ClearPass 6.
Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved.
Table of Contents
1. Preface
2. ClearPass 6.0 General Tips
3. Joining ClearPass 6.0 to an AD domain
4. CPPM 6.0 Authentication sources (AD/LDAP)
1. Preface:
This document collects common issues, and their resolutions, that are encountered during initial deployment of ClearPass 6.0 in a production environment. The target audience is system engineers and administrators who are deploying the ClearPass 6.0 solution (Guest and/or Policy Manager), are familiar with AD/LDAP authentication infrastructure, and have an understanding of and experience with Public Key Infrastructure (PKI) concepts and implementation.
2. ClearPass 6.0 General Tips
Here are some tips for avoiding common issues when deploying ClearPass.
Make sure the system time is set correctly. Use NTP to avoid clock problems caused by drift or power outages; certificate validity checks, Kerberos/AD authentication and log correlation all depend on accurate time.
Exercise caution when integrating systems operating in different time zones: keep every clock synchronized to the same reference (UTC) and let each system apply its own time-zone offset, rather than adjusting clocks by hand.
Only the management IP address is required for operation of the ClearPass server. Use the secondary interface if out-of-band management is desired.
3. Joining ClearPass 6.0 to an AD domain
Here are some tips when integrating ClearPass with Active Directory.
Joining ClearPass 6.0 to the AD domain is only necessary when performing EAP-PEAP authentication (or any other method whose inner authentication is MSCHAPv2, which needs the domain's NTLM service and therefore a domain-joined host). Plain LDAP lookups against AD for role mapping do not require the join.
Ensure that all server clocks (including AD and ClearPass) are set correctly, preferably with NTP synchronization; Kerberos rejects requests when the clocks differ by more than five minutes, so a drifted clock makes the join fail.
Ensure that the ClearPass DNS configuration points at a DNS server that can resolve the AD domain's SRV records (normally the domain controllers themselves); a resolver that knows nothing about the domain is the most common cause of a failed join.
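As an added example (not taken from this document or from Aruba's tooling), the following shell script checks the two prerequisites above before a domain join is attempted: the clock offset against an NTP server, measured against the five-minute Kerberos tolerance, and the resolvability of the SRV records a domain member needs. It assumes that `dig` and `ntpdate` are installed; the domain and NTP server given on the command line are placeholders.

```shell
#!/bin/sh
# Pre-join checks for a host that is about to join an AD domain.
# Added example, not Aruba's tooling. Assumes dig (dnsutils/bind-utils)
# and ntpdate are installed.
# Usage: ./adjoin-check.sh corp.example.com ntp.example.com
# (domain and NTP server names are placeholders)

KERBEROS_MAX_SKEW=300   # Kerberos/AD reject requests when clocks differ by more than 5 minutes

# SRV records every AD domain publishes; a joiner must be able to resolve all of them.
ad_srv_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.$1" "_ldap._tcp.$1"
}

# $1 is a clock offset in seconds as printed by ntpdate (may be negative or fractional).
# Succeeds when the absolute, whole-second offset is within the Kerberos tolerance.
skew_ok() {
    off=$1
    case $off in -*) off=${off#-} ;; esac     # absolute value
    off=${off%%.*}                             # whole seconds only
    [ "${off:-0}" -le "$KERBEROS_MAX_SKEW" ]
}

check_dns() {
    rc=0
    for name in $(ad_srv_names "$1"); do
        if answer=$(dig +short SRV "$name") && [ -n "$answer" ]; then
            echo "ok   $name -> $(echo "$answer" | head -n 1)"
        else
            echo "FAIL $name does not resolve; point ClearPass DNS at the domain controllers"
            rc=1
        fi
    done
    return "$rc"
}

check_time() {
    # ntpdate -q queries without stepping the clock and prints "... offset <secs>, delay ..."
    off=$(ntpdate -q "$1" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$off" ]; then
        echo "FAIL no answer from NTP server $1"
        return 1
    fi
    if skew_ok "$off"; then
        echo "ok   clock offset ${off}s from $1"
    else
        echo "FAIL clock offset ${off}s exceeds ${KERBEROS_MAX_SKEW}s; fix NTP before joining"
        return 1
    fi
}

# Run both checks only when a domain is given, so the file can also be sourced.
if [ -n "${1-}" ]; then
    status=0
    check_time "${2:-pool.ntp.org}" || status=1
    check_dns "$1" || status=1
    exit "$status"
fi
```

Run it from the ClearPass network segment, not from an administrator's workstation: the point is to prove that the resolver and the NTP server ClearPass itself is configured with give the right answers.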
4. CPPM 6.0 Authentication sources (AD/LDAP):
Here are some tips when using AD/LDAP as an authentication source.
An AD/LDAP account is required for EAP-PEAP authentication, for group membership lookups and for similar directory queries. The account used for ClearPass requires read rights to the containers and attributes you want to use in role mapping, and nothing more: use a dedicated, least-privilege service account rather than an administrative one. The account must also remain active, and should not be required to change or update its password regularly (set it up as a service account with a non-expiring password, and record where that password is managed so that a later rotation does not silently break authentication).
5. ClearPass Guest 6.0: "/guest/" in URLs
With ClearPass Policy Manager (CPPM) v6.0, guest page URLs are prefixed with /guest/. The device provisioning page, for example, is located at: https:///guest/device_provisioning.php
Use the Test feature to find the correct URL easily.
6. ClearPass Guest 6.0 Account Display: passwords are invisible
By default in ClearPass v6.0, guest passwords are only visible when the account is initially created. The previous behaviour of displaying passwords in the list of guest accounts can be enabled in the ClearPass Guest configuration UI: Configuration > Guest Manager > Password Display. Note that this exposes cleartext passwords to every operator who can list accounts; leave it off unless there is an operational need for it.
7. ClearPass 6.0 Onboard: no certificate available
If no valid certificate is available, switch back to HTTP: HTTPS will not work without a certificate the device trusts. You should also use HTTP when onboarding via IP address (when no DNS is available). Treat this as a lab workaround only: over HTTP the enrolment traffic, including the user's credentials, travels in the clear, so a production deployment needs a certificate from a CA the devices already trust, issued for the server's DNS name.
8. ClearPass 6.0 Onboarding: common SSL issues
If you enable HTTPS, you must have a valid DNS entry for the Onboard server that is resolvable from the onboarding device, and the server certificate must match that name.
Onboarding via HTTPS using an IP address will fail: public CAs do not issue certificates for private IP addresses, so the device will not trust the certificate it is presented with.
Use NTP so that you do not have failures caused by clock drift or other timing discrepancies; a device or server whose clock is wrong will reject an otherwise valid certificate as not yet valid or expired.
9. ClearPass 6.0 Onboard: iOS certificate invalid error
Onboarding on iOS will fail with a certificate-invalid error if the server does not present the complete chain, that is, every intermediate certificate up to the CA root; iOS does not reliably fetch missing intermediates on its own. Windows may work because it caches intermediates it has seen before (or fetches them via the certificate's AIA URL), but it can also fail when an intermediate is missing. Check the chain the server actually sends with a tool such as openssl s_client, not only from a browser that has already cached the intermediate.
10. ClearPass Onboard: Certificate Retention/Revocation
The delete certificate button is invisible by design, because Onboard keeps issued device certificates for a configurable minimum period. When testing, set that minimum period for Onboard to zero weeks to allow immediate removal; restore a sensible retention period before going into production so that revoked certificates remain on record.
11. ClearPass 6.0 Onboard: whitelisting URLs
Here are some example URLs that commonly need to be whitelisted for Onboarding to succeed, as they are accessed by the client device as part of network setup/detection by the Captive Network Assistant (CNA):
Apple CNA: http://www.apple.com/library/test/success.html
Kindle Fire CNA: http://spectrum.s3.amazonaws.com/kindle-wifi/wifistub.html
Google Play (aka Android Market): android.clients.google.com (Google Play access), .ggpht.
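To confirm that the whitelist actually works, the following shell script (an added example, not from this document or from Aruba) fetches the two CNA probe URLs listed above from a client on the provisioning or guest VLAN and classifies each answer: the real site answering 200 means the probe is whitelisted, a redirect means the portal intercepted it (which the CNA interprets as a captive network), and no HTTP response at all means the firewall is dropping it. It assumes curl is available.

```shell
#!/bin/sh
# Probe the captive-network-detection URLs from a client on the provisioning/guest
# VLAN and report whether each one is whitelisted. Added example, not Aruba's tooling;
# needs curl. The probe URLs are the CNA ones listed above.

PROBES="http://www.apple.com/library/test/success.html
http://spectrum.s3.amazonaws.com/kindle-wifi/wifistub.html"

# $1 HTTP status as printed by curl (000 = no HTTP response), $2 redirect target if any.
classify_probe() {
    case $1 in
        200)                 echo "whitelisted" ;;
        301|302|303|307|308) echo "intercepted -> ${2:-(no Location header)}" ;;
        000)                 echo "blocked (no HTTP response)" ;;
        *)                   echo "unexpected HTTP $1" ;;
    esac
}

# Fetch every probe without following redirects, so a portal intercept shows up as such.
probe_all() {
    rc=0
    for url in $PROBES; do
        result=$(curl -s -o /dev/null -m 10 -w '%{http_code} %{redirect_url}' "$url") || true
        code=${result%% *}; target=${result#* }
        verdict=$(classify_probe "$code" "$target")
        echo "$verdict  $url"
        case $verdict in whitelisted) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

if [ "${1-}" = run ]; then probe_all; fi
```

Invoke it with `run`; a non-zero exit means at least one probe is not whitelisted. Apple's CNA additionally compares the body of success.html with the literal text "Success", so a proxy that answers 200 with its own page still counts as captive; if a 200 is reported but the device keeps showing the CNA sheet, compare the body as well.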