Aruba ClearPass Policy Manager C1000, Getting Started Manual

Page 1: ...ontains the following information l ClearPass Access Management System Overview l Supported Browsers l Key Features l Advanced Policy Management l ClearPass Policy Manager Hardware and Virtual Appliances l ClearPass Specifications ClearPass Access Management System Overview The Aruba ClearPass Access Management System provides a window into your network and covers all your access security requirem...

Page 2: ...t to leverage device inventory and posture information which enables better informed policy decisions Supported Browsers The supported browsers for ClearPass are l Mozilla Firefox on Windows 7 Windows 8 x Windows 10 and macOS l Google Chrome for macOS and Windows l Apple Safari 9 x and later on macOS l Mobile Safari 5 x on iOS l Microsoft Edge on Windows 10 l Microsoft Internet Explorer 10 and lat...

Page 3: ...n security in any environment you can concurrently use multiple authentication protocols such as PEAP EAP FAST EAP TLS EAP TTLS and EAP PEAP Public For fine grained control you can use attributes from multiple identity stores such as Microsoft Active Directory LDAP compliant directory ODBC compliant SQL database token servers and internal databases across domains within a single policy Additionall...

Page 4: ...virtual appliances as well as the hardware appliances within a cluster l For hardware and virtual appliance installation and deployment procedures see ClearPass 6 7 Getting Started Guide Virtual appliances are supported on the following platforms l VMware ESX and ESXi For installation and deployment procedures see Using the VMware vSphere Hypervisor Web Client to Install ClearPass on a Virtual Mac...

Page 5: ... LEEF l Simple Certificate Enrollment Protocol SCEP l Enrollment over Secure Transport EST Supported Identity Stores l Microsoft Active Directory l Kerberos l Any LDAP compliant directory l Microsoft SQL PostgreSQL MariaDB and Oracle 11g ODBC compliant SQL server l Built in SQL store l Built in static hosts list l Token servers l Built in SQL store static hosts list l Microsoft Azure Active Direct...

Page 6: ...rovides three hardware appliance platforms l ClearPass Policy Manager C1000 l ClearPass Policy Manager C2000 l ClearPass Policy Manager C3000 Table 1 Functional Description of the ClearPass Hardware Appliance Ports Port Description Data port Gigabit Ethernet The Data port ethernet 1 provides a point of contact for RADIUS TACACS Web authentication and other dataplane requests This configuration is ...

Page 7: ...e the VGA Connector to connect the ClearPass hardware appliance to a monitor and keyboard ClearPass C1000 Hardware Appliance The ClearPass Policy Manager C1000 hardware appliance SKU JZ508A is a RADIUS TACACS server that provides advanced policy control for up to 500 simultaneous sessions The ClearPass C1000 appliance has a single 1 TB SATA disk with no RAID disk protection Figure 1 shows the port...

Page 8: ...ications ClearPass C1000 Appliance Specifications Hardware Model Unicom S 1200 R4 CPU 1 Eight Core 2 4 GHz Atom C2758 Memory 8 GB 2 x2 GB Hard drive storage l 1 SATA 7 3K RPM Serial ATA l 1 TB hard drive Serial Port Yes RJ 45 Performance Scale Please refer to the ClearPass Scaling Ordering Guide Form Factor Rack mount Included Dimensions WxHxD 17 2 x 1 7 x 11 3 Weight max configuration 8 5 lbs Pow...

Page 9: ... 1TB SATA disk drives These drives are managed by an LSI RAID 1 controller The drives are configured as a RAID 1 pair The LSI controller presents to ClearPass a single virtual 1TB drive masking the two underlying physical drives Figure 2 shows the ports and components on the rear panel of the ClearPass C2000 hardware appliance The function of each of these ports and components is described in Tabl...

Page 10: ...lects the state of the UID Light click on the Virtual Indicators link to update the page 7 Power Supply 8 Optional redundant Power Supply You can also access the ClearPass hardware appliance by connecting a monitor and keyboard to the hardware appliance Table 3 provides the specifications for the ClearPass C2000 hardware appliance Table 3 ClearPass C2000 Appliance Specifications ClearPass C2000 Ap...

