Hello and welcome back. My name is Tyler McMahon with Aruba, a Hewlett Packard Enterprise company. And this is lab five, task 3. In the last video, we covered task 1 and task 2, where I demonstrated how to connect the test client in the lab to a wired connection on our 3810 and launch a web connection to the Onboard feature that's installed in ClearPass, or ClearPass Policy Manager. Onboard allows you to take devices that are not trusted in the network and authenticate them to the network, to automatically provision them with the certificate authority needed to take advantage of the chain of trust that that certificate authority has established by signing all certs in your network, and to also install a client certificate to uniquely identify this new wireless machine, as well as set up wired and wireless settings. So we're going to see how we can manually provision that in task 3. And then in the next lab, lab 6, we'll take advantage of the wireless settings that have been set up by Onboard. So without further ado, let's jump into task 3. [MUSIC] All right, so in the lab, we're on this wired wireless connection, where we're only using the connection to the Aruba 3810. Although you could set this up with the 6300, or any wired switch that the user wants to plug into from now on. But the last step that we need to do is just test this wired connection with our fancy-dancy new root certificate authority cert and our unique client cert, in order to validate who we are to the rest of the network, here to ClearPass, when we do our authentication. So we're going to go to the wireless client here and take a look at our wired connection. I'm going to disable this for now and then we'll re-enable it. There wasn't any real authentication requirement that we were using to identify ourselves; we were just simply getting connected. Now what I want to do is go to properties, and under authentication, I want to enable authentication.
Instead of protected EAP, which would only require my client know their username and password, I'm going to use a certificate. And then, for that certificate, I'm going to go to my settings: use a certificate on this computer. And we're going to go down to verify the server's identity by validating the certificate. So scrolling down, I'm looking for the server that I want to connect to. I could put one in, but that's all right, I'm just going to choose this certificate authority cert. If two are in here, that's fine. So we'll go ahead and click Don't prompt again for trusted certs; this way would block your user from just automatically accepting a man-in-the-middle cert, where someone's trying to spoof it. Now we haven't yet set the Aruba 3810 to do RADIUS authentication to ClearPass. We set it up for TACACS to log in with SSH, but if you want to see a demonstration of this authentication actually handing off to ClearPass, then there's just a few commands that we would put in here. For example, you would indicate who your RADIUS server would be, as opposed to a TACACS server, and that you want to do a secure RadSec connection. Since we already have certs in here, we can do that. If you didn't want to do RadSec, you wouldn't have to, but I will just because we have it set up in the lab. And then once you put in that you want the 3810, the Aruba switch, to talk to ClearPass, you could validate that it is set up to send to ClearPass by doing a show radius server host information. It would tell you that, yes, RADIUS security RadSec, which is a more secure way of doing RADIUS, is available. Here is the ClearPass IP address, which acts as our RADIUS server, and the RadSec connection is established. So we are ready to go ahead and do some AAA authentication for our clients on our wired ports. And I go and turn on accounting. And then on the port itself, for port 16, I'll go and put that I want to authenticate users that are connecting to that port.
So the port, according to my diagram, is port 16 right here, which is correct. And that's plugging into my wired wireless client right there. So once I press Enter here, we can go ahead and turn on that we want to do 802.1X with RADIUS, and that authentication is now active. The commands are a little bit different with CX, and you could do a walk-through with that if you want to see it. But just for demonstration purposes, I'm going to go and validate that this is up, and we'll go and test it. All right, so with the show port-access authenticator command, port 16 is ready. We already have one user on there, they're in their VLAN, and they are looking good. So we've actually already authenticated as soon as we pressed Enter. When I go and I take a look at my wireless client, I could trigger the re-authentication again by simply disabling and re-authenticating. Now, because I have a signed client certificate installed on this wired, I should be able to get connected. And when I do an ipconfig, have a valid address in the network. When I take a look at ClearPass, you can see that a RadSec connection came from my 3810. And the user table 14a, which is my test machine, was able to successfully authenticate using 802.1X. They've been accepted, pretty cool. So the authentication method was EAP-TLS, which meant that we were using a client certificate rather than the username and password. ClearPass authenticated the user identity, that certificate identity, against Active Directory. And we were allowed access; at the end of the day, we gave the user access. Here's the username that was presented, and this was the device that they connected to, the switch at 10.1.140.5, port 16. And if I look here, that's 10.1.140.5. That's my 3810, and I connected to port 16. So all this information is stored and logged in ClearPass, your AAA server, to validate this. Pretty cool, so that's it for lab five. Hopefully, that demonstration was good for you.
You were able to see the user be provisioned with an Onboard tool, to just automatically get these certs in there. You could do that by hand if you'd like to; it just takes a lot longer. It takes a bit longer to do and connect it to the 3810 as a demonstration on the wired side. In the next lab, I'm going to demonstrate how to do this with WPA3 and authenticate wirelessly, not wired but wirelessly, through our access point to our controller. And the controller is going to be the RADIUS client passing the authentication to ClearPass. Hope you guys like this one, I'll see you in the next video.