07-Mar-24

Preparing for ClearPass Deployment

ClearPass deployment requires gathering specific information about infrastructure, client devices, and access levels, among others.

This chapter provides implementation details for IT administrators deploying the ClearPass solution at Orange Widget Logistics (OWL), a fictional customer described on the Reference Customer page.


Licensing

After a ClearPass Policy Manager (CPPM) purchase, Aruba Licensing Management sends licensing details to the customer email address provided in the ordering process.

Gather License

The licensing email is formatted like the sample below:

License Management Email

Note: If the expected recipient does not receive the license email, contact the Aruba sales representative, partner account manager, or Aruba Support to request assistance.

The table below lists the licenses needed to deploy OWL’s two-node ClearPass cluster with the ability to authenticate up to 1,000 concurrent endpoints. One VM-based license is used for each virtual appliance, and one 1,000-endpoint license is applied at the Publisher node and shared between both appliances when the cluster is created.

| Part Number | Description | Quantity | Version |
|---|---|---|---|
| JZ399AAE | Aruba ClearPass Cx000V VM-Based Appliance E-LTU | 2 | 6.8.X.X |
| JZ402AAE | Aruba ClearPass New Licensing Access 1K Concurrent Endpoints E-LTU | 1 | 6.8.X.X |

Activate License

After the proper license and order information is collected, use the steps below to activate the license.

Step 1 Open a web browser and log into the Aruba Support Portal.

Step 2 After logging in, on the Support Portal page, click the License Management link in the center of the page. The License Management page appears.

ASP License Management

Step 3 On the License Management page, click the Activate button.

Step 4 On the Activate page, enter the order and confirmation number provided in the licensing email, then click the Load button.

ASP License Activate

Step 5 When the order details appear, select the part numbers and quantities to be used. Enter the required information at the bottom of the page and click Activate.

License Activation 2

Step 6 When the Activate-Summary page appears, save the Activation Key for each part number to apply later in the project and click the Done button.

License Activation 3

Download Software

To download the software:

Step 1 Open a web browser and log into the Aruba Support Portal.

Step 2 After logging in, on the Support Portal page, click the Software & Documents tab, then click the ClearPass Policy Manager (CPPM) link.

ASP Software Download

Step 3 When the Software and Documents page appears, use the FILTERS on the left to find the required image. Click the Download button at the right of the selected image.

Software Download

Step 4 After the download is complete, proceed to Gather Infrastructure Information, below.

Gather Infrastructure Information

This section outlines the information that must be gathered or shared with other parties. It is important to include all the details needed to prevent delays or service interruptions.

Network Administrator

As part of the discovery and design session, the information below is gathered for use during implementation.

Authentication Servers (ClearPass Appliances)

The authentication servers in this deployment are the ClearPass appliances. The table lists information needed for initial configuration.

| | Appliance 1 | Appliance 2 |
|---|---|---|
| Function | Publisher | Subscriber |
| Host Name | RSVCP-CPPM-1 | RSVCP-CPPM-2 |
| Management Port IP Address | 10.2.120.195 | 10.2.120.194 |
| Management Port Mask | 255.255.255.0 | 255.255.255.0 |
| Management Port Gateway | 10.2.120.1 | 10.2.120.1 |
| Virtual IP 1 | 10.2.120.192* | 10.2.120.192 |
| Virtual IP 2 | 10.2.120.193 | 10.2.120.193* |
| DNS Server 1 | 10.2.120.99 | 10.2.120.99 |
| DNS Server 2 | 10.2.120.98 | 10.2.120.98 |
| Administrator Password | Aruba123! | Aruba123! |
| NTP Server 1 | 10.2.120.99 | 10.2.120.99 |
| NTP Server 2 | 10.2.120.98 | 10.2.120.98 |
| Time Zone | Pacific Time | Pacific Time |

*Indicates the appliance to be set as the primary node for that virtual IP.

Network Devices (Authenticators)

The deployment calls for two types of authenticators: Aruba switches and gateways. ClearPass requires adding these devices to the Network Devices section in order to accept authentication requests sourced from them.

Individual Network Device Information

The table below lists information for each authenticator that must be added to Network Devices later in the implementation process.

| Host Name | IP Address | Device Type |
|---|---|---|
| RSVCP-TEST-AC1 | 10.15.55.245 | Aruba Switch |
| RSVCP-AG3-AC1 | 10.3.2.105 | Aruba Switch |
| RSVCP-AG3-AC2 | 10.3.2.112 | Aruba Switch |
| RSVCP-AG3-AC4 | 10.3.2.10 | Aruba Switch |
| RSVCP-TEST-GW1 | 10.15.55.2 | Aruba Gateway |
| RSVCP-SS2-CL1-1 | 10.6.15.11 | Aruba Gateway |
| RSVCP-SS2-CL1-2 | 10.6.15.12 | Aruba Gateway |

Note: ClearPass allows network devices to be added as a whole subnet or as individual IP addresses. For the reference customer devices listed above, each is entered individually, which limits the set of sources from which ClearPass accepts authentication requests to the known authenticators.

Common Network Device Information

The information below is the same across all devices listed in the table above. All three values are needed when configuring the authenticators in the Network Devices list later in the implementation process.

  • RADIUS Shared Secret: Aruba123!
  • TACACS+ Shared Secret: Aruba123!
  • Vendor Name: Aruba

Note: The administrator password and shared secrets shown in this chapter are reference-lab placeholders. In a production deployment, use long, unique values, and do not reuse the appliance administrator password as a RADIUS or TACACS+ shared secret.
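Before the appliance and network device values above are typed into ClearPass, it is worth running a mechanical consistency check on them. The script below is an added example, not part of this guide or of ClearPass: it loads the OWL appliance table and shared secrets from this chapter into a dictionary, verifies that every node address and virtual IP sits in the management subnet without collisions, and flags placeholder, short or reused credentials. The function names, the placeholder list and the 16-character minimum are this example's own assumptions.

```python
"""Consistency and credential-hygiene checks on a ClearPass deployment plan.

Added example, not from the Aruba page or ClearPass itself. PLAN is
constructed from the OWL tables in this chapter so the checks run offline.
"""
import ipaddress
import re

# Constructed from the Authentication Servers and Common Network Device tables.
PLAN = {
    "gateway": "10.2.120.1",
    "mask": "255.255.255.0",
    "nodes": {
        "RSVCP-CPPM-1": "10.2.120.195",
        "RSVCP-CPPM-2": "10.2.120.194",
    },
    "vips": ["10.2.120.192", "10.2.120.193"],
    "admin_password": "Aruba123!",
    "radius_secret": "Aruba123!",
    "tacacs_secret": "Aruba123!",
}

# Assumption: sample values that must never reach production; extend with
# your organisation's known defaults.
PLACEHOLDER_SECRETS = {"Aruba123!", "aruba123", "password", "changeme"}
MIN_SECRET_LEN = 16   # assumption: RADIUS/TACACS+ secrets are MD5-keyed, length is the defence
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")


def check_addressing(plan):
    """Every node IP and VIP must sit in the gateway subnet and be unique."""
    findings = []
    net = ipaddress.IPv4Network(f"{plan['gateway']}/{plan['mask']}", strict=False)
    entries = list(plan["nodes"].items()) + [
        (f"VIP {i}", v) for i, v in enumerate(plan["vips"], 1)
    ]
    seen = {}
    for name, ip in entries:
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            findings.append(f"{name}: {ip} is outside management subnet {net}")
        if addr in (net.network_address, net.broadcast_address) or ip == plan["gateway"]:
            findings.append(f"{name}: {ip} collides with network/broadcast/gateway address")
        if ip in seen:
            findings.append(f"{name}: {ip} duplicates {seen[ip]}")
        seen[ip] = name
    for name in plan["nodes"]:
        if not HOSTNAME_RE.match(name):
            findings.append(f"{name}: not a valid DNS label")
    return findings


def check_secrets(plan):
    """Flag sample, short or reused credentials before they reach the appliances."""
    findings = []
    secrets = {k: plan[k] for k in ("admin_password", "radius_secret", "tacacs_secret")}
    for field, value in secrets.items():
        if value in PLACEHOLDER_SECRETS:
            findings.append(f"{field}: placeholder value from the reference guide")
        if len(value) < MIN_SECRET_LEN:
            findings.append(f"{field}: shorter than {MIN_SECRET_LEN} characters")
    if len(set(secrets.values())) < len(secrets):
        findings.append("admin password and AAA shared secrets are reused across roles")
    return findings


def validate_plan(plan):
    """All findings for the plan; an empty list means it is ready to enter."""
    return check_addressing(plan) + check_secrets(plan)


if __name__ == "__main__":
    for finding in validate_plan(PLAN):
        print("FINDING:", finding)
```

Run against the OWL values as written, the addressing checks pass and every credential check fails, which is the expected result for a lab guide and the reason the values must be replaced before production.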

Network Device Groups

Authentication requests are filtered using Device Groups during Services configuration later in the implementation process. The table below lists the groups to be created and the device type each contains.

| Device Group | Devices (from Device Type column above) |
|---|---|
| Switches | Aruba Switch |
| Gateways | Aruba Gateway |

External Authentication Sources

This deployment authenticates client devices against several authentication sources, including internal databases in ClearPass and Windows Domain Controllers. The internal databases are created later in the process; note the Windows Domain Controller information ahead of time:

| | Domain Controller 1 | Domain Controller 2 |
|---|---|---|
| Host Name | rsvcp-ad1.owllab.net | rsvcp-ad2.owllab.net |
| Type | Active Directory | Active Directory |
| Bind DN | service@owllab.net | service@owllab.net |
| Bind Password | Aruba123! | Aruba123! |

VM Server Administrator

ESXi Virtual Appliance Software and Requirements

OWL must accommodate a maximum of 1,000 concurrent client devices in the first phase, with plans to increase to 5,000 in the second phase. As a result, the two virtual appliances are scoped as C2000V.

Provide the following information to the systems administrator responsible for deploying virtual appliances.

Note: Aruba ClearPass supports both physical and virtual appliance deployments. For complete details, refer to the ClearPass Installation Guide.

Note: When a ClearPass cluster design requires configuring Virtual IP addresses in a virtual machine deployment, forged transmits must be enabled on the VMware distributed virtual switch.

Network Administrator

Network Ports to Enable

The table below lists the network ports that must be open between the Publisher and Subscriber servers.

| Port | Protocol | Description |
|---|---|---|
| 80 | TCP | HTTP: Internal proxy |
| 123 | UDP | NTP: Time synchronization |
| 443 | TCP | HTTPS: Internal proxy and server-to-server service |
| 5432 | TCP | PostgreSQL: Database replication |

Because any Subscriber server can be promoted as the Publisher server, all port/protocol combinations listed above should be:

  • Bidirectional
  • Open between any two servers in the cluster
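The two requirements above (bidirectional, between any two servers) multiply quickly as a cluster grows, so a pre-flight check is easier to reason about when the full matrix is generated rather than typed by hand. The script below is an added example and not part of this guide or of ClearPass: it expands the port table into every ordered node pair, probes TCP ports with a plain connect and UDP/123 with a minimal RFC 5905 client request, and is meant to be run once from each node so both directions are covered. The node addresses are the OWL appliances from this chapter; the function names and the 3-second timeout are this example's own.

```python
"""Pre-flight reachability check for the ports ClearPass cluster nodes need.

Added example, not from the Aruba page. Builds the bidirectional check
matrix for any number of nodes and probes it from the local node.
"""
import socket
from itertools import permutations

# Port table from this chapter: (port, protocol, description).
CLUSTER_PORTS = [
    (80, "tcp", "HTTP: internal proxy"),
    (123, "udp", "NTP: time synchronization"),
    (443, "tcp", "HTTPS: internal proxy and server-to-server"),
    (5432, "tcp", "PostgreSQL: database replication"),
]


def check_matrix(nodes, ports=CLUSTER_PORTS):
    """Every ordered pair of nodes, every port: n*(n-1)*len(ports) checks.
    Both directions are included because any subscriber may be promoted."""
    return [(src, dst, port, proto)
            for src, dst in permutations(nodes, 2)
            for port, proto, _ in ports]


def probe_tcp(host, port, timeout=3.0):
    """True if the TCP handshake completes (the service may still reject us later)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ntp(host, timeout=3.0):
    """Send a minimal NTPv4 client request and wait for any reply on UDP/123.
    UDP has no handshake, so silence is the only failure signal."""
    request = bytes([0x23]) + bytes(47)   # LI=0, VN=4, Mode=3 (client), rest zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (host, 123))
            data, _ = s.recvfrom(48)
            return len(data) >= 48
        except OSError:
            return False


def run_from_local_node(local, nodes):
    """Run only the checks whose source is this node; repeat on every node
    so that each direction of each pair is exercised."""
    results = {}
    for src, dst, port, proto in check_matrix(nodes):
        if src != local:
            continue
        ok = probe_ntp(dst) if proto == "udp" else probe_tcp(dst, port)
        results[(dst, port, proto)] = ok
    return results


if __name__ == "__main__":
    nodes = ["10.2.120.195", "10.2.120.194"]  # RSVCP-CPPM-1, RSVCP-CPPM-2
    for (dst, port, proto), ok in sorted(run_from_local_node(nodes[0], nodes).items()):
        print(f"{'OK  ' if ok else 'FAIL'} {proto}/{port} -> {dst}")
```

A successful TCP connect only proves the path is open; it says nothing about certificates or replication health, which the cluster join itself will report. For the NTP check, a firewall that drops UDP silently looks identical to an NTP server that is down, so confirm the server answers from a known-good host before blaming the network.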

IP Helper Addresses

To profile devices on the OWL network, ClearPass uses DHCP fingerprinting. To enable ClearPass to receive and collect DHCP request information, add the management IP addresses of both appliances as IP helper addresses on the VLAN interfaces where client devices are present:

RSVCP-CPPM-1: 10.2.120.195

RSVCP-CPPM-2: 10.2.120.194

The relay forwards each client DHCP broadcast as a unicast to UDP port 67 on every helper address, so that traffic must be permitted from each client VLAN interface to the appliance management addresses.
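The packet that arrives at the helper address is the client's original request with the relay's own address filled into giaddr, and the profiler reads the client MAC, the parameter request list (option 55), the vendor class (option 60) and the hostname (option 12) from it. The code below is an added example, not from this guide or from ClearPass: it constructs one relayed DHCPDISCOVER as a VLAN interface would forward it and decodes those fields. The MAC address, hostname, vendor class, option list and the relay address 10.2.10.1 are all constructed sample values and assumptions of this example, not values from the OWL design.

```python
"""Decode the DHCP requests that IP helpers relay to ClearPass.

Added example, not from the Aruba page. Builds one constructed, relayed
DHCPDISCOVER and extracts the attributes a DHCP profiler keys on.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed part, 236 bytes


def _opt(code, value):
    """One TLV option: code, length, value."""
    return bytes([code, len(value)]) + value


def build_relayed_discover(mac, giaddr, hostname, vendor_class, prl):
    """Constructed sample of what arrives on UDP/67 after a relay has set
    hops=1 and giaddr to the client VLAN interface address."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 1,                        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1 (relayed)
        0x3903F326, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),      # ciaddr, yiaddr, siaddr: client has no address yet
        bytes(map(int, giaddr.split("."))),
        chaddr, bytes(64), bytes(128),     # chaddr, sname, file
    )
    options = (
        _opt(53, b"\x01")                  # DHCPDISCOVER
        + _opt(12, hostname.encode())
        + _opt(60, vendor_class.encode())
        + _opt(55, bytes(prl))
        + b"\xff"                          # END
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Decode the fixed header and the TLV options, honouring PAD and END."""
    fields = struct.unpack(HEADER_FMT, packet[:236])
    op, _htype, hlen, hops, xid, _secs, flags, _ci, _yi, _si, giaddr, chaddr, _, _ = fields
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:          # PAD
            i += 1
            continue
        if code == 255:        # END
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
        "giaddr": ".".join(str(b) for b in giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": options,
    }


def fingerprint(parsed):
    """Attributes a DHCP profiler matches against its fingerprint database:
    the ordered option-55 list is the classic fingerprint; vendor class and
    hostname corroborate it; giaddr tells you which VLAN relayed it."""
    opts = parsed["options"]
    return {
        "mac": parsed["chaddr"],
        "relay_interface": parsed["giaddr"],
        "message_type": opts[53][0] if 53 in opts else None,
        "dhcp_fingerprint": ",".join(str(b) for b in opts.get(55, b"")),
        "vendor_class": opts.get(60, b"").decode(errors="replace"),
        "hostname": opts.get(12, b"").decode(errors="replace"),
    }


# Constructed sample: a Windows-style request relayed by an assumed VLAN 10 SVI.
SAMPLE = build_relayed_discover(
    "00:11:22:33:44:55", "10.2.10.1", "OWL-LT-0042", "MSFT 5.0",
    [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252],
)

if __name__ == "__main__":
    for key, value in fingerprint(parse_dhcp(SAMPLE)).items():
        print(f"{key:18} {value}")
```

Because the fingerprint is whatever the client chooses to send, it is a profiling hint and not an authentication factor: a device can claim any vendor class or option list. That is why the roles below that rely on the Endpoint Repository are paired with MAC-based enforcement and limited VLANs rather than treated as trusted.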

Gather Client Device Information

The client information below is used to configure services later in the implementation process.

User Role/CPPM Role Information

The table below contains user roles that switches, gateways, and ClearPass use to secure client devices.

| Role Name | Description | Authorization Method |
|---|---|---|
| MACHINE-AUTH | OWL domain computers | Active Directory |
| EMPLOYEE | Default role for trusted employee users and computers | Active Directory |
| IT-SUPPORT | Read-only/Limited access to infrastructure devices | Active Directory |
| IT-ADMIN | Full access to infrastructure devices | Active Directory |
| INFRA-DEVICE | APs, UXI Sensors, and other infrastructure devices | Endpoint Repository |
| LND-STAFF | Learning & Development Staff | Active Directory |
| LND-STUDENT | Learning & Development Student | Active Directory |
| VOIP | VoIP Phones | Endpoint Repository |
| PRINTER | Printers | Endpoint Repository |
| GUEST | OWL Guest | Guest User Repository |
| CONTRACTOR | Limited access to specific internal OWL resources and internet | Active Directory |
| SECURITY | Cameras, door locks, and other OWL security devices | Endpoint Repository |
| IOT-LIMITED | HVAC, lighting, A/V, and other OWL-owned headless devices | Guest Device Repository |

VLAN Information

The table below contains VLAN information used to configure Enforcement Policies (where applicable) later in the implementation process.

| VLAN ID | VLAN Name |
|---|---|
| 10 | Employee |
| 20 | Management |
| 30 | Voice |
| 40 | Printer |
| 50 | Guest |
| 60 | IoT |

Virtual Appliance Console Access

The final step is to gather the information required to access the console of the two new ClearPass virtual appliances after the server administrator has created the VMs. Console access is needed to run the System Configuration Wizard. For physical appliances, this configuration is performed over a physical console connection. For virtual appliances, the VM management interface is used.

After gathering all the information above, proceed to the ClearPass Appliance and Cluster Configuration chapter.