Hello, my name is Tyler McMahon with Aruba, a Hewlett Packard Enterprise company. This is our part two, video number 20, lab five video where we are going to finish off our tasks in lab five. In the last video, we did tasks one, two, three, where we enabled the firewall. We created a WPA3-Enterprise wireless LAN, and we set up the access for the wireless VLAN on our switch port coming off of the mobility controller, or I should say on the controller facing our switch. In this video, we're going to continue on, we're going to quickly enable RadSec on the mobility controller, just enabling secure RADIUS between our controller, the RADIUS client, and our ClearPass server, the RADIUS server. The final task, the one I'm most excited about, is connecting the wireless client to the wireless LAN using the certificate that we installed back in lab four with the onboard tool, so cross your fingers, let's jump on in.
So the first thing we're going to do in task four here for lab five is we're going to get this mobility controller to establish a RADIUS secure connection, or a RadSec connection, to the ClearPass server. Then we're going to jump on our test machine and validate that it can authenticate using that table 14a certificate to our wireless LAN that we just established. Let's jump in on our management machine where we have a graphical user connection to our mobility controller. We want to make sure that we've set up that authentication server so that it'll do RadSec. In the previous lab when we did our wireless LAN, we had set up the authentication server through the wizard right here and had added the ClearPass server, although we didn't set it up for RadSec. What that does in the wizard is it goes into your configuration behind the scenes and it actually creates the server group for the employee wireless LAN, there's our server member and all the settings that we put in are saved here. There are more settings though that you can put down below.
As I draw down, you can see that the group was created and it's ready to go. We're going to do this from the command line. There's a quick little command line option that we could use. I'm on the controller right now in configure terminal, and from there, let's go ahead and turn on the authentication server requirement for RADIUS. You're not really going to need to memorize this, the only thing is just to demonstrate that it's not terribly difficult to do. There's not licensing requirements to turn on RadSec. There we go. I think we're good. In the GUI, I do a 'Pending Changes' button and that applies everything. In the command line, we do a command called write memory, and that applies everything. It actually saves it and deploys it. So at this point we should be good. I can validate by doing a show aaa authentication-server radius and then specify my ClearPass server that I set up when I did my wireless LAN wizard and check the status between my controller and that server. It says, yes, I have a ClearPass status is in-service and I have a connection. We're looking really good. Everything is basically done. I am ready to test this between all my wireless machines.
So let's go to my wireless machine here and previously we had connected on the wired side. What we're going to do is we're going to disable this wired connection that goes from my Wireless Test Client on the wired link on port 16 here that's disabled. My port to 63 is disabled. The only thing that's available now is my access point over here on the right. There it is. Good news, when we did the onboarding, it automatically installed the wireless LAN that my wizard had configured or that I configured through the wizard, this 14 dash employees. I can validate that on the dashboard of my controller. I go to the dashboard just to overview, you'll see your wireless LAN as being advertised here, so we go to our wireless client, analysts tested.
Because it's already pre-configured, it should show up as a saved profile, ready to go, and it's already queued up to use my certificate. Let's go and just connect. I don't have to specify TLS. Sure enough, the connection is secure. You can see on the background here the connection shows the domain that we're connected to. If I open up my command prompt, I can do an ipconfig and look at that, we are connected to our private network in the VLAN 142, just like we wanted to. I can ping everything in my network just fine. I am up and online.
The real proof is go to your wired client, check out your mobility controller. We now have a client here and in overview you can see the Client status has popped up. I can click on the client or go to it any which way I want. You can see the user that's logged in is this user called table 14a, that's my identifying certificate at this domain. Fully authenticated, ready to go on the employee wireless LAN. Let's check the ClearPass server. I'm going to log in again because my session timed out. Go down to the access tracker and have a look at the access tracker. Look at that, we've got our RADIUS authentication that occurred here. Just to open up the most recent one, it was logging in on the switch called 10.1.140.100, which is my mobility controller. So that's the switch connection. The SSID that's associated to, is a tie there. But you can see the username is table 14, and it was using the wireless service that was pre-set up in ClearPass. It logged in successfully as table 14, allowing the user full access to the network. Awesome. This is everything that goes on behind the scenes at an enterprise level and the use of ClearPass to be able to make this happen.
At your home or at a small environment like that, the difference would be that instead of having a TLS connection or a wireless LAN set up with EAP-TLS and involving a RADIUS server and certificates and issuing all of that, what we do in small environments is we usually add a wireless LAN like home network or something like that. We can leave it as an employee network, that's fine. Put in whatever VLAN, that's fine. Then for security, we just change it to personal. We do personal, WPA3, WPA2, whatever you want to do, that's fine. You just put a little password here. That's pretty much it. Specify the access that you're going to give and it's now up and running once I apply my pending changes. It's very fast and easy to just set up pre-shared keys because you're not involving certificates, you're not involving ClearPass or a AAA server.
However, doing the full-blown enterprise with ClearPass demonstrates the certificate authority, the client public/private key pair certificate that was created and issued with that onboard tool, and validating that you can assign that not only to your wireless connections like we just did in lab five, but also on the wired port, like we showed in lab four. That means my user can cryptographically log in and authenticate whether they're docked, whether they're roaming around wirelessly, whether they connect to this switch or that switch, this AP or that AP, we can guarantee that no matter where they are, they're still going to abide by our security policies centralized on ClearPass, and it requires their login through a certificate or username and password to Active Directory, validated and signed by the certificate authority throughout the whole process.
I hope that this has been informative for you. We are closed out with lab five. We'll come on back for one final video to close out the course. I'll see you in the next one.