Configure ClearPass Appliances and Cluster
After gathering information cited in the previous chapter, continue with ClearPass appliance and cluster configuration.
This chapter outlines the steps to deploy one Aruba ClearPass Publisher and one Subscriber in a cluster for Orange Widget Logistics (OWL), the fictional customer described on the Reference Customer page. Although the instructions are specific to the scope of the sample deployment, they can be used as a reference point to deploy other ClearPass Policy Manager clusters.
Appliance Configuration
System Configuration Wizard
Follow the steps below to complete the initial setup of the new appliances and make them network-accessible.
Note: The System Configuration Wizard steps in this subsection are the same for both physical and virtual appliances.
Step 1 With the virtual machine’s management access information obtained in the last step of the previous chapter, open the command line interface (CLI) from the console of the first ClearPass appliance.
- In ESXi, go to Virtual Machines > RSVCP-CPPM-1 > Console
Step 2 Log in using the following default credentials:
- User: appadmin
- Password: eTIPS123
Step 3 Enter the information for the first ClearPass server as prompted in the System Configuration Wizard. Remember that this is information collected in the Authentication Servers (ClearPass Appliances) section of the previous chapter.
- Enter hostname: RSVCP-CPPM-1
- Enter Management Port IPv4 Address/PrefixLen (Ex: 1.1.1.1/24): 10.2.120.195/24
- Enter Management Port IPv4 Gateway: 10.2.120.1
- Enter Management Port IPv6 Address/PrefixLen: Press ENTER to skip
- Enter Data Port IPv4 Address/Prefix/Len: Press ENTER to skip
- Enter Data Port IPv6 Address/PrefixLen: Press ENTER to skip
- Enter Primary DNS: 10.2.120.99
- Enter Secondary DNS: 10.2.120.98
- Do you want to enable SLAAC mode? n
- New Password: Aruba123!
- Confirm Password: Aruba123!
- Do you want to configure system date time information? y
- Please select the date time configuration options: 2
- Enter Primary NTP Server: 10.2.120.99
- Enter Secondary NTP Server: 10.2.120.98
- Do you want to configure the timezone? y
- Please select a continent or ocean: 2
- Please select a country: 49
- Please select one of the following time zone regions: 21
- Is the above information OK? 1
- Do you want to enable FIPS Mode? n
- Proceed with the configuration. Enter the choice: y
A sample console session is shown below. (Entered values appear in orange font for emphasis. The actual console session is monochrome.)
Step 4 After completing the last prompt to confirm the configuration, repeat the above steps for the second CPPM server.
Step 5 Wait for both servers to become available in the web browser, then move to the following section.
Licensing
The license activation keys collected during the ClearPass Preparation chapter are added in the following steps. The required keys are used in the following manner:
- Two (2) Platform Licenses, one for each virtual appliance.
- One (1) Access License, added to the first virtual appliance and shared between both nodes when the cluster is formed.
Add Licenses
The first login to a ClearPass virtual appliance’s web interface generates a prompt for an appliance license key (collected in the previous chapter). Follow the steps below to apply the licenses.
Step 1 Retrieve the license keys listed in the License Gathering steps in the ClearPass Preparation chapter.
Step 2 Open a web browser and connect to the first ClearPass appliance using its IP address.
Step 3 Click on ClearPass Policy Manager button
Step 4 On the next page, in the Enter license key text box, paste one of the two ClearPass Platform Activation Keys obtained previously, then click the Add License button.
Step 5 Log in with the password created in the System Configuration Wizard section earlier in this chapter.
- Username: admin
- Password: Aruba123!
Note: The password created during the System Configuration Wizard can be used to log in to both the web UI and the CLI (through either the console or SSH). However, it is important to remember that the username for the web UI is admin and the username for the CLI is appadmin.
Step 6 After log in, go to Administration > Server Manager > Licensing and click the Add License link at the upper right. In the Add License window, paste the Access activation key obtained previously. Review and accept the terms and conditions, then click the Add License button.
Step 7 Confirm that the Access license total count increased to the amount expected. The total count is found in the License Summary tab of the Licensing page.
Note: If the total license count is different than expected, check if additional keys must be added. Verify that the correct license quantities were selected during the activation process. Check if licenses were split into multiple line items: for example, two NL AC 500 license keys are listed instead of one NL AC 1K.
Step 8 After applying the licenses to RSVCP-CPPM-1, repeat steps 1 to 5 above for RSVCP-CPPM-2.
Note: Step 6 is not performed for the second CPPM server. The Access license added in Step 6 is shared by both appliances when they form a cluster.
Configure HPE Passport Credentials
To activate licenses on the newly created ClearPass appliances, the HPE Passport Credentials must first be configured in the Software Updates section. Follow the steps below to complete activation.
Step 1 Open a web browser and connect to the first ClearPass appliance using its IP address.
Step 2 Go to Administration > Agents and Software Updates > Software Updates and click the Generate Token button on the upper right. Follow the prompts to enter the HPE Passport Credentials.
Activate Licenses
Step 1 After saving credentials for the ClearPass server, return to the Administration > Server Manager > Licensing > Servers tab. Click the red Click to Activate link. When the Activate License window appears, click the Activate Now button.
Step 2 Repeat the previous step for the Applications tab to activate the Access license.
Step 3 To verify that activation is successful, click both the Servers and Applications tabs and confirm that the green and white checkmark icon appears in the Activation Status column.
Step 4 With server and application licenses activated, repeat step 1 for ClearPass server 2.
Cluster Configuration
Deploying an Aruba ClearPass cluster requires creating a logical connection between any combination of ClearPass hardware or virtual appliances. This section outlines the steps to deploy a two-node cluster consisting of one Publisher and one Subscriber.
Add Subscriber
Configuring the cluster starts with RSVCP-CPPM-2, which acts as the subscriber to RSVCP-CPPM-1.
Step 1 Open a web browser and connect to RSVCP-CPPM-2.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 From the CPPM Dashboard, go to Administration > Server Manager > Server Configuration and click the Make Subscriber link on the upper right of the window. When the Add Subscriber Node window appears, enter the IP address and admin password for RSVCP-CPPM-1, check the second checkbox, and click the Proceed button.
Step 4 When prompted, click the “Enable..” checkbox, then click the Save button as illustrated below.
Step 5 Allow activation time (typically 5-15 minutes), then log into RSVCP-CPPM-1’s web UI.
Step 6 Verify that the cluster was formed. The Dashboard > Cluster Status pane displays both servers with a green icon and a status of OK at the far right for each node.
Step 7 When the cluster is formed, proceed to the next section.
Note: After the cluster is formed, all subsequent configuration is performed using the Publisher node. See the Cluster Configuration Options page for more details.
Configure Virtual IP Addresses
Two nodes in a cluster can be configured to share one or more virtual IP addresses. Each virtual IP address is bound to its Primary node by default, and the Secondary node takes over when the Primary node is unavailable. For OWL’s ClearPass deployment, two virtual IPs are configured according to the following table.
Virtual IP | Primary Node | Secondary Node | Interface | Virtual Host ID |
---|---|---|---|---|
10.2.120.192 | RSVCP-CPPM-1 | RSVCP-CPPM-2 | MGMT | 1 |
10.2.120.193 | RSVCP-CPPM-2 | RSVCP-CPPM-1 | MGMT | 2 |
Note: Although not required, this sample cluster is configured with two virtual IP addresses for load balancing. This is achieved by configuring one virtual IP address as the primary RADIUS server for switches and gateways from half of the sites and the other as the primary RADIUS server for the other half, ensuring that both ClearPass appliances actively serve clients at all times.
Note: If a ClearPass cluster design requires configuring Virtual IP address(es) in a virtual machine deployment similar to this sample deployment, then “forged transmits” must be enabled on the VMware distributed virtual switch to allow the Virtual IP feature.
Follow the steps below to configure the Virtual IP Settings.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Server Manager > Server Configuration and click the Virtual IP Settings link at the upper right area.
Step 4 In the Virtual IP Settings window, enter the first Virtual IP configuration using the table at the beginning of this subsection. Click the Save button.
Step 5 Repeat step 4 above for the second Virtual IP configuration.
Step 6 Click the Close button and re-open the Virtual IP Settings window to verify that both addresses show a Status of Enabled similar to the screenshot below.
Join Domain
This procedure describes the steps to integrate Policy Manager and Microsoft Active Directory. For some use cases, Policy Manager is required to join the Active Directory, for example: 802.1X authentication with EAP-PEAP-MSCHAPv2. In other use cases, such as with Captive Portal authentication, joining Policy Manager to Active Directory is optional.
A one-time procedure to join Policy Manager to the domain must be performed from an account that has the ability to join a computer to the domain. For this deployment, use the credentials recorded in the External Authentication Sources subsection of the ClearPass Preparation page.
- Username: olwservice@owllab.net
- Password: Aruba123!
Follow the steps below to join both ClearPass appliances to the domain.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Server Manager > Server Configuration and click anywhere along the line of RSVCP-CPPM-1 indicated by the red box below. Do not click the radio button next to the server name.
Step 4 In the Server Configuration details page for RSVCP-CPPM-1, in the System tab, enter the fully qualified domain name for the appliance. Click the Save button.
Step 5 After saving the FQDN setting, scroll to the bottom of the page, click the Join AD Domain button on the lower right, and enter the required information in the Join AD Domain window. Click Save to close the window.
Step 6 Wait for the domain join process to finish and click the Close button.
Step 7 Repeat steps 3 to 6 for RSVCP-CPPM-2, then proceed to the next section.
Enable Insight
Multiple functions depend on Policy Manager Insight. For example, to use MAC caching, Policy Manager Insight must be enabled on at least one server within a cluster. Enabling Policy Manager Insight on at least two servers in a cluster is recommended. For more details, see the Policy Manager Insight section of the CPPM User Guide.
Follow the steps below to enable Policy Manager Insight.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Server Manager > Server Configuration and click anywhere along the line of RSVCP-CPPM-1 indicated by the red box below. Do not click the radio button next to the server name.
Step 4 In the Server Configuration details page for RSVCP-CPPM-1, in the System tab, check both boxes in the Insight Setting section and click the Save button to enable Insight for the publisher and set it as the primary Insight server.
Step 5 Repeat the steps above for RSVCP-CPPM-2, but do not check the box to set it as the primary Insight server as shown below.
Step 6 With Insight enabled on both nodes in this cluster, proceed to the next steps.
Enable Log Interim Accounting
Follow the steps below to enable ClearPass to collect more granular RADIUS accounting information.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Server Manager > Server Configuration and click anywhere along the line of RSVCP-CPPM-1 indicated by the red box below. Do not click the radio button next to the server name.
Step 4 In the Server Configuration details page for RSVCP-CPPM-1, in the Service Parameters tab, select the Radius server option from the Select Service dropdown. Scroll to the Accounting section, set the Log Accounting Interim-Update Packets option to TRUE, and click the Save button.
Step 5 Repeat the steps above for RSVCP-CPPM-2 and proceed to the next section.
Update Cluster Software
ClearPass Policy Manager regularly checks for available updates on the Policy Manager Webservice server. Appliances can be updated individually or as a cluster using Cluster Update. The Cluster Update page automates the process of updating a cluster: the Publisher is automatically updated first, followed by the selected Subscribers.
Follow the steps below to update the cluster. Find more information in the Software Updates section of the ClearPass User Guide.
Note: Valid HPE Passport Credentials must be configured to receive updates. Please refer to the Configure HPE Passport Credentials section earlier in this guide for details.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Agents and Software Updates > Software Updates > Firmware & Patch Updates and click the Download buttons for the required patches. The new guest skin and the latest patch are downloaded for this sample deployment.
Step 4 After both updates are complete, verify that the Download buttons changed to Install. Click the Cluster Update link at the upper right.
Step 5 On the Cluster Update page, select the Cumulative Patch and click the Start Update link on the upper right to open the Start Cluster Update window.
Step 6 On the Start Cluster Update window, click the checkbox for the subscriber node, RSVCP-CPPM-2. Click the Update button.
Step 7 Allow time for updates to complete. For reference, OWL’s two-node cluster took 90 minutes to install the Cumulative Patch on both appliances.
Step 8 Repeat steps 5 and 6 for the Galleria Skin 3 update.
For more information about the Cluster Update page, see the Cluster Update and Upgrade section in the ClearPass Policy Manager User Guide.
Note: When appliances are taken out of a cluster, for each resulting standalone appliance, you must go to Administration > Agents and Software Updates > Software Updates and use the Generate Token button to generate a new software updates token specific to that appliance.
Step 9 When all updates are complete, proceed to the next section.
Configure Certificates
This section covers certificate-related tasks to obtain and install a signed server certificate from Active Directory for 802.1X authentication to support OWL’s ClearPass deployment. Find more options and details in the Certificate Store section of the ClearPass User Guide.
Create Certificate Signing Request (CSR)
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Certificates > Certificate Store > Server Certificates tab, choose RSVCP-CPPM-1 from the Select Server dropdown, choose RADIUS/EAP Server Certificate from the Select Usage dropdown, then click the Create Certificate Signing Request link at the upper right of the window.
Step 4 In the Create Certificate Signing Request window, enter the following information for RSVCP-CPPM-1, then click the Submit button:
- Common Name (CN): RSVCP-CPPM-1
- Organization: *Orange Widget Logistics
- Organizational Unit (OU): *IT
- Location (L): *Roseville
- State (ST): *CA
- Country (C): *US
- Subject Alternate Name (SAN): *DNS: 10.2.120.194
- Private Key Password: Aruba123!
- Verify Private Key Password: Aruba123!
- Private Key Type: 2048-bit RSA
- Digest Algorithm: SHA-512
*Optional
Step 5 After clicking the Submit button, copy the CSR text that appears, paste it to a Notepad or email body, then click the Download CSR button.
Step 6 While still logged into the Publisher node, repeat steps 3 to 5 for RSVCP-CPPM-2’s CSR, changing only the Select Server option in Step 3 and the CN and SAN values in Step 4 to RSVCP-CPPM-2’s information.
Step 7 Provide the copied CSR text or the downloaded CSR files to the Windows server administrator and request the Root CA and RADIUS server certificates.
Note: The Private Key is automatically stored on the current Policy Manager server. This allows for the upload (import) of the certificate without including the Private Key as part of the import process.
Step 8 When the certificates are received, proceed to the following section.
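As an added example (not part of the Aruba guide), the following shell function checks a RADIUS server certificate received from the Windows administrator against the CSR parameters above before it is imported: it must chain to the Root CA that will be added to the Trust List, carry the requested CN and SAN, keep the 2048-bit RSA key, not use a weak signature digest, and not be close to expiry. It relies on the OpenSSL command-line tool; the function name and file names are assumptions, and the CN and SAN values are the page's sample values.

```shell
#!/bin/sh
# check_radius_cert CERT ROOT_CA EXPECTED_CN EXPECTED_SAN
# Returns 0 when every check passes, 1 otherwise, printing each failure.
# Added example; the function name is an assumption, not a ClearPass tool.
check_radius_cert() {
    cert="$1"; root="$2"; cn="$3"; san="$4"; rc=0

    # 1. The certificate must chain to the Root CA about to be trusted for
    #    EAP; supplicants validate exactly this chain during 802.1X.
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $root"; rc=1
    fi

    # 2. Subject CN must be the appliance name that was put in the CSR.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$cn,"*|*"CN=$cn") ;;
        *) echo "FAIL: subject '$subj' lacks CN=$cn"; rc=1 ;;
    esac

    # 3. The SAN requested in the CSR must survive signing; some CA
    #    templates drop or rewrite requested extensions.
    txt=$(openssl x509 -in "$cert" -noout -text)
    echo "$txt" | grep -q "DNS:$san" \
        || { echo "FAIL: SAN DNS:$san missing"; rc=1; }

    # 4. The public key is copied from the CSR, so it must still be 2048-bit
    #    RSA. The signature digest is chosen by the CA, not by the CSR's
    #    SHA-512 setting, so only reject weak digests here.
    echo "$txt" | grep -q "Public-Key: (2048 bit)" \
        || { echo "FAIL: key is not 2048-bit RSA"; rc=1; }
    echo "$txt" | grep -Eq "Signature Algorithm: (sha1|md5)WithRSAEncryption" \
        && { echo "FAIL: CA signed with a weak digest"; rc=1; }

    # 5. Reject a certificate that expires within 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: certificate expires within 30 days"; rc=1; }

    return $rc
}
```

Run it once per appliance, e.g. `check_radius_cert RSVCP-CPPM-1.cer root-ca.cer RSVCP-CPPM-1 10.2.120.194`, and only proceed to the import when it prints nothing and exits 0.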
Import Certificates
Root CA Certificate
Follow the steps below to import the Root CA certificate through the publisher’s web UI.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Certificates > Trust List and click the +Add link at the upper right.
Step 4 In the Add Certificate window, select the .cer file for the Root CA, select EAP from the Usage dropdown, and click the Add Certificate button.
Step 5 After importing the Root CA certificate, proceed to the following section to import the RADIUS server certificates.
RADIUS Server Certificate
Follow the steps below to import the server certificates for both ClearPass servers through the publisher’s web UI.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Administration > Certificates > Certificate Store, and click the Create Certificate Signing Request link at the upper right.
Step 4 In the Import Certificate window, enter the following parameters for this deployment, then click the Import button.
- Certificate type: Server Certificate
- Server IP: RSVCP-CPPM-1
- Usage: RADIUS/EAP Server Certificate
- Upload Method: Upload Certificate and Use Saved Private Key
- Certificate File: Select the certificate file for RSVCP-CPPM-1 received from the Windows administrator
Step 5 Repeat steps 3 and 4, selecting the certificate file for RSVCP-CPPM-2 in step 4, to import the second certificate.
After completing these tasks, proceed to the Configure WLAN and LAN Authentication chapter.