Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba ClearPass Workshop (Video Series 2021)

  • 1.  Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted May 27, 2021 10:03 AM
    All, upon many requests I decided to start over with the ClearPass Workshop Series in a 2021 'reboot'.

    The content is similar to the series published in 2017, but now with the current latest & greatest like ClearPass 6.10, Instant 8.8, and ArubaOS-CX Switching 10.7, and the 2021 insights.

    Videos are planned on Wednesdays #workshopwednesday. I'll update this page to keep a track of videos while these are posted. Hope you enjoy the videos and they will be useful.

    How do I configure 802.1X authentication? How do I configure Profiling, Onboard, Onguard? How to integrate with Active Directory, or deploy ClearPass Exchange?

     

    In this workshop series, we will cover these and more topics by showing you how to set up a lab environment from scratch with ClearPass, Aruba Instant wireless, and the ArubaOS switches.


    Index of videos: The schedule or content may change without prior notice.

    Here is the network diagram as used in the workshop:


    The 2017 version of the ClearPass Workshop is still here.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------


  • 2.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted May 27, 2021 12:43 PM
    This is great, Herman, and I'm looking forward to watching these videos. Let me also share that it's thanks to your videos that I have learned ClearPass.

    Hopefully there may be some future advanced videos. 😃


  • 3.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted May 28, 2021 03:11 AM
    I'll start with the basics. If you have requests for advanced topics, let me know.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 4.  RE: Aruba ClearPass Workshop (Video Series 2021)

    MVP
    Posted May 28, 2021 09:49 AM

    Herman,

    This is great! Can you go over some details about certificates? There are certificates for the web, radsec, onboard, and maybe more (database cert for cluster, cert for deployment of the quick connect app?)

    What certs do we need from the public CA vs. what private CA is OK?

    We have trouble with machine auth on WiFi and getting users authenticated because the machine can't connect, then the user can't log on. Details there would be a good refresher as I go back through the config to see what's wrong.


    thanks!!



    ------------------------------
    Phillip Horn
    ------------------------------



  • 5.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted May 28, 2021 10:15 AM
    Yes, certificates will be part of the labs, and I will try as much as possible to mention which type of certificates I will use and why.

    If you want to get going today, please check the ClearPass Certificates 101 Technote, as available on arubanetworks.com/clearpassdocs

    In general:
    - RADIUS/EAP Server certificate: Use certificates issued by a private PKI/CA. Same certificate on all of your ClearPass servers
    - RADIUS/EAP Client certificate (TLS): Get the certificates automatically enrolled / deployed from AD Group Policies/MDM solution, and issued from a private PKI/CA. Can be the same, or different one as the CA for the Server Cert. Unique certificate per client (or more if user+machine).
    - Radsec: Follow the guidance for EAP: Private CA. For your Radsec clients, use factory certs where possible, or find another way to get a client certificate enrolled to your network devices, like through EST.
    - Guest/Onboard: Use a public CA, so that unmanaged devices of your guests don't get certificate warnings. Wildcard Certificate will be fine here as you can use the same certificate on all of your servers.
    - WebUI: Use the same as for Guest/Onboard, as there is only a single HTTPS Server Certificate that you can deploy (with 6.10 you can deploy two, one RSA, one ECDSA, but both are for the same purpose of HTTPS). Multi-SAN is a more affordable option if you don't have a wildcard yet.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 6.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted May 28, 2021 02:32 AM

    Hi Herman, very nice step to revive the absolutely great series of 2017!

    Personally I would appreciate a tshoot video with common issues and pitfalls :)

    Keep up the good work!




  • 7.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted May 28, 2021 03:14 AM
    What I try to do is just walk through the process and 'forget' things while I go, so I run into issues in the videos, which I then show how to fix which introduces troubleshooting while we go. If you have specific questions, let me know.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 8.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted May 28, 2021 11:03 AM
    Hi Herman, very nice you are working on new videos. Is it possible to do a little part on EAP-TEAP and integration with Azure AD?

    Kind regards.

    ------------------------------
    James -
    ------------------------------



  • 9.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted Jun 09, 2021 07:43 AM
    Good suggestion on TEAP, will include that. For Azure AD integration, did you see this series that Mitchell created?

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 10.  RE: Aruba ClearPass Workshop (Video Series 2021)

    MVP
    Posted Jun 10, 2021 02:41 AM
    Hi Herman,

    I saw your video series from 2017. Perfect job. Thx for that. It would be nice, if you could include a video on Wired GuestAccess for HPE/Aruba Switches.

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 11.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted Jun 10, 2021 05:06 AM
    That is a good suggestion. For CX Switching, in the meantime, you could check the second part of this video. Or this for ArubaOS switch. It is also described in text in the Wired Policy Enforcement Solution Guide, available from https://www.arubanetworks.com/clearpassdocs.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 12.  RE: Aruba ClearPass Workshop (Video Series 2021)

    MVP
    Posted Jun 10, 2021 10:51 AM
    You were missing the video for configuring OnGuard Agentless (in the 2017 videos), where I have learned a lot :D and I really appreciate your efforts to provide such professional and easy to understand videos.

    However, it would be good for everyone who is new to ClearPass to have a video for configuring the OnGuard Agentless scenario, since it is a bit of a headache when not having sufficient material for configuration :)

    ------------------------------
    Shpat
    ------------------------------



  • 13.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted Jun 15, 2021 09:43 AM
    I'll keep that in mind, although having an OnGuard video with the agent might be more important than the specific agentless. I never got to that point.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 14.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted Jul 07, 2021 06:48 AM
    Hi Herman,
    First of all, great videos! They are very educational and I can design a lab environment based on them to eventually build into a production environment.

    In your videos you always mention Technotes, for example:

    ClearPass CPPM - Certificates 101 Tech Note V1.2
    https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us&docLocale=en_US


    But I also found others:

    Aruba ClearPass Technical Notes
    https://community.arubanetworks.com/blogs/esupport1/2020/10/19/aruba-clearpass-technical-notes

    CPPM CLUSTERING IN 6.8
    https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Clustering%20in%206.8.pdf

    CPPM Services Routing TechNote - V3.docx
    https://www.hpe.com/psnow/doc/a00100349en_us

    I still have problems understanding the routing between the mgmt and data port.

    Unfortunately I don't know if these are the latest versions. Or are there updated documents for 6.10?

    Where can you find all the Technotes for CPPM?

    Many greetings,
    Michael

    ------------------------------
    Michael Pilling
    ------------------------------



  • 15.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted Jul 07, 2021 07:01 AM
    Michael,

    All of the documents on www.arubanetworks.com/clearpassdocs are great content and according to the product team reviewed on a regular basis to check that the content is still accurate. For example, the concept of Service Routing is still the same, so while the date on the document looks old, it still is valid.

    For me, the main purpose of that Service Routing document is to explain why you should not use a separate management and data port. It's basically two interfaces in the same system, so it should not be used for any security purpose/separation. I have seen only very few use-cases where the use of the data port was useful, and that is in situations where you have routing challenges (again, not security challenges). My advice: just use the management port to avoid any risky situations. If you absolutely require the use of the data port, check with your local Aruba team, or Aruba Support, to have its use-case and security validated.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 16.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted Jul 09, 2021 02:20 PM
    Thanks for doing this updated series Herman. Your workshops are very helpful!

    ------------------------------
    Steve
    ------------------------------



  • 17.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted Oct 13, 2022 09:58 PM
    Thanks for doing all this Herman.  This really helps everyone out!



  • 18.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted Dec 07, 2022 08:54 PM
    Hello Herman,

    Do you have any info on certificate requests for ClearPass? It is for RSA. I tried to figure it out, but it still does not work: requesting a CSR from the ClearPass box, then requesting from the internal CA, and then converting does not seem to be going anywhere for me. If you can share some info on it, thank you very much. This is for versions 6.9 - 6.11.


  • 19.  RE: Aruba ClearPass Workshop (Video Series 2021)

    EMPLOYEE
    Posted Dec 08, 2022 08:19 AM
    This one should work to generate a key + CSR with OpenSSL. It mentions controller/instant, but should work for ClearPass as well with the remark that you may need to get a SAN in with DNS:<same as your CN>. That is common practice and commercial CAs will automatically add that, when using an internal CA it's not always clear. I'm not 100% sure if the SAN is required for the EAP certificate, but it is best to have it included.

    Note that if you use the built-in feature to generate a CSR, as soon as you have imported the certificate, you can export key+cert as a PKCS#12 from ClearPass (make sure you add a password during the export). That file can be used to back up or import in other systems. This is in case you want to create the certificate externally only for archiving purposes.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------
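
The key + CSR generation described in post 19, with the SAN set to `DNS:<same as your CN>`, as an added example that is not part of the original thread or the procedure it links to. The FQDN and output directory are supplied by the caller and the function names are hypothetical; the checks confirm the SAN is really in the request and that the CSR belongs to the key before it goes to an internal CA.

```shell
#!/usr/bin/env bash
# Added example: RSA key + CSR with a SAN that repeats the CN, plus checks
# to run before sending the CSR to an internal CA.

make_csr() (
    # $1 = FQDN used for CN and SAN (caller-supplied), $2 = output directory
    fqdn=$1; out=$2
    umask 077                      # key and config readable by owner only
    cat > "$out/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    # -nodes leaves the key unencrypted on disk; protect or remove it after import
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$out/req.cnf" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
)

csr_has_san() {
    # $1 = CSR file, $2 = expected DNS name; true only if the SAN is present
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

csr_matches_key() {
    # $1 = CSR file, $2 = private key; compare the two public keys
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (constructed placeholder name):
#   d=$(mktemp -d) && make_csr clearpass.example.com "$d" \
#     && csr_has_san "$d/server.csr" clearpass.example.com \
#     && csr_matches_key "$d/server.csr" "$d/server.key" && echo "CSR ready"
```

Some internal CAs drop extensions requested in the CSR, so run the same SAN check against the issued certificate (`openssl x509 -in cert.pem -noout -text`) before importing it.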



  • 20.  RE: Aruba ClearPass Workshop (Video Series 2021)

    Posted Dec 27, 2022 05:14 PM
    This is great!  Can you go over some details about certificates? There are certificates for the web, radsec, onboard, and maybe more (database cert for cluster, cert for deployment of the quick connect app?)