Clearpass Certificate Download to AOS-Switch

Downloadable user roles are a great feature on Aruba controllers, switches, and even IAPs. They allow Clearpass to be the true policy definition point for both the Aruba wired and wireless networks and allow the policy to be modified in a single location. The hardest part of the configuration was uploading the Clearpass certificate to each switch. The latest code release (16.08) eliminates this pain point: the switch can now automatically download the certificate from Clearpass after a change to a single line of configuration. Here is a breakdown of the process.

My lab switch already contained the needed certs so the first step to test the new feature was to delete all of the existing CA certs.  This can be accomplished using the “crypto pki zeroize” command.

[screenshot: aos_s_remove_old_certs]

Next I decided to default my switch configuration to make sure I was starting the configuration from scratch.

[screenshot: aos_s_erase_start]

Once the switch rebooted I validated that the switch no longer had the certificate from my lab Clearpass server:

[screenshot: aos_s_default_certs]

Basic switch configuration commands were added so that time is synchronized (otherwise certificate validity checks will fail) and troubleshooting is easier:

hostname <hostname>
ntp server <server ip>
time daylight-time-rule continental-us-and-canada
time timezone -240
password manager user-name <username> plaintext <password>

The switch will need to be configured with a Clearpass user account to gain access to the certs and downloadable user roles.  I used a read-only account in my lab:

[screenshot: Clearpass_user]

The final configuration step is to add the Clearpass server as a RADIUS server on the switch:

radius-server host <CPPM IP address> clearpass
radius-server cppm identity <CPPM user> key <password>
radius-server host <CPPM IP address> key <shared secret>
radius-server host <CPPM IP address> dyn-authorization
radius-server host <CPPM IP address> time-window plus-or-minus-time-window
radius-server host <CPPM IP address> time-window 30

This configuration should look very familiar compared to previous code versions.  The only configuration that has changed is that I added “clearpass” to the end of the first command to indicate that this RADIUS server will be a Clearpass server. That is the command that triggers the auto-certificate download.

Here is my test switch configuration:

[screenshot: aos_s_CPPM_config]

Once the RADIUS server configuration has been added you can check the switch security logs to see whether the switch has checked in with the Clearpass server and received the server certificate. I enabled security logging using the “debug security” command. Here is the output of “show log -r”:

[screenshot: aos_s_download_cert_success]

To validate which certificates have been downloaded use the “show crypto pki ta-profile” command:

[screenshot: aos_s_ta_profile]

My lab Clearpass server is using a certificate from Comodo.

As you can see this process is much simpler than having to manually upload the certificate to every switch.  This process will also help eliminate extra steps when trying to utilize zero touch provisioning to roll out your switch infrastructure.


Upgrade Code on a HPE Provision Switch

I’m currently having to dig into the HPE Provision line of switches. Here are a few notes to document the process of upgrading the code on an HPE 2920.


Step 1 – Validate the current code version using the show version command:

[screenshot: initial_sh_version]

Step 2 – Copy the new code to flash using the copy tftp flash command:

[screenshot: copy_command]

Once the file transfer is complete the system will validate the new code:

[screenshot: validate]

Step 3 – Verify that the system is configured to boot off the partition with the new code installed, using the show flash command:

[screenshot: final_sh_version]

Step 4 – Reboot the switch using the reboot command (make sure to save changes first if needed).

Clearpass – Ports needed between CPPM and Active Directory

UDP 88 – Kerberos Auth

TCP 464 – Kerberos Password

UDP/TCP 135 – Domain Controller

TCP 636 – LDAP SSL

UDP/TCP 389 – LDAP

UDP 53 – DNS

TCP 3268 – Global Catalog

TCP/UDP 3269 – Global Catalog over SSL

Clearpass – Ports Needed between Two CPPM servers

TCP 5432 – Database Replication

TCP 443 – HTTPS

UDP 123 – NTP

TCP 80 – Change Status

Clearpass – Ports Needed between Client and CPPM server

TCP 80 – HTTP

TCP 443 – HTTPS

TCP 6658 – OnGuard Agent

UDP 1812/1813 – RADIUS

UDP 3779 – RADIUS CoA

UDP 67 – DHCP

UDP 161/162 – SNMP

UDP 5999 – AirGroup RADIUS CoA
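As an added example (not from the original post), here is a small Python helper that turns these port lists into a machine-checkable matrix: it parses the lines as written above (including the dual-protocol and dual-port rows) and probes only the TCP entries, because a connect() says nothing about the UDP rows.

```python
import re
import socket

# Constructed input: two of the lists from this post, copied as written above.
CPPM_TO_AD = """UDP 88 – Kerberos Auth
TCP 464 – Kerberos Password
UDP/TCP 135 – Domain Controller
TCP 636 – LDAP SSL
UDP/TCP 389 – LDAP
UDP 53 – DNS
TCP 3268 – Global Catalog
TCP/UDP 3269 – Global Catalog over SSL"""

CLIENT_TO_CPPM = """TCP 80 – HTTP
TCP 443 – HTTPS
TCP 6658 – OnGuard Agent
UDP 1812/1813 – RADIUS
UDP 3779 – RADIUS CoA
UDP 67 – DHCP
UDP 161/162 – SNMP
UDP 5999 AirGroup RADIUS CoA"""

# PROTO[/PROTO] PORT[/PORT] [– ]Service; the dash is optional (see last line).
LINE_RE = re.compile(r"^\s*([A-Za-z/]+)\s+([\d/]+)\s*(?:[–-]\s*)?(.*)$")

def parse_port_lines(text):
    """Expand each line into one (proto, port, service) tuple per combination."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable line: {line!r}")
        protos, ports, service = match.groups()
        for proto in protos.upper().split("/"):
            for port in ports.split("/"):
                entries.append((proto, int(port), service.strip()))
    return entries

def tcp_targets(entries):
    """A TCP connect() proves nothing about the UDP rows (RADIUS, CoA, SNMP,
    DNS), so only TCP ports are returned for a plain reachability probe."""
    return sorted({port for proto, port, _ in entries if proto == "TCP"})

def probe_tcp(host, port, timeout=2.0):
    """Return True when a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run probe_tcp(<CPPM or AD address>, port) for each value from tcp_targets() from the source side of the rule; the UDP rows still need a real RADIUS or DNS transaction to prove.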

Where is the SSID that I just configured?

I was playing in my lab today and ran into an issue where my Aruba access point would not advertise my newly created SSID on my local controller. I started digging around and first noticed my AP was up but was flagged inactive:

[screenshot: acmx_-_troubleshooting_ap_not_active]

Next I checked to see if that access point was advertising a BSS:

[screenshot: acmx_-_troubleshooting_ap_not_active_-_sh_ap_bss]

The next step was to check and see if I had any profile errors:

[screenshot: acmx_-_troubleshooting_ap_not_active_-_sh_profile-errors]

And there is the problem. I configured my VLAN on my master controllers but forgot about the locals. As soon as I added VLAN 100 to my local I could see and connect to my SSID:

[screenshot: acmx_-_troubleshooting_ap_not_active_-_fixed_by_adding_VLAN]

The point of this story is to not get in a hurry when configuring your controllers and make sure your networking config is solid on your local controllers.