essential information from youtube videos of Airhead Broadcasting channel:


---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #1 Wired 802.1X
---------------------------------------------------------------------------------------------------
- see also: HPE Aruba Wired Enforcement Guide
- 802.1x on windows: services > Wired AutoConfig > set to automatic
after service is enabled, an "authentication" tab is visable in the network settings of the interface
>> decide between user or computer authentication
- in clearpass create a network device + a shared secret
- port bounce: interface 1/x/x > shutdown > no shutdown
- in clearpass create a a 802.1X Wired service, choose active directory as authenticaton source


---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #2 Wired User Roles
---------------------------------------------------------------------------------------------------
- Rolebased access with local user roles
- best practise enable accounting: aaa accounting port-access start-stop interim 60 group clearpass
- best practise enable client visability:
client track ip #enable on global level
vlan xx
client track ip #enable per vlan
#on uplink port do a: client track ip disable
- in Clearpass Enforcement profile assign a role: for example admin
- create role on switch:
port-access role admin
vlan access name Management VLAN
- check on switch with: show port-access clients
- make username visable > create enforcement profile that reads out the username and sends it back via radius,
than the "show port-access client" will also show the username,
you can make the same with the computername
- Video about Aruba Dynamic Segmentation on AOS-CX: downloadable user roles and more


---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #3 Device Profiling
---------------------------------------------------------------------------------------------------
- device profiling: dhcp profiling, ip helper on core switch
- trigger a new dhcp request: Clearpass Access Tracker -> Change Status > choose port bounce


---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #4 Wired MAC Authentication
---------------------------------------------------------------------------------------------------
- default setting the switch will first try and timeout for 802.1X before it attempts MAC Authentication,
default timeout is 2 minutes and 30 seconds
>> solution: port-access onboarding-method concurrent enable
- configure the Profiling tab in our service to automatically trigger a port bounce as soon as ClearPass profiles a new or changed device.
- Clearpasss Radius Mac Authentication service
- enable Profile Endpoints
- Authentication Method: Allow All Mac Auth (with All only "known" endpoints are considered)
- Authentication Source: Endpoint Repository (so you can use the profiling information)
- Profiler: Radius CoA Action > AOS-CX Bounce Port, triggered it to "Any category / OS Family / Name",
so if the device is connection the first time it will be bounced, and we know the device type


---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #5 Wired MAC Enforcement
---------------------------------------------------------------------------------------------------
allow role based traffice for the endpoint

- define some classes, like: "class ip class-dns", "class ip class-private", "class ip class-pbx"
- bring the classes together to policies:
port-access policy pol-internet
10 class ip class-dhcp
20 class ip class-dns
30 class ip class-private action drop
40 class ip class-any
- port-access role profiler
associate policy pol-profile
vlan access name Untrusted VLAN
- port-access role machine
vlan access name Corporate VLAN
- port-access role voip
associate policy pol-voip
vlan access name Voice VLAN

- in clearpass define roles, and define rolemapping
- in clearpass define enforcement profiles, to return the role names, for example:
Radius:Aruba > Aruba-User-Role(1) = voip
Radius:Aruba > Aruba-User-Role(1) = profiler

- check with "show port-access clients" on switch

---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #6 Wired Device behind phone - AP with tagged VLANs
---------------------------------------------------------------------------------------------------
- allow more devices behind a port:
interface 1/1/1-1/1/24
aaa authentication port-access client-limit 3 #default is one
- show client ip
- special role for a accesspoint, the special thing is the "auth-mode":
port-access role instant-ap
vlan trunk native name Management VLAN
vlan trunk allowed name Guest1 VLAN
vlan trunk allowed name Guest2 VLAN
auth-mode device-mode
- auth-mode:
client-mode: authenticate all devices
device-mode: authenticate just the first device
multi-domain: authentication for the native vlan and one for the voice vlan

- check with "show port-access clients" >> Authentication Mode should be seen as "device-mode"

computer2know :: thank you for your visit :: have a nice day :: © 2024