07-Mar-24

Configure ClearPass Appliances and Cluster

After gathering the information listed in the previous chapter, continue with ClearPass appliance and cluster configuration.

This chapter outlines the steps to deploy one Aruba ClearPass Publisher and one Subscriber in a cluster for Orange Widget Logistics (OWL), the fictional customer described on the Reference Customer page. Although the instructions are specific to the scope of the sample deployment, they can be used as a reference point to deploy other ClearPass Policy Manager clusters.


Appliance Configuration

System Configuration Wizard

Follow the steps below to complete the initial setup of the new appliances and make them network-accessible.

Note: The System Configuration Wizard steps in this subsection are the same for both physical and virtual appliances.

Step 1 With the virtual machine’s management access information obtained in the last step of the previous chapter, open the command line interface (CLI) from the console of the first ClearPass appliance.

  • In ESXi, go to Virtual Machines > RSVCP-CPPM-1 > Console

[Figure: ESXi Console]

Step 2 Log in using the following default credentials:

  • User: appadmin
  • Password: eTIPS123

[Figure: Startup Config Login]

Step 3 Enter the information for the first ClearPass server as prompted in the System Configuration Wizard. Remember that this is information collected in the Authentication Servers (ClearPass Appliances) section of the previous chapter.

  • Enter hostname: RSVCP-CPPM-1
  • Enter Management Port IPv4 Address/PrefixLen (Ex: 1.1.1.1/24): 10.2.120.195/24
  • Enter Management Port IPv4 Gateway: 10.2.120.1
  • Enter Management Port IPv6 Address/PrefixLen: Press ENTER to skip
  • Enter Data Port IPv4 Address/PrefixLen: Press ENTER to skip
  • Enter Data Port IPv6 Address/PrefixLen: Press ENTER to skip
  • Enter Primary DNS: 10.2.120.99
  • Enter Secondary DNS: 10.2.120.98
  • Do you want to enable SLAAC mode? n
  • New Password: Aruba123!
  • Confirm Password: Aruba123!
  • Do you want to configure system date time information? y
  • Please select the date time configuration options: 2
  • Enter Primary NTP Server: 10.2.120.99
  • Enter Secondary NTP Server: 10.2.120.98
  • Do you want to configure the timezone? y
  • Please select a continent or ocean: 2
  • Please select a country: 49
  • Please select one of the following time zone regions: 21
  • Is the above information OK? 1
  • Do you want to enable FIPS Mode? n
  • Proceed with the configuration. Enter the choice: y

A sample console session is shown below. (Entered values appear in orange font for emphasis. The actual console session is monochrome.)

[Figure: System Configuration Wizard console session]

Step 4 After completing the last prompt to confirm the configuration, repeat the above steps for the second CPPM server.

Step 5 Wait for both servers to become available in the web browser, then move to the following section.

Licensing

The license activation keys collected during the ClearPass Preparation chapter are added in the following steps. The required keys are used in the following manner:

  • Two (2) Platform Licenses, one for each virtual appliance.
  • One (1) Access License, added to the first virtual appliance and shared between both nodes when the cluster is formed.

Add Licenses

The first login to a ClearPass virtual appliance’s web interface prompts for an appliance license key (collected in the previous chapter). Follow the steps below to apply the licenses.

Step 1 Retrieve the license keys listed in the License Gathering steps in the ClearPass Preparation chapter.

Step 2 Open a web browser and connect to the first ClearPass appliance using its IP address.

Step 3 Click the ClearPass Policy Manager button.

[Figure: CPPM Welcome Screen]

Step 4 On the next page, in the Enter license key text box, paste one of the two ClearPass Platform Activation Keys obtained previously, then click the Add License button.

[Figure: Platform Activation Key]

Step 5 Log in with the password created in the System Configuration Wizard section earlier in this chapter.

  • Username: admin
  • Password: Aruba123!

Note: The password created during the System Configuration Wizard is used to log in to both the web UI and the CLI (through either the console or SSH). However, remember that the username for the web UI is admin and the username for the CLI is appadmin.

Step 6 After logging in, go to Administration > Server Manager > Licensing and click the Add License link at the upper right. In the Add License window, paste the Access activation key obtained previously. Review and accept the terms and conditions, then click the Add License button.

[Figure: Add Access License]

Step 7 Confirm that the Access license total count increased to the amount expected. The total count is found in the License Summary tab of the Licensing page.

Note: If the total license count is different than expected, check if additional keys must be added. Verify that the correct license quantities were selected during the activation process. Check if licenses were split into multiple line items: for example, two NL AC 500 license keys are listed instead of one NL AC 1K.

Step 8 After applying the licenses to RSVCP-CPPM-1, repeat steps 1 to 5 above for RSVCP-CPPM-2.

Note: Step 6 is not performed for the second CPPM server. The Access license added in Step 6 is shared by both appliances when they form a cluster.

Configure HPE Passport Credentials

To activate licenses on the newly created ClearPass appliances, the HPE Passport Credentials must first be configured in the Software Updates section. Follow the steps below to complete activation.

Step 1 Open a web browser and connect to the first ClearPass appliance using its IP address.

Step 2 Go to Administration > Agents and Software Updates > Software Updates and click the Generate Token button on the upper right. Follow the prompts to enter the HPE Passport Credentials.

[Figure: Generate Token]

Activate Licenses

Step 1 After saving credentials for the ClearPass server, return to the Administration > Server Manager > Licensing > Servers tab. Click the red Click to Activate link. When the Activate License window appears, click the Activate Now button.

[Figure: Activate Now]

Step 2 Repeat the previous step for the Applications tab to activate the Access license.

Step 3 To verify that activation succeeded, click both the Servers and Applications tabs and confirm that a green-and-white checkmark icon appears in the Activation Status column.

[Figures: Activation Status on the Servers tab (Activated) and the Applications tab (Activated2)]

Step 4 With server and application licenses activated, repeat step 1 for ClearPass server 2.

Cluster Configuration

Deploying an Aruba ClearPass cluster requires creating a logical connection between any combination of ClearPass hardware or virtual appliances. This section outlines the steps to deploy a two-node cluster consisting of one Publisher and one Subscriber.

Add Subscriber

Configuring the cluster starts with RSVCP-CPPM-2, which acts as the subscriber to RSVCP-CPPM-1.

Step 1 Open a web browser and connect to RSVCP-CPPM-2.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 From the CPPM Dashboard, go to Administration > Server Manager > Server Configuration and click the Make Subscriber link on the upper right of the window. When the Add Subscriber Node window appears, enter the IP address and admin password for RSVCP-CPPM-1, check the second checkbox, and click the Proceed button.

[Figure: Make Subscriber]

Step 4 When prompted, click the “Enable..” checkbox, then click the Save button as illustrated below.

[Figure: Add Subscriber Node]

Step 5 Allow activation time (typically 5-15 minutes), then log into RSVCP-CPPM-1’s web UI.

Step 6 Verify that the cluster was formed. The Dashboard > Cluster Status pane displays both servers with a green icon and a status of OK at the far right for each node.

[Figure: Verify Cluster Status]

Step 7 When the cluster is formed, proceed to the next section.

Note: After the cluster is formed, all subsequent configuration is performed using the Publisher node. See the Cluster Configuration Options page for more details.

Configure Virtual IP Addresses

Two nodes in a cluster can be configured to share one or more virtual IP addresses. Each virtual IP address is bound to its Primary node by default; the Secondary node takes over when the Primary node is unavailable. For OWL’s ClearPass deployment, two virtual IPs are configured according to the following table.

Virtual IP     Primary Node   Secondary Node   Interface   Virtual Host ID
10.2.120.192   RSVCP-CPPM-1   RSVCP-CPPM-2     MGMT        1
10.2.120.193   RSVCP-CPPM-2   RSVCP-CPPM-1     MGMT        2

Note: Although not required, this sample cluster is configured with two virtual IP addresses for load balancing. This is achieved by configuring one virtual IP address as the primary RADIUS server for switches and gateways from half of the sites and the other as the primary RADIUS server for the other half, ensuring that both ClearPass appliances actively serve clients at all times.

Note: If a ClearPass cluster design requires configuring Virtual IP address(es) in a virtual machine deployment similar to this sample deployment, then “forged transmits” must be enabled on the VMWare distributed virtual switch to allow the Virtual IP feature.
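As an added example that is not part of the HPE guide, the following Python script checks the addressing plan formed by the System Configuration Wizard values and the Virtual IP table above before they are typed into the appliances: both nodes in one management subnet, the gateway inside that subnet, every virtual IP inside the subnet and not colliding with a node, gateway, DNS or NTP address, distinct primary and secondary nodes per virtual IP, and unique Virtual Host IDs. It also reports any node that is primary for no virtual IP, which would defeat the load-balancing design described in the note. RSVCP-CPPM-2’s management address (10.2.120.196/24) is not stated on this page and is an assumption; the function names are the example’s own.

```python
# Added example (not part of the HPE guide): sanity-check the ClearPass
# addressing plan before entering it in the System Configuration Wizard and
# the Virtual IP Settings window. Values come from this chapter except where
# marked as assumptions.
import ipaddress

NODES = {  # management address/prefix entered in the System Configuration Wizard
    "RSVCP-CPPM-1": "10.2.120.195/24",
    "RSVCP-CPPM-2": "10.2.120.196/24",  # assumption: not stated on the page
}
GATEWAY = "10.2.120.1"
DNS_AND_NTP = ["10.2.120.99", "10.2.120.98"]

# (virtual IP, primary node, secondary node, interface, virtual host ID)
VIPS = [
    ("10.2.120.192", "RSVCP-CPPM-1", "RSVCP-CPPM-2", "MGMT", 1),
    ("10.2.120.193", "RSVCP-CPPM-2", "RSVCP-CPPM-1", "MGMT", 2),
]


def check_plan(nodes, gateway, reserved, vips):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in nodes.items()}
    networks = {i.network for i in ifaces.values()}
    if len(networks) != 1:
        return ["cluster nodes are not in a single management subnet"]
    net = networks.pop()

    node_ips = [i.ip for i in ifaces.values()]
    if len(set(node_ips)) != len(node_ips):
        problems.append("two nodes share the same management address")

    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")

    # Addresses a virtual IP must never collide with.
    taken = {gw, *node_ips, *(ipaddress.ip_address(s) for s in reserved)}
    seen_vhids = set()
    for vip, primary, secondary, _iface, vhid in vips:
        v = ipaddress.ip_address(vip)
        if v not in net:
            problems.append(f"VIP {v} is outside {net}")
        if v in taken:
            problems.append(f"VIP {v} collides with an address already in use")
        taken.add(v)
        if primary not in nodes or secondary not in nodes:
            problems.append(f"VIP {v}: primary or secondary is not a cluster node")
        if primary == secondary:
            problems.append(f"VIP {v}: primary and secondary must be different nodes")
        if vhid in seen_vhids:
            problems.append(f"VIP {v}: virtual host ID {vhid} is already used")
        seen_vhids.add(vhid)
    return problems


def nodes_without_primary_vip(nodes, vips):
    """Nodes that own no VIP as primary; with this chapter's design the list is empty."""
    return sorted(set(nodes) - {primary for _vip, primary, *_rest in vips})


if __name__ == "__main__":
    for p in check_plan(NODES, GATEWAY, DNS_AND_NTP, VIPS) or ["plan is consistent"]:
        print(p)
    print("idle nodes:", nodes_without_primary_vip(NODES, VIPS))
```

Run it after filling in the real RSVCP-CPPM-2 address; any line printed other than “plan is consistent” should be resolved before the Virtual IP Settings are saved.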

Follow the steps below to configure the Virtual IP Settings.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Server Manager > Server Configuration and click the Virtual IP Settings link at the upper right area.

[Figure: Virtual IP Settings 1]

Step 4 In the Virtual IP Settings window, enter the first Virtual IP configuration using the table at the beginning of this subsection. Click the Save button.

[Figure: Virtual IP Settings 2]

Step 5 Repeat step 4 above for the second Virtual IP configuration.

Step 6 Click the Close button and re-open the Virtual IP Settings window to verify that both addresses show a Status of Enabled, similar to the screenshot below.

[Figure: Virtual IP Settings 3]

Join Domain

This procedure describes the steps to integrate Policy Manager and Microsoft Active Directory. For some use cases, Policy Manager is required to join the Active Directory, for example: 802.1X authentication with EAP-PEAP-MSCHAPv2. In other use cases, such as with Captive Portal authentication, joining Policy Manager to Active Directory is optional.

A one-time procedure to join Policy Manager to the domain must be performed from an account that has the ability to join a computer to the domain. For this deployment, use the credentials recorded in the External Authentication Sources subsection of the ClearPass Preparation page.

  • Username: olwservice@owllab.net
  • Password: Aruba123!

Follow the steps below to join both ClearPass appliances to the domain.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Server Manager > Server Configuration and click anywhere along the line of RSVCP-CPPM-1 indicated by the red box below. Do not click the radio button next to the server name.

[Figure: Domain Join 1]

Step 4 In the Server Configuration details page for RSVCP-CPPM-1, in the System tab, enter the fully qualified domain name for the appliance. Click the Save button.

[Figure: Configure FQDN]

Step 5 After saving the FQDN setting, scroll to the bottom of the page, click the Join AD Domain button on the lower right, and enter the required information in the Join AD Domain window. Click Save to close the window.

[Figure: Join AD Domain]

Step 6 Wait for the domain join process to finish and click the Close button.

[Figure: Domain Join Complete]

Step 7 Repeat steps 3 to 6 for RSVCP-CPPM-2, then proceed to the next section.

Enable Insight

Multiple functions depend on Policy Manager Insight. For example, to use MAC caching, Policy Manager Insight must be enabled on at least one server within a cluster. Enabling Policy Manager Insight on at least two servers in a cluster is recommended. For more details, see the Policy Manager Insight section of the CPPM User Guide.

Follow the steps below to enable Policy Manager Insight.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Server Manager > Server Configuration and click anywhere along the line of RSVCP-CPPM-1 indicated by the red box below. Do not click the radio button next to the server name.

[Figure: Insight 1]

Step 4 In the Server Configuration details page for RSVCP-CPPM-1, in the System tab, check both boxes in the Insight Setting section and click the Save button to enable Insight for the publisher and set it as the primary Insight server.

[Figure: Enable Insight]

Step 5 Repeat the steps above for RSVCP-CPPM-2, but do not check the box to set it as the primary Insight server as shown below.

[Figure: Enable Insight 2]

Step 6 With Insight enabled on both nodes in this cluster, proceed to the next steps.

Enable Log Interim Accounting

Follow the steps below to enable ClearPass to collect more granular RADIUS accounting information.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Server Manager > Server Configuration and click anywhere along the line of RSVCP-CPPM-1 indicated by the red box below. Do not click the radio button next to the server name.

[Figure: Insight 1]

Step 4 In the Server Configuration details page for RSVCP-CPPM-1, in the Service Parameters tab, select the Radius server option from the Select Service dropdown. Scroll to the Accounting section, set the Log Accounting Interim-Update Packets option to TRUE, and click the Save button.

[Figure: Log Interim Accounting]

Step 5 Repeat the steps above for RSVCP-CPPM-2 and proceed to the next section.
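To show what the Log Accounting Interim-Update Packets setting adds to the accounting data ClearPass records, the following Python script is an added example (not code from the HPE guide or from ClearPass). It builds a constructed RADIUS accounting session per RFC 2866 (Start, two Interim-Updates, Stop), validates each packet’s Request Authenticator against the shared secret so that records from an unknown or spoofed NAS are rejected, and turns the cumulative octet counters into per-interval deltas. The NAS address, user name, session ID, counters and shared secret are all constructed; the function names are the example’s own.

```python
# Added example, not part of the HPE guide: decode RADIUS Accounting-Request
# packets (RFC 2866) and validate their Request Authenticator. Everything
# below (secret, NAS address, user, session, counters) is constructed data.
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code
# Attribute type numbers from RFC 2865/2866.
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
COUNTERS = {ACCT_INPUT_OCTETS: "input_octets",
            ACCT_OUTPUT_OCTETS: "output_octets",
            ACCT_SESSION_TIME: "session_time"}

SECRET = b"constructed-shared-secret"  # constructed; real NAS secrets are per device
NAS_IP = bytes([10, 2, 120, 50])       # constructed switch address


def u32(n):
    return struct.pack("!I", n)


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs; length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_accounting_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def authenticator_valid(packet, secret):
    """True when the Request Authenticator was computed with this shared secret."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def decode_accounting_request(packet, secret):
    """Return one accounting record as a dict; reject malformed or unauthenticated packets."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if not authenticator_valid(packet, secret):
        raise ValueError("Request Authenticator mismatch (wrong secret or forged packet)")
    rec = {"identifier": identifier}
    for t, v in parse_attrs(packet[20:]):
        if t == USER_NAME:
            rec["user"] = v.decode()
        elif t == ACCT_SESSION_ID:
            rec["session_id"] = v.decode()
        elif t == NAS_IP_ADDRESS:
            rec["nas_ip"] = ".".join(str(b) for b in v)
        elif t == ACCT_STATUS_TYPE:
            rec["status"] = STATUS_NAMES.get(struct.unpack("!I", v)[0], "Unknown")
        elif t in COUNTERS:
            rec[COUNTERS[t]] = struct.unpack("!I", v)[0]
    return rec


def sample_session():
    """Constructed records for one 802.1X session: Start, two Interim-Updates, Stop."""
    common = [(USER_NAME, b"owllab\\jdoe"), (NAS_IP_ADDRESS, NAS_IP),
              (ACCT_SESSION_ID, b"5F3A9C01")]
    # (Acct-Status-Type, Acct-Session-Time, Acct-Input-Octets, Acct-Output-Octets)
    records = [(1, 0, 0, 0), (3, 600, 150000, 2400000),
               (3, 1200, 320000, 5100000), (2, 1500, 400000, 6000000)]
    packets = []
    for ident, (status, secs, inb, outb) in enumerate(records, start=1):
        attrs = common + [(ACCT_STATUS_TYPE, u32(status)), (ACCT_SESSION_TIME, u32(secs)),
                          (ACCT_INPUT_OCTETS, u32(inb)), (ACCT_OUTPUT_OCTETS, u32(outb))]
        packets.append(build_accounting_request(ident, attrs, SECRET))
    return packets


def session_timeline(packets, secret):
    """Per record: (status, session_time, input delta, output delta) since the previous record.
    With interim logging disabled only the Start and Stop rows would exist."""
    timeline, prev_in, prev_out = [], 0, 0
    for p in packets:
        r = decode_accounting_request(p, secret)
        timeline.append((r["status"], r["session_time"],
                         r["input_octets"] - prev_in, r["output_octets"] - prev_out))
        prev_in, prev_out = r["input_octets"], r["output_octets"]
    return timeline


if __name__ == "__main__":
    for row in session_timeline(sample_session(), SECRET):
        print(row)
```

The per-interval deltas are the granularity the setting buys: without interim updates, a 25-minute session is a single Stop record with totals, and any usage spike inside it is invisible. The authenticator check is the part a defender should not skip when consuming accounting data from a log export, because the counters are only as trustworthy as the NAS that signed them.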

Update Cluster Software

ClearPass Policy Manager regularly checks the Policy Manager Webservice server for available updates. Appliances can be updated individually or as a cluster using Cluster Update. The Cluster Update page automates the process: the Publisher is updated first, followed by the selected Subscribers.

Follow the steps below to update the cluster. Find more information in the Software Updates section of the ClearPass User Guide.

Note: Valid HPE Passport Credentials must be configured to receive updates. Please refer to the Configure HPE Passport Credentials section earlier in this guide for details.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Agents and Software Updates > Software Updates > Firmware & Patch Updates and click the Download buttons for the required patches. The new guest skin and the latest patch are downloaded for this sample deployment.

[Figure: Download Updates]

Step 4 After both updates are complete, verify that the Download buttons changed to Install. Click the Cluster Update link at the upper right.

[Figure: Cluster Update]

Step 5 On the Cluster Update page, select the Cumulative Patch and click the Start Update link on the upper right to open the Start Cluster Update window.

[Figure: Cluster Update 2]

Step 6 On the Start Cluster Update window, click the checkbox for the subscriber node, RSVCP-CPPM-2. Click the Update button.

[Figure: Start Cluster Update]

Step 7 Allow time for updates to complete. For reference, OWL’s two-node cluster took 90 minutes to install the Cumulative Patch on both appliances.

Step 8 Repeat steps 5 and 6 for the Galleria Skin 3 update.

For more information about the Cluster Update page, see the Cluster Update and Upgrade section in the ClearPass Policy Manager User Guide.

Note: When appliances are taken out of a cluster, for each resulting standalone appliance, you must go to Administration > Agents and Software Updates > Software Updates and use the Generate Token button to generate a new software updates token specific to that appliance.

Step 9 When all updates are complete, proceed to the next section.

Configure Certificates

This section covers certificate-related tasks to obtain and install a signed server certificate from Active Directory for 802.1X authentication to support OWL’s ClearPass deployment. Find more options and details in the Certificate Store section of the ClearPass User Guide.

Create Certificate Signing Request (CSR)

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Certificates > Certificate Store > Server Certificates tab, choose RSVCP-CPPM-1 from the Select Server dropdown, choose RADIUS/EAP Server Certificate from the Select Usage dropdown, then click the Create Certificate Signing Request link at the upper right of the window.

[Figure: Generate CSR]

Step 4 In the Create Certificate Signing Request window, enter the following information for RSVCP-CPPM-1, then click the Submit button:

  • Common Name (CN): RSVCP-CPPM-1
  • Organization: *Orange Widget Logistics
  • Organizational Unit (OU): *IT
  • Location (L): *Roseville
  • State (ST): *CA
  • Country (C): *US
  • Subject Alternate Name (SAN): *DNS: 10.2.120.194
  • Private Key Password: Aruba123!
  • Verify Private Key Password: Aruba123!
  • Private Key Type: 2048-bit RSA
  • Digest Algorithm: SHA-512

*Optional

[Figure: Create CSR Window]

Step 5 After clicking the Submit button, copy the CSR text that appears, paste it to a Notepad or email body, then click the Download CSR button.

[Figure: CSR Key]

Step 6 While still logged into the Publisher node, repeat steps 3 to 5 for RSVCP-CPPM-2’s CSR, changing only the Select Server option in Step 3 and CN and SAN information in Step 4 with RSVCP-CPPM-2’s information.

Step 7 Provide the copied CSR text or the downloaded CSR files to the Windows server administrator and request the Root CA and RADIUS server certificates.

Note: The Private Key is automatically stored on the current Policy Manager server. This allows for the upload (import) of the certificate without including the Private Key as part of the import process.

Step 8 When the certificates are received, proceed to the following section.

Import Certificates

Root CA Certificate

Follow the steps below to import the Root CA certificate through the publisher’s web UI.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Certificates > Trust List and click the +Add link at the upper right.

[Figure: Import Root CA Certificate]

Step 4 In the Add Certificate window, select the .cer file for the Root CA, select EAP from the Usage dropdown, and click the Add Certificate button.

[Figure: Add Root CA Certificate]

Step 5 After importing the Root CA certificate, proceed to the following section to import the RADIUS server certificates.

RADIUS Server Certificate

Follow the steps below to import the server certificates for both ClearPass servers through the publisher’s web UI.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Administration > Certificates > Certificate Store and click the Import Certificate link at the upper right to open the Import Certificate window.

[Figure: Import Server Certificate]

Step 4 In the Import Certificate window, enter the following parameters for this deployment, then click the Import button.

  • Certificate type: Server Certificate
  • Server IP: RSVCP-CPPM-1
  • Usage: RADIUS/EAP Server Certificate
  • Upload Method: Upload Certificate and Use Saved Private Key
  • Certificate File: Select the certificate file for RSVCP-CPPM-1 received from the Windows administrator

[Figure: Import Certificate File]

Step 5 Repeat steps 3 and 4 for RSVCP-CPPM-2, selecting it as the server and choosing its certificate file in step 4, to import the second certificate.

After completing these tasks, proceed to the Configure WLAN and LAN Authentication chapter.


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.