
10. Close the browser tab with the console session.
The switch is now configured for 802.1X authentication.

Task 10b-3: Test the Wired Authentication Port


Objectives
• To test your wired port authentication service in ClearPass. The test client will be the Wireless Client VLT1 desktop.

Steps
1. From the Aruba Training Lab dashboard, connect to the Wireless Test Client desktop.
2. Click the start button, and type “services.”

3. Click Services Desktop app to open.

4. Search through the list of services for Wired AutoConfig.
5. Start the Wired AutoConfig service.

6. Click the network icon in the upper right corner of the desktop, and select Network & Internet
Settings.

7. Click Ethernet in the sidebar menu.


8. Click Change Adapter Options.

9. Enable the AOS-CX NIC interface. If it is already enabled you are OK.
10. In Network Connections, right-click the interface for AOS-CX NIC, and select Properties.

11. In the Properties window, click the Authentication tab.


12. Select Settings, and choose a network authentication method.

13. On the Protected EAP Properties tab, uncheck the “Verify the Server’s Identity” option.
14. Click the Configure button next to Select Authentication Method.
15. Uncheck the “Automatically Use My Windows Login Name” option.

16. Click Ok to close EAP MSCHAPv2 Properties.
17. Click OK to close Protected EAP Properties.
18. On the Authentication tab, click Additional Settings.

19. Select the Specify authentication mode checkbox.
20. Under Specify Authentication Mode, select User Authentication.

21. Click the button for Save Credentials, and enter contractUser / aruba.

22. Click OK to close Save Credentials.
23. Click OK to close Additional Settings.
24. Click OK to close Ethernet Properties.

Toggle the interface to force it to authenticate


1. Right-click the Ethernet interface AOS-CX NIC, and click Disable.
2. Right-click the Ethernet interface AOS-CX NIC, and click Enable.
3. Switch to Wired MGMT Client.
4. Open a browser to ClearPass1, and log in to the Policy Manager.
5. Navigate to Monitoring > Live Monitoring > Access Tracker.
6. Look for your authentication request from the user contractUser.

7. Open the latest Access Tracker record from contractUser.
8. On the Output tab, expand RADIUS Response.
9. Notice that VLAN X8 (Tunnel-Private-Group-Id) was sent to the switch.
10. Go to the AOS-CX switch tab in your local browser.
11. Check the interface 1/1/1 configuration: show run interface 1/1/1

12. Notice that port 1/1/1 is configured as an access port for VLAN 1.
13. Check the VLAN assignments: show vlan.
14. Notice that VLAN X1 has now been dynamically assigned to port 1/1/1.
15. On the Summary tab, answer the following questions:
• What service processed the request?

• What enforcement profile was applied?

• What is the IP address and port number of the NAS?

16. Click the Input tab, and expand the RADIUS Request shade.
17. Answer the following questions:

• What is the connection type?

• What is the username?

18. Expand the Computed Attributes shade.


19. Answer the following question:
• What is the device type?

Disable the wired interface on the Wireless Client VLT1


1. In the upper right corner, click the Network icon.
2. Click the link for Network & Internet Settings.
3. In the Settings window, click Ethernet.
4. Click Change Adapter Options.
5. Right-click the Ethernet interface AOS-CX NIC, and select Disable.

6. Close all open windows on Wireless Test Client.


You have finished Lab 10b!

Lab Debrief
During this lab, you configured a wired 802.1X authentication service with simple enforcement, using
the Wired 802.1X Service Template, and you had to make some minor adjustments to the service to
make it exactly what you needed. The lab asked you to rename the enforcement profiles created by the
service template. This is a good general practice as it makes troubleshooting your service much easier
later on. The wizard tends to create generically named enforcement profiles that do not indicate what
they do. You also configured basic 802.1X authentication settings on the ArubaOS 2930F switch.

Task Questions Answered


Task 3
• What service processed the request?
  ◦ This was processed by the Lab 10 802.1X wired service.
• What enforcement profile was applied?
  ◦ The enforcement profile was the Lab 10 802.1X wired assigned VLAN 12.
• What is the IP address and port number of the NAS?
  ◦ The IP address will be equal to the IP of your AOS-S Switch, and the :19 indicates interface 19 on the switch.
• What is the connection type?
  ◦ The connection info shows this as a CONNECT Ethernet 1000 Mbps Full-Duplex connection.
• What is the username?
  ◦ This is the tempuser username.
• What is the device type?
  ◦ The device type is listed as a Network Switch.

Lab 11: Downloadable User Roles

ClearPass has built-in support for downloadable user roles in conjunction with the Aruba Controller and
Aruba Switches. In this lab you will configure a scenario for the Aruba Controller. The switch
configuration for downloadable user roles will be done in the lab on Dynamic Segmentation.

Task 11-1: Configure the Aruba Controller for Downloadable Roles


Objectives
When configuring the Aruba Controller to support Downloadable User Roles, some extra configuration
is required to ensure that the RADIUS communication between the Controller and ClearPass is secure
and not subject to a man-in-the-middle attack.
In this task you will configure administrative authentication for the authentication source on the Aruba
Wireless Controller.
Overview: The following configuration steps need to be completed.
1. On ClearPass create an admin user account that the Aruba Controller will use to download the
User Role.
2. Install a publicly signed HTTPS certificate on ClearPass.
3. Install the root of the HTTPS certificate chain in the Aruba Controller’s trust list.
4. Configure the Authentication Server for DUR in the Aruba Controller.
5. Configure AAA profile for DUR in the Aruba Controller.
6. Configure Enforcement Profiles for Aruba Controller DUR.
7. Modify the Enforcement Policy in the service to use the new Enforcement Profiles.
8. Test the config.

Steps
Create an administrator account on ClearPass for the Aruba Controller
1. From the Remote Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Administration > Users and Privileges > Admin Users in the sidebar.
5. To add a user click Add in the upper right corner of the workspace.

6. Add a user with the following:
a. User ID : ArubaDUR.
b. Name: Aruba Downloadable Role Admin.
c. Password: Aruba123.
d. Enable User: (checked).
e. Privilege Level: Aruba User Role Download.

Modify the authentication source in the Aruba Wireless Controller


1. Open a browser to the IP address of your Aruba 7030 MC.
2. Log in with admin / admin1.
3. Navigate to Configuration> Authentication in the sidebar menu.
4. You should be on the Auth Servers tab in the workspace.
5. Click “ClearPass” in the bottom pane under All Servers to edit the authentication server settings.

6. Scroll down and check the option for CPPM credentials:
7. Fill In the CPPM username: and CPPM password:
a. ArubaDUR / Aruba123

8. Click Submit.

9. In the upper right corner of the screen, click Pending Changes, and then click Deploy Changes
in the pop-up window.

Enable downloadable user roles in the AAA profile on the Controller


1. Click the AAA Profiles tab.
2. Expand the AAA list in the workspace.
3. Click to edit your secure AAA profile - aaa_secure{pod}-{table} example: aaa secure10-14 for
Pod 10 Table 14.
4. Check the option box for Download Role from CPPM:

5. Click Submit.
6. In the upper right corner of the screen, click Pending Changes, and then click Deploy Changes
in the pop-up window.

Task 11-2: Configure DUR Enforcement Profiles


Objectives
Downloadable User Roles are built in ClearPass as Enforcement Profiles. If you are familiar with the
structure of an Aruba Firewall User Role on the Controller, you will be familiar with the structure of
Downloadable User Roles in ClearPass. In this task you will configure the Downloadable User Roles
required by the secure wireless network.
Because of the number of repetitive tasks involved in creating the downloadable user roles, in this task
you will create one downloadable user role and import the rest from a file. If you want to see all the
steps required to create each of the downloadable user roles, refer to Appendix 1 at the end of this
lab.

Steps
1. From the Remote Lab dashboard, connect to Wired MGMT Client.

2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Enforcement > Profiles.
5. Click Add to create a new Enforcement Profile.

Configure the Employee Full Access DUR


• RADIUS Accept
• Rule 1: any any any permit (create a new session ACL)
1. Click Add in the Configuration > Enforcement > Profiles workspace to create a new Enforcement Profile.
2. On the Profile tab enter the following:

a. Template: Aruba Downloadable Role Enforcement.
b. Name: Aruba Controller DUR employee full access.
c. Product: Mobility Controller.
3. Click Next.

4. In the Role Configuration tab click “Add Session Access Control List”.
5. On the General tab name the ACL: AllowAll.
6. Click Add Rule.
7. Under Role Configuration, configure the following (these are the defaults):
a. Source Traffic Match: any
b. Destination Traffic Match: any
c. Service Type: any
d. Action: permit
8. Click Save Rule.
9. Click Save.

10. On ACL: select:
a. ACL Type: Session
b. ACL Name: AllowAll
11. Click Add.

12. Click Next.


13. On the Summary tab review the new DUR.

14. Click Save to commit the new Enforcement Profile.

Import the remaining Downloadable User Role Enforcement Profiles


1. In the upper right corner click the link for Import.
2. In the Import from file window click Choose File.
3. Navigate to the student folder on the desktop and select the zip file EnforcementProfile.

4. Enter secret for the file: aruba123.
5. Click Import.

6. In the filter for the enforcement profile window configure: Name contains dur.

7. In the list you will see four downloadable user role profiles.

Task 11-3: Modify the Secure Wireless Service
Objectives
Downloadable User Roles are executed as Enforcement Profiles in the service. The processing of the
service is actually not modified. You need to modify the Enforcement Policy to call up the new DUR
enforcement.
In this task you will look in the service for the policy and then modify the rules conditions to use the
new Enforcement Profiles.

Steps
1. From the Remote Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration> Services.
5. Click the service: Aruba 802.1X Secure Wireless to edit.

6. In the services workspace click the Enforcement tab.


7. Click Modify next to the Enforcement Policy Used by the Service.

8. Click the Rules tab.

9. Select the first rule in the list and click Edit Rule (actions = assign profile only role).

10. In the Profile Names: menu add [RADIUS] Aruba Controller DUR profile only.
11. Remove: [RADIUS] assign profile only role.
12. Click Save.

13. Select the second rule in the list and click Edit Rule (actions = assign employee full role).
14. In the Profile Names: menu add [RADIUS] Aruba Controller DUR employee full access.
15. Remove: [RADIUS] assign employee full role.
16. Click Save.

17. Select the third rule in the list and click Edit Rule (actions = assign employee smart role).
18. In the Profile Names: menu add [RADIUS] Aruba Controller DUR employee smart access.
19. Remove: [RADIUS] assign employee smart role.
20. Click Save.

21. Select the 4th rule in the list and click Edit Rule (actions = assign temp access role).
22. In the Profile Names: menu add [RADIUS] Aruba Controller DUR temporary access.
23. Remove: [RADIUS] assign temp access role.
24. Click Save.

25. Leave the last rule alone.

26. Click Save in the bottom of the window to return to the service.
27. Click Save to finish editing the service.

You have now finished modifying the service to support Downloadable User Roles with the Aruba Controller.

Task 11-4: Test the New Configuration


Objectives
When ClearPass pushes a Downloadable User Role to the Controller, the Controller creates a temporary
System Role that it assigns to the authenticated client. Once the temporary role has been created,
multiple clients can be assigned the same role without adding entries to the Controller’s roles database.
Once the last client assigned that downloadable user role disconnects from the Controller, the
temporary system role is removed.
In this task you will clean out any existing user entries in the Wireless Controller’s user database and
then authenticate your wireless client to the secure SSID. Once the client has authenticated you will be
able to log into the Controller’s Administrative Interface and view the client and user role assignments.
Then you will go into ClearPass and view the downloadable user role in Access Tracker.

Steps
1. From the Remote Lab dashboard, connect to Wireless Test Client.
2. Click the network Icon in the upper right corner of the desktop and make sure that the Wireless
Test Client desktop is not connected to any wireless networks.

3. From the Remote Lab Dashboard right click on the Aruba 7030 MC and select Open Console.

4. Press [enter] in the console screen and log in with admin/admin1.
5. Delete all users with the #aaa user delete all command.
6. Leave the Console Window Open.
7. Return to the Wireless Test Client desktop.
8. Log into your secure wireless network as contractUser / aruba.

To confirm that the user/client received the correct downloaded role from ClearPass you will first look
in Access Tracker for a successful login request with the downloadable role enforcement. Then you will
check in the CLI of the Aruba Controller to see what role the Controller assigned to the client.
1. Open the browser tab for Wired MGMT Client.
2. Log into ClearPass1.
3. Navigate to Monitoring > Live Monitoring > Access Tracker.
4. Look at the top of the list for your latest “contractUser” authentication request.
5. Open the request to see the details.
6. On the Summary tab, look for the Enforcement Profiles: assigned.

6. Click the Output tab and expand RADIUS Response window shade.
7. Scroll down the list and look at the output under the section Radius:Aruba:Aruba-CPPM-Role.

8. Close the Request Details window.


9. From the Remote Lab dashboard open a console to Aruba 7030 MC.
10. Log into the console with admin / admin1.
11. Run the command #show user.

12. Look in the command output for the role assigned to the user. This should be the
Aruba_Controller_DUR_temporary_access role.

13. Run the command #show rights.

You have finished Lab 11!

Lab Debrief
During this lab, you configured Aruba Controller Downloadable User Roles. The Controller needed some
basic configuration settings, and ClearPass needed a valid HTTPS certificate installed to secure the
communications. The certificate root / trust is the most important part: the Controller cannot trust the
built-in ClearPass HTTPS certificate.
Building the Downloadable Role Enforcement Profiles with the GUI involves creating all of the
individual elements, such as NetDestinations, NetServices and ACLs, and then assembling them.



Lab 12: Dynamic Segmentation



Dynamic Segmentation uses a user role on the switch to start a tunnel to the Aruba Controller. The tunnel user role also tells the controller which user firewall role to assign to the tunneled user. The roles on both the switch and the controller may be configured either as static roles or as downloadable roles.
This lab configures both kinds: a static tunneled user role for the contractor user and a downloadable user role for the Active Directory user.
Remember that ClearPass already has the admin account for user role downloads that you created in the previous lab. You will use that same admin account here.
Between the initial lab setup and the previous labs you have already completed part of the AAA configuration on the switch. For reference, those commands are listed here:
#conf t

Enable AAA visibility


(config)# ip client-tracker trusted

Configure ClearPass as RADIUS server


(config)# radius-server host {ip of CPPM} key {shared secret}
(config)# radius-server host {ip of CPPM} dyn-authorization
(config)# radius-server host {ip of CPPM} time-window plus-or-minus-time-window
(config)# radius-server host {ip of CPPM} time-window 30

Configure a RADIUS server group


(config)# aaa server-group radius "CLEARPASS" host {ip of CPPM}
(config)# aaa accounting network start-stop radius server-group "CLEARPASS"
(config)# aaa authentication port-access eap-radius server-group "CLEARPASS"

Set AAA configuration


(config)# aaa accounting update periodic 5
(config)# aaa authorization user-role enable
(config)# aaa port-access authenticator 20
(config)# aaa port-access authenticator 20 tx-period 10
(config)# aaa port-access authenticator 20 supplicant-timeout 10
(config)# aaa port-access authenticator 20 client-limit 10
(config)# aaa port-access authenticator active

For a more in-depth explanation, refer to the ClearPass Tech Note:

- ClearPass_Solution-Guide_Wired-Policy-Enforcement
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33276
An extensive security guide for the ArubaOS-Switch can be found here:
- Aruba 2930F / 2930M Access Security Guide for ArubaOS-Switch
https://techhub.hpe.com/eginfolib/Aruba/16.09/5200-5903/index.html#book.html

Task 12-1: Configure the AOS-S Switch for Tunneled Node


Objectives
In this task you will complete the configuration required on the AOS-S Switch to support downloadable roles from ClearPass. This includes specifying the host as a CPPM server and enabling downloadable roles. You will also transfer the CA certificate for ClearPass's HTTPS certificate onto the switch so that when the switch contacts ClearPass to download a role it can do so over a verified TLS connection. You will also specify the Aruba Controller as a tunneled-node-server on the switch.
Next you will configure the static tunneled user role that will reference the

Steps
1. On the Aruba Training Lab dashboard, open a console window to your AOS-S Switch.
2. Press [enter] a couple times to activate the console.
Look at current RADIUS authentication settings on the switch.
3. Run the #show authentication command.
4. Notice Port-Access | EapRadius is set to CLEARPASS.

5. Exit the output.
6. To look at the RADIUS server settings, run the #show radius authentication command.
7. Notice the Server IP (configured previously).

8. Enter configuration mode with #config t.


9. Configure the ClearPass DUR admin credentials on the switch with the following command:
(config)#radius-server cppm identity ArubaDUR key Aruba123

10. Install the CA root certificate for ClearPass's HTTPS certificate. The switch fetches it from the CPPM server configured above:


(config)# crypto ca-download usage clearpass retry 3

Because the switch has no prior trust anchor for ClearPass, this download is trust-on-first-use: confirm that it completed successfully before relying on it, since every later role download is validated against this certificate.

11. Enable Downloadable User Roles with the following commands:


(config)# aaa authorization user-role enable download

12. Enable tunneled node, role-based:
(config)# tunneled-node-server
(..server)# controller-ip {IP address of your controller}
(..server)# mode role-based
(..server)# enable
(..server)# exit

13. Configure VLAN for the tunneled user:


(config)# vlan X3 (where X is your table number)
(config)# exit

Configure the role-based tunneled node user on the AOS-S Switch


The tunneled node user role will tunnel the contract user to the Aruba Controller and apply the secondary role "limited-access" on the Controller.
1. Enter the commands:
(config)# aaa authorization user-role name tun-temp-user
(user-role)# vlan-id X3 (where X is your table number)
(user-role)# tunneled-node-server-redirect secondary-role limited-access
(user-role)# exit

Sync the Clock on the AOS-S Switch


During a downloadable role request the switch validates the HTTPS certificate that ClearPass presents. If the clocks on the switch and ClearPass are skewed, the certificate can appear not yet valid or expired and the download fails. The RADIUS dynamic-authorization time window configured earlier (time-window 30) is also measured against the switch clock. It is a good idea to configure every network device to take its time from an NTP server.
1. Check the current time on the switch
# show time

2. Configure NTP server settings

# config t
(config)# timesync ntp
(config)# ntp unicast
(config)# ntp server 10.254.1.21 iburst
(config)# time timezone -5
(config)# ntp enable

3. Force the time on the Switch.


This will make time sync faster.

ClearPass displays the time in UTC. Previously you set the time zone for Eastern US
which is UTC -5. You can look at the time on your ClearPass server and subtract 5
hours for the correct time to set on the switch.

The command is in the format:


(config)# clock set mm/dd/yyyy hh:mm:ss

Example: for 24 Nov 2019 at 2:34:18 PM


(config)# clock set 11/24/2019 14:34:18

4. Exit configuration mode.


5. Save the running configuration:
# write memory
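The clock-skew problem described in this section, as an added Python illustration (not part of the Aruba lab guide and not switch or ClearPass code). It models the two things on this page that depend on the AOS-S switch clock agreeing with ClearPass: the switch validating ClearPass's HTTPS certificate against its own clock during a role download, and the RADIUS dynamic-authorization window configured earlier with time-window 30 (plus-or-minus). It also renders the clock set line from the UTC time ClearPass displays. The certificate dates, the sample timestamps and the helper names are assumptions made for the example.

```python
"""Clock-skew check for switch-to-ClearPass trust (added example, not Aruba code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

# Mirrors `radius-server host {ip of CPPM} time-window 30` with a plus-or-minus
# window: CoA/Disconnect requests whose Event-Timestamp is more than 30 s from
# the switch clock are rejected (assumed behaviour for this model).
COA_TIME_WINDOW_SECONDS = 30
EASTERN_OFFSET_HOURS = -5  # the lab sets the switch to Eastern US, UTC-5

TimeLike = Union[str, datetime]


def _aware(t: TimeLike) -> datetime:
    """Accept ISO-8601 strings or datetimes; naive values are taken as UTC,
    which is how ClearPass displays time."""
    dt = datetime.fromisoformat(t) if isinstance(t, str) else t
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def clock_set_command(clearpass_utc: TimeLike, tz_offset_hours: int = EASTERN_OFFSET_HOURS) -> str:
    """Render the AOS-S `clock set mm/dd/yyyy hh:mm:ss` line in switch-local time."""
    local = _aware(clearpass_utc).astimezone(timezone(timedelta(hours=tz_offset_hours)))
    return f"clock set {local:%m/%d/%Y %H:%M:%S}"


def skew_seconds(switch_time: TimeLike, reference_time: TimeLike) -> float:
    """Signed skew of the switch clock relative to ClearPass (positive = switch ahead)."""
    return (_aware(switch_time) - _aware(reference_time)).total_seconds()


def coa_within_window(switch_time: TimeLike, reference_time: TimeLike,
                      window: int = COA_TIME_WINDOW_SECONDS) -> bool:
    """True when a CoA stamped with ClearPass's time falls inside the switch's window."""
    return abs(skew_seconds(switch_time, reference_time)) <= window


def certificate_valid_at(switch_time: TimeLike, not_before: TimeLike, not_after: TimeLike) -> bool:
    """The switch judges the ClearPass certificate's validity by its *own* clock."""
    t = _aware(switch_time)
    return _aware(not_before) <= t <= _aware(not_after)


def assess(switch_time: TimeLike, reference_time: TimeLike,
           not_before: TimeLike, not_after: TimeLike) -> Dict[str, object]:
    """Summarise what a given switch clock breaks, and the fix to type."""
    skew = skew_seconds(switch_time, reference_time)
    return {
        "skew_seconds": skew,
        "coa_ok": abs(skew) <= COA_TIME_WINDOW_SECONDS,
        "certificate_ok": certificate_valid_at(switch_time, not_before, not_after),
        "suggested_clock_set": clock_set_command(reference_time),
    }


if __name__ == "__main__":
    # Constructed sample: ClearPass shows 19:34:18 UTC on 24 Nov 2019 (the lab's
    # 2:34:18 PM Eastern); the certificate was issued an hour earlier and runs a year.
    cppm_now = "2019-11-24T19:34:18+00:00"
    not_before, not_after = "2019-11-24T18:34:18+00:00", "2020-11-23T19:34:18+00:00"
    # A switch whose clock is a day behind: CoA fails and the certificate is "not yet valid".
    print(assess("2019-11-23T19:34:18+00:00", cppm_now, not_before, not_after))
```

A switch that is only a few seconds off passes both checks; one that is a day behind fails both, and the suggested clock set line is exactly the value step 3 above has you derive by hand.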

Task 12-2: Configure Enforcement Profiles


Objectives
Configuring Dynamic Segmentation on the switch involves setting up a user role on the switch that is assigned a secondary role corresponding to a role configured on the Aruba Controller. The role on the switch executes the user tunnel.
Both the primary role on the switch and the secondary role on the Controller can be configured as Downloadable User Roles.
To keep the focus on functionality, the roles in this lab are kept simple.

Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client and open a browser to the IP address of your ClearPass1 server.

2. Log in with admin / eTIPS123.


3. Navigate to Configuration > Enforcement > Profiles.

Add the Secondary role for the Controller


Remember that this will become a Downloadable User Role for the Aruba Controller.

1. Click Add to create a new Enforcement Profile.
2. Configure the following:
- Template: Aruba Downloadable Role Enforcement
- Name: Gateway DUR Dynamic
- Product: Mobility Controller

3. Add a simple Session ACL: AllowAll.



4. Click Next and review the summary.
5. Click Save.

Add the Downloadable User Role for the switch that will execute the Per-User tunnel
This role is very simple: it just executes the tunnel to the tunneled node controller and specifies the secondary role on the Controller that controls the client's data.
1. Click Add to configure a new Enforcement Profile.
2. Configure the following:
- Template: Aruba Downloadable Role Enforcement
- Name: AOS-S Switch DUR Dynamic
- Product: ArubaOS-Switch



3. Click Next.
4. On the Role Configuration tab configure:
- Secondary Role Type: Dynamic
- Controller Downloadable Role: Gateway DUR Dynamic
- VLAN: ID
- VLAN ID <1-4094>: X3, where X = your table number
This VLAN is the user VLAN on the Controller.



5. Click Next and review the summary, take note of the tunneled node user role.
6. Click Save.


Configure the Enforcement Profile for the Contract user


When the role-based tunneled user role is configured on the switch all ClearPass needs to do is instruct
the switch to assign the correct role.



1. Click Add to configure a new Enforcement Profile.
2. Configure the following:
- Template: Aruba RADIUS Enforcement
- Name: AOS-S Switch assign tun-temp-user

3. Click Next.
4. Delete the attribute line for Aruba-User-Role.
5. Under the Type column, click to add a new attribute.
6. From the drop-down select Radius:Hewlett-Packard-Enterprise.
7. Under Name select HPE-User-Role (25).
8. Type the Value: tun-temp-user.

9. Click Save.

Configure the 802.1X wired service for downloadable roles


The authentication request and the service that you will use to test downloadable user roles with
dynamic segmentation is the same as previous labs. You will need to modify the enforcement policy to
assign the new Enforcement Profiles that will execute the user data tunnel.

1. Navigate to Configuration > Services.
2. Find the Lab 10 802.1X Wired service in the list and open to edit.
3. Click the Enforcement tab.
4. Click Modify to edit the Enforcement Policy.

5. Click the Rules tab.


6. Edit the rule for Remote Lab AD user.

7. Remove the profile [RADIUS] Lab 10 802.1X Wired assign VLAN 141.
8. Add the profile [RADIUS] AOS-S Switch DUR Dynamic.

9. Click Save.



10. Select the rule for [Local User Repository].
11. Edit the rule.
12. Remove the profile [RADIUS] Lab 10 802.1X Wired assign VLAN 142.
13. Add the profile [RADIUS] AOS-S Switch assign tun-temp-user.

14. Click Save.


15. Click Save to save the Enforcement Policy and return to the service configuration.

16. Click Save to commit the changes to the service.



Task 12-3: Test Dynamic Segmentation
Objectives
Looking at the enforcement policy applied to the service, you would expect the local user to be placed in the switch-defined tun-temp-user role, with its locally configured VLAN and tunnel, while the modified Active Directory user rule should deliver a downloadable role that tunnels the Active Directory user to the controller.
This is one of the advantages of dynamic segmentation with role-based tunneling: the same switch port can provide different types of service based on the identity of the client.

Steps
1. From the Aruba Training Lab dashboard, connect to the Wireless Test Client desktop, click the Start button, and type "services".
2. Open the Services app.
3. Scan through the list of services and find Wired AutoConfig.
4. Start the service if it is not already running.

5. Close the services window.


6. Open Network & Internet settings:
7. Click the network icon in the upper right corner of the screen.
8. Click Network & Internet settings.



9. Click the link for Ethernet.
10. Click the link for Change adapter options.



11. In the adapter settings make sure that your Wi-Fi connection is disabled and the Lab NIC is
enabled.

12. Right-Click the Lab NIC and select Properties.


13. In the Properties window, click the Authentication tab.

14. On the Authentication tab, click Additional Settings.



15. Under Specify Authentication Mode, select User Authentication.



16. Click the button for Save Credentials, and enter contractUser / aruba.



17. Click OK to close Save Credentials.
18. Click OK to close Additional Settings.
19. Click OK to close Ethernet Properties.
Toggle the interface to force it to authenticate.
20. Right-click the Ethernet interface Lab NIC, and click Disable.
21. Right-click the Ethernet interface Lab NIC, and click Enable.
22. Switch to Wired MGMT Client.
23. Open a browser to ClearPass1, and log in to the Policy Manager.
24. Navigate to Monitoring > Live Monitoring > Access Tracker.
25. Look for your authentication request from the user contractUser.



26. Open the Request Details.
27. On the Summary tab, answer the following questions:
- What service processed the request?

- What enforcement profile was applied?

28. Click the Output tab, and expand the RADIUS Response shade.
- What VSA was used in the response?

29. Close the Request Details window.

View the client on the switch


1. On the Aruba Training Lab dashboard, open a console window to your AOS-S Switch.
2. Press [enter] a couple times to activate the console.
3. View the Client State:
# show port-access clients


4. View the tunneled node server state.



# show tunneled-node-server state

5. Show tunneled node users:


# show tunneled-node-users all

View the Client on the Aruba Controller


1. On the Aruba Training Lab dashboard, open a console window to your Aruba 7030 MC.
2. Press [enter] a couple times to activate the console.
3. Log in with admin / admin1.
4. View the clients connected to the Controller:
# show user

- What are the user's name and assigned role?

- What is the user's type?

- What is the roaming status of the user?

Test the Active Directory User with Downloadable Roles.


1. From the Aruba Training Lab dashboard, connect to the Wireless Test Client desktop.
2. Right-Click the Lab NIC and select Properties.
3. In the Properties window, click the Authentication tab.

4. On the Authentication tab, click Additional Settings.



5. Click the button for Replace credentials, and enter employee / aruba123.



6. Click OK to close Save Credentials.
7. Click OK to close Additional Settings.
8. Click OK to close Ethernet Properties.
Toggle the interface to force it to authenticate.
9. Right-click the Ethernet interface Lab NIC, and click Disable.
10. Right-click the Ethernet interface Lab NIC, and click Enable.
11. Switch to Wired MGMT Client.
12. Open a browser to ClearPass1, and log in to the Policy Manager.
13. Navigate to Monitoring > Live Monitoring > Access Tracker.
14. Look for your authentication request from the user employee.
15. Open the Request Details.
16. On the Summary tab, answer the following questions:
- What service processed the request?

- What enforcement profile was applied?

17. Click the Output tab, and expand the RADIUS Response shade.



18. What VSA was used in the response?

19. Close the Request Details.

View the DUR client on the switch


1. On the Aruba Training Lab dashboard, open a console window to your AOS-S Switch.
2. Press [enter] a couple times to activate the console.
3. View the Client State:
# show port-access clients

4. View the downloaded user role:


# show user-role downloaded

308 Task 12-3: Test Dynamic Segmentation


5. Show tunneled node users on port 20:
# show tunneled-node-users port 20

View the Client on the Aruba Controller


1. On the Aruba Training Lab dashboard, open a console window to your Aruba 7030 MC.
2. Press [enter] a couple times to activate the console.
3. Log in with admin / admin1.
4. View the clients connected to the Controller:
# show user

- What are the user's name and assigned role?


Task 12-4: Return the Configuration to Normal
Objectives
Return the network settings on Wireless Test Client to normal so that you do not have to change them again during the rest of the labs.

Steps
1. From the Aruba Training Lab dashboard, connect to Wireless Test Client.
2. Disable the Lab NIC and enable the Wi-Fi connection.

You have finished Lab 12!



Lab 13: OnGuard Configuration


Task 13-1: Create a Posture Policy


Objectives
- To configure a posture policy to be used with ClearPass OnGuard.
- To implement a simple policy that checks your Windows 10 client and ensures that the firewall is enabled, in which case the client shows up as healthy. If the firewall has been disabled, the client is assigned a quarantine token.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager.
4. Navigate to Configuration > Posture, and select Posture Policies.
5. Click Add to add a new posture policy.

6. In the Posture Policies page, add the following details:


n Policy Name: Employee Posture Policy
n Description: <Any description>



- Posture Agent: OnGuard Agent
- Host Operating System: Windows

7. Click Next to navigate to the Posture Plugins tab.


8. Click the checkbox beside the ClearPass Windows Universal System Health Validator.
9. This is your OnGuard plugin. Click the Configure button to continue.

When you click the configure button, the plugin configuration popup window will
appear. For the purposes of this lab, you will check for any firewall application run-
ning on the Windows 10 operating systems.

10. In the sidebar menu expand Windows 10.


11. Enable checks for: Windows 10.
12. Click the “Firewall” submenu.
13. Check the Enable checks for Windows 10.
14. Check the box for: A firewall application is on.
15. Uncheck the box for: Product-specific checks.

Even though the Auto Remediation option is set by default on the Posture Policy,
auto-remediation will not happen unless it is also enabled in the WEBAUTH service.
You will not be enabling auto-remediation in the service for this lab.

16. Click Save.


17. Click Next to go to Rules tab.
18. In the Rules tab, click the Add Rule button.

19. Add the rules as follows:


a. First rule:
i. Select Plugin Checks: Passes all SHV checks
ii. Select Plugins: ClearPass Windows Universal System Health Validator
iii. Action: Posture Token: HEALTHY
iv. Click Save to commit rule.



b. Add second rule:
i. Select Plugin Checks: Fails one or more SHV checks
ii. Select Plugins: ClearPass Windows Universal System Health Validator
iii. Action: Posture Token: QUARANTINE
iv. Click Save to commit changes.

20. Click the Next button to go the Summary tab, and review the posture policy configuration.

21. Once done click Save.

By selecting the two rules, "Passes all SHV checks" and "Fails one or more SHV checks", you have configured a go/no-go test. If the system passes all checks, you know nothing is out of spec; if it fails any SHV condition, it triggers the QUARANTINE token.

Task 13-2: Create Enforcement Profiles


Objectives
- To configure Agent Enforcement Profiles that send messages to the OnGuard agent. These profiles will be used in the Enforcement Policy for the WEBAUTH service that processes the System Health Validation messages from the agent.

Steps
1. Expand Configuration > Enforcement in the sidebar menu.
2. Click Profiles.
3. Click Add to create a new Enforcement Profile.
4. In the Add New Enforcement Profile screen:
a. Select the template “Agent Enforcement.”
b. Add the following information:
i. Enforcement Profile name: Agent Unhealthy Profile
ii. Description: “Use when posture is Quarantined”



5. Click the Next button to go to the Attributes tab, and add the following rule:
a. BounceClient: “False”
b. Message: “Your client is unhealthy”

6. Click Next to go to the Summary tab and verify the configuration added so far.

7. Click the Save button to return to the Enforcement Profiles screen.
8. Add one more Agent Enforcement Profile for the healthy agents by clicking the Add link again.
9. Select the template “Agent Enforcement”.
10. Add the following information:
a. Enforcement Profile name = “Agent Healthy Profile”
b. Description = “Use when posture is Healthy”
11. In the Attributes tab, add the following rule:
a. BounceClient= “False”
b. Message = “Welcome to the Corporate Network”
12. Click the Next button to go to the Summary tab and verify the configuration added so far.

13. Click the Save button.



The enforcement profiles Agent Unhealthy Profile and Agent Healthy Profile are
ready to be used in the enforcement policy.

Task 13-3: Create Posture Token Based Enforcement Policy


Objectives
- To build an enforcement policy that you can use in the WEBAUTH service for processing the system health validation from the agent. This enforcement policy reads the posture token assigned by the posture policy and then calls the correct enforcement profile from those you just built.
The enforcement logic is as follows:
- IF Tips:Posture EQUALS HEALTHY
  - THEN assign Agent Healthy Profile
- IF Tips:Posture EQUALS QUARANTINE
  - THEN assign Agent Unhealthy Profile
- ELSE execute Aruba Terminate Session.

Steps
1. Expand Configuration > Enforcement.
2. Click Policies.
3. Click Add, to create a new enforcement policy.
4. Add the following details in the enforcement policy’s Enforcement tab:
a. Name: Employee Health Enforcement
b. Description: <any description>
c. Enforcement Type: WEBAUTH
d. Default Profile: [RADIUS_DynAuthZ][ArubaOS Wireless - Terminate Session]

5. Click the Next button, and go to the Rules tab.
6. Select the Rules Evaluation Algorithm: as Select first match.

7. In the Rules tab conditions, click the Add Rule button to add a rule.
8. Enter the following conditions:
a. Type = “Tips”
b. Name = “Posture”
c. Operator = “EQUALS”
d. Value = “HEALTHY”
e. Enforcement Profiles: [Agent] Agent Healthy Profile

9. Click Save on the popup window of Rules Editor.


10. Click Add Rule to create a second rule with the following conditions:
a. Type = “Tips”
b. Name = “Posture”
c. Operator = “EQUALS”



d. Value = “QUARANTINE”
e. Enforcement Profiles: Agent Unhealthy Profile
11. Save the rule.

12. Click Next to verify the policy on the summary tab.

The enforcement policy is now ready to be applied to a service. In the next task, you
will create a health check where the posture policy and enforcement policy that you
created will be used.

13. Click Save.
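The posture and enforcement logic built in Tasks 13-1 through 13-3, as an added Python model (not ClearPass code; it does not talk to ClearPass). It traces one agent report end to end: the Windows Universal SHV results become a posture token (HEALTHY when every enabled check passes, QUARANTINE when one or more fails, UNKNOWN when the plugin returned nothing usable), and a first-match enforcement policy keyed on Tips:Posture picks the Agent Enforcement profile, falling through to the default terminate-session profile for any other token. The tokens, profile names and messages are the lab's; the class and function names, the UNKNOWN handling and the sample reports are assumptions made for the example.

```python
"""Posture-token and enforcement model for the OnGuard health check (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEALTHY, QUARANTINE, UNKNOWN = "HEALTHY", "QUARANTINE", "UNKNOWN"


@dataclass(frozen=True)
class EnforcementProfile:
    name: str
    kind: str            # "Agent" or "RADIUS_DynAuthZ", as Policy Manager labels them
    message: str = ""    # text shown by the OnGuard agent
    bounce_client: bool = False


# Task 13-2: the two Agent Enforcement profiles (BounceClient = False in both).
AGENT_HEALTHY = EnforcementProfile("Agent Healthy Profile", "Agent", "Welcome to the Corporate Network")
AGENT_UNHEALTHY = EnforcementProfile("Agent Unhealthy Profile", "Agent", "Your client is unhealthy")
# Task 13-3 default profile: a RADIUS change-of-authorization that ends the session.
TERMINATE_SESSION = EnforcementProfile("ArubaOS Wireless - Terminate Session", "RADIUS_DynAuthZ")


def posture_token(shv_results: Dict[str, Optional[bool]]) -> str:
    """Employee Posture Policy rules: 'Passes all SHV checks' -> HEALTHY and
    'Fails one or more SHV checks' -> QUARANTINE. A check the plugin could not
    evaluate (None) or an empty report gives UNKNOWN instead of a verdict
    (assumed behaviour for this model)."""
    if not shv_results or any(v is None for v in shv_results.values()):
        return UNKNOWN
    return HEALTHY if all(shv_results.values()) else QUARANTINE


# Task 13-3: Employee Health Enforcement, evaluated with "Select first match".
RULES: List[Tuple[Dict[str, str], EnforcementProfile]] = [
    ({"Tips:Posture": HEALTHY}, AGENT_HEALTHY),
    ({"Tips:Posture": QUARANTINE}, AGENT_UNHEALTHY),
]


def enforce(attributes: Dict[str, str],
            rules: List[Tuple[Dict[str, str], EnforcementProfile]] = RULES,
            default: EnforcementProfile = TERMINATE_SESSION) -> EnforcementProfile:
    """First-match evaluation; every condition in a rule must hold (EQUALS)."""
    for conditions, profile in rules:
        if all(attributes.get(name) == value for name, value in conditions.items()):
            return profile
    return default


def health_check(shv_results: Dict[str, Optional[bool]]) -> Tuple[str, EnforcementProfile]:
    """What the Health Check Service does with one agent report."""
    token = posture_token(shv_results)
    return token, enforce({"Tips:Posture": token})


if __name__ == "__main__":
    # Constructed agent reports for the lab's single enabled check ("A firewall application is on").
    for report in ({"firewall_on": True}, {"firewall_on": False}, {"firewall_on": None}):
        token, profile = health_check(report)
        print(f"{report} -> {token} -> {profile.name}: {profile.message!r}")
```

The third sample report is the case the lab's two rules do not cover: when the plugin cannot produce a verdict the policy falls through to the default profile, so a client that never reports is disconnected rather than silently treated as healthy.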

Task 13-4: Create Service to Process Health Check


Objectives
- To build a WEBAUTH service to process web-based health checks. This service receives the system health validation from the agent, applies the posture policy and assigns the posture token. It then executes the enforcement profiles to send the proper messages to the agent.

Steps
1. Navigate to Configuration > Service Templates and Wizards.
2. Click the here link at the top of the page to configure a service and related policies using the full wizard.

3. Click Web-based Health Check Only template. A service creation wizard will launch.

4. On the Service tab, add the following details:


a. Name: Health Check Service
b. Description: “This service processes agent SHV“
c. More Options: Check Posture Compliance

5. Click the Posture tab. Here you will select the Posture Policy that will be applied.
6. From the Posture Policies section drop-down menu, select the Employee Posture Policy.



7. Navigate to the Enforcement tab by clicking Next. On this tab you will select the Enforcement
Policy that will implement the logic for this service.
8. From the Enforcement Policy: drop-down menu select Employee Health Enforcement.

9. Click Next to go to the Summary tab, verify your configuration.


10. Click Save. You will be redirected to the Reorder Services page.
11. Click Save again. Your web-health check service is now ready for testing.

There is no need to reorder the health check service to the top since the service rules
are so unique that no other service you created before will match.

Task 13-5: Configure and Install OnGuard Persistent Agent
Objectives
- To stage the required agent on the client laptop, which will be used for testing in the next task. Some configuration needs to be done on the agent, and you will do that in this task as well.

Steps
1. In the Policy Manager, navigate to Administration > Agents and Software Updates in the sidebar menu.
2. Click OnGuard Settings.
3. On the Settings tab, under Agent Customization, configure the following options:
a. In Managed Interfaces: check only Wireless; uncheck the Wired and VPN interfaces.
b. Select Mode as Check Health – No Authentication.
c. Keep all the other settings as default.
d. Click Save.

In the next steps, you will install the OnGuard agent on Wireless Test Client. The easiest way to do this is to connect to your wireless network, open a browser, and log in to ClearPass as an administrator. Then you will navigate to the Agents & Software Updates page and install from there.

4. From the Aruba Training Lab dashboard, log into your Wireless Test Client remote desktop.
5. Connect to your wireless SSID secure{pod #}-{table #} (e.g., secure5-1) with the credentials
contractUser / aruba.



6. Open a browser on Wireless Test Client.
7. Browse to your ClearPass server.
8. Log into the Policy Manager with the credentials admin / eTIPS123.
9. Navigate to Administration > Agents and Software Updates in the sidebar menu.
10. Click OnGuard Settings.
11. Select the Installers tab.
12. Select the Windows installer for OnGuard (full install, EXE), and download it.

13. After the download is complete, close the browser window.


14. Disconnect from the wireless SSID.
15. Launch the executable from the Downloads folder.

16. At the “SmartScreen cannot be reached right now” pop-up, click Run.
17. Follow the onscreen instructions to install the OnGuard agent.

18. After installation, run the OnGuard Agent on the remote laptop.



Task 13-6: Testing the OnGuard Persistent Agent
Objectives
- To connect the wireless client to your wireless SSID. The agent should activate and send a health update to ClearPass. Upon completion of this task, you will know how to monitor OnGuard and review the posture status for your endpoint.

Steps
1. On your Wireless Test Client, expand the taskbar menu, and right-click the OnGuard icon.

2. Select Restore to open the OnGuard agent application.

3. At this point, without being connected to the network, your agent should show a Health Status:
Not Known.



4. Leave the OnGuard Agent window open.
5. Connect to your wireless network SSID with the credentials contractUser / aruba.

You should see the agent go active as soon as it recognizes the wireless network has
connected, and you will see it gather information. This happens quickly, so you may
miss it.

6. You should notice the agent change to a Health Status: Healthy.

If your agent comes up as Unhealthy, check whether the Windows firewall is disabled; enable it to get the agent to report Healthy.

7. On the agent click the Diagnostics tab.


8. In the Diagnostics Type: drop-down box, select Connectivity Tests.



9. Type in the IP address of your ClearPass1 server.
10. Click Start Test button to begin the test.

11. When the test has finished, scroll back through the output window and review the test results.

12. On the Wired MGMT Client, open the browser to ClearPass1, and log into the Policy Manager.
13. Expand Configuration > Identity in the sidebar menu.

14. Click Endpoints.
15. Find your wireless client endpoint in the list.

The easiest way to find your wireless client in the list is to sort the endpoints list by Device Category or Device OS Family. Your wireless client should be the only Windows computer.

16. Click your endpoint entry to open it.


17. Click the Policy Cache tab.

If your endpoint does not have a Policy Cache tab, it may have timed out and been
removed. Close the endpoint window and return to your wireless client, and run the
agent again by clicking the Retry button.

18. Answer the following questions:


- What is the posture status of your endpoint?

- When was the posture status last updated?

- At what time will the posture cache expire?

19. Close the endpoint details.


20. Navigate to Monitoring > Access Tracker.
21. Search through the list and find your WEBAUTH request. There may be several; select the latest one.
22. Click the Request to view the Request Details.

23. Answer the following questions:


- What policy service is used to process the request?

- What is the system Posture Status?

- What is the Enforcement Profile applied?

24. Click the Input tab in the Request Details popup, and expand the Posture Request section.

25. Answer the following questions:
- What is the client operating system?

- What is the firewall application name?

- What is the firewall status?

26. Navigate to the Output tab, and expand the Posture Response and Application Response sections.
27. Answer the following questions:
- What is the Firewall Health Status?

- What is the Agent Message?



28. Close the Request Details window, and keep the Access Tracker page active on your Wired MGMT Client desktop.
29. Change to your Wireless Test Client remote desktop.
30. Access the windows firewall settings on your Wireless Test Client from control panel.

31. Disable the Windows Firewall.

32. Wait for a few seconds, you will see that the OnGuard agent will send the updated posture status
to the ClearPass Server.



If the agent is showing a Health Status: Not Known, you may need to reconnect to
the secure wireless network.

33. Change to your Wired MGMT Client desktop.


34. In Access Tracker, look for the latest WEBAUTH request.
35. Open it to view the Request Details.
36. Spend some time looking at the data in the Summary, Input, and Output tabs. Take note of how this request has resulted in a QUARANTINE token and a firewall health status of not healthy.

37. Return to your Wireless Test Client desktop, and turn the firewall back on.
You have completed Lab 13!

Lab Debrief
During this lab, you configured the posture policy and deployed the posture agent on the wireless
laptop. This simple configuration does not enforce access based on the token status of the client.
To accomplish that, you would need to add enforcement rules in the 802.1X service that read the
token status and apply an enforcement profile. The configuration as it stands can be used to provide
data and insight into the compliance status of all of your clients without doing enforcement.

Task Questions Answered


Task 6
• What is the posture status of your endpoint?
  ◦ The endpoint should show up as healthy.
• When was the posture status last updated?
  ◦ This should be within the last five minutes.
• At what time will the posture cache expire?
  ◦ The cache expires five minutes after it was last updated.
• What service is used to process the request?
  ◦ Health Check Service
• What is the system Posture Status?
  ◦ Healthy
• What is the Enforcement Profile applied?
  ◦ The Agent Healthy Profile is applied.
• What is the Client Operating System?
  ◦ Windows 10
• What is the Firewall Application Name?
  ◦ Windows Firewall
• What is the Firewall Status?
  ◦ Enabled
• What is the Firewall Health Status?
  ◦ Healthy
• What is the Agent Message?
  ◦ Welcome to the Corporate Network

Lab 14: OnGuard Enforcement


In the previous lab, you configured the OnGuard Posture Policies and the OnGuard Agent that you
deployed to your client. The agent scanned the local desktop and sent a status update, which the
service used to set a posture token on the endpoint. In this lab, you will use the information
reported by the agent for enforcement in your services.

Task 14-1: Modify the Enforcement Policy


Objectives
• To modify your enforcement policy by adding enforcement based on the OnGuard posture status
of the client.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager.
4. Navigate to Configuration > Enforcement > Policies in the sidebar menu.
5. Click the checkbox next to aruba wireless enforcement policy.
6. Click Copy to create a copy of the policy.

7. Click the Copy_of_aruba wireless enforcement policy to edit it.


8. Navigate to the Enforcement tab and rename the policy as aruba wireless enforcement policy –
with posture.

9. Click the Rules tab.
10. Select the “(Tips:Role EQUALS corporate_user) and (tips:Role EQUALS computer)” rule, and
click Edit Rule.
11. Add the following condition:
a. Condition 3
i. Type = “Tips”
ii. Name = “Posture”
iii. Operator = “EQUALS”
iv. Value = “HEALTHY”

12. Click the Save icon at the end of the row to commit the rule.
13. Click Save to close the Rules Editor.

Adding the posture evaluation to the rule means that the employee connecting on a
computer must also pass a health check to get the employee full access role.

You will now add a new rule to account for the employee endpoint with a Quarantined token assigned.

1. Click Add Rule to add another rule with the following options:
a. Condition 1
i. Type = “Tips”
ii. Name = “Role”
iii. Operator = “EQUALS”
iv. Value = “corporate_user”

b. Condition 2
i. Type = “Tips”
ii. Name = “Role”
iii. Operator = “EQUALS”
iv. Value = “computer”
c. Condition 3
i. Type = “Tips”
ii. Name = “Posture”
iii. Operator = “EQUALS”
iv. Value = “Quarantine”
d. Enforcement Profile = [RADIUS] assign Temp Access Role

2. Click Save to save this new rule.

Adding this rule means that the employee, who is connected on a computer and has
failed the health check, will get the temp access role.

Now consider the employee who has just connected to the network. OnGuard is a layer 3 application,
so you must build enforcement that grants the client limited access, enough for the agent to
communicate with ClearPass.

1. Click Add Rule to add another rule with the following conditions:
a. Condition 1
i. Type = “Tips”
ii. Name = “Posture”
iii. Operator = “EQUALS”
iv. Value = “Unknown”
b. Enforcement Profile = [RADIUS] assign Profile_only role

2. Click Save to save this new rule.

For this lab, you will be placing the client that is in the unknown state in the Profile_
Only role, which has been configured to allow HTTPS traffic to ClearPass. Doing so
gives the OnGuard agent access to ClearPass so that it can submit a system health
validation.

3. Click the new (tips: posture equals unknown) rule, and use the Move Up button to place the
rule at the top of the list.
4. Your Enforcement Policy should now look like this:

5. Click Save at the bottom to save this enforcement policy.
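The enforcement policy built in the steps above, as an added example that is not part of the lab guide: a small Python model of first-match rule evaluation over Tips:Role and Tips:Posture, showing how each posture token resolves and why the Unknown-posture rule is moved to the top. The full-access profile name, the policy's default profile and the extra role-only rule in misordered_policy() are assumptions, not values from the guide.

```python
# Added example (not from the lab guide): a model of how the Lab 14 enforcement
# policy resolves its Tips:Role / Tips:Posture conditions for a request.
# Assumptions: FULL_ACCESS and DENY are placeholder profile names (the guide
# names only Profile_only and Temp Access Role), and the "broad" rule in
# misordered_policy() is constructed to show why the Unknown rule goes first.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

Condition = Tuple[str, str, str, str]   # (type, name, operator, value)
Request = Dict[str, Union[str, Set[str]]]

PROFILE_ONLY = "[RADIUS] assign Profile_only role"
TEMP_ACCESS = "[RADIUS] assign Temp Access Role"
FULL_ACCESS = "[RADIUS] assign Employee Full Access role"   # placeholder name
DENY = "[Deny Access Profile]"                              # assumed default


def condition_matches(cond: Condition, request: Request) -> bool:
    """Evaluate one rule condition. Only EQUALS is modelled, as in the lab."""
    ctype, name, operator, value = cond
    if operator != "EQUALS":
        raise ValueError(f"operator {operator!r} is not modelled")
    actual = request.get(f"{ctype}:{name}")
    if actual is None:
        return False
    # Tips:Role is multi-valued: EQUALS holds if the role is among those assigned.
    if isinstance(actual, (set, frozenset, list, tuple)):
        return any(v.casefold() == value.casefold() for v in actual)
    # Posture tokens compare case-insensitively (HEALTHY, QUARANTINE, UNKNOWN).
    return actual.casefold() == value.casefold()


@dataclass
class Rule:
    conditions: List[Condition]   # every condition must hold (AND)
    profiles: List[str]           # enforcement profiles applied on a match


@dataclass
class EnforcementPolicy:
    rules: List[Rule]
    default_profile: str
    first_match: bool = True      # "Select first match" vs "Select all matches"

    def evaluate(self, request: Request) -> List[str]:
        """Walk the rules top to bottom and return the selected profiles."""
        selected: List[str] = []
        for rule in self.rules:
            if all(condition_matches(c, request) for c in rule.conditions):
                selected.extend(rule.profiles)
                if self.first_match:
                    break
        return selected or [self.default_profile]


def make_request(roles: Set[str], posture: str) -> Request:
    """Constructed request: roles assigned by the 802.1X service plus the posture token."""
    return {"Tips:Role": set(roles), "Tips:Posture": posture}


def lab14_policy() -> EnforcementPolicy:
    """The policy as built in Task 14-1, with the Unknown rule moved to the top."""
    corp_computer: List[Condition] = [
        ("Tips", "Role", "EQUALS", "corporate_user"),
        ("Tips", "Role", "EQUALS", "computer"),
    ]
    return EnforcementPolicy(
        rules=[
            Rule([("Tips", "Posture", "EQUALS", "Unknown")], [PROFILE_ONLY]),
            Rule(corp_computer + [("Tips", "Posture", "EQUALS", "HEALTHY")], [FULL_ACCESS]),
            Rule(corp_computer + [("Tips", "Posture", "EQUALS", "Quarantine")], [TEMP_ACCESS]),
        ],
        default_profile=DENY,
    )


def misordered_policy() -> EnforcementPolicy:
    """Constructed variant: a role-only rule (no posture condition) sits above the
    Unknown rule, as a pre-existing rule in a copied policy might."""
    base = lab14_policy()
    broad = Rule([("Tips", "Role", "EQUALS", "corporate_user")], [FULL_ACCESS])
    return EnforcementPolicy([broad] + base.rules, base.default_profile)


if __name__ == "__main__":
    corp = {"corporate_user", "computer"}
    for posture in ("UNKNOWN", "HEALTHY", "QUARANTINE"):
        print(posture, "->", lab14_policy().evaluate(make_request(corp, posture)))
    # With the broad rule on top, a client that has not yet sent a health check
    # is granted full access, so the agent never has to prove compliance.
    print("misordered UNKNOWN ->", misordered_policy().evaluate(make_request(corp, "UNKNOWN")))
```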

Task 14-2: Modify the Wireless Service


Objectives
• To modify the Enforcement tab of your 802.1X service to support OnGuard enforcement. Remember
that you will need to check the cached roles and policies option on the Enforcement tab to keep
the posture token assigned to the endpoint after a change of authorization and re-authentication.

Steps
1. Navigate to Configuration > Services.
2. Click your “Aruba 802.1X Secure Wireless” service to edit.

3. In the service editor, click the Enforcement tab.


4. Check the box for Use Cached Results.
5. Select your new Enforcement Policy “Aruba wireless enforcement policy – with posture.”

6. Click Save to commit the changes to the service.

Task 14-3: Modify the Health Check Service
Objectives
• To add the [RADIUS_DynAuthZ] Aruba Terminate Session enforcement profile to the Health Check
service, in order to bounce the user after they have completed a health check, forcing them to
perform another 802.1X authentication. When they perform this second 802.1X authentication, the
802.1X service with posture enforcement will be able to assign them the correct access rights
based on their posture token.

Steps
1. Navigate to Configuration > Services, and select the Health Check Service.

2. Navigate to Enforcement tab.


3. Click Modify next to the selected Employee Health Enforcement Policy. You will be redirected
to the Enforcement Policy edit page.

4. Click the Rules tab.


5. Click the first Rule to select it.
6. Click Edit Rule.

7. Add the [RADIUS_DynAuthZ] ArubaOS Wireless-Terminate Session profile from the drop-down.
8. Click Save.

9. Modify the second rule to add the [RADIUS_DynAuthZ] ArubaOS Wireless-Terminate Session
profile as well.
10. Click Save.
11. Your Enforcement Policy should now look like this:

Adding the [RADIUS-DynAuthZ] [ArubaOS Wireless – Terminate Session] profile to the rule's actions
makes ClearPass instruct the Aruba Controller to disconnect and re-authenticate the client any
time the posture token for the endpoint changes. This allows you to take action against
non-compliant clients.
12. Click Save again. You will be redirected back to the Health Check Service.

13. Click Save to save the modified service. You are now ready to test client-health-based RADIUS
enforcement.

Task 14-4: Testing


Objectives
• To test OnGuard with enforcement in your service. The first step will be to clear out your
endpoints and make sure that your client is disconnected from the Controller. When testing, keep in
mind that the Controller tracks a user that has dropped away for an additional five minutes to
streamline reconnects, and the endpoint policy cache generally has a five-minute timeout. This
means that if you do not do clear-outs while you are testing, you will not get repeatable and
predictable results.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log in to the Policy Manager with admin / eTIPS123.
4. Expand Configuration in the sidebar menu.
5. Expand the Identity submenu.
6. Then, click Endpoints.
7. Sort the list of endpoints by Device OS Family descending.

8. The top of the list should be your Windows wireless client.


9. Click your endpoint to open the Edit Endpoint window.

10. Look at the tabs at the top of the page. If you have a tab for Policy Cache, click the Clear Cache
button at the bottom of the page.

11. Click Save to close the window.

The goal is to clear out any previously assigned roles and posture settings while not
removing the profiled status of the client. If you were to delete it, the endpoint would
have to go through a profile cycle in order to connect. This makes the lab a little
more streamlined.

Disconnect the Wireless Test Client


1. Open the Wireless Test Client desktop.
2. Disconnect from the secure SSID.

Check for Users on the Secure Network
1. Open Console for the Aruba Controller in the browser.
2. Right-click your Aruba Controller, and select Open Console.

3. In the new window that pops up, hit [enter] twice.


4. Log into your Controller’s CLI console with your admin credentials.
5. Execute the following commands:
# show user (you may not see any users if none are connected)

# aaa user delete all (if no users are connected, you can skip this)

# show user (there should be no users connected now; if there are, switch to your wireless client
and disconnect from the network)

6. Leave the CLI console browser screen open.

Connect and Authenticate to the Secure Network


1. Switch back to Wireless Test Client.
2. Click the Network Icon. You should see your guest SSID listed at the top.
3. Select your secure SSID, and click Connect.
4. Log in to the network with employee / aruba123.
5. On your Wireless Test Client, expand the taskbar menu, and right-click the OnGuard icon.

6. Select Restore to open the OnGuard agent application.

7. You should see a “Healthy” status on the agent.

TIP: If you do not see a healthy status, then check the condition of your Windows firewall,
and enable it if needed. Then, use the "Retry" button to send a new SHV.

8. Switch back over to your Wired MGMT Client, and open a browser to ClearPass1.
9. Log into Policy Manager.
10. Navigate to Access Tracker.
11. At the top of the list, you should see three events: your employee's first RADIUS login (1),
followed by the client's health check (2), and another employee RADIUS login (3).

TIP: If you do not see a second authentication request after the health check, return
to Wireless Test Client, and make sure that the “Connect Automatically” box is
checked for the secure SSID:

12. Click the first employee login to view the details.


13. Look on the Summary tab.
14. Answer the following questions:
• What is the posture status of the client?

• What enforcement profile did the service use?

15. Click the RADIUS Dynamic Authorization tab.
16. Answer the following questions:
• What is the Dynamic Authorization action type?

• What is the status message?

17. Close the Request Details window.
18. Open the WEBAUTH request just above the request you just viewed.
19. Answer the following questions:
• What is the posture status of the health check?

• What enforcement profiles were executed?

• Why is the RADIUS Dynamic Authorization tab not on this entry?

20. Close the Request Details.
21. Open the latest employee RADIUS request.
22. Take note of the posture status and the Enforcement Profile selected.

Disable Firewall and Acquire a Quarantined Token


1. Switch to Wireless Test Client.
2. On your wireless client, pull up the start menu, and click Settings.

3. Enter “Firewall” in the “Find a Setting” box.
4. Select the option for “Check firewall status.”

5. Click the option for “Turn Windows Defender Firewall On or Off.”

6. Turn off the three network firewalls.

7. Click OK to save the settings; however, be sure to leave the Windows Defender firewall open.
8. Bring the ClearPass OnGuard Agent to the front.
9. If the client has disconnected, log back into the secure SSID with the employee account
(employee / aruba).

10. Answer the following questions:
• What is the status of your posture agent?

• Which service assigned this status?

11. Switch to the Wired MGMT Client desktop, and log in to the Policy Manager.
12. Navigate to Access Tracker.
13. In Access Tracker, you should see two new requests: a WEBAUTH health check (4), and another
RADIUS employee request (5).

TIP: If you do not see both of the requests, then return to your wireless client, and
check to see if the client has disconnected. There are times in the lab environment
that the clients will not automatically reconnect after a Dynamic Authorization due to
interference.

14. Answer the following questions:

• What is significant about this pattern of requests?

• What health status or posture token would you expect to see on the previous RADIUS
employee request?

• What health status or posture token would you expect to see on the second RADIUS
employee request?

15. Take a few minutes, and investigate the request details.


16. On the Wireless Test Client desktop, turn the firewall back on.

You have completed Lab 14!

Lab Debrief
During this lab, you configured an enforcement policy to evaluate the status of the posture token. You
also needed to modify the health check service in order to execute the Aruba terminate session, which
disconnects the client and forces it to log in again.

Task Questions Answered
Task 4
• What is the posture status of the client?
  ◦ The client should be listed as UNKNOWN.
• What enforcement profile did the service use?
  ◦ The client was assigned the profile_only role.
• What is the Dynamic Authorization action type?
  ◦ This is a disconnect action type.
• What is the status message?
  ◦ The status message should indicate "successful for client." If it does not, then the Dynamic
Authorization action did not happen.
• What is the posture status of the health check?
  ◦ The posture status will be healthy.
• What enforcement profiles were executed?
  ◦ The service executed the agent healthy profile, sending a message to the OnGuard agent,
and it executed the ArubaOS Wireless – Terminate Session profile.
• Why is the RADIUS Dynamic Authorization tab not on this entry?
  ◦ When a service executes a Dynamic Authorization, it executes against the session identifier
for the client. ClearPass tracks that back to the original service that authenticated the
client into the network. This means that, while the Dynamic Authorization is issued by this
service request, it is actually the service that authenticated the user into the network that
has knowledge of the Network Access Device the client is connected to, so the Dynamic
Authorization actually gets executed by that service.
• What is the status of your posture agent?
  ◦ The health status should show as quarantined.
• Which service assigned this status?
  ◦ You cannot see the service on the client. You should know that the client interacts
with the WEBAUTH service, and the WEBAUTH service selects the posture policy. The posture
policy then determines what health checks the agent needs to do.
• What is significant about this pattern of three requests?
  ◦ This pattern of three requests – a RADIUS request, a WEBAUTH request, and a RADIUS
request – is the classic OnGuard pattern. Remember that the OnGuard agent operates at layer 3,
and for this reason must be allowed access to the network in order to send in a health
check.
• What health status or posture token would you expect to see on the 1st RADIUS employee
request?
  ◦ The first RADIUS request should list unknown for its posture status, since the client
always enters the network in the unknown state until ClearPass has received a health validation
report.
• What health status or posture token would you expect to see on the 2nd RADIUS employee
request?
  ◦ This second RADIUS request should list quarantined for the status. This is set because
the client, with its firewall turned off, fails your posture policy.

Lab 15: Onboard Configuration


In this lab, you will configure Secure-SSID Onboarding. The user will first connect to the secure SSID
using EAP-PEAP (username and password), and will then be redirected to the Onboard portal to
execute the onboard process. Finally, the client will connect back to the same secure SSID using
EAP-TLS with OCSP (Onboard certificate).

Task 15-1: Configure Onboard as Root CA


Objectives
• To configure a self-signed Root Certificate Authority in Onboard.

Steps
1. Log in to your Aruba Training Lab and open the remote desktop for Wired MGMT Client.
2. In the remote desktop, open a web browser, and navigate to the IP address of ClearPass1.
3. Log into the Policy Manager.
4. In the upper right corner, pull down the menu, and select Onboard.

5. In ClearPass Onboard, navigate to Onboard > Certificate Authorities.
6. To add a new certificate authority, click “Create new certificate authority” in the upper right
corner.
7. Name the NEW CA:
a. Name: My Lab CA
b. (Select the option for Root CA)

8. Scroll down, and fill in the following information:
a. Organization: Aruba Networks Training Lab
b. Common name: Aruba Networks Training Lab
c. Signing Common Name: Aruba Networks Training Lab (Signing)
d. Email Address: admin@traininglab.com

9. To save, click Create Certificate Authority.
10. You should now see your certificate authority in the list.

Edit the “My Lab CA OCSP” Settings
1. Expand the menu for My Lab CA and select Edit.

2. Scroll down the Certificate Authority Settings to the Certificate Issuing section.
3. For Authority Info Access, select Specify an OCSP Responder URL.
4. For OCSP URL, edit the hostname of your ClearPass server to read "localhost":
http://localhost/onboard/mdps_ocsp.php/2.
5. Scroll to the bottom, and Save Changes.

When authenticating the BYOD user after they have completed Onboarding, you will need to use the
[EAP TLS With OCSP Enabled] authentication method. The default method points its OCSP URL at the
default certificate authority, which will cause a failed authentication.

Modify the Authentication Method
1. Return to the Policy Manager.
2. In the Policy Manager, navigate to Configuration > Authentication > Methods in the sidebar
menu.
3. In the list of Methods, locate: [EAP TLS With OCSP Enabled].
4. Click to open.

The Onboard Service Template uses the default [EAP TLS With OCSP Enabled]
method as its authentication method in the RADIUS service for EAP-TLS. However,
the default OCSP URL points to Root CA 1. The method also requires OCSP
verification and is configured to override the OCSP URL embedded in the
client's certificate. There are two ways this could be fixed: first, you could
edit the OCSP URL in the method to the correct URL. Second, because you have
configured the correct URL in the certificate authority, you can uncheck Enable for
"Override OCSP URL from Client," and ClearPass will then use the URL embedded in
the certificate.

5. Click Copy to create a new authentication method.


6. Look in the list of authentication methods, find Copy_of_[EAP TLS With OCSP Enabled],
and open it.
7. Rename the Authentication Method to My_Lab_CA__[EAP TLS With OCSP Enabled].
8. Towards the bottom, uncheck the Enable for Override OCSP URL from Client.

9. Click Save.

Task 15-2: Configure Onboard Network Settings
Objectives
• To build the network profiles that will be pushed to the client. In this lab, you will build one
wireless profile for your secure network.

Steps
1. Use the menu option in the upper right corner to navigate back to Onboard.
2. Under the Onboard sidebar menu, click to expand Configuration.
3. Click Network Settings in the sidebar.

4. To add a network profile, click “Create new network” in the upper right corner.
5. Configure the following options:
a. Name: Employee Secure
b. Description: <any description>
c. Network Type: Wireless Only
d. Security Type: Enterprise (802.1x)
e. Security version: WPA2 with AES
f. SSID: secure#-X (where # is your pod number, and X your table number – this is the wireless
network SSID that the device connects to after Onboarding)

6. Click Next.
7. On the Protocols tab, select TLS for the Windows EAP field.

In this lab, you only need to configure the Windows section. This will ensure that
Windows devices are provisioned to use EAP-TLS authentication after onboarding.
ClearPass will push a certificate to the device to use as credentials. This is the default
setting.

8. Click Next.
9. Make sure the Certificate Store settings under Windows Authentication are set as “Machine and
User.”

You will be using domain PCs for testing, and in this environment, you will need to
select Machine and User to install the certificate in both the Machine and User
certificate stores. Otherwise, you might see an 'Unknown_CA' error in the Access
Tracker Alerts tab.

10. Click Save Changes.

Task 15-3: Configure Onboard Configuration Profile & Provisioning Settings
Objectives
• To configure the Onboard portal. You will need to configure a configuration profile that will
define what the portal will push to the client, and then under the provisioning settings you will
set the characteristics of the portal itself.

Steps
1. Navigate to Onboard > Deployment and Provisioning > Configuration Profiles.

2. To create a new configuration profile, click the link in the upper right corner "Create new
configuration profile."
3. Name the profile “Employee Secure Wireless.”

4. Scroll down the list, and find the Networks section.
5. Click the checkbox next to your Employee Secure network profile.

If your organization has multiple sites or multiple networks and you wish to push
more than one network profile, this is acceptable. Onboard can install multiple
network profiles during the same session, and the client will use the same certificate
identity for all networks.

6. Click Save Changes.


7. Click the link for Provisioning Settings in the sidebar menu.
8. Create a new device provisioning by clicking on the “Create new provisioning settings” link in
the upper right corner.
9. Enter the following information on the General tab:
a. Name: Employee Secure Device Provisioning
b. Organization: My Company

Both the name and the organization will be embedded into the certificate that is
provisioned to the client.

10. Scroll down the list to the Identity section.
11. Select the following settings:
a. Certificate Authority: My Lab CA
b. Signer: Onboard Certificate Authority
c. TLS Certificate Authority: My Lab CA
d. Key Type: 1024-bit RSA – created by device

The Certificate Authority is used to provide security for the Onboard portal as it
negotiates profiles with the client. The TLS Certificate Authority actually issues the
TLS credentials certificate.

12. Scroll down to the Authorization section.


13. Select “Employee Secure Wireless” as the Configuration Profile.

14. Scroll back to the top and select the Web Login tab.

On the web login tab, take notice of the Page Name. The page name becomes part of
the URL for the Onboard portal. The URL for this Onboarding page will be:
https://TT-cppm1.aruba-training.com/guest/device_provisioning_2.php.

15. Click the Onboard Client tab.


16. Configure the following options:

a. Provisioning Address: <ip of ClearPass> (Management Port) – This will avoid any DNS
resolution issues.
b. Validate Certificate: No, do not validate web server’s certificate.

17. Click Save Changes.

Task 15-4: Create Onboard Services


Objectives
Onboard requires two services to operate effectively. The first service is the authentication service
and allows you to configure enforcement on which users may or may not provision devices. The second
service performs device authorization; in its default state it allows any device to be provisioned.
You can modify the second service to grant or deny provisioning access to certain types of devices,
such as iPads, iPhones, Android or Windows computers.

You will run the Onboard Service Template, which actually creates three services; the third service
is the RADIUS service for the secure network. You will modify this RADIUS service to support your
secure SSID.

Steps
1. Connect your browser to the Policy Manager, and log in.
2. Navigate to Configuration > Service Templates & Wizards.
3. Scroll to the bottom of the list, and select the Onboard template.

4. Fill in the template as follows:


5. Name Prefix: Employee Wireless

6. Click the tab for Provisioning Wireless Network Settings.


7. Configure: Wireless SSID for Onboard Provisioning: secure#-X (where # is your pod number, and
X your table number)

8. Click Add Service. You should see a message box like the one shown in the screenshot below.

9. Click Services in the sidebar menu.
10. Take note of the three services created by the template.
a. Employee Wireless Onboard Provisioning
b. Employee Wireless Onboard Authorization
c. Employee Wireless Onboard Pre-Auth
If you do not see all of them, remember that some might be on the next page.

The wizard creates services that authenticate against the guest user repository. You
will need to change your services to authenticate and authorize against the local user
repository, because that is where the accounts you will use for testing are stored.

11. Click the Employee Wireless Onboard Authorization service.


12. Navigate to the Authorization tab.
13. Add the Local User Repository as an authorization source.
14. Remove the Guest User Repository.

15. Click the Roles tab.

The role assignments in this authorization service are all about identifying the device
type. Using the roles assigned, you can modify the enforcement to allow or deny
given types of devices. In this lab, you will not modify the roles or enforcement on
this service.

16. Click Save.


17. Select the Employee Wireless Onboard Pre-Auth service.
18. Navigate to the Authentication tab.
19. Add the Local User Repository as an authorization source.
20. Remove the Guest User Repository.

21. Click Save.

The Onboard Pre-Auth service is a service that processes the user’s authentication
into the Onboard portal. You will modify enforcement on this service to govern which
users may or may not provision their devices. In this lab you will allow all to Onboard,
so you will not be modifying the enforcement on this service.

22. Select the Employee Wireless Onboard Provisioning service.


23. Navigate to the Authentication tab.
24. In the upper window for Authentication Methods, remove [EAP TLS With OCSP Enabled].
25. Add the authentication method My Lab CA_[EAP TLS With OCSP Enabled].
26. In the lower window for Authentication Sources, remove the Guest User Repository.
27. Add the Local User Repository into the Authentication Sources list.
You should now see the Onboard Device Repository and the Local User Repository inside the list.

28. Navigate to the Enforcement tab.

NOTICE: There are two types of enforcement profiles assigned: Employee Wireless
Onboard Pre-Provisioning (assigned before Onboarding) and Employee Wireless
Onboard Post-Provisioning (assigned after Onboarding). Take note of these. You
will look at these after saving and reordering your services.

29. Click Save.

Put Onboarding Service at the Top & Disable Wireless Service


1. Click Reorder.
2. Move the three Onboard services to the top three positions. Your services should look like this:

3. Click Save.
4. In the services list, locate the Aruba 802.1X Wireless Service.

5. Click the checkmark under status to turn it into a stop sign to disable the service.

Investigate the Enforcement Profiles


1. Navigate to Configuration > Enforcement > Profiles.
2. Set the list filter to: Name contains onboard.

3. Click GO.

4. Click the Employee Wireless Onboard Pre-Provisioning enforcement profile.


5. On the Summary tab, take note of the Attributes and the Aruba-User-Role that will be assigned
to the client.

This is the role that ClearPass will assign when the user first connects to the secure
SSID using EAP-PEAP.

6. Click Cancel to close the profile.
7. Click to open the Employee Wireless Onboard Post-Provisioning enforcement profile.

This is the role that will be assigned after the user completes Onboarding, and
authenticates using EAP-TLS. For the lab, you will leave it as the authenticated role.
In a production environment, you will want to build a proper role, and then change
the value in the enforcement profile to match that new role.

8. Click Cancel to close the enforcement profile. You have configured the Onboard Services.

The user roles assigned by these two enforcement profiles are the built-in authenticated
and BYOD-Provision roles that are the default on the Controller. For this lab, you will
continue to use those, but in a production environment, you will have to make sure that the
roles assigned sync up with what is created on the Controller for your specific environment.

Task 15-5: Configure BYOD-Provision Role on Controller


Objectives
The concept behind secure SSID Onboarding is that when the user connects to the SSID with a
username and password, they are assigned the BYOD-Provision role, which has a captive portal profile
configured to redirect them to the Onboard portal. The BYOD-Provision user role is already built on
the Controller. You will need to put the proper URL into the Captive Portal Profile that the
Controller will use for the BYOD-Provision user role.

Steps
1. From the Wired MGMT Client desktop, open the browser to your Aruba Controller's IP address:
10.1.X0.100 (where X is your table number).
2. Log in with admin / admin1.
3. Navigate to Configuration > Authentication.
4. Click L3 Authentication in the workspace.
5. Expand Captive Portal Authentication.
6. Click onboard.

7. Scroll down the options to Login page.
8. Enter the following URL (all lower case): https://TT-cppm1.aruba-training.com/onboard/device_provisioning_2.php.
9. Click Submit.
10. Click “Pending Changes.”
11. Click Deploy Changes.

Check the BYOD-Provision Role
1. Navigate to Configuration > Roles & Policies in the sidebar menu.
2. Scroll through the list of roles and find BYOD – Provision.

3. Click Show Advanced View.


4. Click the header tab for More.
5. Expand the Authentication section.

6. Confirm Onboard for the captive portal profile is selected.
7. If Onboard is not selected for the captive portal profile, pull down the list, and select it.

8. Click Submit.
9. Click “Pending Changes.”
10. Click Deploy Changes.
You have now configured the BYOD-Provision role.

Task 15-6: Testing Onboard


Objectives
n To connect to the secure SSID and log in with the temp user account. ClearPass will instruct the
Controller to assign the BYOD-Provision role, which will captive-portal your user over to the
Onboard portal page.

Steps
Uninstall the OnGuard Agent
1. On your Wireless Test Client, expand the taskbar menu.
2. Click the Windows start button and select the Settings icon.

3. In the Settings window, search for “programs.”
4. Select Add or remove programs.

5. Search through the list to find ClearPass OnGuard application.


6. Uninstall the ClearPass OnGuard application.

7. When the uninstall process completes, close all windows.

Connect to your Secure SSID and Log In
1. Pull down the network list from the tool tray, and connect to your secure SSID with username:
contractUser and password: aruba.

2. Once the client has authenticated to the wireless network, open the Edge Browser.
3. Put in the address of the AD server https://10.254.1.21, and it should take you to the Onboard
Portal.
4. Log in to the portal with your temporary user credentials: contractUser / aruba.

5. Click the link for Start QuickConnect.

6. This will download the QuickConnect application. You will get an option at the bottom asking
what you want to do with it; click Run.

7. When the QuickConnect application runs, click Next.

8. You will be prompted by two or three security warning screens asking for permission to install a
certificate; answer Yes to each.

9. When the wizard finishes, click the Connect button.

10. Close the Connection Summary.
11. Return to your Wired MGMT Client desktop, and log in to the Policy Manager.
12. Open Access Tracker.
13. Locate your latest RADIUS request from contractUser (this should be at the top of the list).
14. Click the request to view the details.

15. Answer the following questions:
n What is the username?

n Where did this username come from?

n What is the authentication method?

n What is the authentication source?

n Why is this authentication source used?

16. Click the Input tab.

17. Expand the Computed Attributes shade.
18. Scroll down the list until you find the Certificate Properties.

19. Answer the following questions:


n What source issued this certificate?

n What is the key usage of this certificate?

n What is the Onboard username of this certificate?

20. Close the Request Details.


21. Scroll down the list to find the first RADIUS authentication in this session.

TIP: The successful one with the oldest timestamp in this group for the service
should be “Employee Wireless Onboard Provisioning.”

22. Click to open the Request Details.

23. Answer the following questions:

n What is the username for this request?

n What authentication method did the client use?

n What is the authentication source?

n What enforcement profile was assigned?

24. Close the Request Details.


25. Click to open the Onboard Pre-Auth request.

26. Answer the following question:
n What enforcement profile was assigned?

27. Close the Request Details.

View the client certificate in Onboard


1. Use the menu in the upper right corner to navigate to ClearPass Onboard.
2. In the sidebar menu, expand Management and Control.
3. Click the option for View by Certificate – you should see your Onboard client certificate in the
list.

4. Expand the menu, and click View Certificate, taking note of the certificate details.

You have Completed Lab 15!

Lab Debrief
Task Questions Answered
Task 1
n What is the subject of the certificate?
l The organization is the policy manager, and the common name will be the name of your
ClearPass server.
n Who was the certificate issued by?
l The issuer of the certificate is the ClearPass server itself.
n Why is this information significant?
l This is significant because it represents a self-signed certificate on ClearPass being used
for RADIUS/EAP. Many clients will reject this certificate and may not complete the EAP
transaction during RADIUS attempts.

Task 6
n What is the username?
l The username is “contractUser.”
n Where did this username come from?
l The username is one of the attributes in the TLS certificate.
n What is the authentication method?
l EAP-TLS, indicating that this is a certificate authentication.
n What is the authentication source?
l The local user repository / local: localhost.
n Why is this authentication source used?
l Once the service reads the TLS certificate presented by the client and finds the username,
it will attempt to authenticate that username against the authentication sources con-
figured in the service. This means that if you were to disable the user account, even
though the certificate was valid, the authentication would fail.
n What source issued this certificate?
l This certificate was issued by the ClearPass Onboard Local Certificate Authority.
n What is the key usage of this certificate?
l This certificate is a TLS Web Client Authentication certificate.
n What is the Onboard username of this certificate?

l The attribute “Certificate: Subject – AltName – DirName – OnboardUserName” holds the
value “contractUser.”
n What is the username for this request?
l The username is “contractUser.”
n What authentication method did the client use?
l The authentication method is EAP-PEAP, indicating a username and password authen-
tication.
n What is the authentication source?
l The authentication source is the local user database.
n What enforcement profile was assigned?
l The client received the pre-provisioning enforcement profile. This would put the client into
the captive portal page you saw pop up after the initial login.
n What enforcement profile was assigned?
l The enforcement profile is very simple and allows the application access. In all honesty, all
this service does is say yes or no to the question: “Is the client allowed to Onboard?”

Lab 16: Onboard Administration

Task 16-1: Deny Access to Deleted User


Objectives
n To test Onboard’s ability to deny access to a client device when the user account has been deleted.

Steps
1. Log in to your Aruba Training Lab, and open the remote desktop for Wireless Test Client.
2. On your Wireless Test Client, expand the taskbar menu.
3. Disconnect and reconnect your wireless client to the secure SSID.

All you should need to do is select the secure SSID from the list and pick connect. It
should not prompt you to log in.

4. From the Aruba Training Lab, open the Wired MGMT Client desktop.
5. Log in to the Policy Manager.
6. Navigate to Access Tracker.
7. Find your latest “contractUser” authentication request and open it to view request details.
8. Check the request, and make sure that the authentication method is EAP – TLS, and authen-
tication source is local: localhost.

9. Close the Request Details.


10. Navigate to Configuration > Identity in the sidebar menu.

11. Click Local Users.
12. Click to edit the contractUser.
13. Change the User ID: to contractUser2.

The goal is to make it appear like the account has been deleted without actually delet-
ing the account. This will allow you to use the account later in the lab.

14. Click Save.

Disconnect and remove client from the Controller User Database


1. Return to your Wireless Test Client.
2. Disconnect from the secure wireless network.
3. From the Aruba Training Lab, open the console session to your Aruba Controller.
4. Log in with admin / admin1.
5. Run the command: # aaa user delete all.
6. Return to your Wireless Test Client.
7. Attempt to reconnect to the secure wireless SSID. (This should fail.)

8. Switch over to your Wired MGMT Client.
9. Log into the Policy Manager.
10. Navigate to Monitoring > Live Monitoring in the sidebar menu.
11. Open Access Tracker. You should see at least one rejected authentication from contractUser.

12. Open one of the rejected authentications to view the details.


13. To view the reason why the authentication was rejected, click the Alerts tab. The request should
have failed due to “unknown user.”

14. Close the Request Details.
15. Navigate back to Configuration > Identity > Local Users.
16. Rename the contractUser2 account back to contractUser.
17. Reconnect to your Wireless Test Client.
18. Attempt to connect to your secure wireless SSID. (This connection should be successful.)

Task 16-2: Test OCSP
Objectives
n To test your OCSP configuration. Properly configuring OCSP is critical to ensuring that when you
revoke a certificate in Onboard, the client associated with that certificate gets denied access. At the
end of the previous task you reestablished and tested your client’s connection with authentication,
and its Onboard certificate is functional.

Steps
Disable OCSP on the Secure Wireless RADIUS Service
1. Return to Wired MGMT Client.
2. Log into the Policy Manager.
3. Navigate to Configuration > Services.
4. Click to open the Employee Wireless Onboard Provisioning RADIUS service.

5. Select the Authentication tab.


6. Remove the My_Lab_CA_[EAP-TLS with OCSP Enabled] Authentication Method.

7. Add [EAP TLS].

The [EAP TLS] authentication method simply checks that the certificate itself is valid
but does not perform any certificate revocation check. If the certificate has not
expired, regardless of its revocation status, the certificate authentication will pass.

8. Click Save.

Revoke your client’s certificate.


1. Use the menu in the upper right corner to switch to ClearPass Onboard.
2. Navigate to Onboard > Management and Control.
3. Click View by Certificate.
4. Locate the certificate for contractUser.
5. Expand the menu, and select Revoke Certificate.

6. Under Confirm, click the checkbox “Revoke this client certificate.”


7. Click the button for Revoke Certificate.

8. Disconnect and reconnect to your Wireless Test Client.


9. Attempt to connect to your secure wireless SSID. (This connection should be successful.)

10. Switch to the Wired MGMT Client desktop.
11. Log into the Policy Manager.
12. Navigate to Access Tracker.
13. In Access Tracker, locate your last contractUser RADIUS request.
14. Click the Request to view the details.

15. Answer the following questions:
n What is the authentication method used?

n What is the authentication source listed?

n What is the enforcement profile assigned?

n Why do you think this authentication did not fail when the certificate is revoked?

16. Close the request details.

Apply the Correct Authentication Method


1. In the Policy Manager, navigate to Configuration > Services.
2. Click to open the Employee Wireless Onboard Provisioning RADIUS service.

3. Select the Authentication tab.
4. Remove the [EAP TLS] authentication method.
5. Add back the My_Lab_CA_[EAP-TLS with OCSP Enabled] authentication method.
6. Click Save.

Now you are ready to test your revocation with OCSP. Previously, you could authenticate
to the secure network using the TLS certificate that had been revoked. All you need to
do now is disconnect from the secure wireless network and attempt to reconnect to the
same SSID. If your OCSP is set up correctly, your authentication will fail.

7. Return to your Wireless Test Client.


8. Disconnect from the secure wireless network.
9. From the Aruba Training Lab, open a console session to your Aruba Controller.
10. Log in with admin / admin1.

Check for Connected Clients on the Wireless Network


1. Run the command: # aaa user delete all.
2. Return to your Wireless Test Client.
3. Attempt to reconnect to the secure wireless SSID. (This should fail.)

4. Switch over to your Wired MGMT Client.
5. Log into the Policy Manager.
6. Open Access Tracker.
7. You should see at least one rejected authentication from contractUser.
8. Click one of the failed authentication attempts.

9. Answer the following questions:


n What is the username?

n What authentication method was used?

n What authentication source was used?

10. Click the Alerts tab.

11. Answer the following question:
n What is the reason that this authentication failed?

12. Close the Request Details.

Task 16-3: Deny Access to the Device


Objectives
n To deny the contractUser the right to Onboard any devices and test that.
n To re-enable the contractUser and Onboard your wireless client again.

Steps
Deny the contractUser in Onboard
1. From your Wired MGMT Client desktop, connect to Onboard, and log in.
2. Navigate to Onboard > Management and Control.
3. Select View by Username.
4. Expand the menu for contractUser, and select Manage Access.

5. In the Manage Access pull-down, select “Deny access to this user.”
6. Click the Set Access button to finish.

Remove the Onboard-created wireless profile from the client and create a new profile for EAP-PEAP authentication
1. Connect to your Wireless Test Client.
2. Open Network & Internet Settings.

3. Click Wi-Fi in the sidebar menu.
4. Select Manage known networks under Wi-Fi.

5. Look for your secureP-X wireless network and select it.


6. To delete the wireless profile, click the Forget button.
7. To go back to the Wi-Fi settings, click the back arrow.
8. To create a new wireless network, start by clicking Network and Sharing Center on the right
side of Wi-Fi settings.
9. In the Network and Sharing Center, select “Set up a new connection or network.”
10. Under “Choose a connection option,” select “Manually connect to a wireless network,” and
click Next.
11. Enter the following information and click Next.

a. Network name: secure{pod #}-{table #} (for example, secure5-1)
b. Security Type: WPA2-Enterprise

12. Select Change Connection Settings in the successfully added message window.

13. Click the Security tab.

Disable the Certificate Check
1. Click Settings next to the Network Authentication Method.
2. In the Protected EAP Properties window, check the “Verify the server’s identity by validating the
certificate” box.
3. In the Trusted Root Certification Authorities, check the “training-ARUBA-AD-CA” box.

4. Scroll down and click Configure.


5. Uncheck the setting for “Automatically use my windows logon name…”

6. Click OK to close the EAP MSCHAPv2 Properties pop-up.
7. Click OK to save back to the Security tab.
8. Uncheck the select box for “Remember my credentials for this connection each time I’m
logged on.”

9. Click Advanced Settings.

10. Check “Specify authentication mode,” and select “User authentication.”

11. Click OK, then OK, and then Close to finish and save the settings.

Attempt to Onboard Client


1. Pull down the network list from the tool tray and connect to your secure SSID with the username
contractUser and password aruba.

2. Once the client has authenticated to the wireless network, open the Edge browser.
3. Put in the address of the AD server https://10.254.1.21, and it should take you to the Onboard
Portal.
4. Log in to the portal with your temp user credentials contractUser / aruba.

5. Click the link for Start QuickConnect.

6. This will download the QuickConnect application, and you will see an option at the bottom asking
what you want to do with it; click Run.

7. When the QuickConnect application runs, click Next.

8. When you get the error message, move the installer window to the side: you will see an
error message saying you cannot continue because your user access has been revoked.
9. Close the Onboard Wizard.

10. Switch to your Wired MGMT Client desktop, connect to Onboard, and log in.

11. Navigate to Onboard > Management and Control.
12. Select View by Username.
13. Expand the menu for contractUser, and select Manage Access.

14. In the Manage Access pull-down, select “Allow access to this user.”
15. Click the Set Access button to finish.

16. Switch to your Wireless Test Client.


17. Close any browser windows that may still be open.
18. Disconnect and reconnect to your secure wireless SSID. Log in with contractUser, if prompted.
19. Once the client has authenticated to the wireless network, open the Edge browser.
20. Put in the address of the AD server https://10.254.1.21, and it should take you to the Onboard
Portal.
21. Accept the certificate error and connect to the portal.

22. Log in with contractUser and complete the Onboard process.

23. Test your Onboard connection.


You have completed Lab 16!

Lab Debrief
In this lab, you got to work with some of the tools for controlling access related to Onboard and BYOD
clients. You also got a firsthand look at why the certificate revocation and OCSP settings are so important.
One of the big advantages Onboard has is that it converts your device authentication into a one-to-one
relationship with its credentials, while still retaining the user identity of the owner. If you do not
have revocation set up properly, you lose this advantage.

Task Questions Answered

Task 2
n What is the authentication method used?
l The authentication method is EAP – TLS, indicating that it is a certificate authentication.
n What is the authentication source listed?
l The authentication source is local: localhost.
n What is the enforcement profile assigned?
l The authentication was successful, and the allow access profile was assigned.
n Why do you think this authentication did not fail when the certificate is revoked?
l When the authentication method is simply EAP – TLS, ClearPass will not check for revoked
certificates. Very simply, if the certificate is valid as presented by the client, ClearPass will
accept it.

n What is the username?
l The user was the contractUser.
n What authentication method was used?
l Authentication method was EAP – TLS.
n What authentication source was used?
l The authentication source is local: localhost.
n What is the reason that this authentication failed?
l This is listed as a “Certificate Status revoked.”
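The three outcomes you observed in Tasks 16-1 and 16-2 (unknown user after the rename, a revoked certificate still accepted under plain [EAP TLS], and the same certificate rejected once OCSP is enabled) can be replayed as a small decision model. The model below is an added example written for this guide, not ClearPass code; the check order, the `ClientCert`/`AuthMethod` structures and the sample dates are assumptions used to illustrate the lab results.

```python
"""Constructed model of the EAP-TLS authorization checks exercised in Lab 16.
This is an illustration for the lab, not ClearPass's own implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class ClientCert:
    onboard_username: str          # Subject AltName DirName OnboardUserName
    not_before: datetime
    not_after: datetime
    revoked: bool = False          # status the OCSP responder would report


@dataclass
class AuthMethod:
    name: str
    ocsp_enabled: bool             # False for plain [EAP TLS]


@dataclass
class Decision:
    accepted: bool
    enforcement_profile: Optional[str]
    alert: Optional[str]           # what the Alerts tab would show on a reject


def authorize_eap_tls(cert: ClientCert, method: AuthMethod,
                      local_users: Dict[str, dict], now: datetime) -> Decision:
    """Apply the checks in the order assumed here: validity period, then
    revocation (only if the method has OCSP enabled), then the user lookup."""
    # 1. Validity period: every EAP-TLS method checks this.
    if not (cert.not_before <= now <= cert.not_after):
        return Decision(False, None, "Certificate expired or not yet valid")
    # 2. Revocation: plain [EAP TLS] skips this step entirely.
    if method.ocsp_enabled and cert.revoked:
        return Decision(False, None, "Certificate Status revoked")
    # 3. The username read from the certificate is looked up in the
    #    authentication source (local user repository in the lab).
    user = local_users.get(cert.onboard_username)
    if user is None:
        return Decision(False, None, "unknown user")
    if not user.get("enabled", False):
        return Decision(False, None, "user disabled")
    return Decision(True, "Employee Wireless Onboard Post-Provisioning", None)


def run_lab16_scenarios() -> Dict[str, Decision]:
    """Replay the Lab 16 outcomes against the model; returns name -> Decision."""
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)            # constructed date
    cert = ClientCert("contractUser", now - timedelta(days=1),
                      now + timedelta(days=364))              # constructed lifetime
    ocsp = AuthMethod("My_Lab_CA_[EAP-TLS with OCSP Enabled]", ocsp_enabled=True)
    plain = AuthMethod("[EAP TLS]", ocsp_enabled=False)
    users = {"contractUser": {"enabled": True}}
    results = {}
    results["baseline"] = authorize_eap_tls(cert, ocsp, users, now)
    # Task 16-1: the account is renamed to contractUser2, so the lookup misses.
    renamed = {"contractUser2": {"enabled": True}}
    results["renamed_user"] = authorize_eap_tls(cert, ocsp, renamed, now)
    # Task 16-2: the certificate is revoked in Onboard; first with [EAP TLS],
    # then with the OCSP-enabled method added back.
    cert.revoked = True
    results["revoked_no_ocsp"] = authorize_eap_tls(cert, plain, users, now)
    results["revoked_ocsp"] = authorize_eap_tls(cert, ocsp, users, now)
    return results


if __name__ == "__main__":
    for name, decision in run_lab16_scenarios().items():
        print(f"{name:16s} accepted={decision.accepted} "
              f"profile={decision.enforcement_profile} alert={decision.alert}")
```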

Lab 17: Administrative Operations

Task 17-1: Certificate Stores


Objectives
n To explore the Certificate Stores in ClearPass Policy Manager. When working with Onboard, you
looked at the Certificate Authority in Onboard, which is separate from the Certificate Stores in
Policy Manager. You also installed a RADIUS certificate on ClearPass1 that you requested from
the lab Active Directory server. In this lab, you will copy that RADIUS certificate to ClearPass2.

Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Connect to ClearPass1 with Google Chrome.
3. Log into the Policy Manager as admin.
4. Click the Lock Icon in the address bar of your browser.
5. Click Connection is secure.

6. Click Certificate is valid.

7. Check certificate details.
8. Answer the following questions:
n Who was this certificate issued to?

n What server issued the certificate?

n What is the validity term of the certificate?

9. Close all the info windows, but do not close your browser.
10. In the Policy Manager, navigate to Administration > Certificates.
11. Click Certificate Store in the sidebar menu.

12. In the certificate store, select Server {your ClearPass1}.
13. Select server type: HTTPS(RSA) server certificate.

14. Click View Details on the top listing (the Server Certificate).

15. Answer the following questions:
n Who issued the certificate?

n What is the significance of the subject: Common Name?

Task 17-2: Licenses


Objectives
n To look at the licenses on ClearPass.

Steps
1. On the Wired MGMT Client desktop, connect to ClearPass1, and log in as admin.
2. On the dashboard sidebar menu, find the license Usage widget, and drag it to the dashboard.

In this lab, you will not see much activity in this widget, but in a production environment,
it is a quick way to see how your license consumption is going.

3. In the Dashboard Widget explore the different types of licenses.

4. Navigate to Administration, and expand Server Manager in the sidebar.


5. Click Licensing.

6. On the License Summary tab, take note of which applications are installed.
7. Click the Servers tab.
8. Take note of the license installed on the servers. This is a virtual-machine-based ClearPass
installation and requires a Platform Activation Key.
9. Click the Applications tab.
10. Take note of the license types and quantities for the applications.

Task 17-3: Backups and Logs


Objectives
n To view detailed RADIUS debugging logs in the Access Tracker.
n To execute a Collect Logs on ClearPass1, which is the same function you should perform before
rebooting the server, or when contacting TAC.

Steps
RADIUS Debug Logs
1. On the Wired MGMT Client desktop, connect to ClearPass1 Policy Manager, and log in as the
admin.
2. Navigate to Administration > Server Manager > Log Configuration.

3. Select the service RADIUS server.
4. Enable the DEBUG log level for the RADIUS Server.

5. Click SAVE when finished.

Generate a RADIUS request to view the log output


1. Connect to your Wireless Test Client.
2. Disconnect and reconnect to your secure#-X SSID (where # is your pod and X your table number)
to trigger a RADIUS request; you will then be able to see the debug logs.

3. Connect to your Wired MGMT Client.


4. In Policy Manager, navigate to Monitoring > Access Tracker.
5. Click the newest request to view the Request Details.
6. Select Show Logs button.

7. If your browser gives a pop-up blocker warning, accept it.

8. Look through the request log details pop-up window, and take note of the entries logged as
debug.

9. Spend some time looking through these logs to familiarize yourself with RADIUS debugging on
ClearPass.
10. Close the Popup Window.
11. Close the Request Details Window.

Collect the Server Logs for ClearPass1


1. Navigate to Administration > Server Manager in the sidebar menu.
2. Click Server Configuration.
3. Click Collect Logs.

4. In the collect logs pop-up window, configure the following:
a. Output file name: test_logs
b. Password: @ruba123
c. Confirm Password: @ruba123
d. Check the following logs:
i. System logs
ii. Logs from all Policy Manager Services
iii. Diagnostic dumps from Policy Manager Services
iv. Backup of ClearPass configuration data
v. Logs from performance Metrics
e. For number of days until today: 3

5. Click Start.
6. When the building logs dump screen finishes, click Download File.

7. Click the Backup button.
8. Configure the following options in the backup window:
a. Uncheck: Generate file name
b. File Name: test_backup
c. Password: @ruba123
d. Confirm Password: @ruba123
e. Check the following options:
i. Backup ClearPass configuration data
ii. Backup ClearPass session log data
iii. Backup Insight data

9. Click Start.
10. Close the window, but do not download the file.
11. Click Local Shared Folders in the sidebar menu. In the local shared folders, there are four sub-
folders: Backup files, System log, Automated backup files, and Service log.

12. Select Backup files, and you will see the test_backup you just ran.
13. Select System Log, and you will see the test_logs you just collected.
14. Select Automated backup files, and you will see the automatic backups that ClearPass has been
running. Note: The backups run at 1:00 a.m.

You have completed Lab 17!

Lab Debrief
During this lab, you spent time exploring the certificate stores in ClearPass Policy Manager. You also
looked at licensing, configured debug logging, and collected server logs. Finally, you ran a backup and
saw how you can copy those off of the system from the web UI.

Task Questions Answered


Task 1
n Who was this certificate issued to?
l The certificate is issued to *.aruba-training.com, and is a wildcard certificate.
n What server issued the certificate?
l Aruba-labs-ca.aruba.local.
n What is the validity term of the certificate?
l This certificate has a ten year validity period from 7/23/2021 to 7/22/2031.
n Who issued the certificate?
l The certificate was issued by a public CA; to see the entire chain, scroll to the right.
n What is the significance of the subject: Common Name?
l The subject’s Common Name used to be the primary server identity that browsers checked.
Today it has been replaced by the Subject Alternative Name.
n What is listed in the subject alternative name?


l This certificate is issued to a wildcard thus the SAN contains the DNS: *.aruba-training.com
and the base domain name DNS:aruba-training.com SAN entries.
n What is this certificate intended for use as?

l The extended key usage for this certificate lists it as TLS Web Server Authentication,
with Digital Signature and Key Encipherment. If you were doing Onboard with iOS devices
to support Over-The-Air provisioning, you would need to add the Code Signing key usage as
well.

Lab 18: Cluster


In this lab, you will connect your ClearPass2 server to a cluster with the ClearPass1 server. During the
lab, you will set up redundancy with virtual IP addresses and test the failover functionality of the
cluster.

Task 18-1: Enabling Clustering


Objectives
n To configure a ClearPass server as a subscriber to a publisher.

ClearPass version 6.8 requires HTTPS certificate validation to establish communications
in the cluster. This means that you will have to install a public HTTPS certificate on the Pub-
lisher that can be validated by each member of the cluster. On top of that, a Database
Server Certificate has been introduced and needs to be configured as well on all the cluster
members.

Steps
Configure ClearPass1 as the Publisher
Reset the appadmin Password on the Publisher (ClearPass1)
1. Log into the Aruba Training Lab.
2. Connect to the Wired MGMT Client desktop.
3. Open a browser to your ClearPass1 server.
4. Log into the Policy Manager.
5. Expand the Administration sidebar menu.
6. Expand Server Manager.
7. Click Server Configuration.
8. Click the link in the upper right corner for Change Cluster Password.

9. In the Change Cluster Password dialog box, add the new password: aruba123.

10. Click Save.


11. Confirm that the change was successful and click Close.
12. Verify the HTTPS(RSA) Server Certificate status.

The HTTPS Server Certificate has been configured for ClearPass Server 1 in Lab 2:
Configuring Authentication Sources. Check the HTTPS Certificate status as displayed
below, and if the certificate is not installed properly, follow the steps to install the
certificate as shown in the next section for ClearPass2.

The self-signed Database Server Certificate has to be added to the Trust List of the
Subscriber (ClearPass2) server in order to build the cluster. In order to add the certificate
to the Trust List, the certificate type should be changed from a .p12 to a .pem file.
The OpenSSL application is used to make the certificate conversion. The conversion process
has been added at the end of this module for your reference.

Configure ClearPass2 as the Subscriber


1. Open a browser tab to your ClearPass2 server:
https://TT-CPPM2.aruba-training.com/tips

Add a Public HTTPS Certificate to ClearPass2


1. Log into the Policy Manager of ClearPass2 with admin / eTIPS123.
2. Navigate to Administration > Certificates > Trust List.
3. Click the Add button in the upper right corner to add a new trust bundle.

4. Click the Choose File button for the Certificate File.
5. Browse to the Desktop\Table X Student Folder\Certificates.
6. Select the file star.Aruba-training.com.ca-bundle and click Open.

7. For Usage: check Database and Others.

8. Click Add Certificate.


9. Navigate to Administration > Certificates > Certificate Store.
10. Click Import Certificate in the upper right corner of the screen.

11. Select Server Certificate for the Certificate Type.


12. Select the following:
a. Server: {ClearPass2}
b. Usage: HTTPS(RSA) Server Certificate
c. Upload Method: Upload Certificate and Private Key Files

13. Click the Choose File button for Certificate File.
14. Select the file: star.aruba-training.com.crt and click Open.
15. Click the Choose File button for Private Key File.
16. Select the file: STAR_aruba-training.com_key.txt and click Open.
17. Enter aruba123 for the Private Key Password.
18. Click Import.

19. Refresh your browser window for ClearPass2.


20. Select HTTPS(ECC) Server certificate.
21. Click Disable.

Add the ClearPass1 “Database Server Certificate” to the Trust List of ClearPass2


1. Navigate to Administration > Certificates > Trust List.
2. Click the link in the upper right corner for Add.
3. Browse to the Desktop\Table X Student\Certificates Folder and select the
DatabaseServerCertificate_tX.pem file.
4. Select the Database and Others Usage.
5. Click on Add Certificate.

6. Look for the confirmation that 1 Certificate has been added to the trust list.

Make ClearPass2 a subscriber to ClearPass1


1. Navigate to Administration > Server Manager > Server Configuration.
2. Click the link in the upper right corner for Make Subscriber.

3. In the Add Subscriber Node pop-up box, configure the following:


Publisher IP: {the IP address of your ClearPass1}
Publisher Password: aruba123
Check the box for Do not backup the existing databases before this operation

There is no need to back up the database on the existing ClearPass2 server as it is a
default configuration with nothing added.

4. Click the Certificates tab.


5. Select Enable to save the above certificate to Trust List and proceed with Make Subscriber
operation.

6. Click Save to create the cluster.


7. Monitor the progress in the pop-up window.
8. When the add subscriber process finishes, click Close.

TIP: The make subscriber operation is database intensive. In a production environment, when you have more than one subscriber to join into the cluster, Aruba recommends joining only one subscriber at a time and waiting for the sync operation to finish before adding the next. Attempting to join multiple subscribers concurrently will almost always fail.

Task 18-2: Monitoring Clustering


Objectives
n To look at some of the changes that clustering ClearPass1 and 2 made.
n To learn how to monitor and troubleshoot cluster functionality.

Steps
1. Log back into ClearPass2, which is now your subscriber.
2. Take notice of the dashboard on the subscriber. You should see a notice at the top of the page telling you that you are logged into the subscriber and have limited access. The cluster status widget on the dashboard should list both the publisher and the subscriber.

3. In the sidebar menu, click Configuration > Services. You will notice that all of your services have
been migrated to the subscriber.

4. Attempt to edit one of the services. For example, add an authorization source. When you click
save you will get an error, informing you that you cannot edit on the subscriber.

5. Click Cancel to close the edit.


6. Switch browsers to the ClearPass1 Web-UI. This is your Publisher.
7. Navigate to the Dashboard in the sidebar menu.

8. In the upper right corner, select Default.

You will notice that the cluster status lists both of your ClearPass servers.

TIP: If the cluster status widget is not on the dashboard, then you can drag it in from
the sidebar menu.

9. Navigate to Monitoring > Event Viewer.


10. Set the event viewer filter to “Source contains cluster.”

In your labs, you should not have any errors, but if you do, this is where you would
come to look for indicators to explain why.

11. Navigate to Monitoring > Live Monitoring > Access Tracker.
12. To edit the view in Access Tracker, click the Edit button in the upper right side of the screen.

13. In the Select Server/Domain pull-down, select default (2 servers).

The Access Tracker view editor allows you to select any individual ClearPass server
in your cluster or the default view of all servers in your cluster. You also have the
option in this Edit window to modify the columns displayed in the main Access
Tracker window. Note that the information in Access Tracker is part of the Local
Logs Database which is not consolidated onto the Publisher but remains local to each
ClearPass Node.

14. Click Save to save the view.


15. Navigate to Administration > Server Manager > Server Configuration. Notice that the server configuration screen now lists both servers.

16. Click to edit your publisher (ClearPass1) server.
17. Notice that ClearPass1 is joined to the domain and has Insight enabled.
18. Click Cancel to close.
19. Open the subscriber (ClearPass2).
20. Notice that the subscriber is not part of any domain, and Insight is not enabled.

Join the Subscriber into the Active Directory Domain


1. In the lower right corner of the Server Configuration workspace, click the Join AD Domain button.

2. Add the following details:
n Domain Controller: aruba-ad.training.arubanetworks.com
n Select Use specified Domain Controller.
n Uncheck Use default domain admin user.
n Username: cpadmin
n Password: aruba123

3. Click the Save button to join.


4. Monitor the progress, and then click Close when completed.
5. Click Save to finish server configuration.
6. Close the Save Server Details pop-up.

Task 18-3: Configure High Availability


Objectives
Having a publisher online is a critical function of the cluster. When the publisher goes offline or fails, all functions related to adding new data into the database stop. This means that you should always provide a standby publisher.
n To configure multiple virtual IPs between two members of the cluster in order to provide redundancy for Guest Portal and AAA connections to the cluster. You can use them as the target IP address for AAA and Guest Portals as well as a failover mechanism.
n To promote the subscriber to a publisher.

n To shut down ClearPass2 and failover to ClearPass1, which will cause you to have to reactivate
the licenses on ClearPass1.

Steps
1. On your Wired MGMT Client, open a browser tab to the subscriber (ClearPass2).
2. Log into the Policy Manager.
3. Navigate to Administration > Server Manager > Server Configuration.
4. Click the subscriber (ClearPass2) to open the server configuration editor.
5. In the upper right corner of the screen, click the link Promote to Publisher.

6. Leave the defaults, and click Yes.

7. Wait for the Promote Process to finish, and then close the window.

8. Refresh the browser for ClearPass2.
9. If the browser does not take you back to the dashboard, open the Dashboard.
10. Notice that ClearPass2 is now the publisher.

11. Now configure ClearPass1 (the current subscriber) as the Standby Publisher.
12. On ClearPass2, navigate to Administration > Server Manager > Server Configuration.
13. Click Cluster-Wide Parameters in the upper right corner.

14. In the Cluster-Wide Parameters editor, click the Standby Publisher tab.
15. Enter the following configuration:

n Enable Failover Publisher: True
n Designated Standby Publisher: {Select ClearPass1}
n Failover Wait Time: 3 Minutes

16. Click Save.

Configure the Virtual IP Settings for Redundancy


1. On the Server Configuration page, click Virtual IP Settings in the upper right corner.

2. In the Virtual IP Settings editor, configure the following:


n Virtual IP: 10.1.X9.13 (Where X is your table number)
n Virtual Host ID: {use the third Octet of your VIP}
n Primary Node: {select ClearPass2} Interface: [MGMT]
n Secondary Node: {select ClearPass1} Interface: [MGMT]

3. Click Save.

4. Click Close.
5. Wait about a minute for the configuration to take effect before reopening the Virtual IP Settings.

6. Take note of the configuration along with which node is tagged as serving the VIP.
7. Click Close.

Change the Authentication Source to Use the New VIP Address

For the remainder of the labs, you will only be performing 802.1X authentications, so you
will not modify any of the captive portal addresses. In a real-world scenario, you may have
to modify those as well.

1. In the browser on Wired MGMT Client, open a new tab, and navigate to the IP address of your
Aruba Controller {10.1.X0.100 (where X is your table number)}.
2. Log in with admin / admin1.
3. Navigate to Configuration > Authentication in the sidebar menu.
4. Select the Auth Servers tab.
5. Click your secure#–X-srvgrp server group (where # is your pod number, and X is your table
number).

6. In the lower window, click ClearPass.
7. Change the IP address to your virtual IP {10.1.X9.13 (where X is your table number)}.
8. To commit the changes, click Submit.
9. Click Pending Changes in the upper right corner.
10. Then, deploy the changes by clicking Deploy Changes.

Test Authentication Server Settings

You will now test your new authentication server settings by disconnecting and recon-
necting the wireless client. Then you will go into your publisher (ClearPass2) and view the
Access Tracker entries for the authentication request.

1. In the Aruba Training Lab, connect to Wireless Test Client.


2. If you are currently connected to your secure SSID, disconnect.

3. Attempt to reconnect to your secure SSID. Remember that you have an onboard wireless profile,
so you will not be prompted for authentication.

The Client should fail authentication with an error due to the EAP certificate.
EAP-TLS: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session

The error indicates that the Onboard client does not trust the EAP certificate on ClearPass2. This is the reason you should install the same EAP certificate on all of the ClearPass servers in the cluster.

4. Connect to Wired MGMT Client.


5. Open a browser tab to ClearPass2 (publisher).
6. Navigate to Access Tracker.
7. Edit the view on your Access Tracker screen to show default (2 servers).

8. Look under the server column; you should have listings for both ClearPass servers.
9. Look through the list in Access Tracker and find your latest contractUser log in request.

The fact that the request came into ClearPass2 shows that the virtual IP settings are working: the authentication source on the Aruba Controller is configured to send authentication requests to the virtual IP, and the virtual IP is presently serviced by ClearPass2.

10. Open the request details.


11. Click the Alerts tab.
12. Look at the “Alerts for this Request”.

13. Click the Input tab.


14. Expand Computed Attributes.
15. Scroll through the list, and find Connection:Dest-IP-Address.
Make note of the IP address; it should be your VIP.

16. Close the Request Details window.

Task 18-4: Testing High Availability
Objectives
n To test your configuration for high availability. You will shut down ClearPass2, which should initiate a publisher failover from ClearPass2 over to ClearPass1. The virtual IP should also transfer and be serviced by ClearPass1.

WARNING: You will be shutting down ClearPass2. To be certain that you are working in the interface for ClearPass2, you will reconnect to the VIP and confirm your publisher connection, because once you initiate the shutdown you have no way to restart the ClearPass2 server yourself. If you do require ClearPass2 to be restarted, you will need to contact your instructor or lab support.

Steps
1. On your Wired MGMT Client desktop, open a browser tab to the VIP {10.1.X9.13 (where X is your table number)}.

2. Log into the Policy Manager with your admin credentials.


3. Check in the ClearPass Policy Manager header that there is NO WARNING you are connected
to a subscriber.

4. Navigate to Administration > Server Manager > Server Configuration.


5. Click the Select box next to ClearPass2 (be certain it is ClearPass2).

TIP: Remember that ClearPass1 is enabled as the Insight Primary Server. You can
key on this to make sure you are selecting the one that is not enabled for Insight.

6. Click the button for Shutdown.


7. Confirm in the pop-up window that the IP address listed is your ClearPass2.

8. Click Yes.
9. Wait 3-4 minutes, and then refresh the browser tab connected to the VIP.

The standby publisher and VIP each have different timings. If you refresh your tab
early, you will be connected to ClearPass1 before it gets automatically promoted to
Publisher. This is alright. Just wait a little longer, and then refresh again.

10. Log in to the Policy Manager, if it asks for credentials.


11. On the dashboard, take notice of the Cluster Status.

12. Your ClearPass1 server should now be the publisher, and ClearPass2 should show up as disabled
or down.

Test Authentication to Confirm the VIP Works


1. From the Aruba Training Lab, connect to Wireless Test Client.
2. Disconnect and reconnect to your secure SSID.
3. Reconnect to Wired MGMT Client.
4. In your browser for the VIP {10.1.X9.13 (where X is your table number)}, navigate to Access
Tracker.
5. When you connect to Access Tracker, you might get an error stating that ClearPass2 is unreachable. The Access Tracker entries are part of the logs database and are local to each server, so normally ClearPass1 would have to query ClearPass2 to get those entries.

6. Edit the view in Access Tracker to only display ClearPass1.

7. Find your latest contractUser authentication and confirm that it authenticated against
ClearPass1. You can check the timestamp on the entry to be sure you are looking at the correct
authentication.

The client was able to reconnect to the SSID because it is now authenticating on ClearPass1. ClearPass1 still has the EAP certificate that was trusted during the Onboard lab. A full fix of this issue would be to load the same valid EAP certificates onto all of the ClearPass servers in the cluster. Then you would have to rerun the Onboard process.

You have completed Lab 18!

Lab Debrief
During this lab, you learned how to configure a ClearPass cluster with high availability. You learned how
to configure a publisher and virtual IP address to provide redundancy.

Lab 19: Administrative Access

Task 19-1: Guest Operator Login


Objectives
n To learn how to create Guest Operator Profiles and Operator Accounts, and to associate specific capabilities with different operators.

Steps
1. From the Aruba Training Lab dashboard, connect to Wired MGMT Client.
2. Open a browser tab to your ClearPass1 server.
3. Log in to ClearPass Guest.
4. Navigate to Administration > Operator Login > Profiles and review the built-in profiles.

5. Click the Receptionist profile to select it.


6. Click Edit.

7. Review the restrictions for access to the various features, along with the roles they are allowed to
provision.

8. Answer the following questions:
n What are the rights for Receptionist in relation to changing expiration of guest accounts?

n Which rights does Receptionist have in relation to creating a new guest account?

9. Scroll down to the User Roles section, and select Guest for user roles.

10. Scroll down to User Interface, and select “Aruba ClearPass Skin” to change the visual appearance.

11. Leave all other settings as default.
12. Click Save Changes.

Task 19-2: Create a New Guest Admin Account


Objectives
n To learn how to create a new Guest Admin Account.

Steps
1. Switch to the Policy Manager, and log in.
2. Navigate to Configuration > Identity > Roles.
3. Click Add in the upper right corner.
4. Add a role with the following information:
a. Name: Receptionist
b. Description: Guest admin user role

5. Click Save.
6. Navigate to Configuration > Identity > Local Users.
7. Click Add in the upper right corner.
8. Add a user with following information:

n UserID: frontdesk
n Name: <Any name>
n Password: aruba
n Enable User: yes
n Role: [Receptionist]

9. Click Save.

Task 19-3: Test Guest Operator Login


Objectives
n To test your new Guest Operator logon account.

Steps
1. Go back to ClearPass Guest in your browser.

2. Click the logout link in the menu at the top right, as shown here:

3. You should now see the ClearPass Guest Operator Login page.

4. Log in with the front desk account:

n User ID: frontdesk
n Password: aruba

Alternatively, you may open a different browser (Firefox, Chrome, IE, etc.) and log into ClearPass Guest at https://<ClearPass IP>/guest/ as the frontdesk user.

5. Verify that you get the Create Guest Account page as the start page.

6. Answer the following questions:


n What account role will be assigned to the guest user?

n Can you change this role?

7. Log out of ClearPass Guest by clicking the Logout link in the sidebar menu.

Understand How Login Worked


1. Go to the Policy Manager in your browser (https://<ip address CP1>/tips).
2. Log in as admin / eTIPS123.
3. Navigate to Monitoring > Access Tracker.
4. Look through the list for an application request for the frontdesk user.

5. Click to view the Request Details for the frontdesk user.

6. Answer the following questions:


n What service is used to process this authentication request?

n What is the username?

n What roles were assigned?

n What is the Enforcement Profile?

7. Click the Output tab.
8. Expand the Application Response shade.

9. Answer the following questions:


n What is the name of the attributes sent to the application?

n What is the value of the attributes sent?

n What do you think is significant about this attribute?

10. Close the request details.


11. Switch to ClearPass Guest in your browser. You should be logged in as an administrator now.
12. Navigate to Administration > Operator Logins > Translation Rules.
13. Select the ClearPass Profile Mappings rule.

14. Click Edit to view it.

15. Click Cancel to close the edit window.

In the local user repository, you created the ‘frontdesk’ user with role set as
[TACACS Receptionist]. As you saw in the request details, the service assigned
admin_privileges = [TACACS Receptionist]. The translation rule that you see here
mapped this admin_privileges attribute of [TACACS Receptionist] to the Recep-
tionist Operator profile. Thus, the guest operator ‘frontdesk’ is able to log in to the
Guest UI and get the Receptionist Operator profile.

Task 19-4: Policy Manager Admin Access for AD Users


Objectives
n To configure the authentication into the policy manager to allow distributors to use their Active
Directory accounts.

Steps
Start by creating a new role mapping policy that will be used in the ClearPass administrative logon service.
1. From the Wired MGMT Client desktop, open a browser tab to ClearPass1.
2. Log into the Policy Manager.
3. Navigate to Configuration > Identity > Role Mappings.
4. Click Add to create a new role mapping policy with the following information:
n Policy Name: Admin Role Mapping Policy
n Description: <Any description>
n Default Role: [Other]

5. On the Mapping Rules tab, leave Select first match.

6. Click Add Rule.
7. Add the following conditions:
a. Condition 1
i. Type = “Authorization:remote lab AD”
ii. Name = “memberof”
iii. Operator = “CONTAINS”

iv. Value = “Admin”
b. Role Name: [TACACS Super Admin]

8. Click Save.

9. Click Save again to save the Role Mapping Policy.


10. Navigate to Configuration > Services.
11. Select the [Policy Manager Admin Network Login Service].

You have to make a copy as you are not allowed to edit default services.

12. Click Copy to create a duplicate.

13. Click to edit the Copy of [Policy Manager Admin Network Login Service].
14. On the Service tab, change the service name:
n Name: AD Auth - Policy Manager Admin Login
n Description: Use for AD Accounts

15. Click the Authentication tab and add active directory authentication source:
n Authentication Sources: remote lab AD

16. Click the Roles tab and add new role mapping:

n Role Mapping Policy: Admin Role Mapping Policy

17. Click the Enforcement tab and keep the default enforcement policy:
n Enforcement Policy: [Admin Network Login Policy]

18. Answer the following question:


n Based on this enforcement policy, which enforcement profile would you expect to get
assigned for an AD user that is a member of an Admin AD group?

19. Click Save to save the service.


20. Click Reorder.

21. Make sure that the new AD Auth – Policy Manager Admin Login service is above [Policy Manager Admin Network Login Service].

22. Click Save.

To test your new Policy Manager Admin Login service, you will log out of the policy
manager and log back in with an account configured in Active Directory.

23. Log out of the Policy Manager UI.


24. Log back in with the following credentials:
n Username: itadmin
n Password: aruba123
25. Navigate to Monitoring > Access Tracker.
26. Find your itadmin access request and click to view details.

27. Click the Request tab and expand both the Computed Attributes and the Authorization Attributes tabs.
28. Note the Following Information:
n Tips:Service:

n Authentication:Source:

n Authorization:remotelab AD:memberOf:

29. Click Policies tab.

30. Answer the following questions:

n What are the ClearPass Roles applied to the user?

n What enforcement profile is applied?

31. Close the request details.


32. Log out of the Policy Manager.

Task 19-5: Policy Manager Administrator Privileges


Objectives
n To explore Administrator Privileges and methods for controlling the interface in the Policy Manager. This uses a system similar to ClearPass Guest Operators, where you assigned Administrator Privileges to an administrator role. You will start by creating a new Administrator Privilege and then modify the enforcement on the AD Auth – Policy Manager Admin Login service, so that the TAC admin user gets assigned the new privilege.

Steps
1. On the Wired MGMT Client desktop, open a browser tab to your ClearPass1 IP address.
2. Log in to the Policy Manager with admin / eTIPS123.
3. Navigate to Administration > Users and Privileges, and click Admin Privileges.

4. To configure a new Admin Privilege, click Add in the upper right corner.
5. On the Basic Information tab, configure the following:

n Name: TAC ClearPass Helpdesk
n Access type: Give UI access to the Admin

6. Click the Policy Manager tab.
7. Set the following access:
n Check Nothing (No Access)
8. Expand Monitoring, and select Read for Live Monitoring.

9. Expand Configuration, and then expand Identity.


10. Grant Read access for Endpoints.

11. Click Save to commit.
12. Click Admin Users in the sidebar.
13. Click Add in the upper right corner.
14. Add a new admin user with the following settings:
n User ID: testuser
n Name: test
n Password: aruba123
n Enable User: yes
n Privilege Level: TAC ClearPass Helpdesk

15. Click Add to close the window, and create the user.

Assign New Administrative Privilege


Start by creating an enforcement profile to assign the new Administrative Privileges.
1. Navigate to Configuration > Enforcement and click Profiles.
2. Click the checkbox next to [TACACS Help Desk].
3. Click Copy.

4. Click to edit Copy_of_[TACACS Help Desk].


5. On the Profile tab change the name to: TACACS TAC ClearPass Help Desk.

6. Click the Services tab.
7. Select the following value “TAC ClearPass Help Desk” under Service Attributes.

8. To save the line, click the Save icon.


9. To save the new Enforcement Profile, click the Save button.

Modify the Enforcement Policy for the Service


1. Click Enforcement > Policies in the sidebar menu.
2. Select [Admin Network Login Policy], and copy.
3. Click to edit Copy_of_[Admin Network Login Policy].
4. Select the Enforcement tab, and change the name to LAB 19 [Admin Network Login Policy].

5. Click the Rules tab.

On the Rules tab, you will add two rules. The first rule assigns your new Administrator Privileges if the user is a member of the “ClearPass Helpdesk” group. The second rule assigns the Super Administrator Privileges if the user is a member of the “ClearPass Admins” group.

6. Add a rule with the following conditions:


n Type: Authorization:Remote Lab AD
n Name: memberOf
n Operator: CONTAINS
n Value: clearpass helpdesk
n Profile Name: TACACS TAC ClearPass Help Desk

7. Add a second rule with the following conditions:


n Type: Authorization:Remote Lab AD
n Name: memberOf
n Operator: CONTAINS

n Value: clearpass admin
n Profile Name: [TACACS Super Admin]

8. Move the new rules to the top of the list.

9. To commit the new changes, click Save.
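The rules above are evaluated in order, and the CONTAINS operator is a substring test, which is why step 8 moves the new rules to the top. The following Python is an added illustration, not code from this lab or from ClearPass: it models first-match evaluation of the memberOf CONTAINS rules used in Task 19-4 and Task 19-5, shows that a user in both groups receives the helpdesk profile because that rule is ordered first, and includes a review check for group names a rule matches only as a substring. Assumptions: CONTAINS is treated as case-insensitive (the page's exact matching semantics are not stated), the sample group DNs are constructed, and the default profile reuses the [TACACS Deny profile] name from Task 19-6.

```python
"""Added example (not ClearPass code): first-match evaluation of ordered policy rules
of the form  Authorization:<source>:memberOf CONTAINS <value>  ->  profile.

Assumption: CONTAINS is modelled as a case-insensitive substring test.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

MEMBER_OF = "Authorization:Remote Lab AD:memberOf"


@dataclass(frozen=True)
class Rule:
    attribute: str   # attribute the condition is evaluated against
    operator: str    # only CONTAINS is modelled here
    value: str       # substring the rule looks for
    result: str      # enforcement profile (or ClearPass role) to assign


def contains(values: Iterable[str], needle: str) -> bool:
    """CONTAINS: true if the needle occurs anywhere inside any memberOf value."""
    needle = needle.lower()
    return any(needle in v.lower() for v in values)


def first_match(rules: List[Rule], attrs: Dict[str, List[str]], default: str) -> str:
    """Walk the rules in order; the first rule whose condition holds decides the result."""
    for rule in rules:
        if rule.operator != "CONTAINS":
            raise ValueError(f"operator {rule.operator!r} is not modelled")
        if contains(attrs.get(rule.attribute, []), rule.value):
            return rule.result
    return default


# The two rules of LAB 19 [Admin Network Login Policy], in the order the lab
# places them (moved to the top of the rule list).
LAB19_RULES = [
    Rule(MEMBER_OF, "CONTAINS", "clearpass helpdesk", "TACACS TAC ClearPass Help Desk"),
    Rule(MEMBER_OF, "CONTAINS", "clearpass admin", "[TACACS Super Admin]"),
]
DEFAULT_PROFILE = "[TACACS Deny profile]"   # default profile name taken from Task 19-6


def profile_for(member_of: List[str]) -> str:
    """Enforcement profile a user with these memberOf values would receive."""
    return first_match(LAB19_RULES, {MEMBER_OF: member_of}, DEFAULT_PROFILE)


def substring_only_matches(rules: List[Rule], group_names: Iterable[str]) -> Dict[str, List[str]]:
    """Review check: group names a rule matches only because CONTAINS is a substring
    test, i.e. the group name is not exactly the rule value.  A value such as
    'clearpass admin' also matches a group called 'clearpass administrators', so
    that group would be granted the rule's profile as well."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        extra = [g for g in group_names
                 if contains([g], rule.value) and g.lower() != rule.value.lower()]
        if extra:
            findings[rule.value] = extra
    return findings


if __name__ == "__main__":
    # Constructed sample DNs; the OU/DC components are illustrative only.
    base = "OU=Groups,DC=training,DC=arubanetworks,DC=com"
    itadmin = [f"CN=clearpass admin,{base}"]
    tacdesk = [f"CN=clearpass helpdesk,{base}"]
    print(profile_for(itadmin))            # [TACACS Super Admin]
    print(profile_for(tacdesk))            # TACACS TAC ClearPass Help Desk
    print(profile_for(tacdesk + itadmin))  # helpdesk rule wins: it is ordered first
    print(profile_for([]))                 # [TACACS Deny profile]
    print(substring_only_matches(LAB19_RULES,
                                 ["clearpass helpdesk", "clearpass admin",
                                  "clearpass administrators"]))
```

The final call reports {'clearpass admin': ['clearpass administrators']}, the kind of overlap worth checking against the real group list before a CONTAINS rule goes into production.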

Add the New Enforcement to the Service


1. Click Services in the sidebar menu.
2. Click to edit the AD Auth - Policy Manager Admin Login service.
3. Click the Enforcement tab in the service.
4. Select your new LAB 19 Admin Network Login Policy.
5. Click Save.

Now Test the Helpdesk and Admin Logins


1. Click the menu in the upper right corner, and log out of the Policy Manager.
2. Log back in with the user tacdesk / aruba123.

3. Take notice of the menu options on the sidebar. You should only have Monitoring > Live Monitoring and Configuration > Identity > Endpoints.

4. Click the menu in the upper right corner, and look at your login information.

5. Log out of the Policy Manager.
6. Log back into the Policy Manager with itadmin / aruba123.
You should now have your Super Administrator Privileges.
7. Click the menu in the upper right corner, and look at your login information.
8. Log out of the Policy Manager.

Task 19-6: TACACS+ Admin Access to Aruba Devices
Objectives
n To set up ClearPass as the TACACS+ Authentication server for Aruba Network Access Device admin logins.

Steps
Configure the TACACS+ Shared Key
1. From your Wired MGMT Client desktop, log in to ClearPass1 Policy Manager.
2. Navigate to Configuration > Network > Devices.

3. Click your Aruba Controller entry.

4. Enter >aruba123 as the TACACS+ Shared Secret.

5. Click Save.

Create a New TACACS Service to Process Admin Authentications


1. Navigate to Configuration > Services.
2. Select the [Aruba Device Access Service], and click Copy to create a duplicate.

3. Click to edit the new Copy_Of_[Aruba Device Access Service].
4. Select the Service tab.
5. Rename the service to AD Auth – Aruba Device Access Service.
6. Configure a Service Selection Rule as follows:
Connection NAD-IP-Address EQUALS <your Controller IP>

7. Select the Authentication tab.


8. Add Remote Lab AD as an Authentication Source.

9. Select the Enforcement tab.

10. In the Enforcement Policy tab, click Add New Enforcement Policy.

11. Create an Enforcement Policy with the following information:


n Name: AD Auth - Aruba Device Access Policy
n Default Profile: [TACACS Deny profile]

12. Select the Rules tab.


13. In the Rules tab, click Add rule to add the following rule:
n Type: Authorization:Remote Lab AD
n Name: memberOf
n Operator: CONTAINS
n Value: admin
n Profile Name: [ArubaOS Wireless - TACACS root Access]

14. Click Save to save the rule.
15. Click Save to save the enforcement policy.
16. You will be redirected back to the service.
17. Choose your newly created enforcement policy.

18. Click Save again to save the service.
19. Scan through the list, and find the default [Aruba Device Access Service].

20. Click the green checkmark under status to Disable the [Aruba Device Access Service].

Test the Aruba Controller with AD Credentials


1. Open a new browser tab on your Wired MGMT Client.
2. Connect to your Aruba Controller at https://<your Controller IP address>.
3. Log in using the following information:
n Username: itadmin
n Password: aruba123

At this stage, you should be logged in because the Aruba Controller is pre-configured to send TACACS+ authentication requests for admin logins to the ClearPass server.

4. From the Aruba Training Lab dashboard, right-click your Aruba Controller, and select Open
Console.
5. Log in with admin / admin1 (Remember: you have to press [Enter] to get a prompt).
6. Enter the following command in your Controller CLI: show loginsessions.

7. Log in to the ClearPass1 Policy Manager UI as admin.


8. Navigate to Access Tracker.
9. Find the newest TACACS request from itadmin.

10. Click the request to View Details.


11. Select the Policies tab.

12. Answer the following questions:

n What are the ClearPass Roles applied to the user?

n What enforcement profile is sent?

13. Select the Request tab, and expand the Authorization Attributes shade.

14. Answer the following questions:


n What AD Group is the user a member of?

n How did the user get assigned the enforcement profile?

You have completed Lab 19!

Lab Debrief
This lab had three parts. In the first part, you configured Operator Profiles to control what parts of
ClearPass Guest an operator could have access to. The second part of the lab was focused on con-
trolling access through custom Administrative Privileges to the ClearPass Policy Manager interface.
The final section of the lab took a look at using ClearPass as a TACACS authentication source for admin-
istrative access to your network devices.

Task Questions Answered


Task 1
n What are the rights for Receptionist in relation to changing expiration of Guest Accounts?
l The receptionist has no access to Change Expiration of guest account.
n Which rights does Receptionist have in relation to creating a new guest account?
l The receptionist has full access to Create New Guest Accounts, but no access to Create
Multiple Guest Accounts.

Task 3
n What account role will be assigned to the guest user?
l The account role is preconfigured as [Guest].
n Can you change this role?
l There is no option to change the account role.
n What service is used to process this authentication request?
l The [Guest Operator Logins] service; you can tell it is a default service because of the brackets [ ] in its name.
n What is the username?
l The user is frontdesk.
n What roles were assigned?
l The roles [TACACS Receptionist] and [User Authenticated] were assigned.
n What is the enforcement profile?
l The enforcement profile is [Operator Logon – Local Users].
n What is the name of the attributes sent to the application?
l The attribute being sent is called “admin_privileges.”
n What is the value of the attributes sent?



  - In this case, the value is actually one of the roles assigned to the user: [TACACS Receptionist].
- What do you think is significant about this attribute?
  - The attribute for admin_privileges is used to select the operator profile to assign to the operator at log on.

Task 4



- Based on this enforcement policy, which enforcement profile would you expect to get assigned for an AD user that is a member of an Admin AD group?
  - The user will get the super admin role and be given the admin interface.
- What are the ClearPass roles applied to the user?
  - The user got the [User Authenticated] and [TACACS Super Admin] role.
- What enforcement profile is applied?
  - The enforcement profile applied was [TACACS Super Admin].

Task 6
- What are the ClearPass roles applied to the user?
  - The user received the [User Authenticated] role, indicating that the authentication passed.
- What enforcement profile is sent?
  - The enforcement profile was [ArubaOS Wireless TACACS Root Access].
- What AD Group is the user a member of?
  - The user is a member of the “clearpass admin” group.
- How did the user get assigned the enforcement profile?
  - In the enforcement policy for the TACACS service, there is a rule that says, “If the user is a member of a group that contains the word ‘admin,’ then assign the super admin administrative privileges.”





Lab 20: Insight Reports



In this lab, you will learn about the Insight Reports tool. The lab starts by confirming that Insight has
been enabled, and then explores the dashboard in Insight. You will learn how to create reports from the
dashboard, and then you will learn how to create reports that can be downloaded as comma-delimited
files for use in external applications.

Task 20-1: Configuring Insight


Objectives
- To consider Insight configuration. You will start by checking that Insight is properly enabled on ClearPass1. This was done earlier in the labs, so you should have some data available now.
- To look at administrative settings in Insight.

Steps
1. From the Aruba Training Lab dashboard, open the Wired MGMT Client desktop.
2. Open a browser to ClearPass1, and log in to the Policy Manager as admin.
3. Navigate to Administration > Server Manager in the sidebar menu.
4. Click on Server Configuration.
5. Select your ClearPass1 server, and open to edit.
6. Review the Insight settings, make sure that Enable Insight is checked, and ClearPass1 is set as
the Insight Primary Server. If Insight is not currently enabled in your system, Enable it now.

When you enable Insight in your cluster, you must enable it on at least one cluster
node, and only one cluster node can be the Insight primary server. This becomes the
server node that owns the database. Even if you only have a single ClearPass node
enabled for Insight, you must select that node as the primary server.



7. Click Save to exit.
8. Select Insight from the menu in the upper right corner.

9. You will be connected to the Dashboard for Insight.



10. Select Administration from the sidebar menu.
11. Scroll down through the list.
12. Answer the following questions:
- What protocols can be used to transfer report files automatically out of Insight?



- What is the default database retention time?

- What effect on the system would there be if you set the database retention time to 365 days?

Task 20-2: Explore the Insight Dashboard


Objectives
- To look at customizations and functions in the Insight Dashboard.



Steps
1. To open the main dashboard, click on the word Dashboard in the sidebar menu.

This is the main dashboard and each operator that logs into Insight will have their
own customizable dashboard. You can add widgets to the dashboard as required.

2. To add a widget for Endpoint Device Categories, click on Endpoints in the sidebar menu.
3. Scroll down through the Endpoints Dashboard and find Endpoints Device Categories.

4. Click the down arrow in the right corner and select Add to Dashboard.

5. Look through the sidebar menu and add the following widgets to your dashboard:
- Endpoints: Endpoint Device Families
- Licensing: Maximum License Usage



- Network: NAD Vendor Distribution
- Posture: Health Status

The above widgets are a sampling from each of the grouping’s widgets. As an administrator of ClearPass, you will want to assemble your own dashboard that you can check periodically to quickly see how ClearPass is performing.

6. To view your customized dashboard, click on Dashboard in the sidebar menu.


7. Scroll through the list of widgets in the dashboard to find your new widgets.



8. To change the date range of the dashboard view, click the down arrow next to custom in the
upper right corner.

9. Click in the Start Date box and set the beginning date of this course.
10. Set End Date equal to today’s date.



11. Click Apply.
12. Take note of the changes in your dashboard.
13. Click on the Clients heading in the sidebar menu.



14. To change the columns displayed in the inventory screen, click the pencil icon in the right
corner.
15. In the Edit Columns editor window, pull down IP Address, and select Username.



16. Click Apply.
17. To sort the list by Username in the Inventory Dashboard, click the down arrow next to the Username column tag.



18. Now filter the inventory list to display only computers discovered by the DHCP collector. Do this by clicking on the Filter icon in the upper right corner.


19. Make the following settings:
- Device Category: Computer
- Fingerprint Type: dhcp

20. Click Apply.


21. Take note of the results:



Task 20-3: Creating Reports in Insight
Objectives
To create a report from a widget in the dashboard as well as a report from scratch.

Steps

1. While still focused on the Clients Dashboard, click the Download Reports icon in the
upper right corner.
2. Save the .CSV file.



Create a Report for One of the Dashboard Widgets
1. Click Dashboard in the sidebar menu.
2. Scroll through the main dashboard to find the widget for Authentication Service.
3. Click the down arrow in the right corner of the widget, and select Create Reports.



4. Name the report “Lab 20 Authentication Service Report.”
5. Click Sample Report, to view a preview example of the report. A generic sample of the report
you are creating will open in a second browser tab.

6. Close the Sample Browser tab.


7. Scroll down, and set the report to run Daily at 06:00.



8. Click Next to go to Filter Settings.
9. In the Filters, configure the following:
- Field: Device Category
- Operator: EQUALS
- Value: Computer
10. Click Next.
11. Review the Report Summary.
12. Click Save.

13. To run the report, click the run icon.


14. Click on the Reports header in the sidebar menu.



15. Preview the calendar, and then scroll down to the Created Reports Section.
16. Take note of the “Last Run At” date.

17. To download the report, click the download icon on the right.
18. Save the Report. It will save as a ZIP file, and you will need to open the file and preview it.



19. Open the Downloads folder.

20. Open the PDF file for viewing.



The file will open in a new browser window. Spend a little time looking through what
ended up in the report.

Create a New Report from Scratch


1. Close the Report browser window.
2. Return to your browser with Insight open.
3. Click Reports > Configuration in the sidebar menu.
4. To create a new report, click Create New Report in the upper right corner.

5. Give the report the following name: “Lab 20 Custom Report.”


6. Under Category, select Endpoint > Endpoint Overview.



7. Under Options, check the box for “Include raw data and output.”

8. Scroll down and set the custom date range for the start and finish of your class.
- Repeat Scheduled Report: No Repeat
- Preset Date Range: Custom Date
- Start Date: First Day of Class
- End Date: Today

9. Click Next.
10. On the Filters, Raw Data, Branding screen, do not modify the filter.
11. Under Configure CSV Raw Data Columns, select Fingerprint as a new column. (You just need
to click it in the Available Columns to move it to Selected Columns.)



12. Click Next.
13. Click Save.

Run and Download the Report

1. On the Configured Reports screen, click the Run button for the new report.

2. Click the folder icon to view the report status.


3. Download the Report.



4. Notice that the report is a “.zip” file, and save the report.



5. Open the Downloads folder.
6. Extract the ZIP file.

7. In the Extracted Reports folder, open the .CSV file in Wired MGMT Client.

8. Examine the contents of the file.



9. Close Wired MGMT Client.
10. Close all windows.

Task 20-4: Alerts and Watchlist


Objectives
- To explore the configuration of system alerts and the user Watchlist in Insight.

Steps
1. In the browser, log into Insight, and navigate to Alerts in the sidebar menu.
2. To create a new alert, click on Create New Alert in the upper right corner.

3. Enter the following configuration on the Alerts Settings:


- Alert Name: Lab 20 Test Alert
- Category: Authentication / RADIUS Failed Authentication
- Notifications: Notify by Email
- Email Address: {your lab email address} (for example, P5T1@traininglab.com)

4. Do not modify the filter so that the alert will apply to all authentication instances.
5. Scroll down to the Trigger section.
6. Set the following filter:



- Severity: Critical
- Threshold: 3
- Interval: 5 Minutes

7. Take notice of the Alert Summary at the bottom of the page.



8. Click Save.
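The trigger you just saved reads as "raise a Critical alert when a user accumulates 3 RADIUS failed authentications within 5 minutes". The Python below is an added example, not Insight's own code, that models that trigger as a per-user sliding window so you can see which patterns of failures fire it and which do not. It assumes Insight counts failures in a sliding window and resets after firing; the RADIUS log lines are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # Threshold setting from the lab
INTERVAL = timedelta(minutes=5)  # Interval setting from the lab

# Constructed sample RADIUS events (not real Insight output): timestamp, user, outcome
SAMPLE_LOG = """\
2023-09-14 08:00:10 RADIUS contractUser FAILED
2023-09-14 08:01:30 RADIUS contractUser FAILED
2023-09-14 08:02:05 RADIUS itadmin SUCCESS
2023-09-14 08:03:45 RADIUS contractUser FAILED
2023-09-14 08:20:00 RADIUS contractUser FAILED
2023-09-14 08:21:00 RADIUS contractUser FAILED
2023-09-14 08:27:00 RADIUS contractUser FAILED
"""


def parse_events(log_text):
    """Turn the sample lines into (timestamp, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        date, time, _, user, outcome = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), user, outcome))
    return events


def failed_auth_alerts(events, threshold=THRESHOLD, interval=INTERVAL):
    """Return (user, time) for each moment a user's failures inside the interval
    reach the threshold. The window is cleared after firing so one burst raises
    one alert (an assumption about how Insight behaves, not documented here)."""
    recent = {}   # user -> deque of failure timestamps still inside the interval
    fired = []
    for ts, user, outcome in sorted(events):
        if outcome != "FAILED":
            continue
        window = recent.setdefault(user, deque())
        window.append(ts)
        while ts - window[0] > interval:   # discard failures older than the interval
            window.popleft()
        if len(window) >= threshold:
            fired.append((user, ts.isoformat(sep=" ")))
            window.clear()
    return fired


def demo():
    """Run the model over the constructed sample log."""
    return failed_auth_alerts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, when in demo():
        print(f"ALERT Critical: {user} reached {THRESHOLD} failed authentications at {when}")
```

Note what the second burst shows: three failures at 08:20, 08:21 and 08:27 never fire, because by 08:27 the first two have aged out of the 5-minute window. When tuning Threshold and Interval, think about whether a slow, spread-out pattern of failures should still be reported; a longer Interval catches it at the cost of more noise from ordinary mistyped passwords.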

Add Temp User to the Watchlist


1. In the Alerts Configuration screen, click on the pencil icon for the User Watchlist.
2. Check to enable Notify by Email, and add your trainingLab.com email address.



3. Click Save.

To add a user to the Watchlist, use the search box at the top of the page, and search
for a username. Then add that user to the Watchlist by clicking the star next to the
user’s name.

4. In the search box at the top of the page, type contractUser.


5. Select “contractUser as Username” to search for the contractUser.

6. In the details page for the temp user, click the star next to username to add the user to the
Watchlist.

7. Navigate back to Alerts > Configuration in the sidebar menu.



8. Notice that the enable state of the Watchlist has changed.

9. Navigate to Alerts > Watchlist.



10. If you have any alerts for contractUser, you can click on the alerts history button to view those.

You have Completed Lab 20!

Lab Debrief
During this lab, you have explored many of the tools available in Insight. Insight is an intuitive and
simple-to-use report engine that allows you to gather a lot of data about your ClearPass system.



Task Questions Answered
Task 1
- What protocols can be used to transfer report files automatically out of Insight?
  - The protocols are Secure Copy Protocol (SCP) and Secure FTP.
- What is the default database retention time?
  - The default database retention time is 30 days.
- What effect on the system would there be if you set the database retention time to 365 days?
  - While it is tempting to keep the Insight data for a long period of time in case you need to do reports, you have to understand that it will affect the size of the database on any ClearPass servers hosting the Insight database or replicating it. This means that if you start changing data retention periods, you need to monitor disk drive usage on those servers.



Appendix 1: Configure DUR Enforcement Profiles (complete)
Appendix 1 is a complete set of directions for creating all of the required downloadable user role
enforcement profiles.

Objectives

The rules listed below are given in the form “source” “destination” “service or protocol” “action”.

Profile Only Role: the client receiving this “profile only” role requires the ability to get on the network and receive an IP address through DHCP. This is a limited access role that allows the system to do profiling. It is also common to use this role with OnGuard, so it will have the required OnGuard agent access for TCP ports 80, 443 and 6658, with access to ClearPass only.
- RADIUS Accept
- Rule 1: any any DHCP (UDP 68) permit
- Rule 2: user {ip of CPPM} tcp 80 permit
- Rule 3: user {ip of CPPM} tcp 443 permit
- Rule 4: user {ip of CPPM} tcp 6658 permit
- Rule 5: any any any deny

Employee Full Access Role: when an employee properly authenticates into the secure SSID they are granted full access, which means a very simple access rule of any source to any destination on any protocol or port (any any any allow).
- RADIUS Accept
- Rule 1: any any any permit

Employee Smart Access Role: it is common in many organizations to limit smart devices on the employee secure network to Internet access only. This requires blocking internal IP address spaces and allowing external addresses only.
- RADIUS Accept
- Rule 1: any any DHCP permit
- Rule 2: any any DNS permit
- Rule 3: any {ip-subnet internal} any deny
- Rule 4: any any tcp 80 permit
- Rule 5: any any tcp 443 permit
- Rule 6: any any any deny (this is implied, but added here for rule readability)

Temporary Access Role: another common practice is to grant limited access roles to temporary workers such as contractors. These roles would include access to only the few internal IP addresses required by the contractor, and possibly Internet access as well. In this scenario you will configure this role to allow access to the internal Windows / Active Directory server.
- RADIUS Accept
- Rule 1: any any DHCP permit
- Rule 2: any any DNS permit
- Rule 3: user 10.254.1.21 any permit
- Rule 4: any {ip-subnet internal} any deny
- Rule 5: user any tcp 80 permit
- Rule 6: user any tcp 443 permit
- Rule 7: any any any deny (this is implied, but added here for rule readability)

Deny All Role: there are two ways that you can implement the “deny all” functionality. First, you can simply configure a RADIUS enforcement profile that sends an access deny. The second option is to allow the device to authenticate into the wireless network and then assign a role that denies all source addresses to all destination addresses for all protocols or ports (any any any deny). For ease, this role will use option 1.
- RADIUS Reject

In this lab you will use the Standard Role Configuration Mode to create your downloadable roles. You will also follow the best-practice procedure of creating NetServices to define TCP/UDP ports and protocols, and NetDestinations to define aliases that will be used in the session ACLs for the role.

Steps
1. From the Remote Lab dashboard, connect to Wired MGMT Client.
2. Open a browser to the IP address of your ClearPass1 server.
3. Log in with admin / eTIPS123.
4. Navigate to Configuration > Enforcement > Profiles.
5. Click Add to create a new Enforcement Profile.

6. On the Profile Tab set the following:
a. Template: Aruba Downloadable Role Enforcement
b. Name: Aruba Controller DUR profile only
c. Action: Accept
d. Product: Mobility Controller
7. Click Next.

8. On the Role Configuration Tab scroll down the list to the NetService Configuration: section.
9. Click the link for Manage NetServices.
10. Enter the following settings:
a. Name: DHCPdiscover
b. Protocol: UDP
c. Port Selection: List
d. Port List: 68
11. Click Save.

12. Continue to add the following NetServices.

a. Web ports
i. Name: WEB-PORTS
ii. Protocol: TCP
iii. Port Selection: List
iv. Port List: 80,443

b. OnGuard Agent Heartbeat.


i. Name: OnGuard
ii. Protocol: UDP

iii. Port Selection: List
iv. Port List: 6658

13. Click Cancel to close the NetService editor.


14. Scroll down the Role Configuration Tab to the NetDestination Configuration: section.
15. Click the link for Manage NetDestinations.
16. Fill in the following settings:
a. Name: ClearPass
b. Rule 1: host {IP address of your ClearPass 1 server}
Click Save Rule.
c. Rule 2: host {IP address of your ClearPass 2 server}
Click Save Rule.

17. Click Save to create the NetDestination.
18. Click Cancel to close the NetDestination editor.
19. Scroll down the Role Configuration Tab to the ACL: section.
20. Click Add Session Access Control List.
21. Add an ACL with the following Name: DHCPallow.
22. On the General tab click Add Rule.
23. Create a rule with the following:
a. Source Traffic Match: any
b. Destination Traffic Match: any
c. Service Type: service
d. Service: DHCPdiscover
e. Action: permit

24. Click Save Rule.

25. On the General tab click Save.


Repeat the above steps to create two more Session Access Control Lists.

First ACL:
1. On the General tab assign the Name: ClearPassWEB.
2. On the General tab click Add Rule.
a. Web access to ClearPass.
i. Source Traffic Match: user
ii. Destination Traffic Match: alias

iii. Destination Alias: ClearPass
iv. Service Type: service
v. Service: WEB-PORTS
vi. Action: permit

3. Click Save Rule.
4. On the General tab click Add Rule.
a. Heartbeat for OnGuard.
i. Source Traffic Match: user
ii. Destination Traffic Match: alias
iii. Destination Alias: ClearPass
iv. Service Type: service
v. Service: OnGuard
vi. Action: permit

5. Click Save to Save the ACL.

Second ACL:
1. On the General tab assign the Name: DenyAll.
2. On the General tab click Add Rule.
a. Deny all remaining traffic.
i. Source Traffic Match: any
ii. Destination Traffic Match: any
iii. Service Type: any
iv. Action: deny

3. Click Save to Save the ACL.

Assemble the ACL list
1. Below the window in the ACL section select:
a. ACL Type: Session
b. ACL Name: DHCPallow
ClearPassWEB
DenyAll

2. Click Next.
3. On the Summary Tab scroll down and look at the User Role Configuration:

Configure the Employee Full Access DUR
- RADIUS Accept
- Rule 1: any any any permit – Create new session ACL
1. Click Add in the Configuration > Enforcement > Profiles workspace to create a new Enforcement Profile.
2. On the Profile tab enter the following:
a. Template: Aruba Downloadable Role Enforcement.
b. Name: Aruba Controller DUR employee full access.
c. Product: Mobility Controller.
3. Click Next.



4. In the Role Configuration tab, click “Add Session Access Control List”.

5. On the General tab, name the ACL: AllowAll.


6. Click Add Rule.
7. On the Role Configuration tab, configure the following (these are the defaults):
a. Source Traffic Match: any
b. Destination Traffic Match: any

c. Service Type: any
d. Action: permit
8. Click Save Rule.
9. Click Save.

10. On the General tab, under ACL:, select:


a. ACL Type: Session
b. ACL Name: AllowAll
11. Click Add.

12. Click Next.
13. On the Summary tab, review the new DUR.


14. Click Save to commit the new Enforcement Profile.

Configure the Employee Smart Access DUR
- RADIUS Accept
- Rule 1: any any DHCP permit – Use existing Session ACL
- Rule 2: any any DNS permit
- Rule 3: any {ip-subnet internal} any deny
- Rule 4: any any tcp 80 permit
- Rule 5: any any tcp 443 permit
- Rule 6: any any any deny – Use existing Session ACL
1. Click Add in the Configuration > Enforcement > Profiles workspace to create a new Enforcement Profile.
2. On the Profile tab, enter the following:
a. Template: Aruba Downloadable Role Enforcement
b. Name: Aruba Controller DUR employee smart access
c. Product: Mobility Controller
3. Click Next.

4. In the Role Configuration tab, click “Manage NetServices”.

5. Set the following:
a. Name: DNS-SVC
b. Protocol: TCP
c. Port Selection: List
d. Port List: 53

6. Click Save.
7. Click Cancel to close the window.
8. In the Role Configuration tab click “Manage NetDestinations”.
9. Set the following settings:
a. Name: Internal-Network
b. Rule Type: network
c. IP Address: 10.254.1.0
d. Netmask: 255.255.255.0

Create the DNS Allow ACL
1. In the Role Configuration tab, click “Add Session Access Control List”.
2. On the General tab, name the ACL: DNSallow.
3. Click Add Rule.
4. On the Role Configuration tab, configure the following: (these are the defaults)
a. Source Traffic Match: user
b. Destination Traffic Match: any
c. Service Type: service
d. Service: DNS-SVC
e. Action: permit
5. Click Save Rule.

6. Click Save to commit the ACL.

Create the Deny Internal Network ACL
1. In the Role Configuration tab, click “Add Session Access Control List”.
2. On the General tab, name the ACL: DenyInternal.
3. Click Add Rule.
4. On the Role Configuration tab, configure the following: (these are the defaults)
a. Source Traffic Match: any
b. Destination Traffic Match: alias
c. Destination Alias: Internal-Network
d. Service Type: any
e. Action: deny
5. Click Save Rule.

6. Click Save to commit the ACL.

Create the Access to Internet ACL


1. In the Role Configuration tab, click “Add Session Access Control List”.
2. On the General tab, name the ACL: AllowInternet.
3. Click Add Rule.
4. On the Role Configuration tab, configure the following: (these are the defaults)
a. Source Traffic Match: user
b. Destination Traffic Match: any
c. Service Type: service
d. Service: WEB-PORTS
e. Action: permit
5. Click Save Rule.
6. Click Save to commit the ACL.

7. In the Role Configuration tab, under ACL, add the following Session ACLs to the list:
a. DHCPallow
b. DNSallow
c. DenyInternal
d. AllowInternet
e. DenyAll
8. Click Add after each.
9. When all ACLs are in the list Click Next.

10. Review the Summary.


11. Click Save.

Configure the Temporary Access DUR
- RADIUS Accept
- Rule 1: any any DHCP permit
- Rule 2: any any DNS permit
- Rule 3: user 10.254.1.21 any permit
- Rule 4: any {ip-subnet internal} any deny
- Rule 5: user any tcp 80 permit
- Rule 6: user any tcp 443 permit
- Rule 7: any any any deny (this is implied, but added here for rule readability)

Use the methods you have learned to create the Temporary Access DUR
1. Create a new Enforcement Profile.
a. Template: Aruba Downloadable Role Enforcement
b. Name: Aruba Controller DUR temporary access
c. Product: Mobility Controller

2. Configure a new Session ACL.
a. Name: AllowADserver
b. Add Rule:
i. Source Traffic Match: user
ii. Destination Traffic Match: host
iii. Destination IP Address: 10.254.1.21
iv. Service Type: any
v. Action: permit

3. Add the correct ACLs to the DUR.
a. DHCPallow
b. DNSallow
c. AllowADserver
d. DenyInternal
e. AllowInternet
f. DenyAll

4. Review the Summary.

5. Save the Enforcement Profile.
You have finished configuring the Enforcement Profiles.
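Before a downloadable role is handed to a controller it is worth checking that the ordered ACL list really expresses the rule table in the Objectives. The Python below is an added example, not ClearPass or ArubaOS code: it models the NetServices, NetDestinations and session ACLs built in the Steps above, evaluates constructed sample flows with first-match semantics, and shows why the ACL order in the Temporary Access role matters. The ClearPass1 and ClearPass2 addresses (10.254.1.11 and 10.254.1.12) and the client address 10.254.2.50 are assumptions; 10.254.1.0/24 and 10.254.1.21 come from the appendix.

```python
import ipaddress
from dataclasses import dataclass

# NetServices from the lab: protocol and port list, as entered under Manage NetServices
NETSERVICES = {
    "DHCPdiscover": ("udp", {68}),
    "WEB-PORTS": ("tcp", {80, 443}),
    "OnGuard": ("udp", {6658}),
    "DNS-SVC": ("tcp", {53}),
}

# NetDestinations: aliases built from host/network rules. The two ClearPass
# addresses are assumed for this example; 10.254.1.0/24 is the lab's internal network.
NETDESTINATIONS = {
    "ClearPass": [ipaddress.ip_network("10.254.1.11/32"),   # assumed ClearPass1 address
                  ipaddress.ip_network("10.254.1.12/32")],  # assumed ClearPass2 address
    "Internal-Network": [ipaddress.ip_network("10.254.1.0/24")],
}

USER_IP = "10.254.2.50"  # constructed: address of the authenticated client ("user")


@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src: str      # "any" or "user"
    dst: str      # "any", "alias:<NetDestination>" or "host:<ip>"
    service: str  # "any" or a NetService name
    action: str   # "permit" or "deny"


def dst_matches(rule_dst, dst_ip):
    if rule_dst == "any":
        return True
    kind, _, name = rule_dst.partition(":")
    addr = ipaddress.ip_address(dst_ip)
    if kind == "alias":
        return any(addr in net for net in NETDESTINATIONS[name])
    if kind == "host":
        return addr == ipaddress.ip_address(name)
    raise ValueError(f"unknown destination match {rule_dst!r}")


def service_matches(rule_service, flow):
    if rule_service == "any":
        return True
    proto, ports = NETSERVICES[rule_service]
    return flow.proto == proto and flow.dport in ports


def rule_matches(rule, flow):
    src_ok = rule.src == "any" or flow.src == USER_IP
    return src_ok and dst_matches(rule.dst, flow.dst) and service_matches(rule.service, flow)


# Session ACLs as ordered rule lists; the first matching rule decides
ACLS = {
    "DHCPallow":     [Rule("any", "any", "DHCPdiscover", "permit")],
    "ClearPassWEB":  [Rule("user", "alias:ClearPass", "WEB-PORTS", "permit"),
                      Rule("user", "alias:ClearPass", "OnGuard", "permit")],
    "DenyAll":       [Rule("any", "any", "any", "deny")],
    "AllowAll":      [Rule("any", "any", "any", "permit")],
    "DNSallow":      [Rule("user", "any", "DNS-SVC", "permit")],
    "DenyInternal":  [Rule("any", "alias:Internal-Network", "any", "deny")],
    "AllowInternet": [Rule("user", "any", "WEB-PORTS", "permit")],
    "AllowADserver": [Rule("user", "host:10.254.1.21", "any", "permit")],
}

# Roles as the ordered ACL lists assembled in this appendix
ROLES = {
    "profile only":          ["DHCPallow", "ClearPassWEB", "DenyAll"],
    "employee full access":  ["AllowAll"],
    "employee smart access": ["DHCPallow", "DNSallow", "DenyInternal", "AllowInternet", "DenyAll"],
    "temporary access":      ["DHCPallow", "DNSallow", "AllowADserver", "DenyInternal",
                              "AllowInternet", "DenyAll"],
}


def evaluate(acl_names, flow):
    """Walk the ACLs in order and return the first matching action; deny if none match."""
    for name in acl_names:
        for rule in ACLS[name]:
            if rule_matches(rule, flow):
                return rule.action
    return "deny"


def evaluate_role(role, flow):
    return evaluate(ROLES[role], flow)


if __name__ == "__main__":
    ad = Flow(USER_IP, "10.254.1.21", "tcp", 445)
    print("temporary access -> AD server:", evaluate_role("temporary access", ad))
    # Same ACLs with DenyInternal ahead of AllowADserver: the AD server becomes unreachable
    swapped = ["DHCPallow", "DNSallow", "DenyInternal", "AllowADserver", "AllowInternet", "DenyAll"]
    print("with DenyInternal first:", evaluate(swapped, ad))
```

The ordering point is the one to take away: in the Temporary Access role, AllowADserver must sit ahead of DenyInternal, because 10.254.1.21 lies inside the Internal-Network alias and the first matching ACL wins. With DenyInternal listed first the role still looks complete on the Summary tab, but the AD access it exists to provide is silently gone. The model also confirms that the Profile Only role reaches nothing but the ClearPass servers on the OnGuard and web ports, and that Employee Smart Access can resolve DNS and reach web ports outside 10.254.1.0/24 only.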
