Herman,
Our deployment was set this way from the beginning, but it has been a limited deployment until next month, when we take it live for everyone. This dual-interface setup is getting strange, since we now have a pub and sub, and the sub doesn't even have an address on the data port.
We just got approval to replace the old network (31 switches, ~20 buildings, ~400 APs) and I'm now trying to configure SSO Onboard with Azure AD, wired policy enforcement, and student/guest self-registration for devices.
Knowing what I know now (which isn't much), I would definitely have made different config choices.
How would you recommend (order of operations) going through the configuration if you were going to deploy (or re-deploy) a basically new network with CPPM using Mobility Gateway, 7210 (x2) controllers, 505H (dorms)/515-555 (public buildings/classrooms), 6200/6300, and 8325s for core and data center top of rack?
We have the concept, but as you can see, some of the details are a bit quirky. We plan to use Onboard for employees' devices (local AD, but want to migrate to Azure AD instead if possible - we have Intune, Defender ATP). We're using domain authentication for students, but we have yet to solve IoT (MPSK looks ideal for the Rokus and such).
We have AirWave, but it's all monitor-only, and we have NetEdit, but only a pair of CX switches that just came in, so we have most of the ingredients - it's just that the recipe is all jumbled.
I see a guide for ClearPass Onboard Cloud Identity Provider setup: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=32043
And a guide for Defender ATP setup:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00100312en_us
And a guide for Palo Alto Firewall integration:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00101503en_us
I'd like to use user based tunnel and/or port based tunnel with DUR to simplify the switch configs, but that doesn't seem finished in the CX switches.
If there were a validated reference guide, I'd try that, but that link is busted.
------------------------------
Phillip Horn
------------------------------
Original Message:
Sent: Nov 06, 2020 04:32 AM
From: Herman Robers
Subject: Clearpass blank screen when switching context
Phillip,
I share the idea that having separate interfaces for management and data is not best practice for ClearPass, where my main concern is that you make the deployment overly complex and it adds very little security. One point of attention is that you mention that 'everything else works within the management port network'; however, by default all outgoing traffic is routed from the data port. If it has been deployed like this, from a distance it's hard to tell if it is worth moving back to a single-interface deployment. Dual-interface deployment is fully supported. I would probably postpone such a change until you have other things to change where the dual interface may interfere with what you are doing, or IP changes where you need to change surrounding routers/firewalls anyway.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
Original Message:
Sent: Nov 04, 2020 08:36 AM
From: Phillip Horn
Subject: Clearpass blank screen when switching context
Hey thanks,
Yes, the status of the cluster is good from the dashboard. (Not sure if there's somewhere else to check)
I'll check with support on that ticket (closed) and see about getting some escalation.
One other thing that may or may not matter for this issue (and may itself be another configuration error): there is a management port and a data port.
The integrator that set it up told us that in order to secure the guest Wi-Fi, we should use a different VLAN for the data port, put the guests there, and then everything else should go to the management port. See below:
We ended up with 192.168.x.x/22 from the Palo Alto FW DMZ set up as the data port, and the guest Wi-Fi all works off that network. Everything else works within the 10.x network to provide connectivity. Should I fix this? I hadn't had any training when it was configured, so I didn't really know about the role-based firewall built in. After attending training (ATM18), I learned that many of the things done were not best practice. Anyway - that probably has nothing to do with the above issue, and I'll check in with support, but I wanted thoughts on this config.
Thanks.
------------------------------
Phillip Horn
Original Message:
Sent: Nov 04, 2020 07:01 AM
From: Herman Robers
Subject: Clearpass blank screen when switching context
I have seen single-sign-on issues between Policy Manager and Guest only occasionally, just after an upgrade, and most times they went away after clearing the cache of my browser and restarting the browser, or using another browser. The message that you see seems related to the fact that your ClearPass publisher 'thinks' it is a subscriber for Guest operations.
May I assume that if you check the cluster from your publisher all looks good? Publisher is ok, all subscribers are ok and in sync?
Aruba support is probably the only team that can fix this for you as I assume that this is somewhere low-level in the configuration database. If you still have the case open, have it escalated. If it is closed, ask to have it re-opened.
If you can afford downtime, what you might do is make one of your subscribers the publisher and see if that fixes the SSO. Then, if you like, move back to the original publisher. But working with TAC is the safer option.
------------------------------
Herman Robers
Original Message:
Sent: Nov 03, 2020 04:53 PM
From: Phillip Horn
Subject: Clearpass blank screen when switching context
------------------------------
Phillip Horn
------------------------------