Preparing for ClearPass Deployment
ClearPass deployment requires gathering specific information about infrastructure, client devices, and access levels, among other details.
This chapter provides implementation details for IT administrators deploying the ClearPass solution at Orange Widget Logistics (OWL), a fictional customer described on the Reference Customer page.
Licensing
After a ClearPass Policy Manager (CPPM) purchase, Aruba Licensing Management sends licensing details to the customer email address provided in the ordering process.
Gather License
The licensing email is formatted like the sample below:
Note: If the expected recipient does not receive the license email, contact the Aruba sales representative, partner account manager, or Aruba Support to request assistance.
The table below lists the licenses needed to deploy OWL’s two-node ClearPass cluster with the ability to authenticate up to 1,000 concurrent endpoints. One VM-based license is used for each virtual appliance, and one 1,000-endpoint license is applied at the Publisher node and shared between both appliances when the cluster is created.
Part Number | Description | Quantity | Version |
---|---|---|---|
JZ399AAE | Aruba ClearPass Cx000V VM-Based Appliance E-LTU | 2 | 6.8.X.X |
JZ402AAE | Aruba ClearPass New Licensing Access 1K Concurrent Endpoints E-LTU | 1 | 6.8.X.X |
Activate License
After the proper license and order information is collected, use the steps below to activate the license.
Step 1 Open a web browser and log into the Aruba Support Portal.
Step 2 After logging in, on the Support Portal page, click the License Management link in the center of the page. The License Management page appears.
Step 3 On the License Management page, click the Activate button.
Step 4 On the Activate page, enter the order and confirmation number provided in the licensing email, then click the Load button.
Step 5 When the order details appear, select the part numbers and quantities to be used. Enter the required information at the bottom of the page and click Activate.
Step 6 When the Activate-Summary page appears, save the Activation Key for each part number to apply later in the project and click the Done button.
Download Software
To download the software:
Step 1 Open a web browser and log into the Aruba Support Portal.
Step 2 After logging in, on the Support Portal page, click the Software & Documents tab, then click the ClearPass Policy Manager (CPPM) link.
Step 3 When the Software and Documents page appears, use the FILTERS on the left to find the required image. Click the Download button at the right of the selected image.
Step 4 After the download is complete, proceed to Gather Infrastructure Information, below.
Gather Infrastructure Information
This section outlines the information that must be gathered or shared with other parties. It is important to include all the details needed to prevent delays or service interruptions.
Network Administrator
As part of the discovery and design session, the information below is used during implementation.
Authentication Servers (ClearPass Appliances)
The authentication servers in this deployment are the ClearPass appliances. The table lists information needed for initial configuration.
Setting | Appliance 1 | Appliance 2 |
---|---|---|
Function | Publisher | Subscriber |
Host Name | RSVCP-CPPM-1 | RSVCP-CPPM-2 |
Management Port IP Address | 10.2.120.195 | 10.2.120.194 |
Management Port Mask | 255.255.255.0 | 255.255.255.0 |
Management Port Gateway | 10.2.120.1 | 10.2.120.1 |
Virtual IP 1 | 10.2.120.192* | 10.2.120.192 |
Virtual IP 2 | 10.2.120.193 | 10.2.120.193* |
DNS Server 1 | 10.2.120.99 | 10.2.120.99 |
DNS Server 2 | 10.2.120.98 | 10.2.120.98 |
Administrator Password | Aruba123! | Aruba123! |
NTP Server 1 | 10.2.120.99 | 10.2.120.99 |
NTP Server 2 | 10.2.120.98 | 10.2.120.98 |
Time Zone | Pacific Time | Pacific Time |
*Indicates the appliance to be set as the primary node for that virtual IP.
Network Devices (Authenticators)
The deployment calls for two types of authenticators: Aruba switches and gateways. ClearPass requires adding these devices to the Network Devices section in order to accept authentication requests sourced from them.
Individual Network Device Information
The table below lists information for each authenticator that must be added to Network Devices later in the implementation process.
Host Name | IP Address | Device Type |
---|---|---|
RSVCP-TEST-AC1 | 10.15.55.245 | Aruba Switch |
RSVCP-AG3-AC1 | 10.3.2.105 | Aruba Switch |
RSVCP-AG3-AC2 | 10.3.2.112 | Aruba Switch |
RSVCP-AG3-AC4 | 10.3.2.10 | Aruba Switch |
RSVCP-TEST-GW1 | 10.15.55.2 | Aruba Gateway |
RSVCP-SS2-CL1-1 | 10.6.15.11 | Aruba Gateway |
RSVCP-SS2-CL1-2 | 10.6.15.12 | Aruba Gateway |
Note: ClearPass allows adding multiple devices simultaneously in the form of a subnet, or as individual IPs. For the reference customer list above, they are entered individually to allow greater control over the authentication requests that ClearPass accepts.
Common Network Device Information
The information below is the same across all devices listed in the table above. These values are needed when configuring the authenticators in the Network Devices list later in the implementation process.
- RADIUS Shared Secret: Aruba123!
- TACACS+ Shared Secret: Aruba123!
- Vendor Name: Aruba
Network Device Groups
Authentication requests are filtered using Device Groups during Services configuration later in the implementation process. The table below lists the three groups to be created and their device types.
Device Groups | Devices (from Device Type column above) |
---|---|
Switches | Aruba Switch |
Gateways | Aruba Gateway |
External Authentication Sources
This deployment authenticates client devices against several authentication sources, including internal databases in ClearPass and Windows Domain Controllers. Internal databases are created later in the process. Note the Windows Domain Controller information ahead of time:
Setting | Domain Controller 1 | Domain Controller 2 |
---|---|---|
Host Name | rsvcp-ad1.owllab.net | rsvcp-ad2.owllab.net |
Type | Active Directory | Active Directory |
Bind DN | service@owllab.net | service@owllab.net |
Bind Password | Aruba123! | Aruba123! |
VM Server Administrator
ESXi Virtual Appliance Software and Requirements
OWL must accommodate a maximum of 1,000 concurrent client devices in the first phase, with plans to increase to 5,000 in the second phase. As a result, the two virtual appliances are scoped as C2000V.
Provide the following information to the systems administrator responsible for deploying virtual appliances.
- OVF Zip files, downloaded earlier
- Sizing requirements for the project, C2000V (5K Virtual Appliance OVF):
  - 8 reserved virtual CPUs
  - The underlying CPU is recommended to have a PassMark® of 9600 or higher.
  - 16 GB RAM
  - Disk Space: 1000 GB disk space required (thick provisioned)
Note: Aruba ClearPass supports both physical and virtual appliance deployments. For complete details, refer to the ClearPass Installation Guide.
Note: When a ClearPass cluster design requires configuring Virtual IP addresses in a virtual machine deployment, forged transmits must be enabled on the VMware distributed virtual switch.
Network Administrator
Network Ports to Enable
The table below lists the network ports that must be open between the Publisher and Subscriber servers.
Port | Protocol | Description |
---|---|---|
80 | TCP | HTTP: Internal proxy |
123 | UDP | NTP: Time synchronization |
443 | TCP | HTTPS: Internal proxy and server-to-server service |
5432 | TCP | PostgreSQL: Database replication |
Because any Subscriber server can be promoted to Publisher, all port/protocol combinations listed above should be:
- Bidirectional
- Open between any two servers in the cluster
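As an added pre-flight check (not part of the original guide), the script below takes the appliance addressing from the Authentication Servers table and the cluster port list above, verifies that each node's gateway and both Virtual IPs fall inside its management subnet, and expands the port table into the bidirectional node-to-node matrix that must be open before the cluster is formed. The `tcp_reachable` helper is a plain connect test to run from one node; the appliance and port values are copied from the page, and the helper names are this example's own.

```python
import ipaddress
import socket

# Constructed from the page's Authentication Servers table.
APPLIANCES = {
    "RSVCP-CPPM-1": {"ip": "10.2.120.195", "mask": "255.255.255.0",
                     "gw": "10.2.120.1", "vips": ["10.2.120.192", "10.2.120.193"]},
    "RSVCP-CPPM-2": {"ip": "10.2.120.194", "mask": "255.255.255.0",
                     "gw": "10.2.120.1", "vips": ["10.2.120.192", "10.2.120.193"]},
}
# Constructed from the page's "Network Ports to Enable" table.
CLUSTER_PORTS = [(80, "tcp"), (123, "udp"), (443, "tcp"), (5432, "tcp")]


def check_addressing(appliances):
    """Return a list of problems. The gateway and every VIP must sit in the
    same subnet as the appliance's management interface, and management
    IPs must be unique across the cluster."""
    problems = []
    for name, a in appliances.items():
        net = ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
        targets = [("gateway", a["gw"])] + [("VIP", v) for v in a["vips"]]
        for label, addr in targets:
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"{name}: {label} {addr} not in {net}")
    ips = [a["ip"] for a in appliances.values()]
    if len(set(ips)) != len(ips):
        problems.append("duplicate management IP address")
    return problems


def port_matrix(appliances, ports):
    """Expand the port table into (src, dst, port, proto) tuples in both
    directions between every pair of nodes, since any Subscriber may later
    be promoted to Publisher."""
    names = list(appliances)
    return [(src, dst, port, proto)
            for src in names for dst in names if src != dst
            for port, proto in ports]


def tcp_reachable(host, port, timeout=2.0):
    """TCP connect test from the local node. UDP 123 (NTP) is deliberately
    not covered: a connect() on a UDP socket proves nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `check_addressing(APPLIANCES)` first; an empty list means the table is internally consistent, after which each `tcp` entry from `port_matrix` can be tested from the source node with `tcp_reachable`.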
IP Helper Addresses
To profile devices on the OWL network, ClearPass uses DHCP fingerprinting. To enable ClearPass to receive and collect DHCP request information, add the following IP addresses as IP helper addresses to the VLAN interfaces where client devices are present.
- RSVCP-CPPM-1: 10.2.120.194
- RSVCP-CPPM-2: 10.2.120.195
Gather Client Device Information
The client information below is used to configure services later in the implementation process.
User Role/CPPM Role Information
The table below contains user roles that switches, gateways, and ClearPass use to secure client devices.
Role Name | Description | Authorization Method |
---|---|---|
MACHINE-AUTH | OWL domain computers | Active Directory |
EMPLOYEE | Default role for trusted employee users and computers | Active Directory |
IT-SUPPORT | Read-only/Limited access to infrastructure devices | Active Directory |
IT-ADMIN | Full access to infrastructure devices | Active Directory |
INFRA-DEVICE | APs, UXI Sensors, and other infrastructure devices | Endpoint Repository |
LND-STAFF | Learning & Development Staff | Active Directory |
LND-STUDENT | Learning & Development Student | Active Directory |
VOIP | VoIP Phones | Endpoint Repository |
PRINTER | Printers | Endpoint Repository |
GUEST | OWL Guest | Guest User Repository |
CONTRACTOR | Limited access to specific internal OWL resources and internet | Active Directory |
SECURITY | Cameras, door locks, and other OWL security devices | Endpoint Repository |
IOT-LIMITED | HVAC, lighting, A/V, and other OWL-owned headless devices | Guest Device Repository |
VLAN Information
The table below contains VLAN information used to configure Enforcement Policies (where applicable) later in the implementation process.
VLAN ID | VLAN Name |
---|---|
10 | Employee |
20 | Management |
30 | Voice |
40 | Printer |
50 | Guest |
60 | IoT |
Virtual Appliance Console Access
The final step is to gather the information required to access the console of the two new ClearPass virtual appliances after the server administrator has created the VMs. This is needed to access the System Configuration Wizard. For physical appliances, this configuration is performed using a physical console connection. For virtual appliances, a VM management interface is used.
After gathering all the information above, proceed to the ClearPass Appliance and Cluster Configuration chapter.