Aruba ClearPass Deployment
Author: Jackson Chen
Aruba ClearPass Policy Manager
Aruba ClearPass Policy Manager Deployment Guide (6.9):
https://www.arubanetworks.com/techdocs/ClearPass/6.9/Aruba_DeployGd_HTML/Content/home.htm
Implementation Guide
Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD, corporate devices, as well as employees, contractors and guests across any multivendor wired, wireless and VPN infrastructure.
With a built-in context-based policy engine, RADIUS, TACACS+, non-RADIUS enforcement using OnConnect, device profiling, posture assessment, onboarding, and guest access options, ClearPass is unrivaled as a foundation for network security for organizations of any size. For comprehensive integrated security coverage and response using firewalls, UEM and other existing solutions, ClearPass supports the Aruba 360 Security Exchange Program. This allows for automated threat detection and response workflows that integrate with third-party security vendors and IT systems previously requiring manual IT intervention.
In addition, ClearPass supports secure self-service capabilities, making it easier for end users trying to access the network. Users can securely configure their own devices for enterprise use or Internet access based on admin policy controls.
The result is detailed visibility of all wired and wireless devices connecting to the enterprise, increased control through simplified and automated authentication or authorization of devices, and faster, better incident analysis and response through the integration and orchestration with third-party security solutions. This is achieved with a comprehensive and scalable policy management platform that goes beyond traditional AAA solutions to deliver extensive enforcement capabilities for IT-owned and BYOD security requirements.
Supported Hypervisors
Policy Manager supports the following hypervisors. Hypervisors that run on a client computer, such as VMware Player, are not supported.
VMware vSphere Hypervisor (ESXi) 6.0, 6.5, 6.5 U1, 6.5 U2, 6.7, 6.7 U1, 6.7 U2, 6.7 U3, and 7.0.
Policy Manager Server Configuration Information
1. Host name (Policy Manager server)
2. Management interface IP address
3. Management interface subnet mask
4. Management interface gateway
5. Data interface IP address (optional)
NOTE: Make sure that the Data interface IP address is not in the same subnet as the Management interface IP address.
6. Data interface subnet mask (optional)
7. Data interface gateway (optional)
8. Primary DNS
9. Secondary DNS
10. NTP server (optional)
vSphere Web Client Policy Manager Installation Overview
Initial Installation
- Deploy ClearPass from the OVF files (select all of the files in the package), but do not power the VM on yet.
- Add a new hard disk sized for your appliance type (500GB or 1TB).
- Power on and configure the virtual appliance.
- In the initial console screen, enter Y to confirm that the second hard disk may be erased.
- Enter the number for the appropriate appliance type (do not type the appliance model name itself). Options include:
Enter 1 for CLABV
Enter 2 for C1000V
Enter 3 for C2000V
Enter 4 for C3000V
![Clearpass types](/static/images/Network/Clearpass_appliance_types.png)
So, for example, to install a C1000V, you would enter the number 2.
The system requirements for the appliance model you selected are displayed alongside your current system configuration.
- Compare the two to make sure your VM meets the requirements of that model.
- When you have verified that the VM meets the requirements, press Y. Policy Manager reboots at least once. Two console screens appear in sequence: the first indicates that the Policy Manager installer is rebooting, the second that the virtual appliance is rebooting. When the reboots are complete the Policy Manager virtual appliance is configured, powers on, and boots within a couple of minutes. The whole installation typically takes between 30 and 40 minutes.
Important Steps:
1. After the initial installation the ClearPass appliance is shut down. Edit the VM settings:
a. Add the second hard disk with the size required by the licensed appliance model, such as 500GB or 1TB.
b. Set both network adapters' MAC addresses to static (manual), keeping the MAC addresses that vSphere assigned automatically.
Note:
The ClearPass RHEL (restricted) shell binds the management and data ports to the MAC addresses the VM network adapters had at installation time.
i. Log in as "appadmin" and run "show ip" to display the interface MAC addresses.
ii. Compare the MAC addresses reported by the appliance with those in the VM settings and make sure each pair is identical.
If the MAC addresses differ, SpoofGuard drops all of the VM's packets, which shows up as no network connectivity.
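The configuration list above and the MAC check in this section are both things you can verify before touching the console. The following is an added example (not ClearPass or Aruba code) of an offline pre-flight check over the values collected for the wizard: it confirms the data subnet does not overlap the management subnet, that each gateway lies in its own subnet, that DNS entries are addresses, and that the VM adapter MACs match what the appliance reports. The dictionary keys, the sample values and the 12-character password threshold are this example's own choices; the wizard itself accepts six characters.

```python
import ipaddress
import re

# Added example, not ClearPass code. Key names below are this example's own
# naming for the fields in the configuration list, not ClearPass field names.


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lowercase colon-separated form so the vSphere
    setting ('00:50:56:AB:CD:01'), Cisco-style '0050.56ab.cd01' and the
    appliance console output all compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _iface(ip: str, mask: str) -> ipaddress.IPv4Interface:
    # ip_interface accepts a dotted mask, e.g. '10.10.1.20/255.255.255.0'
    return ipaddress.ip_interface(f"{ip}/{mask}")


def check_config(cfg: dict) -> list:
    """Return the problems found; an empty list means the table is consistent."""
    problems = []

    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?",
                        cfg.get("hostname", "")):
        problems.append("hostname is not a valid DNS label")

    mgmt = _iface(cfg["mgmt_ip"], cfg["mgmt_mask"])
    if ipaddress.ip_address(cfg["mgmt_gw"]) not in mgmt.network:
        problems.append("management gateway is outside the management subnet")

    # The data port is optional; if present it must not share the management subnet.
    if cfg.get("data_ip"):
        data = _iface(cfg["data_ip"], cfg["data_mask"])
        if data.network.overlaps(mgmt.network):
            problems.append("data port subnet overlaps the management subnet")
        if cfg.get("data_gw") and ipaddress.ip_address(cfg["data_gw"]) not in data.network:
            problems.append("data gateway is outside the data subnet")

    for name in ("primary_dns", "secondary_dns"):
        value = cfg.get(name)
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{name} is not an IP address: {value!r}")

    # The cluster password also becomes the appadmin and admin password, so this
    # example applies a stricter 12-character floor than the wizard's six.
    if len(cfg.get("cluster_password", "")) < 12:
        problems.append("cluster password shorter than 12 characters")

    # Each VM adapter MAC must equal the MAC the appliance reports for that port.
    for port, vm_mac, console_mac in zip(("management", "data"),
                                         cfg["vm_macs"], cfg["console_macs"]):
        if normalize_mac(vm_mac) != normalize_mac(console_mac):
            problems.append(f"{port} port MAC in VM settings does not match the appliance")

    return problems


# Constructed sample values for illustration only.
SAMPLE = {
    "hostname": "clearpass01",
    "mgmt_ip": "10.10.1.20", "mgmt_mask": "255.255.255.0", "mgmt_gw": "10.10.1.1",
    "data_ip": "10.10.2.20", "data_mask": "255.255.255.0", "data_gw": "10.10.2.1",
    "primary_dns": "10.10.1.53", "secondary_dns": "10.10.1.54",
    "cluster_password": "correct-horse-battery",
    "vm_macs": ["00:50:56:AB:CD:01", "00:50:56:AB:CD:02"],
    "console_macs": ["00:50:56:ab:cd:01", "00:50:56:ab:cd:02"],
}

if __name__ == "__main__":
    for problem in check_config(SAMPLE) or ["configuration is consistent"]:
        print(problem)
```

Run it against your own values before starting the wizard; a data subnet overlapping the management subnet or a MAC mismatch is far cheaper to fix here than after the appliance has been installed and SpoofGuard is silently dropping its traffic.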
Completing the Virtual Appliance Setup
- Log in to the virtual appliance using the following preconfigured credentials:
login: appadmin
password: eTIPS123
This initiates the Policy Manager Configuration wizard.
- Configure the Policy Manager virtual appliance.
Follow the prompts, replacing the placeholder entries with the information you collected in the configuration list above (Table 1 in the deployment guide).
1. Enter hostname:
2. Enter Management Port IP Address:
3. Enter Management Port Subnet Mask:
4. Enter Management Port Gateway:
5. Enter Data Port IP Address:
6. Enter Data Port Subnet Mask:
7. Enter Data Port Gateway:
8. Enter Primary DNS:
9. Enter Secondary DNS:
- Specify the cluster password.
Note: Setting the cluster password also changes the password for the CLI user appadmin, as well as the Administrative user admin. If you want the admin password to be unique, see Changing the Administration Password.
a. Enter any string of at least six characters; you are then prompted to confirm the cluster password. Because this password also becomes the appadmin and admin password, use a strong passphrase rather than the minimum.
b. After this configuration is applied, use the new password for cluster administration and for managing the Policy Manager virtual appliance.
- Configure the system date and time.
a. Follow the prompts to configure the system date and time.
b. To set the date and time by configuring the NTP server, use the primary and secondary NTP server information.
- Apply the configuration.
Follow the prompts and do one of the following:
a. To apply the configuration, press Y.
To restart the configuration procedure, press N.
To quit the setup process, press Q.
Press Y to finish the configuration. Configuration on the virtual appliance console is now complete. The next task is to activate the Policy Manager license.
Synchronizing the Cluster Date and Time with the NTP Server
The option to change the date and time for the cluster is available only on the Publisher node. Subscriber nodes in a cluster will synchronize the date and time from the Publisher node.
Set Date and Time
- Log in to the Publisher node.
- Navigate to the Administration > Server Manager > Server Configuration page.
- Select the Set Date and Time link. The Change Date and Time dialog opens to the Date & Time tab.
- Specify the Date & Time parameters
- Click Save.
- Return to the Server Configuration page by clicking Cancel.
Note: The maximum allowed clock skew between the Policy Manager server and the Active Directory server is five minutes.
- Compare the clock time displayed at the bottom of the Policy Manager Server Configuration page against the clock time on the Active Directory server, making sure both are read in the same time zone.
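The five-minute limit above is easy to misjudge when the Publisher and the domain controller display time in different zones. The following is an added example (not ClearPass code) of the comparison done with zone-aware timestamps: a naive subtraction of the two displayed clocks would report an hours-large skew, while the real offset is well inside the tolerance. The clock readings, the zones and the 'YYYY-MM-DD HH:MM:SS' input format are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Added example, not ClearPass code. The tolerance is the five minutes the
# deployment notes quote for Policy Manager against Active Directory.
MAX_SKEW = timedelta(minutes=5)


def parse_clock(text: str, tz: timezone) -> datetime:
    """Parse a clock reading and attach the zone it was read in.
    The text format is this example's own convention."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def clock_skew(a: datetime, b: datetime) -> timedelta:
    """Absolute offset between two zone-aware readings (Python converts both
    to UTC before subtracting). Naive readings are rejected on purpose."""
    if a.tzinfo is None or b.tzinfo is None:
        raise ValueError("both readings must be time-zone aware")
    return abs(a - b)


def ad_auth_clock_ok(clearpass: datetime, ad: datetime) -> bool:
    """True when the skew is within the Kerberos/AD tolerance."""
    return clock_skew(clearpass, ad) <= MAX_SKEW


# Constructed readings: Publisher shows local time in UTC+10, the domain
# controller was read in UTC. The wall-clock strings differ by ten hours,
# but the real skew is one minute forty seconds.
PUBLISHER = parse_clock("2024-03-01 14:02:10", timezone(timedelta(hours=10)))
DC = parse_clock("2024-03-01 04:00:30", timezone.utc)

if __name__ == "__main__":
    print("skew:", clock_skew(PUBLISHER, DC), "ok:", ad_auth_clock_ok(PUBLISHER, DC))
```

If the skew is over the limit, fix the NTP configuration on the Publisher rather than adjusting the clock by hand; the subscribers take their time from the Publisher, so one bad clock breaks AD authentication across the whole cluster.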
Specifying the Time Zone on the Publisher Node
- Click the Time Zone on Publisher tab.
- Select the time zone where the Publisher node resides, then click Save.
Starting or Stopping Policy Manager Services
From the Services Control page, you can view the status of a service (that is, see whether a service is running or not), and stop or start Policy Manager services, including any Active Directory domains to which the current server is now joined.
To access the Services Control page:
In Policy Manager, navigate to Administration > Server Manager > Server Configuration. The Server Configuration page opens.
Click the row for the Policy Manager server of interest. The Server Configuration screen for the selected server opens; select the Services Control tab to view, stop or start its services.
Starting Services from the Command Line
service start <service_name> # start an individual service
service start all # start all the services
Preparing ClearPass LDAP Authentication Source
1. Navigate to the Configuration > Authentication > Sources page.
2. Click Add. The Add Authentication Source page opens on the General tab, which names the authentication source, sets its type, and defines session details such as the server and cache timeouts.
3. When satisfied with these settings, click Next.
The Primary tab opens. Enter the LDAP server hostname and port, the bind DN and bind password, and the base DN for searches. Use an encrypted connection (LDAP over SSL, or StartTLS on the plain LDAP port) with server certificate verification enabled, and bind with a dedicated read-only account rather than an administrative one, since the bind credentials are stored on the appliance.
4. When satisfied with these settings, click Next.
The Summary page shows all of the settings you entered for the LDAP authentication source.
ClearPass VM MAC Configuration
Make sure the MAC address in the VM's network adapter properties is the same as the MAC address shown for that interface in the ClearPass SSH console.
Set the VM adapters to a static MAC so the address cannot change after the ClearPass installation.