Managing AP Whitelists

Campus or remote APs appear as valid APs in the campus or remote AP whitelists when you manually enter their information into those whitelists through the WebUI or CLI of a controller, or after a controller sends a certificate to an AP as part of automatic certificate provisioning and the AP connects to the controller over a secure tunnel. APs that are not approved or certified on the network are included in the campus AP whitelists, but these APs appear in an unapproved state.

Use the AP whitelists to grant valid APs secure access to the network or to revoke access from suspected rogue APs. When you revoke or remove an AP from the campus or remote AP whitelists on a controller that uses CPsec (Control Plane Security), that AP will not be able to communicate with the controller again unless the AP obtains a new certificate.

Adding an AP to the Campus or Remote AP Whitelists

You can add an AP to the campus AP or remote AP whitelists using the WebUI or CLI.

In the WebUI

To add an AP to the campus AP or remote AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.
2. Click the Campus AP Whitelist or Remote AP Whitelist tab.
3. Click +.
4. Define the following parameters for each AP you want to add to the AP whitelist:

Table 1: AP Whitelist Parameters

Campus AP whitelist configuration parameters

MAC address: MAC address of the campus AP that supports secure communications to and from its controller.

AP name: Name of the campus AP. If you do not specify a name, the AP uses its MAC address as the AP name.

AP group: Name of the AP group to which the campus AP is assigned. If you do not specify an AP group, the AP uses default as its AP group.

Description: Brief description of the campus AP.

Remote AP whitelist configuration parameters

MAC address: MAC address of the remote AP, in colon-separated octets.

AP name: Name of the Remote AP. If you do not specify a name, the AP uses its MAC address as the AP name.

AP group: Name of the AP group to which the Remote AP is assigned.

Description: Brief description of the Remote AP.

5. Click Submit.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy changes.

In the CLI

To add an AP to the campus AP whitelist:

(host) [mynode] (config) #whitelist-db cpsec add mac-address <address>
   ap-group <ap_group>
   ap-name <ap_name>
   description <description>

To add an AP to the remote AP whitelist:

(host) [mynode] (config) #whitelist-db rap add mac-address <mac-address>
   ap-group <ap-group>
   ap-name <ap-name>
   description <description>
   full-name <name>
   remote-ip <inner-ip-adr>
   remote-ipv6 <ipv6 address>

Viewing AP Whitelist Entries

The WebUI displays the entries of the selected AP whitelist in a table.

The Configuration > Access Points > Whitelist tab displays the list of the campus AP whitelists by default. To view the list of remote AP whitelists, click Remote AP whitelist.

The remote AP whitelist entries page displays only the information you can manually configure. The campus AP whitelist entries page displays both user-defined settings and additional information that is updated when the status of a campus AP changes.

Table 2: Campus AP Parameters

Status: Displays the status of the AP whitelist entry.

Revoke: Shows if the secure status of the AP is revoked.

Revoke text: Brief description for revoking the campus AP.

Updated: Time and date of the last AP status update.

To view information about the campus and remote AP whitelists using the CLI, use the following commands:

(host) [mynode] #show whitelist-db cpsec

Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                   Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                   ---------     -----------  -----------  ------------
6c:f3:7f:cc:42:25                     Enabled  certified-factory-cert  factory-cert                            Thu Jul 7 03:42:21 2016
9c:1c:12:c0:7c:a6  default   san225   Enabled  certified-factory-cert  factory-cert                            Wed Aug 3 10:34:13 2016
24:de:c6:ca:94:ba                     Enabled  certified-factory-cert  factory-cert                            Fri Apr 22 06:28:46 2016
94:b4:0f:c0:cc:42                     Enabled  certified-factory-cert  factory-cert                            Fri Aug 5 06:54:43 2016
18:64:72:cf:e6:9c                     Enabled  certified-factory-cert  factory-cert                            Tue Aug 9 07:35:41 2016
ac:a3:1e:c0:e6:82                     Enabled  certified-factory-cert  factory-cert                            Wed Aug 10 09:12:23 2016
ac:a3:1e:cd:36:84                     Enabled  certified-factory-cert  factory-cert                            Fri Jun 17 05:50:02 2016
ac:a3:1e:c0:e6:9a                     Enabled  certified-factory-cert  factory-cert                            Thu May 26 06:31:13 2016

Total Entries: 8

(host) [mynode] #show whitelist-db cpsec-status

My Mac-Address 00:1a:1e:00:1a:b8
My IP-Address 10.15.28.16
Master IP-Address 10.15.28.16
Switch-Role Master
Whitelist-sync is disabled

Entries in Whitelist database
Total entries: 5
Approved entries: 0
Unapproved entries: 2
Certified entries: 2
Certified hold entries: 1
Revoked entries: 0
Marked for deletion entries: 0
Current Sequence Number: 147

(host) [mynode] #show whitelist-db rap

Entries in Whitelist database
Total entries: 0
Revoked entries: 0
Marked for deletion entries: 0
AP Entries: 4
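An added example (not from the vendor documentation) that parses a saved capture of the show whitelist-db cpsec output shown above and compares it with an approved AP inventory. It reports entries that are not in the inventory, entries that are not in a certified state, and inventory APs missing from the whitelist. The sample capture and inventory are constructed, the function names are hypothetical, and the Disabled value for the Enable column is an assumption.

```python
import re

# Row layout follows the column header of `show whitelist-db cpsec`.
# AP-Group and AP-Name may be blank, so the Enable column is the anchor.
# "Disabled" as an Enable value is an assumption (the page only shows "Enabled").
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<pre>.*?)\s*\b(?P<enable>Enabled|Disabled)\s+"
    r"(?P<state>\S+)\s+(?P<cert>\S+)\s*(?P<text>.*?)\s*"
    r"(?P<updated>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$"
)
TOTAL_RE = re.compile(r"^Total Entries:\s*(\d+)$")

# Constructed capture in the format shown above (last row is a made-up AP).
SAMPLE = """\
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------     -----------  -----------  ------------
9c:1c:12:c0:7c:a6  default   san225   Enabled  certified-factory-cert   factory-cert                            Wed Aug 3 10:34:13 2016
6c:f3:7f:cc:42:25                     Enabled  certified-factory-cert   factory-cert                            Thu Jul 7 03:42:21 2016
00:00:5e:00:53:01                     Enabled  approved-ready-for-cert  factory-cert                            Tue Aug 9 07:35:41 2016
Total Entries: 3
"""

# Constructed inventory of APs the organization has approved.
APPROVED = {"9c:1c:12:c0:7c:a6", "6C:F3:7F:CC:42:25", "00:00:5e:00:53:02"}


def parse_cpsec(text):
    """Return (entries, declared_total) parsed from the CLI capture."""
    entries, total = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            pre = m.group("pre").split()
            entries.append({
                "mac": m.group("mac").lower(),
                "ap_group": pre[0] if pre else "",
                "ap_name": pre[1] if len(pre) > 1 else "",
                "enabled": m.group("enable") == "Enabled",
                "state": m.group("state"),
                "cert_type": m.group("cert"),
                # Description and Revoke Text cannot be told apart once
                # whitespace is collapsed, so they are kept as one field.
                "text": m.group("text"),
                "updated": m.group("updated"),
            })
            continue
        t = TOTAL_RE.match(line)
        if t:
            total = int(t.group(1))
    return entries, total


def audit(text, approved_macs):
    """Return a list of (finding, detail) tuples for a whitelist capture."""
    entries, total = parse_cpsec(text)
    approved = {m.lower() for m in approved_macs}
    findings = []
    # A row-count mismatch means the capture was truncated or a row did not parse.
    if total is not None and total != len(entries):
        findings.append(("parse-mismatch", f"{len(entries)} rows parsed, {total} declared"))
    seen = set()
    for e in entries:
        seen.add(e["mac"])
        if e["mac"] not in approved:
            findings.append(("not-in-inventory", e["mac"]))
        if not e["state"].startswith("certified"):
            findings.append(("not-certified", e["mac"]))
    for mac in sorted(approved - seen):
        findings.append(("missing-from-whitelist", mac))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(*finding)
```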

Modifying an AP in the Campus AP Whitelist

Use the following procedures to modify the AP group, AP name, certificate type, state, description, and revoked status of an AP in the campus AP whitelist.

In the WebUI

To modify an AP in the campus AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.
2. Click the Campus AP Whitelist tab.
3. Select the check box of the AP that you want to modify.
4. Modify the settings of the selected AP. Some of the following parameters are available when adding an AP to the campus AP whitelist.

AP name: The name of the campus AP. If you do not specify a name, the AP uses its MAC address as a name.

AP group: The name of the AP group to which the campus AP is assigned.

Description: Brief description of the campus AP.

Status: Select Revoked or Accepted.

Revoked string: Enter a value for this string.

5. Click Submit to update the campus AP whitelist entry with its new settings.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy changes.

In the CLI

To modify an AP in the campus AP whitelist:

(host) #whitelist-db cpsec modify mac-address <name>
   ap-group <ap_group>
   ap-name <ap_name>
   cert-type {switch-cert|factory-cert}
   description <description>
   mode {disable|enable}
   revoke-text <revoke-text>
   state {approved-ready-for-cert|certified-factory-cert}

Revoking an AP from the Campus AP Whitelist

You can revoke an invalid or rogue AP either by modifying its revoke status (as described in Modifying an AP in the Campus AP Whitelist) or by directly revoking it from the campus AP whitelist without modifying any other parameter. When revoking an invalid or rogue AP, enter a brief description of why the AP is being revoked. When you revoke an AP from the campus AP whitelist, the whitelist retains the information of the AP. To revoke an invalid or rogue AP and permanently remove it from the whitelist, delete that entry.

In the WebUI

To revoke an AP from the campus AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.
2. Click the Campus AP Whitelist tab.
3. Click on the check box next to the AP you want to revoke and click Revoke. The Revoke window is displayed.
4. Enter a brief description of why the AP is being revoked in the Revoke text field.
5. Click Submit.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy changes.

In the CLI

To revoke an AP via the campus AP whitelist:

(host) [mynode] (config) #whitelist-db cpsec revoke mac-address <name> revoke-text <comment>

Deleting an AP from the Campus AP Whitelist

Before deleting an AP from the campus AP whitelist, verify that auto certificate provisioning is either disabled, or enabled only for IP addresses that do not include the AP being deleted. If you enable automatic certificate provisioning for an AP that is still connected to the network, you cannot delete it from the campus AP whitelist; the controller immediately re-certifies the AP and re-creates its whitelist entry.

In the WebUI

To delete an AP from the campus AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.
2. Click the Campus AP Whitelist tab.
3. Select the check box of the AP that you want to delete, then click Delete.
4. Click Delete.
5. Click Pending Changes.
6. In the Pending Changes window, select the check box and click Deploy changes.

In the CLI

To delete an AP from the campus AP whitelist:

(host) [mynode] (config) #whitelist-db cpsec del mac-address <name>

Purging a Campus AP Whitelist

Before adding a new managed device to a network using CPsec (Control Plane Security), purge the campus AP whitelist on the new managed device. To purge a campus AP whitelist, execute the following command:

(host) [mynode] (config) #whitelist-db cpsec purge

Offloading a Controller Whitelist to ClearPass Policy Manager

This feature allows you to maintain the AP whitelist externally on a ClearPass Policy Manager server. The controller, if configured to use an external server, can send a RADIUS access request to a ClearPass Policy Manager server. The MAC address of the AP is used as a username and password to construct the access request packet. The ClearPass Policy Manager server validates the RADIUS message and returns the relevant parameters for the authorized APs.

The following supported parameters are associated with the following Vendor Specific Attributes (VSAs). The ClearPass Policy Manager server sends them in the RADIUS access accept packet for authorized APs:

ap-group: Aruba-AP-Group

ap-name: Aruba-Location-ID

ap-remote-ip: Aruba-AP-IP-Address

The following defaults are used when any of the supported parameters are not provided by the ClearPass Policy Manager server in the RADIUS access accept response:

ap-group: The default ap-group is assigned to the AP.

ap-name: The MAC address of the AP is used as the AP name.

There is no change in the Remote AP role assignment. The Remote AP is assigned the role that is configured in the VPN default-rap profile.
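The exchange described above, modelled as an added example that is not part of the vendor documentation: the controller builds the Access-Request with the AP MAC as both User-Name and User-Password (hidden as RFC 2865 specifies), the policy server checks it against an external whitelist, and the controller applies the documented defaults for missing VSAs. The MAC formatting in the request, the shared secret, the whitelist contents and all function names are assumptions; VSAs are modelled by name rather than encoded on the wire.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types
SECRET = b"constructed-shared-secret"                # constructed value

# Constructed external whitelist, keyed by AP MAC (assumed lowercase, colon-separated).
EXTERNAL_WHITELIST = {
    "9c:1c:12:c0:7c:a6": {"Aruba-AP-Group": "branch-rap",
                          "Aruba-Location-ID": "san225",
                          "Aruba-AP-IP-Address": "192.0.2.10"},
    "00:00:5e:00:53:01": {},  # authorized AP for which no VSAs are returned
}


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(mac, secret, ident=1, authenticator=None):
    """Controller side: the AP MAC is both User-Name and User-Password.
    Simplified: a real request also carries NAS-IP-Address or NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    cred = mac.encode()
    attrs = b""
    for atype, value in ((USER_NAME, cred),
                         (USER_PASSWORD, hide_password(cred, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_credentials(packet, secret):
    """Policy-server side: return (User-Name, recovered User-Password)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    password = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    return attrs[USER_NAME].decode(errors="replace"), password.decode(errors="replace")


def policy_server(packet, secret, whitelist):
    """Accept only a whitelisted MAC whose password equals the username."""
    user, password = parse_credentials(packet, secret)
    entry = whitelist.get(user.lower())
    if entry is None or password != user:
        return "Access-Reject", {}
    return "Access-Accept", dict(entry)


def whitelist_params(mac, reply, vsas):
    """Controller side: map VSAs to whitelist parameters, with the documented defaults."""
    if reply != "Access-Accept":
        return None
    return {
        "ap-group": vsas.get("Aruba-AP-Group", "default"),
        "ap-name": vsas.get("Aruba-Location-ID", mac),
        "ap-remote-ip": vsas.get("Aruba-AP-IP-Address"),
    }


def onboard(mac, secret=SECRET, whitelist=EXTERNAL_WHITELIST):
    """Run both sides of the exchange for one AP MAC."""
    reply, vsas = policy_server(build_access_request(mac, secret), secret, whitelist)
    return whitelist_params(mac, reply, vsas)
```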

In the WebUI

To assign a ClearPass Policy Manager server to a Remote AP:

1. Configure a ClearPass Policy Manager server using the WebUI:
a. In the Mobility Master node hierarchy, navigate to Configuration > Authentication > Auth Servers tab.
b. Click + in the Server Groups table.
c. In the Add Server Group window, enter the server group name in the Name field.
d. Click Submit.
e. Click + in the All Server table.
f. In the New Server window, enter appropriate values in the following fields and click Submit:

- Name

- IP address / hostname

- Type

g. Select the server created.
h. In Server Options table, enter a value for the shared Key and re-enter the value in the Retype key field.
i. Click Submit.
j. Click Pending Changes.
k. In the Pending Changes window, select the check box and click Deploy changes.
l. Select the server group created in the previous steps. The Server Group table is displayed.
m. Click + in the Server Group table. A list of servers is displayed.
n. Select the ClearPass Policy Manager server you wish to map to the server group. Click Submit.
o. Click Pending Changes.
p. In the Pending Changes window, select the check box and click Deploy changes.
2. In the Mobility Master node hierarchy, navigate to Configuration > System > Profiles.
3. From All profiles select Wireless LAN > VPN Authentication > default-rap > Server Group.
4. Select the ClearPass Policy Manager server from the Server Group drop-down list.
5. Click Save.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy changes.

To assign a ClearPass Policy Manager server to a Remote AP that was initially an Instant AP:

1. Ensure that a ClearPass Policy Manager server is configured on the controller.
2. In the Mobility Master node hierarchy, navigate to Configuration > System > Profiles.
3. From All profiles select Wireless LAN > VPN Authentication > default-iap > Server Group.
4. Select the ClearPass Policy Manager server from the Server Group drop-down list.
5. Click Save.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy changes.

In the CLI

To add a ClearPass Policy Manager server to a Remote AP:

Configure a RADIUS server with the ClearPass Policy Manager server as the host address. In this example, cppm-rad is the ClearPass Policy Manager server name and cppm-sg is the server group name.

(host) [md] (config) #aaa authentication-server radius cppm-rad

(host) [md] (RADIUS Server "cppm-rad") #host 1.1.1.1

Add this server to a server group:

(host) [md] (config) #aaa server-group cppm-sg

(host) (Server Group "cppm-sg") #auth-server cppm-rad

Add this server group to the default-rap vpn profile:

(host) [md] (config) #aaa authentication vpn default-rap

(host)(VPN Authentication Profile "default-rap") #server-group cppm-sg