Security

Customer is currently using Clearpass for 802.1x Auth on existing AOS8 Mobility Conductor + 2 x 7205 Controller architecture and has requested a POC to possibly migrate to cloud.

Standing up the AP's in Aruba Central etc is the easy part but what I would like to understand is the certificate requirement and would appreciate any guidance/advice i.e.

1. Existing certificates (CSR) would have been created on MC and certificates installed on CPPM and user device
2. I assume whilst running the POC in parallel, we would need new certificates created in Aruba Central and also installed on Clearpass and devices
3. If the above is true, how would CPPM know when to use which certificate should a customer for example roam between existing infrastructure and POC or vice versa

Hi

First, let's define some words. I will use POC in the meaning of a small test on the same site as you also have your current production SSID and the clients can see both SSID's at the same time. This phase is to validate the new design, but should not replace the production SSID yet. I will use Pilot for a later step where you only have the Central managed access points on a site. In this phase normal users will use the new design and connect to AP managed with Central.

During the POC, do not use the same SSID! This will possibly cause the clients to jump between different IP subnets and if you run into any issues troubleshooting will be hard as you can't control if the client is connected to the controller managed or Central managed AP's. Instead set up a POC SSID. If you have managed clients, you can configure a subset of the clients to connect to this new SSID as well in addition to the normal SSID.

I'm not sure about what certificates you are referring to as there are a lot of different certificates. This is a short list, maybe I have missed something:

• Root certificate (s), should be installed as trusted in ClearPass and clients. The root should already be in place
• Intermediate(s), if present should be installed as trusted in ClearPass and clients. The intermediate(s) should already be in place
• Client certificates, the certificates that the client already have today. No need to change anything
• ClearPass RADIUS certificate, already installed. No need to change. But in the SSID configuration on managed devices this certificate must be added as a trusted certificate for EAP. Probably you already have this done for the current SSID
• ClearPass https certificate, already installed. No need to change. Most interesting for guest portal if you have a captive portal. No need to change this certificate
• Controller certificates, the controllers can have several different certificates but this is for administrative access you don't need to transfer this certificate to the Central managed AP's

Do you have other certificates in mind?

Customer is currently using Clearpass for 802.1x Auth on existing AOS8 Mobility Conductor + 2 x 7205 Controller architecture and has requested a POC to possibly migrate to cloud.

Standing up the AP's in Aruba Central etc is the easy part but what I would like to understand is the certificate requirement and would appreciate any guidance/advice i.e.

1. Existing certificates (CSR) would have been created on MC and certificates installed on CPPM and user device
2. I assume whilst running the POC in parallel, we would need new certificates created in Aruba Central and also installed on Clearpass and devices
3. If the above is true, how would CPPM know when to use which certificate should a customer for example roam between existing infrastructure and POC or vice versa

Hi Jonas,

Yes, agreed with your view on POC and I already advised the customer to use different SSID's to avoid devices connecting to old SSID through bleed etc.

My issue is understanding the certificates as previously explained so let's try again.

When the customer had their original installation, (My assumption) is that they would have created a CSR through Clearpass and/or their controllers and this CSR would be tied to the TPM of the controller. (I spent days trying to figure out why RAPS won't work on virtual controllers and in the end it all came down to VC's don't have any TPM's and I had to find a workaround)

The above certificate is how the customer is working today i.e. 802.1x EAP-TLS with user and machine auth.

For the POC where w ehave a small area and 50 x devices for example, we will be using a new architecture but again ask Clearpass to do the authentication via EAP-TLS.

If the same certificates can be used with Aruba Central that the customer is using today with the MC environment, then we're all good but in practice if I stand up a brand new CPPM and Aruba Central today for any other client, we would need new certificates for 802.1x EAP-TLS hence why I am asking about either re-using or issuing new certs in case any user wish to "roam" from the POC area to the old environment.

Hi

First, let's define some words. I will use POC in the meaning of a small test on the same site as you also have your current production SSID and the clients can see both SSID's at the same time. This phase is to validate the new design, but should not replace the production SSID yet. I will use Pilot for a later step where you only have the Central managed access points on a site. In this phase normal users will use the new design and connect to AP managed with Central.

During the POC, do not use the same SSID! This will possibly cause the clients to jump between different IP subnets and if you run into any issues troubleshooting will be hard as you can't control if the client is connected to the controller managed or Central managed AP's. Instead set up a POC SSID. If you have managed clients, you can configure a subset of the clients to connect to this new SSID as well in addition to the normal SSID.

I'm not sure about what certificates you are referring to as there are a lot of different certificates. This is a short list, maybe I have missed something:

• Root certificate (s), should be installed as trusted in ClearPass and clients. The root should already be in place
• Intermediate(s), if present should be installed as trusted in ClearPass and clients. The intermediate(s) should already be in place
• Client certificates, the certificates that the client already have today. No need to change anything
• ClearPass RADIUS certificate, already installed. No need to change. But in the SSID configuration on managed devices this certificate must be added as a trusted certificate for EAP. Probably you already have this done for the current SSID
• ClearPass https certificate, already installed. No need to change. Most interesting for guest portal if you have a captive portal. No need to change this certificate
• Controller certificates, the controllers can have several different certificates but this is for administrative access you don't need to transfer this certificate to the Central managed AP's

Do you have other certificates in mind?

Customer is currently using Clearpass for 802.1x Auth on existing AOS8 Mobility Conductor + 2 x 7205 Controller architecture and has requested a POC to possibly migrate to cloud.

Standing up the AP's in Aruba Central etc is the easy part but what I would like to understand is the certificate requirement and would appreciate any guidance/advice i.e.

1. Existing certificates (CSR) would have been created on MC and certificates installed on CPPM and user device
2. I assume whilst running the POC in parallel, we would need new certificates created in Aruba Central and also installed on Clearpass and devices
3. If the above is true, how would CPPM know when to use which certificate should a customer for example roam between existing infrastructure and POC or vice versa