Page 11: ... 2 G s Operating altitude 3 050 m 10 000 ft ClearPass C3000 Hardware Appliance The ClearPass Policy Manager C3000 hardware appliance SKU JZ510A is a RADIUS TACACS server that provides advanced policy control for up to 25 000 simultaneous sessions The ClearPass C3000 appliance ships with six Serial Attach SCSI SAS 10K RPM 600GB Hot Plug hard drives RAID 10 controller The LSI controller presents to ...

Page 12: ...g this new state becomes the current state and takes effect when the UID stops blinking NOTE The Unit ID Light web page does not automatically refresh itself if the state of the actual light changes after the page is loaded To ensure the page accurately reflects the state of the UID Light click on the Virtual Indicators link to update the page 2 USB ports 2 3 Serial port 4 iLO Integrated Lights Ou...

Page 13: ...ed Serial Port Yes DB 9 Performance Scale Please refer to the ClearPass Scaling Ordering Guide Form Factor Rack mount l 1U SFF Easy Install Rail l 1U Cable Management Arm Dimensions WxHxD 17 1 x 1 7 x 27 5 Weight max configuration Up to 33 3 lbs Power Specifications Power supply HPE 500W Flex Slot Platinum Hot Plug Power Supply Power Redundancy Optional AC input voltage 100 240 VAC auto selecting ...

Page 14: ... the corresponding values for the parameters listed in Table 5 and keep it for your records Table 5 ClearPass Server Configuration Reference Required Information Value for Your Installation Host name Policy Manager server Management port IP address Management port subnet mask Management port gateway Data port IP address optional NOTE Make sure that the Data port IP address is not in the same subne...

Page 15: ...laceholder entries in the following illustration with the information you entered in Table 5 n Enter hostname n Enter Management Port IP Address n Enter Management Port Subnet Mask n Enter Management Port Gateway n Enter Data Port IP Address n Enter Data Port Subnet Mask n Enter Data Port Gateway n Enter Primary DNS n Enter Secondary DNS 5 Specify the cluster password Setting the cluster password ...

Page 16: ...isted in Table 5 2 Accept any security warnings from your browser regarding the self signed SSL certificate which comes installed in ClearPass by default The Admin Login screen appears with a message indicating that you have 90 days to activate the product and a link to activate the product Figure 4 Activating ClearPass 3 To activate ClearPass on this hardware appliance click Activate Now When you...

Page 17: ...to the ClearPass Hardware Appliance After a successful activation the Admin Login dialog appears Figure 6 Logging in to the ClearPass Hardware Appliance 1 Log in to the ClearPass hardware appliance with the following credentials n Username admin n Password Enter the cluster password defined in Configuring the ClearPass Hardware Appliance 2 Click Log In The ClearPass Policy Manager Landing Page ope...

Page 18: ...e same password see Configuring the ClearPass Hardware Appliance If you wish to assign a unique admin password use this procedure to change it To change the administration password 1 In ClearPass navigate to Administration Users and Privileges Admin Users The Admin Users page opens Figure 8 Admin Users Page 2 Select the appropriate admin user The Edit Admin User dialog opens ClearPass 6 7 Getting ...

Page 19: ...defaults you must first generate a password recovery key then log in as the apprecovery user to reset the system account passwords Generating the Password Recovery Key To generate the password recovery key 1 If you are employing a hardware connection connect to the ClearPass Policy Manager hardware appliance using the serial port using any terminal program See Configuring the ClearPass Hardware Ap...

Page 20: ...values enter y 4 You can now log in with the new administrator password emailed to you by Aruba Technical Support Using the VMware vSphere Hypervisor Web Client to Install ClearPass on a Virtual Machine This section documents the procedures for using the VMware vSphere Web Client to install ClearPass on a vSphere Hypervisor ESXi host as well as completing important administrative tasks such as reg...

Page 21: ...are ships with a 30 GB hard disk volume This must be supplemented with additional storage hard disk by adding a virtual hard disk see Adding a Virtual Hard Disk on page 26 for details The additional space required depends on the ClearPass virtual appliance version Processing and Memory Requirements To ensure scalability dedicate or reserve the processing and memory to the ClearPass VM instance You...

Page 22: ... your network note the corresponding values for the parameters listed in Table 6 and keep it for your records Table 6 ClearPass Server Configuration Information Required Information Value for Your Installation Host name Policy Manager server Management interface IP address Management interface subnet mask Management interface gateway Data port IP address optional NOTE Make sure that the Data inter...

