Hi Herman, Thank you for making these videos
Hello
thank you for the video,
Question: we have an Aruba Mobility Controller; is the configuration the same as for Aruba Instant?
Configuration steps on Aruba Mobility controllers are similar, but the screens look different. You could check the following series for more details on how to set up controllers, including the connection to ClearPass.
@hermanrobers can't find the video for the controllers?
Is it possible to configure one SSID for all employees in different departments, so that every employee connects to the VLAN that the employee's department belongs to?
thank you very much
@mohammadalhaddad1472 Yes, you can do that (at least with Aruba Instant or Controllers). Just return in ClearPass a different role (and/or VLAN) based on role mapping with the OU or Department field or Group membership in AD. Which one is best depends on how your AD is set up and which is most reliable to determine the department of a user. And here is the video series for Aruba controllers: th-cam.com/video/D-wV55N8hgc/w-d-xo.html
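To make the three choices in that answer (OU, Department attribute, group membership) concrete, here is an added Python model of the role-mapping decision. It is example code, not ClearPass configuration or Aruba code: ClearPass expresses this as role-mapping rules in its GUI. The department-to-role/VLAN table, the attribute names (distinguishedName, department, memberOf), the `Dept-<Name>` group naming and the sample users are all constructed assumptions. Anything that does not resolve to a known department falls to a restricted role, so a stale or mistyped attribute fails closed instead of landing in another department's VLAN.

```python
"""Role mapping on AD attributes (added example, not ClearPass code)."""

# Constructed mapping: department -> (role returned to the NAD, VLAN).
DEPARTMENT_ROLES = {
    "Sales": ("Employee-Sales", 110),
    "Engineering": ("Employee-Eng", 120),
    "Finance": ("Employee-Fin", 130),
}
# Least-privilege fallback when no department can be determined.
DEFAULT_ROLE = ("Employee-Restricted", 199)


def parse_dn(dn):
    """Split an LDAP DN (RFC 4514) into (TYPE, value) pairs.

    Handles backslash-escaped commas such as 'CN=Doe\\, Jane', which a naive
    dn.split(',') would break on.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for rdn in parts:
        typ, _, val = rdn.strip().partition("=")
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def department_from_ou(dn):
    """First OU in the DN that is a known department, else None.

    AD lists the most specific OU first, so a user under
    OU=Laptops,OU=Sales,... resolves to Sales.
    """
    for typ, val in parse_dn(dn):
        if typ == "OU" and val in DEPARTMENT_ROLES:
            return val
    return None


def department_from_groups(member_of):
    """Department from group membership; assumes groups named 'Dept-<Name>'."""
    for group_dn in member_of:
        for typ, val in parse_dn(group_dn):
            if typ == "CN" and val.startswith("Dept-"):
                dept = val[len("Dept-"):]
                if dept in DEPARTMENT_ROLES:
                    return dept
    return None


def map_role(user, source="ou"):
    """Return (role, vlan) for a user dict, trusting one AD attribute.

    source is 'ou', 'department' or 'group'. Unknown departments get DEFAULT_ROLE.
    """
    if source == "ou":
        dept = department_from_ou(user["distinguishedName"])
    elif source == "department":
        dept = user.get("department")
    elif source == "group":
        dept = department_from_groups(user.get("memberOf", []))
    else:
        raise ValueError("unknown source: %s" % source)
    return DEPARTMENT_ROLES.get(dept, DEFAULT_ROLE)


# Constructed sample users, shaped like the attributes ClearPass fetches from AD.
SAMPLE_USERS = {
    "jdoe": {
        "distinguishedName": "CN=Doe\\, Jane,OU=Laptops,OU=Sales,DC=example,DC=com",
        "department": "Sales",
        "memberOf": ["CN=Dept-Sales,OU=Groups,DC=example,DC=com"],
    },
    "bsmith": {  # OU is right, the free-text department attribute is stale
        "distinguishedName": "CN=Bob Smith,OU=Engineering,DC=example,DC=com",
        "department": "Engineerng",
        "memberOf": [],
    },
    "contractor": {  # not under a department OU: must land in the restricted role
        "distinguishedName": "CN=Contractor,OU=External,DC=example,DC=com",
        "department": "",
        "memberOf": [],
    },
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_USERS.items():
        for src in ("ou", "department", "group"):
            print(name, src, map_role(attrs, src))
```

Running it shows why the answer says the best source depends on the directory: the same user resolves correctly from the OU but falls to the restricted role from a misspelled department attribute, and a user outside any department OU never inherits another department's VLAN.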
thank you for your reply. We tried to use the OU for the department name but can't make the filter work; in AD I can see the department name in the OU.
And I am still confused about how to set up the Role :(.
I will watch the video again and try to make it work.
Thank you very much
Hi Herman, once again a great and helpful video! Thank you very much for it! Will there also be videos on Mobility Master and ClearPass? I would find that very helpful, as not everyone has a setup with IAPs. Thank you very much!
Sounds like a good addition to the series. Did not plan that, but let me see if I can include MM/AOS8.
@hermanrobers Great, that would be a real help for me and I'm sure for many others! In the Airheads community, I have often seen questions about CPPM and Mobility Master that refer to your videos, such as the wireless network, or wireless network with self-registration, but in which the answers are more related to IAP.
@hermanrobers Yes, it will be great, as most implementations nowadays are with MM and MC, but in general I believe the concepts are the same.
Thanks for your tutorial. I would like to ask if I have a wireless controller, are the configuration steps much different from configuring on instant AP?
These steps are similar, it just looks different on an Aruba controller. You can check th-cam.com/video/ziYmGBu1VWM/w-d-xo.html to see how the workflow is on a controller.
@hermanrobers thank you, just one more question: is it mandatory to set up the AP in tunnel mode if we use the controller as a RADIUS client?
Thanks for this detailed walkthrough. I am trying to follow along with a new VM we spun up to migrate our ClearPass. I have successfully followed up until the last check of the Access Tracker. I am getting a "RADIUS EAP: Client doesn't support configured EAP methods" error in the alerts with a 9015 error code. Am I doing something wrong?
First make sure that you see the request matched to the right service. Then if you still see this message, it means that what you configured as Authentication Methods (like EAP-TLS) does not match what the client is capable of doing. In the workshop, I use certificates issued by Active Directory. If the client does not have a client certificate that it could use for client authentication, it may reject the EAP-TLS method, with this error as a result. Please check that you have a client certificate and have configured EAP-TLS on the client (on Windows that is called "Smart card or other certificate").
Hi Herman, thx for your great workshop! I tried to follow your setup. Can you explain why you see two entries in the Access Tracker, one for machine authentication and one for user authentication? In my Access Tracker I only have one entry (Roles: Machine Authenticated + User Authenticated).
Matthias, what is the username that you see? The user's or the machine's? With EAP-TLS there are two separate entries: one for the user authentication (once the client is logged in) and one for the computer authentication (if the client is logged out, and most times when you first connect to a network). If you see the role Machine Authenticated for a user authentication, that means that ClearPass has seen a computer authentication as well. You can check the video on User+Computer authentication, and the one on TEAP that combines both User and Computer in the same authentication.
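The explanation above describes how a user authentication can carry the Machine Authenticated role only because an earlier computer authentication from the same client was seen. The following added Python example models that correlation over a constructed list of Access Tracker-like events; it is illustrative code, not ClearPass's implementation. The event fields, the cache lifetime, the `host/` identity prefix convention and the MAC addresses are assumptions made for the example.

```python
"""Correlating machine and user 802.1X authentications (added example, not ClearPass code)."""
from collections import namedtuple

# Constructed event shape: epoch seconds, EAP identity, client MAC.
Event = namedtuple("Event", "ts username mac")

# Assumed lifetime of a remembered machine authentication, in seconds.
MACHINE_AUTH_CACHE_SECONDS = 24 * 3600


def is_machine_identity(username):
    """Windows presents the computer account as 'host/<fqdn>' in EAP-TLS."""
    return username.lower().startswith("host/")


def classify(events, cache_seconds=MACHINE_AUTH_CACHE_SECONDS):
    """Return a list of (event, roles) in time order.

    A machine authentication gets 'Machine Authenticated' and is remembered per
    client MAC. A user authentication gets 'User Authenticated' and, when the
    same MAC authenticated as a machine within cache_seconds, also
    'Machine Authenticated'. MACs are compared case-insensitively because
    different NAS types report them in different case.
    """
    last_machine_auth = {}  # MAC -> timestamp of the last computer authentication
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        mac = ev.mac.lower()
        if is_machine_identity(ev.username):
            last_machine_auth[mac] = ev.ts
            roles = ["Machine Authenticated"]
        else:
            roles = ["User Authenticated"]
            seen = last_machine_auth.get(mac)
            if seen is not None and 0 <= ev.ts - seen <= cache_seconds:
                roles.append("Machine Authenticated")
        results.append((ev, roles))
    return results


# Constructed sample events.
SAMPLE_EVENTS = [
    Event(1000, "host/laptop01.example.com", "AA:BB:CC:00:00:01"),  # at the logon screen
    Event(1060, "EXAMPLE\\jdoe", "aa:bb:cc:00:00:01"),              # user logs in on it
    Event(2000, "EXAMPLE\\bsmith", "AA:BB:CC:00:00:02"),            # device never did machine auth
    Event(1000 + 2 * 24 * 3600, "EXAMPLE\\jdoe", "AA:BB:CC:00:00:01"),  # cache has expired
]

if __name__ == "__main__":
    for ev, roles in classify(SAMPLE_EVENTS):
        print(ev.ts, ev.username, ev.mac, "->", " + ".join(roles))
```

The output reproduces the two Access Tracker entries from the answer: the first for `host/laptop01` with Machine Authenticated, the second for the user with both roles. The third and fourth events show the two cases where a user authentication is not trusted as machine-authenticated, a device that never performed a computer authentication and one whose cached authentication is too old.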
@hermanrobers Thx for your explanation. I see the user's username. Makes sense...
Hi, in the 802.11 protocol, what is the meaning of MDID?
Hello Herman,
thank you for your videos. I have a question regarding the connection for Wi-Fi.
When I change the settings and set it to WPA-Enterprise, to let the user connect again to a different Wi-Fi they have to forget the old Wi-Fi and connect to it again, which will change the WPA-Enterprise settings, which will cause headaches. Is there a way to mitigate this issue?
You could preconfigure the client through Group Policies or other Device Management. Networks normally don't switch security types, and if they do it's recommended to use a different SSID name to avoid the issue that you see. You probably don't want your clients to connect to an open SSID with the same name as your WPA2-Enterprise SSID, so consider this more a security measure.
@hermanrobers thank you for the reply. Regarding the group policy in AD, can I specify such an option? And regarding the SSID, I think there is a misunderstanding.
The users will connect with their laptops inside and outside the office, so when they connect externally the SSID will not be WPA-Enterprise.
@mohammedkeswani2494 not sure if I still understand... if you want your users to connect to your company SSID internally with WPA-Enterprise and on other locations with WPA-PSK (example), you should have different SSID names because the same SSID name cannot (should not) be used with different security mechanisms. If you want users inside your company to connect to the corporate network with WPA-Enterprise, and at home or on the road to the home network or hotspots, there is no issue as those will be different SSID names.
@hermanrobers thank you, that is what I wanted to know. When I tested the SSID that I wanted to connect to, it tested fine; when I wanted to revert to the other SSID in the same office "that doesn't use WPA-Enterprise", I had to forget that network and then join it again.
Thanks !!! Really helpful
If we enable RadSec for the dot1x SSID,
could you let me know what cert needs to be uploaded as the RadSec cert and as the RadSec CA cert in the IAP?
For the Radsec Cert on the IAP, you will need to upload a client certificate (plus private key) for that IAP. That client certificate needs to be issued by a CA that is in ClearPass in the Trust List enabled for purpose RadSec. A p12 file will work best.
The RadSec CA should be the root CA certificate that issued the RadSec certificate that is installed on your ClearPass server. For that cert, I prefer to use a .pem file.
@hermanrobers for the RadSec cert you have mentioned a client cert to be uploaded.
Can we use the same cert on client devices (such as laptops) or do we need to generate a new cert just for IAPs?
Do we need to chain it in the order server, inter, root, private key
or
just server and private key?
Thanks
@rajum3386 For the client certificate, the one for your AP, you should 'chain' it to have the client cert and intermediates up to the root (the root CA should not be in the chain). While it technically would work to have the same certificate for laptops and IAPs, that is strongly deprecated. Certificates should be device or user unique, so in case you lose a certificate, you don't need to replace the certificates on all of your devices. Also, with different certificates, you can use the attributes in the certificate in your access decision, or for RadSec to link a Network Device in ClearPass to a specific certificate.