Downloadable user roles are a great feature on Aruba controllers, switches, and even IAPs. They allow Clearpass to be the true policy definition point for both the Aruba wired and wireless networks and allow the policy to be modified in a single location. The hardest part of the configuration was uploading the Clearpass certificate to each switch. The latest code release (16.08) eliminates this pain point. The switch can now automatically download the certificate from Clearpass by modifying a single line of configuration. Here is a breakdown of the process.
My lab switch already contained the needed certs so the first step to test the new feature was to delete all of the existing CA certs. This can be accomplished using the “crypto pki zeroize” command.
Next I decided to default my switch configuration to make sure I was starting the configuration from scratch.
Once the switch rebooted I validated that the switch no longer had the certificate from my lab Clearpass server:
Basic switch configuration commands were added to synchronize time, so that the certificate validity period is checked against a correct clock and any troubleshooting is easier:
ntp server <server ip>
time daylight-time-rule continental-us-and-canada
time timezone -240
password manager user-name <username> plaintext <password>
The switch will need to be configured with a Clearpass user account to gain access to the certs and downloadable user roles. I used a read-only account in my lab:
The final configuration step is to add the Clearpass server as a RADIUS server on the switch:
radius-server host <CPPM IP address> clearpass
radius-server cppm identity <CPPM user> key <password>
radius-server host <CPPM IP address> key <shared secret>
radius-server host <CPPM IP address> dyn-authorization
radius-server host <CPPM IP address> time-window plus-or-minus-time-window
radius-server host <CPPM IP address> time-window 30
This configuration should look very familiar compared to previous code versions. The only configuration that has changed is that I added “clearpass” to the end of the first command to indicate that this RADIUS server will be a Clearpass server. That is the command that triggers the auto-certificate download.
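As an added example (not code from the original post), here is a small Python check that audits a switch running-config for the settings described above: an ntp server, the cppm identity, and the “clearpass” tag plus dyn-authorization and time-window on each CPPM host entry. The sample configs and the 192.0.2.x addresses are constructed placeholders.

```python
import re

# Constructed sample configs (host addresses are RFC 5737 placeholders).
GOOD_CONFIG = """
ntp server 192.0.2.10
radius-server host 192.0.2.20 clearpass
radius-server cppm identity cppm-ro key ro-password
radius-server host 192.0.2.20 key shared-secret
radius-server host 192.0.2.20 dyn-authorization
radius-server host 192.0.2.20 time-window plus-or-minus-time-window
radius-server host 192.0.2.20 time-window 30
"""
# Same host, but the "clearpass" tag and the ntp server were forgotten.
BAD_CONFIG = "\n".join(
    ln for ln in GOOD_CONFIG.splitlines()
    if not ln.startswith("ntp ") and not ln.endswith(" clearpass")
)

# Captures the host IP and the first keyword after it (clearpass, key, ...).
HOST_RE = re.compile(r"^radius-server host (\S+)(?: (\S+)(?: .*)?)?$")


def audit_cppm_config(config: str) -> dict:
    """Return {'global': [...], 'hosts': {ip: [...]}} listing what is missing."""
    hosts, has_ntp, has_identity = {}, False, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ntp server "):
            has_ntp = True
        elif line.startswith("radius-server cppm identity "):
            has_identity = True
        m = HOST_RE.match(line)
        if m:
            ip, keyword = m.group(1), m.group(2)
            hosts.setdefault(ip, set()).add(keyword)
    findings = {"global": [], "hosts": {}}
    if not has_ntp:
        findings["global"].append("no ntp server: certificate validity checks may fail")
    if not has_identity:
        findings["global"].append("no radius-server cppm identity: switch cannot log in to ClearPass")
    for ip, keywords in hosts.items():
        problems = []
        if "clearpass" not in keywords:
            problems.append("host not tagged clearpass: auto certificate download will not trigger")
        for required in ("dyn-authorization", "time-window"):
            if required not in keywords:
                problems.append(f"missing {required}")
        findings["hosts"][ip] = problems
    return findings
```

Feed it the output of show running-config from a 16.08 switch to confirm nothing was left out before expecting the certificate to appear in the ta-profile.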
Here is my test switch configuration:
Once the RADIUS server configuration has been added you can check the switch security logs to see if the switch has checked in with the Clearpass server and received the server certificate. I enabled security logging using the “debug security” command. Here is the output of “show log -r”:
To validate which certificates have been downloaded use the “show crypto pki ta-profile” command:
My lab Clearpass server is using a certificate from Comodo.
As you can see, this process is much simpler than having to manually upload the certificate to every switch. It will also eliminate extra steps when using zero touch provisioning to roll out your switch infrastructure.
I’m currently having to dig into the HPE Provision line of switches. Here are a few notes to document the process of upgrading the code on an HPE 2920.
Step 1 – Validate current code version using show version command:
Step 2 – Copy new code to flash using copy tftp flash command:
Once the file transfer is complete the system will validate the new code:
Step 3 – Verify the system is configured to boot off the partition with the new code installed using the show flash command:
Step 4 – Reboot the switch using the reboot command (make sure to save changes if needed)
UDP 88 – Kerberos Auth
TCP 464 – Kerberos Password
UDP/TCP 135 – Domain Controller
TCP 636 – LDAP SSL
UDP/TCP 389 – LDAP
UDP 53 – DNS
TCP 3268 – Global Catalog
TCP/UDP 3269 – Global Catalog over SSL
TCP 5432 – Database Replication
TCP 443 – HTTPS
UDP 123 – NTP
TCP 80 – Change Status
TCP 80 – HTTP
TCP 443 – HTTPS
TCP 6658 – OnGuard Agent
UDP 1812/1813 – RADIUS
UDP 3779 – RADIUS CoA
UDP 67 – DHCP
UDP 161/162 – SNMP
UDP 5999 – AirGroup RADIUS CoA
I was playing in my lab today and ran into an issue where my Aruba access point would not advertise my newly created SSID on my local controller. I started digging around and first noticed my AP was up but was flagged inactive:
Next I checked to see if that access point was advertising a bss:
The next step was to check and see if I had any profile errors:
And there is the problem. I configured my VLAN on my master controllers but forgot about the locals. As soon as I added VLAN 100 to my local I could see and connect to my SSID:
The point of this story is to not get in a hurry when configuring your controllers and make sure your networking config is solid on your local controllers.