Page 23: ...e installation on a host that runs VMware vSphere Web Client consists of four stages 1 Download the Release Notes for the version of ClearPass that you want to install as a virtual appliance Release Notes are available in the appropriate version folder under Aruba Support Center Documentation Software User Reference Guides ClearPass Release Notes 2 Then check the recommended virtual hardware speci...

Page 24: ... Select Name and Folder dialog The name of the template is set by default to ClearPass Policy Manager Appliance a Change the name to the desired virtual appliance name b Select the virtual appliance folder or data center where you want to deploy the ClearPass OVF file then click Next The Select a Resource screen opens Figure 12 Selecting a Resource 11 If required choose the VMware host where Clear...

Page 25: ...ace Aruba recommends using the Thick Lazy Zeroed virtual disk format The Setup Networks screen appears Figure 14 Configuring the Networks for VM Deployment 13 Specify the virtual network where ClearPass will reside then click Next The Ready to Complete screen opens which displays all the settings you chose for this OVF file deployment 14 Review the settings for accuracy and make any changes if nec...

Page 26: ...ual hard disk to the virtual machine hardware and make sure that the network adapters are assigned correctly 1 From the ClearPass Policy Manager Appliance select the Summary tab Figure 15 Virtual Appliance Summary Tab 2 Click Edit Settings The Edit Settings dialog opens ClearPass 6 7 Getting Started Guide 26 ...

Page 27: ...he correct size of the virtual hard disk to add to your ClearPass virtual appliance b From the New Device drop down select New Hard Disk c Click Add The Virtual Hardware dialog opens Figure 17 Specifying the Size of the New Hard Disk d Specify the size of the new hard disk as shown in Figure 17 then click OK 27 ClearPass 6 7 Getting Started Guide ...

Page 28: ... To launch the VM console choose Actions Launch Console The initial virtual machine console screen is displayed At the bottom of the console screen is the following prompt Enter y or Y to proceed 3 To proceed enter y ClearPass setup and installation begins The console screen appears 4 Enter the number for the appropriate appliance type do not enter the appliance model itself For example to specify...

Page 29: ...th the information you entered in Table 6 n Enter hostname n Enter Management Port IP Address n Enter Management Port Subnet Mask n Enter Management Port Gateway n Enter Data Port IP Address n Enter Data Port Subnet Mask n Enter Data Port Gateway n Enter Primary DNS n Enter Secondary DNS 4 Specify the cluster password Setting the cluster password also changes the password for the CLI user appadmin...

Page 30: ...upon initial login 1 After the configuration has been applied at the virtual appliance console open a web browser and go to the management interface of ClearPassPolicy Manager https x x x x tips where x x x x is the IP address of the management interface defined for the ClearPass server in Table 6 2 Log in to the ClearPass 6 7 server 3 Accept any security warnings from your browser regarding the s...

Page 31: ...e Offline Activation section shown in Figure 21 Figure 21 Performing Offline Activation After successfully activating ClearPass online you will see a message above the Admin Login screen indicating that the product has been successfully activated Logging in to the ClearPass Virtual Appliance After a successful activation the Admin Login dialog appears Figure 22 Logging in to the ClearPass Virtual ...

Page 32: ... updates These updates include AntiVirus version updates The ClearPass server uses these updates to check if the versions of the AntiVirus and the DAT file are the latest version l Windows Hotfixes updates These updates include a list of available Windows Hotfixes for supported Windows operating systems The ClearPass server uses these updates to show a list of the available hotfixes in the Windows...

Page 33: ... Updates Page To update the software on the current ClearPass server 1 Navigate to Administration Agents and Software Updates Software Updates Figure 24 displays the Software Updates page Figure 24 Software Updates Page The following describes the Software Updates parameters 33 ClearPass 6 7 Getting Started Guide ...

Page 34: ...osture and Profile Data Updates Import Updates button to import the downloaded file into ClearPass NOTE In a ClearPass cluster the Import Updates option is available on the Publisher node only By default updates for Posture Signature Windows Hotfixes and Endpoint Profile Fingerprints are not automatically downloaded and installed To set these updates to be automatic you must set the following Clus...

Page 35: ...tall for details see Using the VMware vSphere Hypervisor Web Client to Install ClearPass on a Virtual Machine NOTE You cannot uninstall cumulative or point patch updates Needs Restart The Needs Restart link appears when an update needs a reboot of the server in order to complete the installation Clicking this link displays the Install Update dialog box which shows the log messages generated during...

