Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Live Update ClearPass Policy Manager

  • 1.  Live Update ClearPass Policy Manager

    Posted 15 days ago

    As suggested by TAC Arubanetworks, we have enabled internet access through the management interface for the Live Updates feature of CPPM. However, when clicking Generate Token and following the subsequent actions (such as redirecting to the web auth of HPE or Arubanetworks...), I still encounter a failure. There is also no event logged in the Event Viewer for this action. What should I do to activate the live update for my CPPM system?

    Error validating credential.... 

    But nothing in the Event Viewer:



  • 2.  RE: Live Update ClearPass Policy Manager

    Posted 15 days ago

    Hi

    To be able to authenticate and download the updates, make sure your ClearPass servers have internet access.

    Verify:

    • Working DNS to internet
    • Do you have proxy servers? If so, configure the correct proxy settings on each ClearPass server
    • Also verify that you have an active support agreement added for your hardware serial number or virtual server PAK license in the networking support site


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Live Update ClearPass Policy Manager

    Posted 15 days ago

    Hi, thanks for your reply.
    We're opening server access to the internet, but we only opened it on the mgmt interface. I'm so confused here, because I think ClearPass accesses the Update Server with the mgmt interface, right? When I try to ping the internet, the result shows the traffic going through the data interface...




  • 4.  RE: Live Update ClearPass Policy Manager

    Posted 15 days ago

    If you have both MGMT and Data enabled, the Data interface will be the default interface for all outgoing sessions.

    Except the following:

    • Traffic sent to a host on the same subnet as the MGMT interface
    • Reply to traffic sent directly to the MGMT interface
    • Any traffic sent to a host on a subnet with specific routing entry created from CLI making the MGMT interface the source interface


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Live Update ClearPass Policy Manager

    Posted 15 days ago

    Yes, but I don't know how to configure it so that the live update traffic goes through the management interface. Can you help me with this?




  • 6.  RE: Live Update ClearPass Policy Manager

    Posted 15 days ago

    In this case I think you have two options:

    1. Open internet access from the Data interface
    2. Add custom routing entries for the traffic to the update server, Aruba SSO servers etc

    I would recommend the first option, as this doesn't require any special configuration of your ClearPass hosts. Just open the outgoing ports for HTTPS on port 443, as well as external DNS.

    The second option, to create special routing out from the MGMT interface, will be harder to implement. First you need to find the correct addresses/subnets to add in your routing table, second add them, and finally hope that Aruba doesn't update any of the IP addresses in the future...

    The command to add routing entries in the CLI is:

    network ip add <mgmt|data|greN> [-i <id>] <[-s <SrcAddr>] [-d <DestAddr>]> [-g <ViaAddr>]
    Where
    greN -- Name of the gre tunnel where N corresponds to the gre
    tunnel number ranging from 1,2,3...N
    -i -- Optional parameter. Id of the network ip rule. If unspecified the
    system will auto generate the Id
    -s <SrcAddr> -- Optional parameter. The source interface ip address or netmask from
    where the network ip rule is specified. The allowed values are -
    valid IP Address or Netmask or '0/0'
    -d <DestAddr> -- Optional parameter. The destination interface ip address or netamsk
    where the network ip rule is specified. The allowed values are -
    valid IP Address or Netmask or '0/0'
    -g <ViaAddr> -- Optional parameter. The via or gateway ip address through which the
    network traffic should flow. The allowed value is valid IP Address"

    I usually use:

    network ip add mgmt -d <Destination CIDR> -g <Gateway IP address>



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
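Added example, not part of any post in this thread and not Aruba code: a small Python model of the interface-selection rules from post 4 and the route entry form from post 6, extended to list which destinations stay blocked when only one interface has internet access. The MGMT subnet, gateway and DNS server are constructed sample values, the update server address is the one reported in post 7, and the check that the gateway sits on the MGMT subnet is an assumption of this example.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
MGMT_SUBNET = "192.0.2.0/24"
MGMT_GATEWAY = "192.0.2.1"
DNS_SERVER = "198.51.100.53"
# Update server address as reported in post 7 of the thread.
UPDATE_SERVER = "104.36.248.89"

def egress_interface(dest, mgmt_routes=(), reply_to_mgmt=False):
    """Model of post 4: 'data' unless one of the three exceptions applies."""
    ip = ipaddress.ip_address(dest)
    if reply_to_mgmt:                              # reply to traffic that arrived on MGMT
        return "mgmt"
    if ip in ipaddress.ip_network(MGMT_SUBNET):    # host on the MGMT subnet
        return "mgmt"
    if any(ip in ipaddress.ip_network(r) for r in mgmt_routes):  # CLI routing entry
        return "mgmt"
    return "data"

def blocked(dests, open_interfaces, mgmt_routes=()):
    """Destinations whose egress interface has no internet access opened."""
    return [d for d in dests
            if egress_interface(d, mgmt_routes) not in open_interfaces]

def route_commands(cidrs, gateway=MGMT_GATEWAY):
    """Render entries in the 'network ip add mgmt -d ... -g ...' form from post 6."""
    gw = ipaddress.ip_address(gateway)
    if gw not in ipaddress.ip_network(MGMT_SUBNET):
        raise ValueError("gateway is not on the MGMT subnet")
    # ip_network() rejects CIDRs with host bits set, e.g. 104.36.248.89/24
    return [f"network ip add mgmt -d {ipaddress.ip_network(c)} -g {gw}"
            for c in cidrs]

if __name__ == "__main__":
    dests = [UPDATE_SERVER, DNS_SERVER]
    # Internet opened on MGMT only, no routing entries: everything leaves via Data.
    print(blocked(dests, {"mgmt"}))
    # One /32 entry moves the update server to MGMT, but DNS still leaves via Data.
    routes = [UPDATE_SERVER + "/32"]
    print(blocked(dests, {"mgmt"}, routes))
    print(route_commands(routes))
```

The second result shows why the routing option is the harder one: every destination the update process needs, DNS included, requires its own entry or an open path on the Data interface.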



  • 7.  RE: Live Update ClearPass Policy Manager

    Posted 8 days ago

    Hi, I opened the data interface to the internet but still get Error Validating Credential from CPPM :(

    From the Publisher, I can ping the internet (via the Data interface) but cannot traceroute to the ClearPass update server below

    I also captured a pcap and saw that our CPPM automatically tried to send ICMP to the ClearPass update server (IP 104.36.248.89) but got no response....

    Please tell me what is wrong with our CPPM :(




  • 8.  RE: Live Update ClearPass Policy Manager

    EMPLOYEE
    Posted 8 days ago

    It's quite normal these days that ping and traceroute are filtered/blocked in many networks. I can't traceroute beyond where you get the latest response, also can't ping clearpass.arubanetworks.com. So what you see seems expected.

    Error validating credential sounds more like an expired update token, or not having a valid subscription in the account used to generate the update token. It even suggests that ClearPass can reach the update server, as otherwise you would see a timeout/unreachable or so.

    For the updates, make sure that the account you use to sign in has your ClearPass serial number registered with an active support contract for that same appliance.

    Then when you generate the token, that happens in your browser, so your browser signs in, and based on the signed-in account, you will get a token, which then is transferred from your browser into your ClearPass. ClearPass does not have a part in the token generation, but uses the generated token once it is generated in your browser.

    Not using the same account as where ClearPass and its support is registered is the most common issue, so please verify that first.

    Also, this type of issue is probably easier to work on with Aruba TAC as they can have a look in the different systems that hold contract information. As a community we can just guess what may be wrong.

    I checked your screenshot again and it seems like you didn't even generate a token, as the Username in the update screen is empty. Please click 'Generate Token' there and sign in with the same (HPE Networking Support Portal) account where your ClearPass and contract are registered.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Live Update ClearPass Policy Manager

    Posted 7 days ago

    Yes, I did click on Generate Token and logged in to the HPE website with our account mapped to our CPPM; after authentication I got an invalid credential result.... Anyway, I opened a case with TAC, hopefully they can help me clear this issue.




  • 10.  RE: Live Update ClearPass Policy Manager

    EMPLOYEE
    Posted 14 days ago

    This is described in the Service Routing document.  That document and many others are available at https://arubanetworks.com/clearpassdocs.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------