Welcome back. My name is Tyler with Aruba, a Hewlett Packard Enterprise company, and you're watching part 2, video 19, where we are going through the lab 5 tasks, starting with task 1, enabling firewall visibility and creating a WPA3-Enterprise wireless LAN. Let's get started.

In the last lab, lab 4, what we did was we took the wireless client, took their wired connection on port 16 to this 3810 switch. We enabled the 3810 to pass RADIUS authentication to ClearPass using a secure RadSec connection. In this lab, what we're going to do is we're going to disable the wired side, because we've already onboarded the user with a secure client certificate (table 14A as the identifier there) using the Onboard feature of ClearPass. With that certificate installed, along with the Onboard connection, we got not only our client certificate, we also got the certificate authority root CA installed, and we had a third feature installed, which was a wireless profile to automatically connect to our wireless network on these Aruba APs. Really, I could disable the ports here and simply connect up to that access point, and it should just automatically authenticate. What we need to do is make sure that that wireless LAN is set up the way we want it. In previous labs, we would have left it as just a pre-shared key. Now we're going to step it up and actually use full 802.1X EAP-TLS certificate-based authentication, the strongest authentication you can get.

First things first, I need to get on the mobility controller. I'm not going to use the wireless client, although I guess I could. I'm going to go to the wired management, where from an administrator's machine or a management machine I can go ahead and jump in on my controller. I'll just go ahead and cheat, just log right in. Once you're logged in on the machine, you want to go down to your configuration here. The first step is we're going to enable the firewall visibility.
I can take advantage of deep packet inspection and be able to look on my dashboard and see what applications my users are running, and ways that I can go ahead and do some traffic analysis or whatever else. If you look at it right now, it says traffic analysis information is unavailable because firewall visibility is disabled, and they even give us a nice little link that'll take us right there. Or I could go into Configuration, go to Services, go to Firewall. While there's a ton of settings here, the one I want is down at the very bottom where it says enable firewall visibility, and for good measure I'm also going to turn on jumbo frames and enable deep packet inspection. Once all this is done, then I can go ahead and hit Submit. With that applied, I'll go ahead and hit Pending Changes, hit Deploy, and it says warning: this change will take effect after reloading my controller, which means I need to reboot the controller. To reboot the controller, you just go to Maintenance. Under Maintenance there's an option to reboot; make sure you save. It's already saved though, so hit Okay. It takes 10 seconds before it kicks off the reboot. It takes about five minutes or less, and the controller should be back up.

Once you're back in Configuration, if I look at the dashboard real quick, I should be able to see that traffic analysis is popping up, but we don't have any actual clients to fill this in. This should be real-time information about what your clients are doing on your network. Whatever traffic is passing through this controller from your wireless, or even tunneled wired traffic, you'd be able to see that inside this traffic analysis.

The next thing we want to do is task 2. We're going to go ahead and create the WPA3-Enterprise wireless LAN. Go to Configuration here; it's pretty easy to do. Go down to WLANs, hit the little plus icon and you're good to go. You could also go down to Config and Tasks, and that would give you the option to launch the same feature.
What should we call this? Let's go ahead and call this 14 employees. This is going to be the broadcast SSID, and an employee network is going to give us more secure options than a guest network, which, I guess, would give you a captive portal. Employee gives you pre-shared key or 802.1X. We'd like the 802.1X. We select the AP group that our AP belongs to and leave the forward mode as tunnel rather than decrypting or bridging or anything like that. With that said, I'll go ahead and make sure that I'm dropping this in the correct VLAN. In my case it doesn't look like I have the VLAN in there. Let's go ahead and add that in. If you're missing the VLAN, you can just pop it in right here. I'll just give it a local name that I want to use, or a descriptive name. Give it the appropriate VLAN that this lab is expecting. You would check yours. Once we're done, go ahead and hit Next there. If I made a mistake or I want to go back, I can go back and check, and look, there it is. Make sure it says wireless users; there we are.

Then under Security it defaults to choosing WPA3 here as your secure option. I could go back to personal mode or I could leave it open just by using this little slider bar here. But I'm going to go ahead and leave it at Enterprise. Under Enterprise, this means that it's going to use full-on WPA2 or WPA3 Enterprise with 802.1X authentication. We're going to leave it at WPA3 and just do a simple 128-bit so we don't have any issues with these machines that we're testing this on. What we're missing here is the authentication server. I need to be able to point to that auth server. If I hit plus, I don't see it in there, so I've got to add it in. Now you might think, well, wait, didn't we already point to ClearPass in the TACACS labs? We did, but that was TACACS, not RADIUS.
We're going to go ahead and add this in as a RADIUS server, put in the shared secret, and I'm going to want to set up RadSec, but for now this will at least get us started. Verify that the ClearPass server is there, and it is. Finally we'll hit Next. Last, what role do we want to give our user? If it's not overridden by the AAA server... the AAA server will actually overwrite this firewall policy, or role as we call it. For now though, just for testing, we'll leave it as authenticated and hit Finish. It says the wireless LAN will use WPA2 encryption, and it's making sure that you have the appropriate access points to be able to support WPA3, with 300 series and 500 series Aruba access points, as well as your operating system at 8.4 or later. We're fine on all of that. If you have a 200 series access point, that would be supported in 8.6. This will be updated to make sure it has accurate information. That's it.

The final step you might want to do is make sure of that VLAN that I added, which was the wireless VLAN on VLAN 142. You can add that under your interface, just like you would on a regular switch, except we have ports in the GUI. I'll find the port that I'm connecting. Go down once it's selected. It's hard to see because I'm so zoomed in, but go down and validate that it is trusted and that your VLAN is appropriately assigned for the traffic that you're passing. Normally we would really do an access port. You do a trunk port and pass all VLANs. As long as we allow all, that's fine, or you could allow just specific VLANs that you wanted to, which would be a little bit more secure. For now though, I'll just leave it as this and submit.

In the next video what I'm going to do is enable the RadSec, and then we'll actually test our client connection. If it works, we did good. I'll see you in the next video.
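As an added reference that is not part of the video, here is what the same lab 5 configuration looks like as an ArubaOS 8 CLI fragment rather than GUI clicks: firewall visibility and DPI, the ClearPass RADIUS server and server group, a dot1x AAA profile with the authenticated default role, a WPA3-Enterprise 128-bit SSID profile, a tunnel-mode virtual AP on VLAN 142, and the trusted trunk port carrying that VLAN. The profile names, the ClearPass address and shared secret placeholders, the AP group name and the port number are assumptions chosen for illustration; the command keywords are written from memory of the ArubaOS 8.x CLI and should be checked against the CLI reference for your exact release before use, since the video only shows the GUI.

```text
! --- Task 1: firewall visibility / DPI (takes effect after a controller reload) ---
firewall visibility
firewall dpi

! --- Task 2: ClearPass as a RADIUS server (plain RADIUS for now; RadSec is the next video) ---
! <clearpass-ip> and <shared-secret> are placeholders, not lab values
aaa authentication-server radius CPPM-LAB
  host <clearpass-ip>
  key <shared-secret>
!
aaa server-group CPPM-GRP
  auth-server CPPM-LAB
!
! 802.1X profile: EAP is passed through to ClearPass (no local EAP termination),
! so the EAP-TLS client certificate is validated by ClearPass, not the controller
aaa authentication dot1x DOT1X-EAPTLS
!
! AAA profile: default role "authenticated" is only a fallback; a role returned
! by ClearPass overrides it, exactly as the video notes
aaa profile 14-EMPLOYEES-AAA
  authentication-dot1x DOT1X-EAPTLS
  dot1x-server-group CPPM-GRP
  dot1x-default-role authenticated
!
! SSID: WPA3-Enterprise, 128-bit AES-CCM (the "simple 128 bit" choice in the GUI)
wlan ssid-profile 14-EMPLOYEES-SSID
  essid "14 employees"
  opmode wpa3-aes-ccm-128
!
! Virtual AP: tunnel forwarding mode, user traffic lands in the wireless users VLAN 142
wlan virtual-ap 14-EMPLOYEES-VAP
  ssid-profile 14-EMPLOYEES-SSID
  aaa-profile 14-EMPLOYEES-AAA
  vlan 142
  forward-mode tunnel
!
! Attach the virtual AP to the AP group the lab AP belongs to (name assumed)
ap-group LAB-APS
  virtual-ap 14-EMPLOYEES-VAP
!
! Uplink toward the 3810: trusted trunk carrying only the VLAN we need
! (port number assumed; allowing only specific VLANs is the tighter option the video mentions)
interface gigabitethernet 0/0/1
  switchport mode trunk
  switchport trunk allowed vlan 142
  trusted
!
write memory
```

Two things worth checking after applying this: confirm with `show aaa authentication-server radius` that the ClearPass entry is reachable before testing a client, and remember that the `firewall visibility` change does not do anything until the controller has been reloaded, which is why the video reboots before moving on to task 2.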