Page 36: ...min Users page opens Figure 25 Admin Users Page 2 Select the appropriate admin user The Edit Admin User dialog opens Figure 26 Changing the Administration Password 3 Change the administration password verify the new password then click Save Powering Off the ClearPass Virtual Appliance This procedure gracefully shuts down the virtual appliance without having to log in To power off the ClearPass vir...

Page 37: ...ance Configuration l Initial Login and Activation of the ClearPass Platform License l Logging in to the ClearPass Virtual Appliance l About Software Updates l Software Updates Page l Changing the Administration Password l Powering Off the ClearPass Virtual Appliance Introduction Microsoft Hyper V enables you to create and manage a virtualized computing environment by using virtualization technolog...

Page 38: ...o support a full workload you should consider ordering the ClearPass Policy Manager hardware appliance Supplemental Storage Hard Disk Requirements ClearPassHyper V ships with a 30 GB hard disk volume This must be supplemented with additional storage hard disk by adding a virtual hard disk see Adding a Hard Disk to a Virtual Machine on page 43 for details The additional space required depends on th...

Page 39: ... the same subnet as the Management interface IP address Data interface subnet mask optional Data interface gateway optional Primary DNS Secondary DNS NTP server optional ClearPass Hyper V Virtual Appliance Installation Summary The process of installing the ClearPass Policy Manager virtual appliance on one or more hosts that runs Microsoft Hyper V consists of four stages 1 Download the Microsoft Hy...

Page 40: ... Download the software image from the Download Software ClearPass Policy Manager Current_Release_Number Hyper V folder on the Aruba Support Center and unzip it to a folder on your server to extract the files 2 To extract the files unzip the files to a folder on your server 3 Open up the Hyper V Manager Console 4 From the Hyper V Manager select the name of the Hyper V server then right click and se...

Page 41: ...ng the Import Type 8 In the Choose Import Type step select Copy the virtual machine then click Next When you choose Copy the virtual machine Hyper V creates new and unique identifiers for the virtual appliance The Choose Folders for Virtual Machine Files dialog opens Figure 31 Specifying the Folders for the Virtual Machine Files 41 ClearPass 6 7 Getting Started Guide ...

Page 42: ... 10 Accept the default virtual hard drive storage folder or browse to a new location to change it to your preferred location then click Next If the virtual appliance being imported was configured to use physical disks in pass through mode you will have the opportunity to either remove the storage from the virtual appliance s configuration or attach new physical disks in pass through mode If an err...

Page 43: ...the import virtual appliance configuration that you specified 13 Review the settings displayed in the Summary page and if they are correct click Finish This completes the procedure to import the virtual appliance Adding a Hard Disk to a Virtual Machine Do not create the virtual hard disk in a folder that is marked for encryption Virtual hard disks are stored as vhd files Hyper V does not support t...

Page 44: ...ontroller 0 Hard Drive is selected by default then click Add The Hard Drive dialog opens Figure 36 Configuring the Hard Drive 5 In the Hard Drive dialog a Controller Set to IDE Controller 0 b Location Set to 1 in use 6 Below the Virtual hard disk field click New The New Virtual Hard Disk Wizard opens ClearPass 6 7 Getting Started Guide 44 ...

Page 45: ...Specifying the Disk Format 8 For the disk format choose VHDX then click Next The Choose Disk Type dialog opens Figure 38 Specifying the Virtual Hard Disk Type 9 For the disk type choose Fixed size then click Next The Specify Name and Location dialog opens 45 ClearPass 6 7 Getting Started Guide ...

Page 46: ...the appropriate version folder in the Aruba Support Center at Documentation Software User Reference Guides ClearPass Release Notes b Click Next The Completing the New Virtual Hard Disk Wizard screen opens 12 Review the settings displayed in the Summary page and if they are correct click Finish This completes the procedure to add a virtual hard disk Additional Virtual Hard Disk Considerations Addit...

Page 47: ...annot be stored in a folder that uses New Technology File System NTFS compression l You can make certain changes to a virtual hard disk after you create it For example you can convert it from one type of virtual hard disk to another You can use the Edit Virtual Hard Disk wizard to make these changes Launching the ClearPass Virtual Appliance To launch the ClearPass virtual appliance 1 To power on t...

