One of the most powerful consolidated videos I have ever seen.
This is very helpful and came at the right time.
Trying something different with this one. The content is largely covered already on the channel so I've edited this down to give a single video overview of each step I took to build my lab.
Joe Neville Appreciate that, great content perfectly condensed!
@@ulis1821 Thanks, glad you think so.
Nice vid. FYI for other folks watching: ClearPass can be a CA as well, and you can deploy EAP-TLS with Onboard.
Thanks and good point. This isn't the only way to achieve these things, it was a lab I wanted to build for some other work and I recorded the process.
Right, but in real life you need an Onboard lic for every client, so M$-CA is a more reasonable solution.
@@ulis1821 Sure but keep in mind the license evolved from Unique device to USER now.
And I shall quote this as well for the tricky clever folks. "The intentional onboarding of large numbers of devices by a single user to avoid purchasing Onboard licenses is a violation of the End-User Software License Agreement."
@@null_zero Yep, I appreciate the video, as the resources for a Windows CA deployment are scarce. Definitely saved.
Great vid! One question, why was the user certificate issued if it wasn't used?
I made the video based off a home lab build and was trying to work out user and machine cert deploy around that time. I just left in the extra details in case someone found them useful.
Thanks, very instructive.
Great video, thanks. Looking for official documentation with regards to this?
Thanks for sharing your knowledge. Great video!!!
I'm trying to follow your tutorial using version 6.6.0.81015 (CP-SW-EVAL) but I am having a hard time with the licence. How do I skip it?
AL
You should not use ClearPass 6.6, it is old. I think if you register on the Aruba Support Portal (asp.arubanetworks.com) you can request an evaluation license for ClearPass, and as well download the latest version (6.9). If that doesn't work, find your local Aruba SE and ask him or her for a ClearPass evaluation.
Already solved! It has to be requested from Aruba.
How do you authenticate against Office 365 users? Also, how do you authenticate a user against AD if the subnet and VLAN are different from the VLAN or subnet the DC is on, without having any unauthorized communication being processed?
Nice vid, does the walkthrough work for Aruba WLC too?
Yes, just swap out the relevant infra'. Windows server setup is the same.
@@AirheadsBroadcasting I have configured and successfully connected to the network using domain username and password, but I cannot enroll the certificate like at 25:00; it shows that the template was unavailable.
@@greatescape121 That can be a bit tricky because you need to check that multiple factors are configured correctly. Firstly, I would go to the Windows CA server tool and see if there are 'Failed Requests'. There might be details there. If not, it is a case of checking off all of the steps. Look at AD Users and Computers. Check the user account that you are trying to auto-enroll with. Does it have an email address? Ensure that it does. Check the security groups / admin privs of that account. Next, look at the certificate template security settings and ensure the template covers the security group of your test user. Ensure that the template Security settings allow 'Read, Enroll & Auto-Enroll'. If you are issuing client certs, then picking 'Authenticated Users' is the group with the widest coverage. Other factors can be that you need to push the group policy (or wait for it to update); that's 'gpupdate /force' on the DC. Finally, always ensure you are completely logging the user in and out, not just 'lock screen' or 'switch user'.
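The checklist in the reply above, turned into a PowerShell pre-flight script (an added example, not from the video or the thread). It assumes RSAT's ActiveDirectory module on a domain-joined client, and the user name 'jdoe', template name 'LabUserAuth' and CA config string 'ca.lab.example\Lab-CA' are placeholders to replace.

```powershell
# Added example: verify the prerequisites for AD CS user-certificate auto-enrollment.
# Placeholders (hypothetical): $User, $Template, $CAConfig. Run on the domain-joined
# test client, logged in as the test user, with the RSAT ActiveDirectory module present.
Import-Module ActiveDirectory

$User     = 'jdoe'
$Template = 'LabUserAuth'
$CAConfig = 'ca.lab.example\Lab-CA'   # "<CA host>\<CA common name>"

# 1. The account needs a mail attribute; templates that build the subject/SAN
#    from e-mail will otherwise be reported as unavailable.
$u = Get-ADUser -Identity $User -Properties mail
if ([string]::IsNullOrEmpty($u.mail)) {
    Write-Warning "$User has no e-mail address set in AD; populate 'mail' first."
} else {
    Write-Host "mail attribute OK: $($u.mail)"
}

# 2. Read the template's ACL in the Configuration partition and list who is
#    granted Enroll and Autoenroll (well-known extended-right GUIDs). The user,
#    or a group it belongs to such as 'Authenticated Users', must appear for both.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$cfg = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ObjectType -in $EnrollGuid, $AutoEnrollGuid } |
    ForEach-Object {
        $right = if ($_.ObjectType -eq $EnrollGuid) { 'Enroll' } else { 'Autoenroll' }
        '{0,-45} {1}' -f $_.IdentityReference, $right
    }

# 3. The template must be published on the enterprise CA, not just exist in AD.
certutil -config $CAConfig -CATemplates | Select-String -Pattern $Template

# 4. Show the CA's failed requests (Disposition 31) with the reason text; this is
#    the same data as 'Failed Requests' in the Certification Authority console.
certutil -config $CAConfig -view -restrict 'Disposition=31' `
    -out 'RequestID,RequesterName,Request.DispositionMessage'

# 5. Refresh Group Policy, trigger auto-enrollment, then inspect the user store.
#    If nothing appears, log the user fully out and back in and re-run this step.
gpupdate /force | Out-Null
certutil -user -pulse | Out-Null
Get-ChildItem Cert:\CurrentUser\My | Format-List Subject, Issuer, NotAfter, Thumbprint
```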
@@null_zero Hi Joe, now I'm able to see the certificate in MMC. I tried allowing 'Read, Enroll & Auto-Enroll' for Authenticated Users. Thanks for your help! Now I will try to do it with Mac users & computers.
@@greatescape121 Good stuff. If you want to lessen the scope, you can just apply those security settings to the user group of your choice and put your desired users in that group i.e. it doesn't have to be all authenticated users for it to work. The main sticking point I encountered was users needing to have email addresses.
Joe, what aspects of the certs that are issued are unique? Does my question make sense? Like is it the email address, username, hostname in the case of the computer cert?
Hi Chris, it has been a while since I last did this, but the user certs use the email address, I believe. I haven't got an AD domain running in my lab at the moment to check details though, I'm afraid.
@@null_zero Thanks Joe. I've got this all set up in my lab now and it's working. Your video was extremely helpful. There was one little thing that didn't work the way you showed. When you added the certificates snap-in to mmc, mine didn't show users or computers. That dialog never came up and it just installed the snap-in for user certs. Not a big deal as I could see that the computer cert was issued from the server. Again thanks for the help.
@@chrisyoung8062 Bit late, but I'm building a new home lab and experienced the same (MMC didn't show computer certs). This depends on the type of user you are logging in as. If you are an administrator, or a user copied from the administrator account, you'll get the option for user or computer. The note here confirms this: learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in
Can you please help me? My ClearPass server is showing the error "The Radius Server Certificate will expire in 18 day(s)". How can I renew the RADIUS certificate on the AD server?
That means that you will need to renew your radius certificate as it will expire. ClearPass requires a valid Radius certificate or authentications from your clients will fail. If you don't know how to do this, I would reach out to your Aruba partner or Aruba support as it is not too hard, but it has to be done in the right way depending on your current certificate (public, private, self-signed). You could also try to seek assistance on the Airheads community community.arubanetworks.com. I expect similar advice to work with your partner or support if you don't know what to do there, but you might get a better discussion than below a RUclips video.
I have a doubt about the root CA and user certificate.
Can someone please explain to me what he's trying to configure? I understand only some parts of the video but don't understand the whole goal of it.
What are you looking for? What is configured in this video is in the description, and this video is most useful if you are looking at how to set up EAP-TLS with Active Directory, Group Policies and Aruba ClearPass.
At 16:09 you are downloading the CA certificate, what is it...
Recommend watching this one at 0.75 speed.
Or x2 it for the full effect. The long form videos are on my own channel. This is the super-edit.
@@null_zero Didn't realize you had a channel. Just sub'd.