Aruba ClearPass Advanced Configuration, Rev. 22.43

This advanced course uses a real-world case study on which participants will learn how to design, deploy and troubleshoot several aspects of the ClearPass security product.

This 5-day training is focused on active student participation, design exercises, introduction of new features and hands-on labs.

The lectures introduce different customer requirements and explain the fundamentals under the technologies required to fulfill them, while the lab guide displays the entire process from planning all the way up to implementation, testing and troubleshooting if required. Through this process the candidates will acquire skill sets that prepare them to face any challenging scenario.

This advanced level course is taught as a workshop. Participants will be led through a real-world design and implementation scenario encompassing all aspects of the Aruba ClearPass security product.

This 5-day course will cover the design, implementation and troubleshooting of ClearPass solutions.

The course is presented as a workshop, meaning that it is focused on student participation and hands-on labs to reinforce concepts, through design exercises and lab debriefs as well as planning and implementation of the design. This is not a course that relies on a step by step lab guide and you will be challenged to find creative solutions to the scenario and by the nature of this workshop you will master troubleshooting techniques in ClearPass.

After you successfully complete this course, expect to be able to:

• Multi – Server ClearPass Cluster Design
• Administrative Access Control
• Guest Network Access
• Secure Network Access
• Advanced ClearPass Modules
• Wired Authentication

Multi – Server ClearPass Cluster Design

• Placement of servers in the physical environment
• High-availability concepts
• EAP/RADIUS and HTTPS Certificates document

Administrative Access Control

• TACACS + access for Network Devices
• Policy Manager Administrative Profiles
• ClearPass Guest Operator Profiles

Guest Network Access

• Web Page Design
• Advanced Self – Registration design
• Advanced Guest Access Services
• AirGroups Configuration
• Guest Device Registration

Secure Network Access

• Advanced Service Design
• Advanced Enforcement
• Authentication Source Configuration

Advanced ClearPass Modules

• Onboard and BYOD Deployment
• Endpoint Posture Design
• Advanced Profiler Configuration

Wired Authentication
Note: This course focuses on the ClearPass integration aspect of the design, students should already be familiar with basic switch configuration.

• Configuration of Multi-Service Ports
• OnConnect and SNMP Based Enforcement
• Downloadable Roles
• Dynamic Segmentation

Network Requirements

• ClearPass Goals
• Network Topology
• List of available resources
• Scenario Analysis
• Authentication requirements
• Multiple user account databases
• User Account attributes
• High Level Design

PDI and Digital Certificates

• Certificate Types
• PKI
• Certificate Trust
• Certificate File Formats
• ClearPass as CA
• Certificate Use cases:
  • EAP
  • HTTPS
  • Service-based certificates
  • Onboarding
  • Clustering
  • RadSec
  • NAD Captive Portal
  • Installing Certificates
  • Enrollment over Secure Transport

Cluster Design

• ClearPass Server Placement
• Determine the layout of the Cluster
• High-Availability Schema
• Design High-Availability
• VIP Failover
• VIP Mapping
• Insight Primary and Secondary

Network Integration

• Authentication Sources
  • Local User Repository
  • Endpoint Repository
  • Admin User Repository
  • Guest User Repository
  • Guest Device Repository
  • Onboard Device Repository
  • Active Directory
  • SQL Server
• Define External Servers
  • Unified Endpoint Management
  • Email Server
• Endpoint Profiling
  • IF-MAP
  • Active Scans (SNMP)
  • DHCP
  • HTTPS
• Network Devices
• RadSec
• Dynamic Authorization
• Logging of RADIUS Accounting
• Device-groups
• Location Attributes
• Policy Simulation

Corporate Access Design

• Define the Requirements
• High-level design
• Services Design
• Plan TIPs Roles
• User Authentication
• Machine Authentication
• Tunneled EAP, EAP-TLS and Protected EAP
• One versus Multiple Services
• Plan Enforcement
• Device-groups based Enforcement
• Service Implementation
• OnGuard Design and implementation
  • Quarantine users
  • Remediation
• Onboard Design and implementation
  • User and device authorization
• Informational Pages
• Authorization validation
• Troubleshooting Enforcement

• Downloadable Roles

Guest Access Design

• Guest Network Design
• Captive Portal Flow
• Design Tasks
• Define Web Pages
• Guest Services Design
• Guest Services
• Guest Access Controls
• Configure Network Access Devices
• Guest Account Creation
• Guest Self-Registration
• Guest Sponsor Approval
• Self-Registration AD Drop-Down List
• Requirements for Guest Enforcement

Multi-Pre Shared Key

• Define the Requirements
• High-level design
• Device authorization
• Service Design and implementation

Wired Access

• AAA configuration
• 1X and MAC auth
• Using client profiling for authorization
• Using conflict attribute for authorization
• User Roles configuration in ArubaOS-S
• User Roles configuration in ArubaOS-CX
• Web Redirection
• Multi-Service Ports
• Downloadable User Roles Enforcement Profiles
• Downloadable User Roles Configuration and Validation

Administrative Access

• TACACs+ based NAD administration
• TACACs+ command Authorization
• Policy Manager Administrators
• Guest and Onboard Operators
• Register devices for MPSK
• Insight Operators
• Insight Reports and Alerts