Page 48: ...irements press y ClearPass will reboot at least once Two console screens appear sequentially the first screen indicates that the ClearPass Installer is rebooting and the second screen indicates that the virtual appliance is rebooting When the rebooting process is complete the ClearPass virtual appliance is configured and the virtual appliance will power on and boot up within a couple of minutes Th...

Page 49: ...d secondary NTP server information you entered in Table 8 6 Apply the configuration a To apply the configuration press Y n To restart the configuration procedure press N n To quit the setup process press Q Configuration on the virtual appliance console is now complete The next task is to activate the ClearPass Platform license Initial Login and Activation of the ClearPass Platform License Upon ini...

Page 50: ...y entering the Platform License Key the Admin Login screen appears with a message indicating that you have 90 days to activate the product and a link to activate the product Figure 44 Activating ClearPass 7 To activate ClearPass on this virtual appliance click Activate Now ClearPass Policy Manager attempts to activate the license over the Internet with Aruba license activation servers If the Clear...

Page 51: ...ctivated Logging in to the ClearPass Virtual Appliance After a successful Platform License activation the Admin Login dialog opens Figure 46 Logging in to the ClearPass Virtual Appliance 9 Log in to the ClearPass virtual appliance with the following credentials n Username admin n Password Enter the cluster password defined in Completing the Virtual Appliance Configuration on page 48 10 Click Log I...

Page 52: ...n updates The ClearPass server uses these updates to check if the versions of the AntiVirus and the DAT file are the latest version l Windows Hotfixes updates These updates include a list of available Windows Hotfixes for supported Windows operating systems The ClearPass server uses these updates to show a list of the available hotfixes in the Windows Hotfixes health class l Endpoint Profile Finge...

Page 53: ... Parameter Action Description HPE Passport Credentials HPE Passport Credentials Enter the HPE Passport Credentials provided to you This text box is enabled only on a Publisher node The first time the HPE Passport Credentials are saved the ClearPass server performs the following operations l Contacts the Webservice server to download the latest Posture Profile Data updates depending on the Cluster ...

Page 54: ...g the Import Updates button NOTE Patch residual files under var avenda platform backup var avenda platform patches and var avenda platform store updates seven days old and older are automatically deleted daily Import Updates If the server is not able to reach the Webservice server click Import Updates to import the latest signed Firmware and Update patch binaries obtained via support or other mean...

Page 55: ...ers an error Clicking this link displays the Install Update dialog box which shows the log messages generated during the install Other Check Status Now Click this button to perform an on demand check for available updates Check Status Now applies to updates only on a Publisher node as well as Firmware Patch Updates Delete Use this option to delete a downloaded update Changing the Administration Pa...

Page 56: ...ppliance This procedure gracefully shuts down the virtual appliance without having to log in To power off the ClearPass virtual appliance 1 To connect to the command line interface right click the name of the virtual machine then choose Connect 2 Enter the following commands n login poweroff n password poweroff The ClearPass virtual appliance shuts down ClearPass 6 7 Getting Started Guide 56 ...

Page 57: ... not and stop or start Policy Manager services including any Active Directory domains to which the current server is now joined To access the Services Control page 1 In ClearPass navigate to Administration Server Manager Server Configuration The Server Configuration page opens 2 Click the row that lists the ClearPass server of interest The Server Configuration screen for the selected ClearPass ser...

Page 58: ...If a service is stopped use its Start button to restart it Starting Services from the Command Line l You can also start an individual service from the command line service start service_name l You can start all the services from the command line service start all Summary of the Server Configuration Page The Server Configuration page provides many options Table 10 describes each of the top level se...

Page 59: ...ge to l Configure Application Access Control allow or deny access to network resources l Add SSH Public Keys l Create generic routing encapsulation GRE tunnels l Create IPsec tunnels l Create VLANs related to guest users l A GRE tunnel creates a virtual point to point link between controllers over a standard IP network or the Internet l To create VLANs your network infrastructure must support tagg...

Page 60: ...way gateway address Gateway IP address Configure the Date Configuring the time and time zone is optional appadmin configure date d date t time z timezone Configure the Host Name for the Node appadmin configure hostname hostname Join the ClearPass Policy Manager Appliance to the Active Directory Domain If you are using Active Directory to authenticate users be sure to join the ClearPass Policy Mana...

Page 61: ...r open source licenses A complete machine readable copy of the source code corresponding to such code is available upon request This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Company To obtain such source code send a check or money order in the amount of US 10 00 to He...