Advanced Network Management with HPE Aruba Networking Central
LAB GUIDE
Version: 24.21
Management Series
© Copyright 2024 Hewlett Packard Enterprise Development LP.

Contents

Lab 0: Remote lab information
  Lab information
  Lab equipment
  Task 0-1: Remote training lab access
    Topology
    Remote lab dashboard interface
  Task 0-2: Reference sheet
  Task 0-3: HPE Aruba Networking Central account
Lab 1a: Set up the environment
  Task 1a-1: Group configuration
  Task 1a-2: Sites
  Task 1a-3: Configure your group for gateways
  Task 1a-4: Configure your group for APs
  Task 1a-5: Move APs and gateways to the new group
  Task 1a-6: AP specific configuration
  Task 1a-7: Gateways specific configuration
  Task 1a-8: Tunneled WLAN configuration
  Task 1a-9: SSID test
Lab 1b: Client Insights
  Task 1b-1: Check client connectivity
  Task 1b-2: Global clients profile
  Task 1b-3: Client profile
Lab 2a: HPE Aruba Networking Central Cloud Authentication and Policy – User access policy with Entra ID
  Task 2a-1: Configure a WLAN using HPE Aruba Networking Central Cloud Authentication and Policy for authentication
  Task 2a-2: Configuring HPE Aruba Networking Central Cloud Authentication and Policy and Entra integration and a user access policy
  Task 2a-3: Onboarding clients
  Task 2a-4: Testing a different user (OPTIONAL TASK)
Lab 2b: HPE Aruba Networking Central Cloud Authentication and Policy – Client access policy
  Task 2b-1: Client Access Policy
  Task 2b-2: Monitoring authentication and policy
Lab 3: HPE Aruba Networking Central API
  Task 3-1: Streaming API
  Task 3-2: Streaming API – Monitoring the communication
  Task 3-3: Webhook API
  Task 3-4: Webhook API - Test
Lab 4: Managing certificates
  Task 4-1: Captive portal certificate
  Task 4-2: Captive portal certificate – Custom certificate
Lab 5: AOS-S switch configuration
  Task 5-1: Creating a switch template
  Task 5-2: Editing the switch template
  Task 5-3: Editing the switch template using variables
  Task 5-4: Customizing the variables file
  Task 5-5: Check switch configuration
  Task 5-6: Switch UI configuration group
Lab 6: AOS-CX switch configuration
  Task 6-1: Configure switch settings at the group level
  Task 6-2: Configure the switch at the device level
  Task 6-3: Deploy switch configuration using MultiEdit

Lab 0: Remote lab information

The HPE Aruba Networking Education Services Remote Lab Dashboard provides you with HPE Aruba Networking gateways, an AOS-10 access point, AOS-CX switch, virtual laptops, as well as the servers you need for your training. In this lab, you learn the procedures to access each device and client available in the remote labs.

Objectives

After completing this lab, you will have all the information needed to log in to your labs and operate the remote lab environment.

Lab information

Your class has been assigned a POD and table numbers. Your instructor will give you the information to access the specific remote lab. All students will have different logins. In this section, write down the information for your access to the remote lab.
- What is your user/password login to the remote lab?
  - Username: _______________________
  - Password: _______________________
- What are your pod and table numbers?
  - Pod: _______________________
  - Table: _______________________

Lab equipment

These labs were designed for the following equipment:
- One HPE Aruba Networking 500 Series Campus Access Points (model 505) (AOS-10)
- One HPE Aruba Networking CX 6300 Switch Series
- Two HPE Aruba Networking gateways (Branch gateway)
- One client VLT (Windows 10 Test Client – Orange background), runs Windows 10 with two Ethernet NICs that connect to the AOS-S and AOS-CX switches and a wireless NIC for Wi-Fi testing.
- One client VLT (Windows 10 MGMT Client – Green background), runs Windows 10 with a wireless NIC and a management interface that connects servers such as HPE Aruba Networking ClearPass.

This equipment list is also used for other workshops. You will not use all the devices in the lab.

Task 0-1: Remote training lab access

Objectives

During this training, you will use HPE's remote lab environment. You will be able to log in to the lab environment and verify access to your equipment.

Steps
1. Launch a web browser and browse to the Remote Lab portal at the following URL:
   Remote Lab access: https://arubatraininglab.computerdata.com/login
2. Enter the username and the password (if you do not have one, ask your instructor for the credentials) and click the Login or Sign in button.

Topology

Remote lab dashboard interface

Students are asked to connect to devices and client PCs throughout the lab guide. A left mouse click will either open an access window to the device/PC or a menu to select an option.
- Windows 10 Test Client: You will use this client primarily for wireless connectivity and testing.
- Windows 10 MGMT Client: You will use this client to access the switches and the IAPs.
- AP2 (AOS-10): This is your second access point (AOS-10) used in the Main Campus's new building.
- Table Switch: This is one of your HPE Aruba Networking switches for lab connections that HPE Aruba Networking Central will not manage during this class.
- Access Switch (AOS-CX): This is an AOS-CX switch.
- Access Switch (AOS-S): This is an AOS-S switch.
- GW-1/GW-2: These are branch gateways located in the new building.
- AD/DNS/DHCP: You have no access to this server.
- ClearPass: This is the primary authentication server and will integrate with HPE Aruba Networking Central.

To manage your devices, right-click the device you want to work with. An overlay menu will display. The displayed options may vary based on the device you have clicked. Following is a list of the available options:
- Open Console will give you CLI access to the device.
- Power Off will power off the device.
- Power On will power on the device.
- Reboot will reboot the device.
- Open Desktop will open a Remote Desktop session to the client.

You will now complete the following reference sheet. If you can, print this sheet or keep a copy on your laptop as a reference. Use the remote lab screen to help you fill in the fields.

Task 0-2: Reference sheet

Objectives

Your instructor has assigned you a pod number, table number, and server IP addresses (for those classes using servers). Please complete the following information.

Steps

Keep this sheet close by as you will reference it throughout the labs.
- Remote Lab URL: _______________________
- Pod number: _______________________
- Table number: _______________________
- Username and password for access to remote lab: _______________________
- HPE Aruba Networking Central URL: _______________________
- HPE Aruba Networking Central credentials (Username/Password): _______________________

Task 0-3: HPE Aruba Networking Central account

Objectives

Access the HPE Aruba Networking Central account via the HPE GreenLake home page.

Steps
1. Launch a web browser and browse to the HPE GreenLake Cloud Platform.
   https://common.cloud.hpe.com/home
2. Click Sign in with SSO.
3. Log in to GreenLake using the HPE Aruba Networking Central credentials provided in the Remote Lab Dashboard.
4. You will be redirected to a ClearPass login screen. Enter the HPE Aruba Networking Central credentials provided in the Remote Lab Dashboard.
   ClearPass is being used to provide SSO for remote lab users.
5. Under the HPE GreenLake menu, click Applications. The Applications My Apps page is displayed.
6. In the Choose Region drop-down list, select All Regions or the region in which you want to access the HPE Aruba Networking Central app.
7. On the HPE Aruba Networking Central tile, click Launch. You should now be in your HPE Aruba Networking Central account.
8. In the HPE Aruba Networking Central UI, click the user icon on the right of the header pane.
9. Click Logout. Now you are logged out of HPE Aruba Networking Central.

Lab 1a: Set up the environment

Objectives

After completing this lab, you will have your gateways and APs onboarded and configured. You will also create a tunneled WLAN to connect your wireless client.

In this lab, you will:
- Create a group for AOS-10 gateways and access points.
- Perform the required configuration at the group level.
- Move gateways and access points to the groups and perform the device-level configuration.
- Create a tunneled WLAN.

In this lab, you will find the required configuration to onboard AOS-10 gateways to HPE Aruba Networking Central and create a gateway cluster (group based). Those steps are needed for the upcoming labs in this course. You may find more details on AOS-10 configuration in the Introduction to AOS-10 course.

Task 1a-1: Group configuration

Objectives
- Create a new group to manage your gateways and access points.

Steps
1. Open a browser page and access the HPE Aruba Networking Central account.
2. Log in with your user ID and password.
3. From the Context Menu on the left, navigate to Global > Organization.
4. You should be in the Network Structure section. Click in the Groups section to add a new group.
5. Click the + icon to create a new group.
6. Add the group with the following information:
   - Name: Main-Building-1
   - Group will contain: Access points, Gateways, and Switches
   - Make sure Configure using templates is unselected. (Keep default)
   - Click Next to configure the group's persona.
7. Configure the group's persona as follows:
   - Architecture for access points and gateways in this group: ArubaOS 10
   - Network role of the access points in this group: Campus/Branch
   - Network role of the gateways in this group: Mobility
   - Type of switches used in this group: AOS-CX only
8. Click Add.

Task 1a-2: Sites

Objectives
- In this task, you will create a site and assign devices to it. Sites play a very important role in HPE Aruba Networking Central services. They are used for gateway cluster auto-config, live upgrades, AirMatch, and much more.

Steps

Step 1: Creating sites
1. From the Context Menu on the left, navigate to Global > Organization.
2. Click Sites.
3. At the bottom of the site list, click + New Site.
4. In the Create New Site overlay window, enter the following information:
   - Site Name: Main Campus
   - Street Address: 6280 America Center Dr
   - City: San Jose
   - Country: United States
   - State/Province: California
   - Zip/Postal code: 94089
   - Click the Add button.

Step 2: Place devices into the sites
1. Click Unassigned under Site Name. On the right-hand side, select all devices (to select multiple devices, shift+click or ctrl+click) and drag them over to Main Campus. Click YES to confirm.

Step 3: Verify sites
1. Select Global > Overview on the left. You should see the site shown on the map. Hover over the site, and you should see the number of devices in the site.
   You may need to wait a few minutes to see the devices showing on the sites.

Task 1a-3: Configure your group for gateways

Objectives
- In this task, you will perform the group configuration for gateways, with common configuration across all the gateways in the groups, like port config, VLANs, and NTP server.

Steps
1. In the context filter box in the top left corner, click Global.
2. Select your new gateway group, Main-Building-1, from the context filter.
3. In the context menu, navigate to Devices.
4. Navigate to the Gateways tab.
5. Click the Config icon to edit the configuration for the group.
6. A guided setup will appear. Click Begin.
   Guided Setup configures the group with the common configs needed to manage gateways properly.
7. Under the Platform tab, select A9004 as the gateway model for the group.
8. Leave the Auto-Cluster mode as Group-based.
9. Click Next.
10. On the Time tab, click the + icon to add a new NTP server.
11. Enter 10.254.1.21 as the NTP server IP address.
12. Select America/Chicago (UTC-06:00) as the group Timezone.
13. Click Next.
14. On the DNS tab, click the + icon to add a new DNS server to the group.
15. Select User Defined for Provider.
16. Enter 10.254.1.21 as the IPv4 address of the DNS server.
17. Click Next.
18. On the Management User tab, click the + icon to add a new local management user and enter the following configuration in the overlay windows displayed:
   - Name: admin
   - Password: @ruba123
   - Retype password: @ruba123
   - Role: Super user role
   - Click Save.
19. Click Next.
20. On the Summary tab, review the configuration you have entered.
   If you notice any configuration error, use the Back button to navigate and fix it. If the configuration presented is correct, click Finish.
21. Now that the System configuration is complete, it is time to configure gateway VLANs and ports. Click Continue.
22. The second part of the guided setup is started. On the VLANs tab, click the + icon to add a new VLAN. Enter the following configuration:
   - Name: MGMT-VLAN
   - VLAN ID: 10
   - Click Save.
23. Click the + icon to add a new VLAN.
   - Name: Tunneled-VLAN
   - VLAN ID: 40
   - Click Save.
24. Click Next.
25. On the LAN ports tab, click the + icon to add a new port to be configured. Enter the following configuration:
   - Name: ZTP
   - Port: GE-0/0/0
   - VLAN mode: Access
   - Access VLAN: 1
   - Click Save.
26. Click the + icon to add a new VLAN. Enter the following configuration:
   - Name: MGMT Port
   - Port: GE-0/0/1
   - VLAN mode: Trunk
   - Native VLAN: 10
   - Allowed VLAN: 10,40
   - Click Save.
27. Click Next.
   Even though your gateway may have more ports, we are now adding ports that we will pre-configure.
28. On the Summary tab, review the configuration you have entered. If you notice any configuration error, use the Back button to navigate and fix it. If the configuration presented is correct, click Finish.
29. Click Continue to close the guided setup and configurations to be applied to the group config.
30. Once the guided setup is finished, you will be placed in the System tab, platform sub-tab. Click on Advanced Mode. The button is in the top right corner.
31. If a warning appears, click OK.
32. Click the Interface tab.
33. Click the VLANs sub-tab.
34. Click the + icon to add a new VLAN.
35. Enter the following information:
   - VLAN name: ZTP-VLAN
   - VLAN ID/Range: 4094
   VLAN 4094 is reserved for Zero Touch Provisioning. It is not allowed to create that VLAN in the Guided Setup. You are creating that VLAN now, matching the config of ZTP onboarded gateways.
36. Click Save Settings.
37. In the VLANs table, select ZTP-VLAN.
38. Scroll down and select VLAN 4094.
39. Scroll down and enter the following configuration:
   - IP Assignment: DHCP
   - Click Save Settings.
40. Click the Ports sub-tab.
41. Select port GE-0/0/0 in the list.
42. Scroll down and enter the following configuration:
   - Admin state: Check
   - Trust: Check
   - Mode: Access
   - VLAN: 4094
   - Click Save Settings.
43. Navigate to the Applications sub-tab on the Security tab.
44. Expand Application Visibility.
45. Check (enable) the following features:
   - Firewall visibility
   - Deep packet inspection
   - App performance monitoring
46. Click Save settings.
47. An overlay prompt will be displayed. Click Yes.
   Enabling security features such as Firewall visibility, Deep packet inspection (DPI), and App performance monitoring requires gateways to reboot. A maintenance window is recommended to avoid any network disruption.
48. Occasionally, a warning message could be displayed alerting you to an auto reload (reboot) of the gateways. Click OK at the overlay prompt.

Task 1a-4: Configure your group for APs

Objectives
- In this task, you will perform the group configuration for access points, with common configuration across all the access points in the groups, like radio management, AppRF, and NTP server.

Steps
1. Click the Access Points tab. An overlay window will be displayed, asking for an admin password for APs placed on that group. Enter the password @ruba123 in the Password and Confirm Password fields.
2. Click Set Password.
3. Navigate to the System sub-tab.
4. Enter the following configuration:
   - Timezone: Eastern-Time UTC-05
   - NTP Server: 10.254.1.21
   - URL Visibility: Active
   - Click Save Settings.
5. Navigate to the Services sub-tab.
6. Scroll down and expand the AppRF section.
7. Enter the following configuration:
   - Deep Packet Inspection: All
   - Application Monitoring: Active
   - Click Save Settings.

Task 1a-5: Move APs and gateways to the new group

Objectives
- Now that your group is configured, it is time to move your devices to the group, allowing gateways and APs to receive the group configuration you have created.

Steps
1. In the context filter box in the top left corner, click Main-Building-1.
2. Select Groups.
3. Expand the Unprovisioned devices section.
4. Select both gateways (BGW-1 and BGW-2) and the AOS-CX switch.
5. Click the Move Device icon.
6. Select Main-Building-1 as the destination group.
7. Click Move.
8. Click OK to confirm. Your devices will reboot. It will take a few minutes to get them back. You can monitor the process from the console.
9. While your gateways are booting and downloading the group configuration, move your AP to the group.
10. Expand the Default group.
   Some tables have several APs, as labs are used in multiple classes. You may have two AOS-10 APs. If that is the case, for the next step, select Global Group > Devices > Access Points. Write down the AP name that is using the 10.10.10.xx IP address (it should be the AP's MAC address). Navigate back to the group setting under Step 1 of this section and continue. In the next step, we are only moving the one AP you just discovered.
11. Select your access point.
12. Click the Move Device icon.
13. Select Main-Building-1 as the destination group.
14. Click Move.

Task 1a-6: AP specific configuration

Objectives
- In this task, you will perform access point configuration for a specific AP, changing the AP name and its Country Code.

Steps
1. In the context filter box in the top left corner, select your group Main-Building-1.
2. In the left menu, select Devices and navigate to the Access Points tab and enter the Config mode.
3. Navigate to the Access Points sub-tab.
4. Select your AP and click on the pencil icon to edit the AP configuration.
5. Change the AP name to AP-1.
6. Click Save Settings.
7. Navigate to the list view, using the list icon.
8. Navigate to the device details page by clicking the AP name.
   It might take a few minutes for the name change to be displayed in the list view.
9. In the context menu, click Device.
10. Navigate to the System sub-tab.
11. Select the Country Code US – United States.
12. Click Save settings.
13. Check the device configuration sync by navigating to the Configuration Audit sub-tab.
14. Observe the Configuration Status; it should say "Config in Sync". If the config is not in sync, click Re-Sync Configuration.

Task 1a-7: Gateways specific configuration

Objectives
- In this task, you will perform gateway configuration at the device level, allowing you to enter a configuration specific to a gateway, like IP address, gateway name, and so on.

Steps
1. In your local browser, navigate to the Remote Lab Dashboard tab.
2. Right-click BGW-1 and select Open Console. A new browser tab will be displayed.
3. Log in to the gateway with the following credentials:
   - Username: admin
   - Password: @ruba123
   Notice that the prompt of the console shows the gateway hostname. Take note of the GW-1 hostname.
4. In your local browser, navigate back to the HPE Aruba Networking Central tab.
5. In the context filter box in the top left corner, select your group Main-Building-1.
6. Navigate to the Gateways tab.
7. In the List view, select the gateway that matches the hostname you took note of for BGW-1. This will take you to the Device Overview Page.
8. Using the left menu, go to the Device page.
9. A Guided Setup wizard will be displayed. Click Cancel.
10. Confirm that action by clicking Exit.
11. Navigate to the General sub-tab under the System tab.
12. Change the hostname to GW-1.
13. Click Save settings.
14. Navigate to the VLANs sub-tab under the Interface tab.
15. Select the MGMT-VLAN.
16. Scroll down and in the VLAN IDs list, select VLAN 10.
17. Scroll down and enter the following configuration:
   - Enable routing: Checked
   - IP assignment: Static
   - IPv4 address: 10.10.10.100
   - Netmask: 255.255.255.0
   - Admin state: Checked
   - Click Save settings.
18. Navigate to the IP Routes sub-tab under the Routing tab.
19. Expand Static Default Gateway.
20. Add a new default gateway by clicking the + icon.
   - IP version: IPv4
   - Default gateway IP: 10.10.10.1
   - Cost: 1
   - Click Save Settings.
21. Navigate to the General sub-tab under the System tab.
22. Expand System IP Address.
23. For the IPv4 address, select the address you entered for VLAN 10.
24. Click Save Settings.
25. Navigate to the Config Audit tab.
26. Make sure the Config Status is UPDATE SUCCESSFUL.
   It might take a few moments for the config to be pushed and verified. Refresh your screen a few times until you see the UPDATE SUCCESSFUL status.
   Now your gateway has a static IP address and a System IP configured. You will disable interface 0/0/0 and VLAN 4094 used for ZTP.
27. Navigate to the Ports sub-tab under the Interface tab.
28. Select interface GE-0/0/0.
29. Uncheck the Admin State checkbox.
30. Click Save Settings.
31. Navigate to the VLANs sub-tab.
32. Select ZTP-VLAN.
33. Select VLAN 4094.
34. Uncheck the Admin state checkbox.
35. Click Save settings.
   Now you will repeat the previous steps on the second gateway.
36. In the context menu, click the arrow beside the gateway name to go back to the gateway list.
37. In the List view, select the second gateway. It will take you to the Device Overview Page.
38. Using the left menu, go to the Device page.
39. A Guided Setup wizard will be displayed. Click Cancel.
40. Confirm that action by clicking Exit.
41. Navigate to the General sub-tab under the System tab.
42. Change the hostname to GW-2.
43. Click Save settings.
44. Navigate to the VLANs sub-tab under the Interface tab.
45. Select the MGMT-VLAN.
46. Scroll down and in the VLAN IDs list, select VLAN 10.
47. Scroll down and enter the following configuration:
   - Enable Routing: Checked
   - IP assignment: Static
   - IPv4 address: 10.10.10.101
   - Netmask: 255.255.255.0
   - Admin state: Checked
   - Click Save settings.
48. Navigate to the IP Routes sub-tab under the Routing tab.
49. Expand Static Default Gateway.
50. Add a new default gateway by clicking the + icon.
   - IP version: IPv4
   - Default gateway IP: 10.10.10.1
   - Cost: 1
   - Click Save Settings.
51. Navigate to the General sub-tab under the System tab.
52. Expand System IP Address.
53. For the IPv4 address, select the address you entered for VLAN 10.
54. Click Save Settings.
55. Navigate to the Config Audit tab.
56. Make sure the Config Status is UPDATE SUCCESSFUL.
   Now, your gateway has a static IP address and a system IP configured. You will disable interface 0/0/0 and VLAN 4094 used for ZTP.
57. Navigate to the Ports sub-tab under the Interface tab.
58. Select interface GE-0/0/0.
59. Uncheck the Admin state checkbox.
60. Click Save settings.
61. Navigate to the VLANs sub-tab.
62. Select ZTP-VLAN.
63. Select VLAN 4094.
64. Uncheck the Admin state checkbox.
65. Click Save settings.
66. In the context menu, click the arrow beside the gateway name to go back to the gateway list.
67. Change the view mode to Config view.
68. Navigate to the Config Audit tab.
69. Make sure both of your gateways show the Config Status as UPDATE SUCCESSFUL.
   You will now verify your gateway cluster.
70. Navigate to the list view under the Gateways tab and select the Cluster sub-tab and expand the cluster.
   You should see both gateways listed in the cluster.

Task 1a-8: Tunneled WLAN configuration

Objectives
- Now that you have your gateways and APs with the proper configuration, it is time to create a WLAN (SSID) for your clients to connect to. In this task, you will configure a tunneled WLAN since gateways send more telemetry data to HPE Aruba Networking Central, allowing better client profiling.

Steps
1. In the context filter box in the top left corner, select your group Main-Building-1.
2. Navigate to the Access Points tab.
3. Enter the Config mode.
4. In the WLANs sub-tab, click Add SSID.
5. Enter the following configuration:
   - General tab
     - Name (SSID): PXTY-WLAN (where X is your pod number and Y is your table number)
     - Click Next.
   - VLANs tab
     - Traffic Forwarding Mode: Tunnel
     - Primary Gateway Cluster: Select your cluster
     - Secondary Gateway Cluster: None
     - Client VLAN assignment: Static
     - Client VLAN Assignment: Tunneled-VLAN 40
     - Click Next.
   - Security tab
     - Security Level: Enterprise
     - Key Management: WPA2-Enterprise
     - Primary Server: Click the + icon to add a new RADIUS server
       - Server Type: RADIUS
       - Name: clearpass
       - IP Address: 10.254.1.23
       - Shared Key: aruba123
       - Retype Key: aruba123
       - Click OK.
     - Select the server you created as Primary Server.
     - Click Next.
   - Access tab
     - Access rule: Unrestricted
     - Click Next.
   - Summary tab
     - Check the configuration you have entered. If something needs to be fixed, use the Back button to go back and fix it. If the configuration is OK, click Finish.

Task 1a-9: SSID test

Objectives
- In this task, you will test the client connectivity to the WLAN you created.

Steps
1. Launch a web browser and browse to the Remote Lab Dashboard (WebGate) at the following URL:
   https://arubatraininglab.computerdata.com/login
   In the rest of the lab guide, you will refer to the Remote Lab Dashboard.
2. Enter the username and password provided by your instructor and click Sign in.
3. You will see the lab topology. Click Windows 10 Test Client and select Open Desktop.
   Notice that your VLT should have an orange background, which means it is the testing client.
4. Click the network icon on the top. Connect to the PXTY-WLAN SSID with the following credentials:
   - Username: employee
   - Password: aruba123
   - Click Connect.
5. In HPE Aruba Networking Central, using the context filter, navigate to the Global view.
6. Using the left menu, navigate to the Clients page.
7. Check that your client is now displayed in the clients list and its status is connected.

Lab 1b: Client Insights

Objectives

After completing this lab, you will know how to monitor a client's profile from the clients on your network. In addition, you will learn how to monitor clients' behavior, such as flow attributes and network activity.

In this lab, you will:
- Monitor the global client's profile
- Monitor a specific client profile
- Monitor client activity

Task 1b-1: Check client connectivity

Objectives
- Make sure your client is connected to the WLAN and browse some internet pages to generate data to be displayed.

Steps
1. Launch a web browser and browse to the Remote Lab portal (WebGate) at the following URL:
   https://arubatraininglab.computerdata.com/login
   In the rest of the lab guide, you will refer to the Remote Lab portal as WebGate.
2. Enter the username and password and click Sign in.
3. You will see the lab topology. Click Windows 10 Test Client and select Open Desktop.
   Notice that your VLT should have an orange background, which means it is the testing client. Click the network connection icon on the top.
4. Check that your client is connected to the SSID PXTY-WLAN.
5. If your client is not connected, click the network icon on the top. Connect to the PXTY-WLAN SSID with the following credentials:
   - Username: employee
   - Password: aruba123
   - Click Connect.
6. On your test client, open a web browser and navigate to youtube.com.
7. In the search bar, search for Airheads broadcasting and click to start the videos. This will generate traffic to be analyzed/monitored.

Task 1b-2: Global clients profile

Objectives
- Monitor the client's profile in the global level view.

Steps
1. From the Context Menu on the left, select Global.
2. Using the left menu, navigate to the Clients page.
   Notice that your client (employee) is displayed on the list.
3. Navigate to the Clients Profile tab.
   Notice that a list with all client types detected on the network will be displayed, along with a percentage for each client type.
   Note that you have just one client. Therefore, there is not much to see here. However, in a real-world network, several client types and their percentage (relevance) to the network will be displayed.
4. When Clients Profile fails to profile a client, the client will be displayed as "Generic." To check if there are any generic clients, click the Generic sub-tab. Since there is no generic client in your environment, the list will be empty.
5. Navigate to the Summary view.
   In the Summary view, you will have a more graphical view of the client types on the network. Each client type is displayed as a tile.
6. Click Tags located on the top right side of the screen.
   Tags are helpful for filtering the clients. There are two types of tags: System tags, which are native to HPE Aruba Networking Central, and User tags, which users can create to identify/filter different device types.
7. Expand System tags. Observe the existing system tags.
8. Collapse System tags.
9. Expand User tags. Observe that, by default, there are no user tags.
10. You will now create a new tag. Click Create new tag.
11. Enter the following configuration:
   - Tag name: Vending machine
   - Description: IoT - Vending machine
   - Click + Condition to add a condition.
   - Select MAC OUI.
   - Click + Value to add a value.
   - Enter aa:bb:cc
   - Click to add a new condition.
   - Select DHCP Options.
   - Click + Value to add a value.
   - Enter values 1,3,6,15,31.
   - Click Save.
   The MAC OUI and DHCP Options shown here are just examples; they are not related to any real-world device or application.
12. Notice that the tag you created is automatically applied to the list of devices. Since there is no device matching your tag, the list will be empty.
13. Click Tags and click Clear to clear the tag filter.

Task 1b-3: Client profile

Objectives
- In this task, you will learn how to monitor a specific client and its respective information provided by Client Insights.

Steps
1. Navigate to the Clients tab and change the view mode to List view.
2. Navigate to the Client detail page by clicking the username (employee) on the list. You will land on the client detail page under the Summary tab.
   As you learned in the previous course (Network Management with HPE Aruba Networking Central (AOS-10)), here you will find the data path for the client and details such as username, MAC address, IP address, VLAN, and much more.
3. To check the client profile information, navigate to the Profile tab.
   The Profile tab displays the classification, static attributes, flow attributes, and network activity of a specific client.
   The Classification section displays the device classification applied to the client.
   The Static Attributes section shows the attributes applied to the client.
   In the Flow Attributes section, you will find the types of applications, destinations, and protocols used by that client in the network.
   The Network Activity section displays the activity of the client in the network, allowing network administrators to track the client's behavior and easily identify anomalies.

Lab 2a: HPE Aruba Networking Central Cloud Authentication and Policy – User access policy with Entra ID

Objectives
After completing this lab, you will know how to integrate the HPE Aruba Networking Central Cloud Authentication and Policy service with Entra ID to perform user authentication using the cloud-based identity store and user attributes to perform access control of authenticated users.
In this lab, you will:
- Integrate Cloud Auth and Entra ID.
- Configure user access policy to apply the correct access level (firewall role) based on the user group.
- Onboard clients.
- Securely connect to the network.
- Create user roles to facilitate user access control.
Task 2a-1: Configure a WLAN using HPE Aruba Networking Central Cloud Authentication and Policy for authentication

Objectives
- In Lab 1, you configured an SSID with 802.1X authentication using ClearPass as the authentication server. In this lab, you will modify the WLAN to use Cloud Auth as the authentication server. You will also create user roles for user access control.

Steps
1. From the Context Menu on the left, select your group Main-Building-1.
2. Using the left menu, navigate to the Devices page.
3. Select the Access Points tab and enter the Config mode.
4. In the WLANs sub-tab, select your SSID PXTY-WLAN (where X is your pod number and Y is your table number).
5. Click the pencil icon to modify your WLAN.
6. Navigate to the Access tab.
7. Change Access rules to Role Based.
8. Click Add Role.
   Creating user roles in the WLAN wizard is considered a best practice since user roles created here will be synced between APs and gateways from the selected cluster.
9. Enter Employee-Role as the Role name.
10. Click OK.
11. Select the Employee-Role in the Roles list.
   Note that by default, an Allow any to all destinations rule is created.
   That role will be applied to authenticated employees. For simplicity, we are giving full access to those users. In a real-world scenario, some access restrictions could be implemented to control employees' access to specific services and resources, for example to block regular employees' access to the management VLAN.
12. You will now create a user role for contractors. Click Add Role.
13. Enter Contractor-Role for the role name and click OK.
14. Select the Contractor-Role in the roles list.
15. Click Add Rule on the right side to add a new access rule.
16. An overlay window will be displayed. Enter the following configuration:
   - Rule Type: Access Control
   - Service: Network - dns
   - Action: Allow
   - Destination: To a particular server
   - IP: 10.254.1.21
   - Click Save.
17. In the rules list, click the + icon to add another rule.
18. Scroll down and enter the following configuration:
   - Rule Type: Access Control
   - Service: Network - Any
   - Action: Deny
   - Destination: To a network
   - IP: 10.0.0.0
   - Netmask: 255.0.0.0
   - Click Save.
   You now have three rules in your policy. Rules are processed from the top to the bottom of the list. The "allow all" rule (Allow any source to all destinations on any service) is now at the top, causing rules 2 and 3 to be ignored. You may reorder your rules by clicking the up or the down arrow beside each rule.
19. Move the Allow any to all destinations rule to the bottom of the list. Your rule list should be like this:
   This policy aims to allow contractors to communicate with the internal DNS server, deny access to any other internal resource (network 10.0.0.0/8), and allow access to anything else.
20. You will now add roles that will be used in the Client Access Policy Lab. Click Add Role.
21. Enter Printer-Role for the Role name and click OK.
22. Click Add Role.
23. Enter Onboarding-Role for the Role name and click OK.
24. Scroll down to the Role Assignment Rules.
25. Click Add role assignment.
26. In the overlay window, enter the following configuration.
   - Attribute: Aruba-User-Role
   - Operator: Is the role
   - Click Save.
27. Click Save Settings.

Task 2a-2: Configuring HPE Aruba Networking Central Cloud Authentication and Policy and Entra integration and a user access policy

Objectives
- Create a User Access Policy to securely authenticate Entra ID users trying to access the network by applying the proper access level.

Steps
1. Using the Context Menu, navigate to the Global level.
2. Using the menu on the left, navigate to the Security page and then to the Authentication & Policy tab.
3. Enter the Config mode.
4. Click the gear icon in the User Access Policy area.
5. Select Microsoft Entra ID as the identity provider.
6. Ask your instructor for Entra ID integration credentials. (If you are taking the online course, please check the bottom of your WebUI for the appropriate Entra ID credentials.)
7. Enter the Tenant ID, Client ID (Application ID), and Client secret provided by your instructor. (If you are taking the online course, please check the bottom of your WebUI for the appropriate Tenant ID, Client ID and Client secret.)
   To learn how to set up a Microsoft Entra ID account for the integration with HPE Aruba Networking Central, click Quick start guide for Microsoft Entra ID.
8. Click CONNECT. You should get a "CONNECTED SUCCESSFULLY" message.
9. Scroll down to the User groups to the client role mapping section.
   In this section, you will configure which user role will be applied to authenticated users according to their Entra ID groups.
10. Click the + icon to add a new mapping.
11. A new row will be added. Under User group, click Select an option.
   Notice that, using an API, HPE Aruba Networking Central Cloud Authentication and Policy displays all the groups that exist on Entra ID.
12. Select Employees.
13. Click Select an option under Client role.
14. Select Employee-Role.
15. Click the + icon to add a new mapping.
16. Select the User Group Contractors.
17. Select the Client Role Contractor-Role.
18. Scroll down to the Network Profile section.
   Cloud Auth uses EAP-TLS to authenticate users in the network. Therefore, certificates need to be installed on client devices and a network profile needs to be created. In the network profile, you will configure the parameters Cloud Auth will use to provision clients.
19. Enter the following configuration:
   - Organization name: Aruba Cloud Auth.
   - WLAN for Non-Passpoint clients: PXTY-WLAN
20. Click SAVE.
   In this lab, we are focusing on corporate networks. Therefore, Passpoint will not be configured.
   Passpoint allows cellular users to connect to Wi-Fi networks with credentials provided by the carrier to allow Wi-Fi calling as well as offloading the user's data to a Wi-Fi network without needing user intervention to connect. This allows the cellular carriers the relief in spectrum and bandwidth they need and allows connectivity at locations with large numbers of users, such as sports venues, large public venues, and even enterprise locations.
21. Expand User Access Policy by clicking the > icon to the left of the name, then scroll down and under User onboarding URL, click Copy URL and paste the URL in a local file. You will need that URL later in this lab.
   The User onboarding URL is used to onboard (provision) clients and should be shared with end users for device provisioning.
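
The group-to-role mapping from Task 2a-2 and the top-to-bottom rule processing from Task 2a-1, as an added Python example that is not part of the lab guide or of HPE Aruba Networking Central: a first-match evaluator that shows why the Contractor-Role rules were ignored before step 19 and what the reordered policy permits. Treating a service as a plain name, the implicit default deny, and the handling of users with several or no mapped groups are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    service: str      # service name, or ANY (simplification: no ports/protocols)
    destination: str  # CIDR; 0.0.0.0/0 stands for "all destinations"

    def matches(self, service, dst_ip):
        """True if a flow for `service` towards `dst_ip` hits this rule."""
        return (self.service in (ANY, service)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination))

    def covers(self, other):
        """True if every flow that matches `other` also matches this rule."""
        return (self.service in (ANY, other.service)
                and ipaddress.ip_network(other.destination).subnet_of(
                    ipaddress.ip_network(self.destination)))


ALLOW_ALL = Rule("allow", ANY, "0.0.0.0/0")         # default rule of a new role
ALLOW_DNS = Rule("allow", "dns", "10.254.1.21/32")  # Task 2a-1, step 16
DENY_INTERNAL = Rule("deny", ANY, "10.0.0.0/8")     # Task 2a-1, step 18

# Rule order right after step 18: the default allow-all is still on top.
CONTRACTOR_BEFORE_REORDER = [ALLOW_ALL, ALLOW_DNS, DENY_INTERNAL]

ROLES = {
    "Employee-Role": [ALLOW_ALL],
    # Rule order after step 19: allow-all moved to the bottom.
    "Contractor-Role": [ALLOW_DNS, DENY_INTERNAL, ALLOW_ALL],
}

# Task 2a-2 mapping rows (Entra ID user group -> client role).
GROUP_TO_ROLE = [("Employees", "Employee-Role"), ("Contractors", "Contractor-Role")]


def role_for(groups):
    """Return the role of the first mapping row whose group the user is in.

    Assumption: rows are checked in table order, and None is returned when
    no row matches; the lab guide does not describe either case.
    """
    for group, role in GROUP_TO_ROLE:
        if group in groups:
            return role
    return None


def evaluate(rules, service, dst_ip, default="deny"):
    """First-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(service, dst_ip):
            return rule.action
    return default  # assumption: nothing matched means deny


def shadowed(rules):
    """Indexes (0-based) of rules that can never match because an
    earlier rule already covers all of their traffic."""
    return [i for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


if __name__ == "__main__":
    role = role_for({"Contractors"})
    for service, dst in [("dns", "10.254.1.21"), ("http", "10.254.1.21"),
                         ("http", "203.0.113.10")]:
        print(role, service, dst, "->", evaluate(ROLES[role], service, dst))
    print("ignored before reorder:", shadowed(CONTRACTOR_BEFORE_REORDER))
    print("ignored after reorder: ", shadowed(ROLES[role]))
```

Running shadowed() over a role's rule list before saving it catches the ordering mistake that step 19 corrects by hand.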
Task 2a-3: Onboarding clients

Objectives
- The onboard process configures client devices and installs the certificates needed to authenticate clients on your SSID. In this lab, you will onboard your Windows 10 test client to connect to your SSID.

Steps
1. Launch a web browser and browse to the Remote Lab Dashboard (WebGate) at https://arubatraininglab.computerdata.com/login.
2. Enter the username and password provided by your instructor and click Sign in.
3. Click Windows 10 Test Client and select Open Desktop.
4. Click the network icon on the top to check whether your client is still connected to the WLAN from the previous lab. If not, click to join again.
   - Network: PXTY-WLAN
   - Username: employee
   - Password: aruba123
5. In the Windows 10 Test Client, open a web browser and navigate to the "User Onboard URL" you copied in Task 2a-2.
   An onboarding page will be displayed. Notice that three options are presented:
   - Yes, I want to install Aruba Onboard: Points you to the HPE Aruba Networking Central Client Onboarding download page.
   - Yes, I already have Aruba Onboard: Launches the Central Client Onboarding.
   - No thanks, just use my browser: Helps users that do not have permission or do not want to download the Central Client Onboarding.
6. Click Yes, I want to install Aruba Onboard, then click Download for Windows.
7. Once the download is complete, open the installation file.
8. In the Search for app in the Store prompt, click No.
9. In the User Account Control pop-up, click Yes.
10. In the installation wizard, click Next >.
11. Check the "End user license agreement" and click I agree.
12. Once the installation is finished, click Close.
13. Once HPE Aruba Networking Central Client Onboarding has been installed, on the onboard page, click Yes, I have the Aruba Onboard app.
14. This will take you to the Microsoft Sign in page. Sign in using the following credentials:
   - Email: employee@advancedcentral.onmicrosoft.com
   - Password: @ruba1234
15. When prompted to stay signed in, click No.
16. Now that you are logged in, a network profile page is displayed, showing you the name of the network (SSID) that will be configured. Click Install using Aruba Onboard app.
17. Click Open Aruba Onboard in the pop-up message.
18. The Central Client Onboarding app will be started. Click Set up network profile to accept and install the network profile for your SSID.
   Once the profile is installed, the Central Client Onboarding app will display the profile name.
19. You will now modify your WLAN to use HPE Aruba Networking Central Cloud Authentication and Policy as the authentication server. Navigate to your HPE Aruba Networking Central browser tab.
20. From the Context Menu on the left, select your group Main-Building-1.
21. Using the left menu, navigate to the Devices page.
22. Select the Access Points tab and enter Config mode.
23. In the WLANs sub-tab, select your SSID PXTY-WLAN (where X is your pod number and Y is your table number).
24. Click the pencil icon to modify your WLAN.
25. Navigate to the Security tab.
26. Change the Primary Server to Cloud Auth.
27. Click Save Settings.
28. On your Windows 10 test client, click the network icon at the top. Select your network PXTY-WLAN SSID and click Disconnect.
29. Wait a minute for the configuration to be pushed to the AP.
30. Click the network icon, select your WLAN network PXTY-WLAN, and click Connect.
31. If you get prompted to enter a username and password, click Connect using certificate.
32. Click Connect.
   Notice that once you have selected to authenticate with a certificate, you no longer need to enter the user credentials.
33. Now that your client VM is connected to the network, on the local PC browser, go to the HPE Aruba Networking Central tab and, using the left menu, navigate to the clients page.
   Notice that now you have the Entra ID user displayed as the Client Name. Also notice that the user role applied to the user is the Employee-Role you configured in the Cloud Auth User Access Policy.

Task 2a-4: Testing a different user (OPTIONAL TASK)

Objectives
- In the previous task, you onboarded a user with no access restriction on the network since this user role has just one rule that allows any traffic. In this lab, you will delete the current client profile and onboard your Windows 10 test client using the Contractor user, which should have a more restrictive access policy (user role).

Steps
   In a real deployment, you would not switch security settings back and forth like this. Instead, you would have 2 SSIDs, one for onboarding and one for EAP-TLS auth post-onboarding. We are only switching security in this lab to show how roles work.
1. In HPE Aruba Networking Central, use the Context Menu to select Main-Building-1.
2. Use the Context Menu to navigate to Group > Devices > Access Points.
3. Enter the Config mode.
4. On the Security tab, change the Primary Server back to ClearPass.
5. On your local browser, select the Windows 10 Test Client tab.
6. Delete all known Wi-Fi networks.
7. Join your Wi-Fi network using the following information:
   - Network: PXTY-Employee
   - Username: employee
   - Password: aruba123
8. Before onboarding your client with a different user, open a browser in the test VM and navigate to http://10.254.1.21.
   You should see the Windows Server IIS page.
   This means that the Employee user has access to the internal network.
9. To delete the current client profile, open HPE Aruba Networking Central Client Onboarding (Aruba Onboard), and right-click the current profile.
10. Click Delete to delete the profile.
11. Confirm the deletion by clicking Delete in the window displayed.
12. To onboard using a new client, connect your VM to the PXTY-WLAN SSID and navigate to the redirect URL you previously saved.
13. On the Welcome page, click Yes, I already have Aruba Onboard.
14. You will be redirected to the Microsoft Sign in page. If your browser "remembers you" from the previous task, click Use a different account.
15. Sign in with the following user:
   - Email: contractor@advancedcentral.onmicrosoft.com
   - Password: @ruba1234
16. In the protect account pop-up, click Skip for now.
17. On the Network Profile page, click Install using Onboard app.
18. In the pop-up message, click Open Aruba Onboard.
19. Select Set up network profile in HPE Aruba Networking Central Client Onboarding.
20. Once the profiling is complete, on your Windows 10 test client, click the network icon at the top. Select your network PXTY-WLAN SSID and click Connect.
21. Click Connect using certificate and then click Connect.
22. On the Windows 10 test client, open a web browser and navigate to http://10.254.1.21.
23. Since we have denied access to the 10.0.0.0/8 network in the Contractor-Role, the navigation will fail. If not, try to close and open the browser since the page could be in the cache.
24. On your local PC browser, go to the HPE Aruba Networking Central tab and, using the left menu, navigate to the clients page.
   Notice that the contractor user is connected.
   Also notice that the user role applied to the user is the Contractor-Role you configured in the Cloud Auth User Access Policy.
   If you performed this OPTIONAL task, you will need to switch the SSID security settings on your WLAN back to Cloud Auth.

Lab 2b: HPE Aruba Networking Central Cloud Authentication and Policy – Client access policy

Objectives
After completing this lab, you will know how to configure a Client Access Policy to authenticate devices that cannot perform 802.1X authentication and how to apply the proper user role to each device category.
In this lab, you will:
- Create a Client Access Policy.
- Configure a WLAN for MAC authentication.

Task 2b-1: Client Access Policy

Objectives
- In this lab, you will configure a Client Access Policy to authenticate your test client using its MAC address and Client Profile information.

Steps
1. On your local browser, select the Windows 10 test client tab.
2. In the test client, click the Windows icon (Start menu), type cmd, and open the Command Prompt.
3. At the command prompt, type ipconfig /all.
4. In the command output, search for your Wi-Fi NIC and take note of its MAC address.
   Remember that many OSs, such as Microsoft Windows, Apple macOS, Android, and iOS, have MAC address randomization enabled by default. For simplicity, that feature is disabled on remote lab VMs.
5. On your local browser, open the HPE Aruba Networking Central tab.
6. Using the Context Menu, navigate to the Global level.
7. In the left menu, select Security, then navigate to the Authentication & Policy tab.
8. Enter Config mode.
9. Click Manage MAC Registration in the Client Access Policy area.
   The first step in creating a Client Access Policy is entering a list with the allowed MAC addresses.
   There are 2 ways to enter MAC addresses:
   a. Manually, by clicking the + icon.
   b. Bulk upload using a CSV file. To download a sample CSV file, click the download icon. Once the file is populated, click the upload icon to import it to HPE Aruba Networking Central.
   For simplicity, you will enter your test client MAC address manually.
10. Click the + icon.
11. In the overlay window, enter the test client MAC address you took note of in step 4 and a client name.
12. Click Save.
   There are no printers or IoT devices in the Remote Labs environment. In this lab, we use the test client's MAC address to perform MAC authentication using HPE Aruba Networking Central Cloud Authentication and Policy.
13. In the client profile tag to role mapping section, click the + icon to add a new role mapping policy.
14. Select [Computers and Servers] in the Client Profile Tag column.
15. Select Printer-Role as the user role to be applied.
   Notice that a line in the client profile to client role mapping table shows the client profile as "unspecified." Any client with no profile information on HPE Aruba Networking Central Clients Profile will follow that rule. That is, the first time a device connects to the network, HPE Aruba Networking Central has no data to profile the client. As a best practice, it is recommended that you create a user role that allows the user to obtain an IP address using DHCP and perform DNS queries, blocking any other traffic. That way, Client profile will be able to profile the client and, in the following connection attempt, it will be able to give the client the proper user role.
16. Select the Onboarding-Role for "Unspecified" clients and click Save.
   Now that you have configured a Client Access Policy, you will create a new WLAN that uses MAC authentication.
17. Using the Context Menu, select Main-Building-1.
18. Navigate to the Devices page and select the Access Points tab.
19. Enter Config mode.
20. In the WLAN sub-tab, click the + icon to add a new SSID.
21. In the WLAN wizard, enter the following configuration:
   - General tab
     - Name (SSID): PXTY-WLAN-MacAuth
     - Click Next.
   - VLANs tab
     - Traffic forwarding mode: Bridge
     - Client VLAN Assignment: Static VLAN
     - VLAN ID: 1
     - Click Next.
   - Security tab
     - Security level: Personal
     - Key management: WPA2-Personal
     - Passphrase: @ruba123
     - Retype: @ruba123
     - Expand Advanced Settings
     - Enable MAC Authentication
     - Primary server: Cloud Auth
     - Click Next.
   - Access tab
     - Access rules: Role Based
     - Scroll down to the Role Assignment Rules.
     - Click Add role assignment.
     - In the overlay window, enter the following configuration.
       - Attribute: Aruba-User-Role
       - Operator: Is the role
       - Click Save.
     - Click Next.
   - Summary tab
     - Click Finish.
22. To test your new WLAN, on your local web browser open the Windows 10 Test client tab.
23. Click the network icon at the top and select your new WLAN PXTY-WLAN-MacAuth.
24. Click Connect.
25. Enter the pre-shared key: @ruba123.
26. Click Next.
27. Click Yes, allowing the computer to be discoverable by other PCs and devices.
28. Now that your client is connected, on your local web browser, go to the HPE Aruba Networking Central tab.
29. Using the left menu, navigate to the Clients page.
30. Click on your client's name. The client details page will be displayed.
   Notice that the AP Role shows the user role defined in the Client Access Policy.

Task 2b-2: Monitoring authentication and policy

Objectives
- Now that you have learned how to implement user and client access policies, you will learn how to monitor the access requests and user authentication by HPE Aruba Networking Central Cloud Authentication and Policy.

Steps
1. Open a web browser tab, navigate to HPE Aruba Networking Central, and authenticate with the HPE Aruba Networking Central credentials provided in the remote lab dashboard.
2. Using the context menu, select Global.
3. Using the left menu, navigate to the Security page.
4. Select the Authentication & Policy tab and change the view mode to Summary view.
   In the Summary view, you will find a summary of access requests that succeeded and failed over the selected period.
5. Scroll down and observe that you have graphics with the mix of Authentication Requests, Client Roles, and Request Failures.
6. Change to the list view, using the list icon located in the top right corner.
   In the list view, a list of accepted and rejected authentications will be displayed.
7. Click Success. The list will be filtered to show only successful authentications.
8. Select one of the requests displayed. This will take you to the Details view.
   Notice that on the Details page you have much deeper information regarding the access request.
9. Scroll down and observe the Authorization, Request, and Response sections.

Lab 3: HPE Aruba Networking Central API

Objectives
After completing this lab, you will know how Streaming and Webhook APIs work and how to configure HPE Aruba Networking Central to allow external applications to connect and receive data from the APIs.
In this lab, you will:
- Enable the HPE Aruba Networking Central Streaming API for audit.
- Execute a Python script to connect to HPE Aruba Networking Central and receive the Streaming API data.
- Create a Webhook endpoint (destination).
- Create alerts that trigger notifications to the Webhook endpoint.
- Monitor the interaction between endpoints and HPE Aruba Networking Central APIs.
Task 3-1: Streaming API

Objectives
- Streaming APIs are a powerful way to extract data from HPE Aruba Networking Central to other platforms. In this lab, you will learn how to enable Streaming APIs and integrate with external software to receive the streamed data. In this lab, you will use Visual Studio Code as the external agent.

Steps
1. Open a browser page and access the HPE Aruba Networking Central customer account.
2. Log in with your user ID and password.
3. From the Context Menu on the left, navigate to Global > Organization.
4. Navigate to the Platform Integration tab.
5. Select Streaming.
   Notice that, by default, all the Streaming API options are disabled.
   On the Streaming API page, you will find:
   - Endpoint: The Endpoint address is the WebSocket endpoint address for the HPE Aruba Networking Central instance. This address will be used for the other platform to "connect" with HPE Aruba Networking Central Streaming API.
   - Streaming key: Your access token for establishing a WebSocket connection.
   - Streaming Protobuf definition: Definition of the specific topic. All WebSocket response messages are encapsulated in a protocol buffer. When a message is received, use the subject (topic) to identify the message and invoke an appropriate message processor. To decode the message, refer to the protocol buffer specification of the respective topic.
   - All the supported Streaming APIs, a toggle to enable/disable each Streaming API, and a download of the protobuf definition of each Streaming API type.
   Streaming API data uses protobuf (protocol buffer) from Google to encapsulate the data. It needs to be decoded. The downloads on this page provide the protobuf definition for each API.
6. Enable the Audit Streaming API by moving the subscribe toggle to on.
7. Click Copy Streaming Key.
8. Open a text editor of your choice and paste the copied key.
9. Copy the endpoint address and paste it in the text editor.
   Keep the text editor open; you will use that information later to authenticate your script.
10. Launch a web browser and browse to the Remote Lab portal at https://arubatraininglab.computerdata.com/login.
11. Log in using your username and password.
12. Using the Remote Lab Dashboard, connect to the Windows 10 MGMT Client.
13. Using the icon on the desktop, open Visual Studio Code.
14. In Visual Studio Code, select Open Folder.
15. In the Open Folder window, select the Streaming API folder under the quick access navigator on the left.
16. Click Select Folder.
17. If you get an overlay window asking if you trust the authors of the files in the folder, click Yes, I trust the authors.
18. On the left, in the explorer area, notice that the files and folders contained in the Streaming API folder were imported.
19. In the explorer, under the Streaming API files, select Simple_app_audit.py. Notice that the Python script will be loaded.
20. Take a minute to check the script.
   Coding skills needed to create your own script are beyond the scope of this training. To learn more about network automation, see the Configuring Network Automation Solutions course.
21. Scroll down the script until you find the comment "# URL for WebSocket Connection from Streaming API page".
   a. In the Hostname field, enter the hostname portion of the streaming endpoint address you copied in step 9. For example, internal-ui.central.arubanetworks.com.
   b. In the UserName field, enter the email address you used to log in to HPE Aruba Networking Central.
   c. In the Authorization field, enter the streaming key you copied from HPE Aruba Networking Central in step 7.
   Values must be entered between quotation marks.
22. Click the Play icon located in the top right corner of the screen to run the script.
Notice that a terminal window will be displayed in the bottom of the window. 23. Scroll up in the terminal window until you see the header request section. Notice that the host, username, and authorization code you entered are used to establish the connection. 24. Scroll down to the "response header". Notice that once HPE Aruba Networking Central replies, accepting the connection, a WebSocket connection is established, and a "Start Streaming Data!" message is displayed. 80 Task 3-1: Streaming API Lab 3: HPE Aruba Networking Central API 25. Scroll down and check if there is any audit information being displayed. For example: n Customer_ID (CID): The customer identification inside HPE Aruba Networking Central. n Service: Kind of change triggered the audit log. n Group_name: HPE Aruba Networking Central group of the device that triggered the notification. n Target: Serial number of the device that triggered the notification. n Config_info: Event that triggered the notification. 26. Take note of the timestamp on the last notification. You will now change the configuration of your AP to trigger a new audit notification. 27. In your local browser, open the tab that you are using to connect to HPE Aruba Networking Central. 28. Using the Context Menu, select your group Main-Building-1. Task 3-1: Streaming API 81 29. Using the Context Menu, on the left, navigate to the Devices page. 30. Navigate to the Access Points tab and click the Config icon. 31. Navigate to the Access Points sub-tab. 32. Hover your mouse over the AP on the list and click the pencil icon to modify the AP's configuration. 33. Change the AP name to include your initials. 34. Click Save Settings. 82 Task 3-1: Streaming API 35. In your local browser, navigate back to the MGMT-Client tab. 36. Check the Visual Studio Code terminal. Notice that you have a new notification (note that the timestamp is different from the previous one you took note of). 37. 
Confirm that the config_info presents: "Access point configuration sync successful", meaning that a new configuration was pushed to that device.

Task 3-2: Streaming API – Monitoring the communication
Objectives
- Monitor the communication between the Streaming API Client and HPE Aruba Networking Central.
Steps
1. Using the remote lab dashboard, connect to the Windows 10 MGMT Client.
2. On VSC (Visual Studio Code), end the terminal session to end the current connection to HPE Aruba Networking Central. To do so, click Python on the right side and click Kill Terminal.
3. Click the start menu and open the Wireshark app.
4. If a User Account Control pop-up is presented to you, click Yes.
5. In the Wireshark welcome screen, double-click the Lab NIC to start a packet capture.
6. Go back to Visual Studio Code and start the simple_app_audit.py code.
7. Navigate back to Wireshark and stop the packet capture by clicking the stop icon on the top left side.
8. Scroll down, searching for the DNS request (Standard query) to "internal-ui.central.arubanetworks.com." As a result of that query, communication between your test client and HPE Aruba Networking Central will start, including a TLS connection. Once the connection is established, you will start to see TLS Application data being sent from HPE Aruba Networking Central to your client with the streaming data.
Since the connection is secure and encrypted, the packet payload cannot be interpreted.
9. Scroll down and you will see TCP Keep-Alive packets. Those packets keep the connection open, allowing HPE Aruba Networking Central to stream notifications when events occur.
Task 3-3: Webhook API
Objectives
- In this lab, you will configure a Webhook endpoint destination and create an alert for an AP Disconnect event that will trigger a webhook notification to an external application.
Steps
1. On your local browser, open a new tab and navigate to https://webhook.site. A unique URL will automatically be created for you.
2. Copy your unique URL and paste it into a local text editor. You will use that URL later in this lab.
Webhook.site allows you to easily test webhooks and monitor the outputs.
3. Keep the Webhook.site browser tab open to monitor notifications.
Now that you have a webhook endpoint, you will perform the configuration needed in HPE Aruba Networking Central to send a notification to that endpoint.
4. Open a browser page and access the HPE Aruba Networking Central customer account.
5. Log in with your user ID and password.
6. From the Context Menu on the left, navigate to Global > Organization.
7. Navigate to the Platform Integration tab.
8. Select Webhooks.
9. Click the + icon to add a new Webhook endpoint.
10. Enter the following configuration:
- Name: Webhook-PXTY, where X is your pod number and Y is your table.
- URL: Click the + icon and paste the URL you copied from Webhook.site.
- Retry Policy: Important
- Click Add.
11. Your Webhook will be added to the list. Click the arrow icon to expand details on your newly created Webhook.
12. On the Webhook endpoint list, hover your mouse over your endpoint and click the Test icon.
13. An overlay window will be displayed on the right side of the browser. On the Status column, check for the status 200 – OK, meaning that the communication from HPE Aruba Networking Central to the endpoint is working.
If you receive any other response code, like 404 – Not Found, check the URL you copied from Webhook.site and pasted into HPE Aruba Networking Central. If the error persists, ask your instructor for assistance.
14. From the Context Menu, navigate to the Alerts & Events page.
15. Enter Config mode and navigate to the ACCESS POINT tab.
16. Click AP Disconnected.
17. Enter the following configuration:
- Severity: Major
- Duration: 5 minutes
- Group: Main-Building-1
- Mark the checkbox for Webhook
- Select your webhook endpoint: Webhook-PXTY
- Click Save.
18. Click OK.

Task 3-4: Webhook API - Test
Objectives
- In this lab, you will simulate an AP power failure by disabling the switch port, forcing the AP to go down and triggering the alert you created, sending a Webhook notification to the endpoint.
Steps
1. Open a browser page and access the Remote Lab Dashboard.
2. Right-click the table switch and select Open Console.
3. Press Enter. A login prompt should be displayed.
4. Log in with the following credentials:
- Username: admin
- Password: Press Enter (No password is configured)
5. In the switch console, enter the following commands:
   configure terminal
   interface 1/1/12
   shutdown
Your AP is connected on port 1/1/12. Disabling that port will break the communication between HPE Aruba Networking Central and the AP, causing an alarm to be triggered and the Webhook notification to be sent.
6. On your local browser, open the HPE Aruba Networking Central tab.
7. Using the Context Menu, navigate to the Alerts & Events page.
8. Check if an alert for AP disconnect was created.
Remember that the alert will be created five minutes after the AP is disconnected. Therefore, if you have no AP disconnected alert, wait a couple of minutes.
If you have no alert within 15 minutes, check the alert configuration (Task 3-3, steps 10 to 13) and confirm that port 1/1/12 is disabled on the table switch.
9. Once you are able to see the alert on HPE Aruba Networking Central, in your local browser, navigate to the Webhook.site tab. On the left side, notice that you have all the notifications received, from the most recent at the top to the oldest at the bottom.
10. Click the first notification in the list and, in the Raw content section, check the alert_type. It should display "AP disconnected."
11. Scroll down, and observe the information sent by HPE Aruba Networking Central to the Webhook endpoint. Notice the state of the alarm as "Open", meaning that the alert is still active. At the bottom of the Raw content, at the "text" line, notice that HPE Aruba Networking Central sent out information about the faulty device, such as AP name, MAC address, Group and Site.
12. Navigate back to the table switch console tab.
13. Press Enter to ensure your connection is still active.
14. If your connection is active and the switch prompt is displaying p31t13-TableSwitch(config-if), enter the command: no shutdown.
15. If your session has expired, enter the following list of commands:
   username: admin
   password: <<enter>>
   configure terminal
   interface 1/1/12
   no shutdown
16. Wait a minute and check the Webhook.site tab of your browser.
17. A new Webhook notification was received. Click the + sign to select it. Notice that the state line shows "Close" in the Raw content section, meaning that the alert was closed and the AP is no longer disconnected.
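The Open and Close notifications observed above, handled by a receiver of your own instead of Webhook.site, as an added example that is not part of the lab files. It validates each body before use and absorbs repeated deliveries, which a retry policy can produce; alert_type, state and text are the fields shown in this task, while the "id" field and all sample values are assumptions constructed for the illustration.

```python
"""Track AP-disconnect alert state from webhook notifications (added example)."""
import json

# alert_type, state and text appear in the lab's Raw content view.
# "id" is an ASSUMED per-alert identifier used here to pair Open with Close.
REQUIRED = ("id", "alert_type", "state", "text")
VALID_STATES = {"Open", "Close"}


class AlertTracker:
    """Keeps the set of currently open alerts, keyed by alert id."""

    def __init__(self):
        self.open_alerts = {}    # alert id -> parsed notification
        self.closed_ids = set()  # ids already closed, to absorb retries

    def handle(self, raw_body):
        """Process one webhook body and return a short outcome string."""
        try:
            note = json.loads(raw_body)
        except (TypeError, ValueError):
            return "rejected: not JSON"
        if not isinstance(note, dict):
            return "rejected: not an object"
        # Every required field must be a non-empty string.
        missing = [k for k in REQUIRED
                   if not isinstance(note.get(k), str) or not note[k]]
        if missing:
            return "rejected: missing " + ",".join(missing)
        if note["state"] not in VALID_STATES:
            return "rejected: unknown state"

        alert_id = note["id"]
        if note["state"] == "Open":
            if alert_id in self.open_alerts:
                return "duplicate"   # retried delivery of the same Open
            if alert_id in self.closed_ids:
                return "stale"       # Open arrived after its Close
            self.open_alerts[alert_id] = note
            return "opened"

        # state == "Close"
        if alert_id in self.closed_ids:
            return "duplicate"       # retried delivery of the same Close
        self.closed_ids.add(alert_id)
        if self.open_alerts.pop(alert_id, None) is None:
            return "closed-without-open"
        return "closed"


def _body(alert_id, state):
    """Build a constructed notification body (not captured from Central)."""
    return json.dumps({
        "id": alert_id,
        "alert_type": "AP disconnected",
        "state": state,
        "text": "AP AP-EXAMPLE (MAC 00:00:5e:00:53:01) disconnected, "
                "Group Main-Building-1",
    })


# Constructed delivery sequence: a retried Open, a second alert that stays
# open, a retried Close, and two malformed bodies.
SAMPLE_DELIVERIES = [
    _body("alert-1", "Open"),
    _body("alert-1", "Open"),
    _body("alert-2", "Open"),
    _body("alert-1", "Close"),
    _body("alert-1", "Close"),
    "not json",
    json.dumps({"alert_type": "AP disconnected"}),
]


def replay(deliveries):
    """Feed deliveries to a fresh tracker; return outcomes and open ids."""
    tracker = AlertTracker()
    outcomes = [tracker.handle(d) for d in deliveries]
    return outcomes, sorted(tracker.open_alerts)


if __name__ == "__main__":
    results, still_open = replay(SAMPLE_DELIVERIES)
    for outcome in results:
        print(outcome)
    print("still open:", still_open)
```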
Lab 4: Managing certificates
Objectives
After completing this lab, you will know how to import certificates into HPE Aruba Networking Central and how to configure which certificate will be used for captive portal authentication. In this lab, you will:
- Import a certificate to the HPE Aruba Networking Central repository.
- Create a guest SSID with an external captive portal.
- Install a custom certificate on APs and gateways.
- Test the installed certificate for guest access.
- Troubleshoot the certificate for cloud guest.

Task 4-1: Captive portal certificate
Objectives
- Create an HPE Aruba Networking Central Cloud Guest Splash Page (captive portal) and intentionally cause a certificate error. Fix that error by using the default certificate for devices managed by HPE Aruba Networking Central.
Steps
1. Open a browser page and access the HPE Aruba Networking Central customer account.
2. Using the Context Menu, navigate to your Main-Building-1 group.
3. Using the Context Menu, navigate to the Guests page.
4. Navigate to the List view.
5. Click the + icon to create a new Splash Page.
6. Enter the following configuration:
- Name: PXTY-SplashPage
- Type: Authenticated
- Username/Password: enabled
- Self-Registration: enabled
- Verification Required: enabled
- Bypass Apple Captive Network Assistant (CNA): enabled
- Email-based: enabled
- Send Verification Link: disabled
- Phone-based: enabled
- Override Common Name: enabled
- Common Name: securelogin.arubanetworks.com
- Click Next.
The client device uses the common name to send its credentials to the Network Access Device (NAD, IAP, or gateway), using the local certificate to secure the data. That common name you entered has no valid/trusted certificate on your AP, which will generate a certificate error page.
- Click Next on the Customization tab.
- Click Finish on the Localization tab.
7.
Now that you have created a new Splash Page, you need to create a new WLAN for guests.
8. Using the Context Menu, navigate to the Devices page and select the Access Points tab.
9. Enter Config mode by clicking the gear icon in the top right corner.
10. Navigate to the WLANs tab.
11. Click Add SSID.
12. Enter the following configuration:
- General tab
  - Name (SSID): PXTY-WLAN-Guest
  - Click Next.
- VLANs tab
  - Traffic forwarding mode: Bridge
  - Client VLAN Assignment: Static
  - Client VLAN Assignment: 20
  - Click Next.
- Security tab
  - Security level: Visitors
  - Type: Cloud Guest
  - Guest Captive Portal Profile: PXTY-SplashPage
  - Click Next.
- Access tab
  - Access rules: Network Based
  - Click Add rule.
  - In the overlay window, enter the following configuration.
    - Rule type: Access Control
    - Service: Network - Any
    - Action: Deny
    - Destination: To a network
    - IP: 10.0.0.0
    - Netmask: 255.0.0.0
    - Click OK.
  - Click Add Rule.
  - In the overlay window, enter the following configuration.
    - Rule type: Access Control
    - Service: Network - DNS
    - Action: Allow
    - Destination: To all destinations
    - Click OK.
  As a best practice, always create a rule denying guests access to the corporate network.
  - Click Next.
- Summary tab
  - Click Finish.
13. Click OK at the success overlay.
14. To test your new Guest WLAN, on your local web browser open the Windows 10 Test Client tab.
15. Click the network icon at the top and select your new WLAN, PXTY-WLAN-Guest.
16. Click Connect.
17. Once connected, on the client VM open a web browser and navigate to arubanetworks.com. You will be redirected to the captive portal (Splash Page) for authentication.
In a normal situation, the captive portal page will automatically be launched by the client machine.
However, in the lab environment, you have more than one active network connection, making it necessary to start the browser for the web redirect to work.
18. Click Register to register a new guest user.
19. Choose either Email or Phone and enter your email address or phone number.
20. Click Register. A verification code will be sent to your email or phone.
21. Enter the verification code and click Verify.
Since we had changed the common name to an "old and expired certificate," the browser might display the message "Your connection is not private" or even "DNS Probe Finish", causing the authentication to fail.
You will now fix that problem by using the default certificate HPE Aruba Networking Central uploads to managed devices.
22. Disconnect your client from the wireless network.
23. On your local web browser, open the HPE Aruba Networking Central tab.
24. Using the Context Menu, click Guests to navigate to the guests page.
25. Select your Splash Page, PXTY-SplashPage, and click the pencil icon to edit the config.
26. Scroll down until you see the Override common name option.
27. Change the Common name to securelogin.hpe.com.
28. Click Save Settings.
29. In your local browser, go to the Windows 10 Test Client tab.
30. Once more, connect to the guest WLAN, PXTY-WLAN-Guest.
31. Open a web browser and navigate to arubanetworks.com. The Sign in page will be displayed.
32. Sign in using the credentials you received after your previous registration. After the login process, you should be redirected to the website you have asked for, with no security/certificate warning.
33. Disconnect from the wireless network.
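Why the first common name failed and the second worked, as an added example that is not part of the lab files: the browser accepts the captive portal only when the Splash Page common name matches a name in the certificate the AP presents and that certificate is inside its validity period. The certificate contents below are constructed; the wildcard name for the custom certificate used in the next task is an assumption inferred from the file name star.arubatraninglab.pfx.

```python
"""Check a Splash Page common name against a device certificate (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DeviceCert:
    label: str
    dns_names: tuple      # names the certificate is valid for
    not_before: datetime
    not_after: datetime


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(hostname, pattern):
    """Match a hostname against a certificate name.

    A "*" is honoured only as the whole leftmost label and stands for
    exactly one label, so "*.example.com" covers "a.example.com" but
    neither "example.com" nor "a.b.example.com".
    """
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def check_common_name(common_name, cert, now):
    """Return the list of problems a browser would raise (empty if none)."""
    problems = []
    if not any(name_matches(common_name, n) for n in cert.dns_names):
        problems.append("name mismatch")
    if now < cert.not_before:
        problems.append("not yet valid")
    elif now > cert.not_after:
        problems.append("expired")
    return problems


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed certificates; names and validity dates are illustrative only.
DEFAULT_CERT = DeviceCert(
    "default device certificate",
    ("securelogin.hpe.com",),
    _utc(2024, 1, 1), _utc(2025, 1, 1),
)
CUSTOM_CERT = DeviceCert(
    "Arubatraininglab (assumed wildcard)",
    ("*.arubatraininglab.com",),
    _utc(2024, 1, 1), _utc(2025, 1, 1),
)
OLD_CERT = DeviceCert(
    "old certificate for the first common name",
    ("securelogin.arubanetworks.com",),
    _utc(2018, 1, 1), _utc(2020, 1, 1),
)
NOW = _utc(2024, 6, 1)  # constructed reference time so results are repeatable

# (Splash Page common name, certificate mapped to captive portal on the AP)
SCENARIOS = [
    ("securelogin.arubanetworks.com", DEFAULT_CERT),
    ("securelogin.arubanetworks.com", OLD_CERT),
    ("securelogin.hpe.com", DEFAULT_CERT),
    ("captiveportallogin.arubatraininglab.com", CUSTOM_CERT),
    ("captiveportallogin.arubatraininglab.com", DEFAULT_CERT),
]


def audit(scenarios, now):
    """Return (common name, certificate label, problems) for each pairing."""
    return [(cn, cert.label, check_common_name(cn, cert, now))
            for cn, cert in scenarios]


if __name__ == "__main__":
    for cn, label, problems in audit(SCENARIOS, NOW):
        print(f"{cn} with {label}: {', '.join(problems) or 'ok'}")
```

Changing the Splash Page common name without also mapping a matching certificate in Certificate Usage reproduces the last scenario: the name no longer matches what the AP presents.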
Task 4-2: Captive portal certificate – Custom certificate
Objectives
- Import a new certificate into HPE Aruba Networking Central, map the certificate to be used by the AP for captive portal authentication, and change the guest Splash Page to use the new certificate to submit guest credentials.
Steps
A set of digital certificates was uploaded to your Windows 10 MGMT Client. Therefore, you will need to use that client VM to upload certificates into HPE Aruba Networking Central.
1. Using the Remote Lab Dashboard, connect to your Windows 10 MGMT Client.
2. In the MGMT Client, open a web browser and navigate to the HPE GreenLake portal (https://common.cloud.hpe.com/).
3. Log in, using the credentials provided in the Remote Lab Dashboard.
4. On the HPE GreenLake homepage, click Launch for HPE Aruba Networking Central.
5. Using the Context Menu, navigate to Organization.
6. Click the Certificates tile.
7. Click the + icon to import a new certificate to HPE Aruba Networking Central.
8. Enter the following configuration:
- Name: Arubatraininglab
- Type: Server Certificate
- Format: PKCS12
- Passphrase: Aruba123!
- Retype Passphrase: Aruba123!
- Certificate file: click Choose File
  - In the pop-up window, navigate to the Certificates folder and select the certificate star.arubatraninglab.pfx.
  - Click Open.
- Click Add.
Notice that your certificate will be added to the HPE Aruba Networking Central Certificate Store.
Even though you have your certificate imported to the HPE Aruba Networking Central Certificate Store, this certificate was not uploaded or mapped for any device to use it. In the upcoming steps, you will configure your AP to use this certificate for captive portal authentication.
9. Using the Context Menu, navigate to the Main-Building-1 group.
10.
Using the Context Menu, navigate to Devices and to the Access Points tab.
11. Enter Config mode by clicking the gear icon in the top right corner.
12. Navigate to the Security tab.
13. Scroll down and expand the Certificate Usage section.
14. Expand the Certificate Usage sub-section.
15. Select your new certificate (Arubatraininglab) in the Captive Portal field.
16. Click Save Settings.
Now that you have mapped the certificate to be used by the AP for captive portal authentication, the last step is to ensure the Splash Page will use it to submit user credentials to the AP.
17. Using the Context Menu, navigate to Guests.
18. Select your guest Splash Page (PXTY-SplashPage) from the Splash Page list and click the pencil icon to edit its configuration.
19. Scroll down to Override Common Name and enter the following common name: captiveportallogin.arubatraininglab.com.
20. Click Save Settings.
21. In your local web browser, navigate to the Windows 10 Test Client tab. If the tab was closed, relaunch it from the Remote Lab Dashboard.
22. Click the network icon at the top and select your WLAN (PXTY-WLAN-Guest).
23. Click Connect.
24. Once connected, on the client VM, open a web browser and navigate to arubanetworks.com. You will be redirected to the captive portal (Splash Page) for authentication.
25. Log in with the credentials you received after the registration and click Login. After a few seconds, you should be redirected to the website you requested (arubanetworks.com).

Lab 5: AOS-S switch configuration
Objectives
In this lab, you will configure AOS-S switches. You will also configure the switches in template mode and create a new UI-based AOS-S switch group.
In this lab, you will:
- Create a new template group for AOS-S switches.
- Create a new template.
- Import an existing switch configuration as a template.
- Work with template, variables, and custom variables.
- Create a UI (GUI) group for AOS-S switches.

Task 5-1: Creating a switch template
Objectives
You will begin this lab by activating port 22 of the table switch to simulate a new switch deployed on your network. Next, you will create a group and a switch template for your switch.
Steps
1. Open a browser and navigate to the Remote Lab Dashboard.
2. Right-click Table Switch and select Open console.
3. Log in using the following credentials:
- Username: admin
- Password: Press Enter (no password is set on the switch)
4. Enter the following commands:
   TableSwitch# configure terminal
   TableSwitch(config)# interface 1/1/22
   TableSwitch(config-if)# no shutdown
   TableSwitch(config-if)# end
   TableSwitch# write memory
While you wait for the switch to communicate with HPE Aruba Networking Central, you will create a group for your new AOS-S switch.
5. Open a browser page and access the HPE Aruba Networking Central account.
6. Using the Context Menu, select Groups. You will be placed on the Groups page (Maintain > Organization > Groups).
7. Click the + icon to create a new group.
8. Enter AOS-S Template as the group name.
9. Select the Switches checkbox.
10. Enable the Configure using templates option.
11. Click Next.
12. Select AOS-S only and click Add.
Your switch should be online and communicating with HPE Aruba Networking Central.
13. Navigate to Global > Devices and click the Switches tab. You should see an AOS-S switch with the default device name, belonging to the default group. Ensure the "Group" option has been checked in the displayed columns.
14.
Navigate to Global > Organization > Groups, expand the Default group, and select the only HPE Aruba Networking 2930F Switch Series.
15. Click the Move icon at the bottom right, select AOS-S Template, and click Move to confirm.
16. Navigate to Groups > AOS-S Template > Devices and select the Switches tab.
17. Enter Config mode. You will be taken to the Templates page.
18. Click the + icon to add the first template.
19. In the pop-up window, define the following:
- Template Name: AOS-S-template-1
- Device: Aruba Switch
- Model: 2930F
- Select your part name: ALL
- Version: ALL
- Click Next.
- Click IMPORT CONFIGURATION AS TEMPLATE.
- Select device to import configuration: Select the only 2930F Series in the lab.
- Before you save, you must include these commands in the template file:
  - include-credentials
    This may already be in the config. When configuring a password, you must add the include-credentials command in the template. This command stores the password in the running config file associated with the switch. HPE Aruba Networking Central automatically executes this command while reading the switch configuration.
  - password manager user-name "admin" plaintext Aruba123!
    This should be placed under the include-credentials command. manager in the command means manager level.
- Click SAVE.
Select List mode by clicking List at the top right and ensure your switch's config Status is "In sync." You may need to refresh your browser.
Notice that your switch credential has been changed to admin/Aruba123!.

Task 5-2: Editing the switch template
Objectives
You have just imported a configuration into a template. You will now make modifications to the template.
Steps
1. Enter config mode by clicking the Config icon.
2. In the Templates list, select AOS-S-template-1 and click the pencil icon to edit.
3. Scroll down to examine the template.
4. Click Show Variable List in the top right of the window to display the template variables.
5. In the template window, add the following at the end of the template, starting on a blank (new) line:
   vlan
      name "employee"
   vlan
      name "management"
      exit
6. Click Save.
7. In the navigation tabs, navigate to Configuration Audit. Is it out of sync? ______
8. Click View Details under Configuration Status.
9. Click the switch on the left and view the configuration that is not in sync on the right.
10. What is your invalid input line?
11. What is the error? (You may need to wait for one minute to see the logs shown.)
12. Click Close.
You will now fix the configuration error.
13. In the navigation tabs, navigate to the Templates tab.
14. In the Templates list, select AOS-S-template-1 and click the pencil icon to edit.
15. Scroll down to view the template and note the template variables on the right.
16. The VLAN command you entered needs a VID value. In the template window, change "vlan" to "vlan 20" for the employee VLAN and to "vlan 100" for the management VLAN.
   vlan 20
      name "employee"
   vlan 100
      name "management"
      exit
17. Click Save.
You want to make sure that the configuration template is set up in the same format as you would see if you ran a show running-config command in the CLI of the switch.
18. At the top, navigate to Configuration Audit. You should see one device in Auto Commit State: ON. You can disable auto-commit by clicking View & Edit, but you will keep it on in this lab.
19. It may take a minute or two to fall into sync. When synchronized, the number of devices listed should be 0.

Task 5-3: Editing the switch template using variables
Objectives
You now have a working template file. You would modify the variables file to make per switch modifications in the real world.
However, in this lab, you only change the template for the AOS-S switch.
Steps
1. In HPE Aruba Networking Central, navigate to Groups > AOS-S Template > Devices. Select the Switches tab and click the Config gear to enter config mode.
2. In the navigation section, select Variables.
3. Click the Download icon to download the variables file in a CSV format.
4. Save the CSV file as an Excel file.
5. Open the variable Excel file using Office Excel or another Excel editor.
6. In the _sys_hostname field, change the switch's name.
a. Change the _sys_hostname field to Aruba-2930F-SW1.
b. Change the modified field for the switch from N to Y.
When working with variable files, remember to set the modified cell to Y (yes)—all lines marked as N will be ignored during the file import.
c. Select the _sys_vlan_1_untag_command column and right-click to format the cell to TXT format. Replace the 28-Jan field with 1-28.
This is an Excel auto-format issue. If you download the configuration in JSON format, you can avoid this problem.
7. Save the Excel file on your desktop as SwitchVariable1.csv.
8. Go back to HPE Aruba Networking Central and from the Variables tab, click the Upload Variables button.
9. Select the SwitchVariable1 file on your desktop and click Open. Verify that it was uploaded successfully.
10. Navigate to Configuration Audit.
11. Check the configuration status and ensure your switches are in sync.
12. Click the Variable tab to verify the Variable Value of "_sys_hostname" for this switch has been changed to "Aruba-2930F-SW1."

Task 5-4: Customizing the variables file
Objectives
In this task, you will customize your variable file.
Steps
1. On your desktop, open the Excel file SwitchVariable1.
2. If the "_sys_vlan_1_untag_command" changed back to "28-Jan", follow the steps in the last task to change it to text mode "1-28".
3.
In the last vertical column to the right, add in the following in the first two rows:
- vlan_100_untag
- Two double quotes "" (Note: "" means no value)
4. In the last vertical column to the right, add in the following in the first two rows:
- vlan_20_tag
- Two double quotes "" (Note: "" means no value)
5. Save your Excel sheet on your desktop as SwitchVariable2.
6. In your HPE Aruba Networking Central account, navigate to the Variables tab.
7. Click Upload Variables File.
8. Select your file SwitchVariable2 and click Open.
9. In the Variables list, look at the new variables. You may need to refresh your browser.
If your customized variable is not there, go back to your variable file. The cells should be in text format and only have underscores, no dashes. Once you have confirmed you have the variables, proceed with the following steps.
10. In the navigation tabs, navigate to Configuration Audit. Ensure the configuration status is good without template error or Not In Sync issues.
11. In the navigation tabs, select Templates.
12. In the Templates list, select AOS-S-template-1 and click the pencil icon.
You will now set the custom variable as the VID for the VLAN value. This will allow you to have different VIDs on different switches. You will also use this variable to give the descriptive name field a proper name.
13. In the template window, make the following modifications:
%_sys_template_header%
hostname "%_sys_hostname%"
%_sys_module_command%
no cwmp enable
include-credentials
password manager user-name "admin" plaintext "Aruba123!"
snmp-server community "public"
snmp-server enable traps mac-count-notify
snmpv3 engineid "%_sys_snmpv3_engineid%"
vlan 1
   name "DEFAULT_VLAN"
   untagged %_sys_vlan_1_untag_command%
   %if _sys_use_dhcp=1%
   ip address dhcp-bootp
   %endif%
   %if _sys_use_dhcp=0%
   ip address %_sys_ip_address% %_sys_netmask%
   %endif%
   ipv6 enable
   ipv6 address dhcp full
   exit
vlan 20
   name "employee"
   no ip address
   tagged %vlan_20_tag%
   exit
vlan 100
   name "management"
   no ip address
   untagged %vlan_100_untag%
   exit
14. Click Save.
15. In the navigation tabs, select the Variables tab.
16. Change the values for variables on the switch by clicking the pencil icon.
When you change the value of the template as below, you may need to refresh the GUI page to see the changes. You can do this after you change all values.
- _sys_vlan_1_untag_command: 1-2,4-28
- _vlan_100_untag: 3
- _vlan_20_tag: 3,24

Task 5-5: Check switch configuration
Objectives
In this task, you will check the switch configuration, looking for the configuration added using custom variables.
Steps
1. Access the Remote Lab Dashboard, open the Access Switch (AOS-S) console, and log in with admin/Aruba123!.
2. Execute the show ip and show vlan commands to verify if the switch received its configuration from HPE Aruba Networking Central.
3. Check VLAN 20 port assignment by executing the show vlan 20 command.
4. Notice that Ports 3 and 24 are tagging frames for VLAN 20 as assigned by the custom variable "vlan_20_tag".

Task 5-6: Switch UI configuration group
Objectives
You will now complete the steps to configure a switch in UI (or GUI, Graphical User Interface) mode.
Steps
Configuring a new AOS-S UI group
1. Log in to HPE Aruba Networking Central and navigate to Global > Organization > Groups.
2. Click the + icon to create a new group, using the following information.
- Name: AOS-S-GUI
- Access points: Unchecked
- Gateways: Unchecked
- Switches: Checked
- Configure using templates: Unchecked
- Click Next.
3. Select AOS-S only, then click Add.
You will now look at the GUI options for AOS-S switches.
4. From the context filter, navigate to AOS-S-GUI > Devices. In the upper right corner, click the Config icon. You have no switches in this group at this time.
5. Click Interfaces and see in the submenu if you can configure ports, PoE, trunk groups, VLANs, and so on.
6. Click Security and review the submenu options.
These are the GUI configuration options for AOS-S switches. You won't be adding the 2930F Series switch into the GUI-based group in this lab.

Lab 6: AOS-CX switch configuration
Objectives
In this lab, you will deploy AOS-CX switches using HPE Aruba Networking Central in a UI group mode. You will:
- Create a UI group and assign the switches to the UI group.
- Provide an initial configuration for your AOS-CX access layer switches.
- Configure switch settings at the group level and device level using the GUI option.
- Configure your switch using MultiEdit.

Task 6-1: Configure switch settings at the group level
Objectives
Configure an AOS-CX switch using the UI group mode. You will configure general networking settings like DNS, VLAN, and so on, at the group level for the AOS-CX switch. At the device level, you will configure device-specific settings like the hostname, IP addressing, and so on.
Steps
1. Log in to HPE Aruba Networking Central and navigate to Groups > Main-Building-1 > Devices.
2. Select the Switches tab and click the Config icon in the upper right corner of the browser to enter configuration mode.
The group password dialog window will appear.
3.
Set the administrator password for this group to Aruba123! and click SAVE.
Feature-level configuration is divided into five distinct categories that you can use within the current UI:
- System: basic system properties, HTTP proxy, SNMP, logging, management access, IP source interface, and VSF stacking.
- Routing: static routes and overlay fabrics.
- Interfaces: port and link aggregation group (LAG) settings, VLAN assignments.
- Security: port access (AAA), dynamic segmentation, and client roles.
- Bridging: VLAN definitions, loop protection, and spanning tree.
At the top, you can also use MultiEdit for advanced configuration.
4. Click VLANs on the right under the Bridging section.
5. Click the + icon to add a VLAN.
6. Configure VLAN ID 10 with name management, description MGMT-VLAN, and admin status of the VLAN (leave it checked), then click ADD to add the VLAN.
7. Follow the steps above to add another VLAN with ID 20, name employee-vlan, and Description EMP-VLAN.
8. Once you're done adding the VLANs, click the arrow next to VLANs to return to the switch configuration UI page.
9. Click Properties on the right under System.
10. Configure the following settings:
- VRF: Default
- DNS: 10.254.1.21
- NTP: 10.254.1.21
- Timezone: US-Eastern
- Click SAVE.
Later, you will use the static IP for management purposes. DNS is important to ensure the switch can communicate with HPE Aruba Networking Central.
11. From the Context Menu in the top left corner, select Groups.
12. Expand the Unprovisioned devices section.
13. Select your CX 6300 Series switch.
14. Click on the Move Device icon.
15. Select Main-Building-1 as the destination group.
16. Click Move.
17. Click OK to confirm.

Task 6-2: Configure the switch at the device level

Objectives
While some configuration is common to all switches in a group, some settings are specific to each device. In this task, you will configure your switch name, an interface, and an IP route.

Steps
1. To start configuring the new CX 6300 Series switch, in the Context Menu on the left, navigate to Groups > Main-Building-1 > Devices > Switches, click the Device Name of the 6300 switch, and select Device.
2. Click Ports & Link Aggregations on the right, under Interfaces.
3. Select port 1/1/1 and click the pencil icon in "item(s) selected" in the bottom right corner to assign the port to a VLAN.
4. Assign port 1/1/1 to VLAN 20, add the description Connect-test-Client, and click SAVE. You should see a successful update message at the bottom.
5. Once you are back on the Ports & Link Aggregations page, click Configuration Status on the top right. Here, you can see the status of HPE Aruba Networking Central pushing the switch configuration.
   By default, any configuration changes in the HPE Aruba Networking Central UI are applied immediately to all managed switches in the group. This behavior is controlled by the auto-commit setting for each managed device, which is enabled by default. You can enable or disable the auto-commit setting using the toggle switch next to Auto-commit Changes State on the left side of the page.
   When you disable auto-commit, you can review pending configuration changes by selecting the Pending changes link on the Configuration Status page before committing them to the switch running and startup configuration.
6. Once the status changes to Synchronized under Configuration State Issues, click the arrow next to Configuration Status to return to the main switch configuration UI page.
7. In the System area, click Properties on the right.
8. Configure the device hostname AOSCX-SW1 under Name. Leave all the other configurations pushed down to the device from the group level and click SAVE.
9. Configure the default static route under Routing > Static Routing. Click the + icon to add a route and enter the following:
   - Destination: 0.0.0.0/0
   - VRF: Default
   - Next hop: 10.10.10.1
   - Distance: 1
   - Click SAVE.

Task 6-3: Deploy switch configuration using MultiEdit

Objectives
MultiEdit is a powerful configuration tool available on HPE Aruba Networking Central UI Groups for AOS-CX switches. MultiEdit allows the configuration of one or multiple switches simultaneously in an intelligent template style. In this lab, you will configure your AOS-CX switch using MultiEdit.

Steps
The table switch has been preconfigured. You can check out the configuration through WebGate. The table switch's login credential is admin with no password.
1. Log in to HPE Aruba Networking Central.
2. In the Context Menu, navigate to Groups > Main-Building-1 > Devices > Switches and click the gear icon to enter config mode.
3. Enable MultiEdit mode by selecting the MultiEdit toggle switch.
   This opens a device list from which you can select one or more devices to view or modify the switch configuration. Alternatively, you can use the Express Config feature to deploy Network Analytics Engine agents or device profile settings.
   MultiEdit needs to be turned off if you want to use UI options.
4. Click the only switch in the list and select EDIT CONFIG from the pop-up in the bottom right corner.
   This opens the configuration context intelligent CLI for the selected switches. You can select multiple devices to configure simultaneously.
   MultiEdit is an intelligent template tool that offers command syntax validation. You will now try the syntax validation.
5. At the end of the configuration, enter "inteface" (the missing letter "r" is a deliberate typo to test the syntax validation). Notice that the command is highlighted in red, showing that there is an error in the command.
6. Hover your mouse over the command to see MultiEdit provide the reason for the warning.
7. Delete the command "inteface". Start typing "interface" (correct spelling) and notice that MultiEdit helps show the correct command syntax.
8. Enter the following commands at the end of the script. Use the Tab key to indent the second command.

   vlan 100
       name MultiEdit_Test

   Notice that MultiEdit automatically organizes and places the command in the proper place.
9. Now, try entering an incomplete command. Type "description" and press Enter. Notice that the command is highlighted in yellow.
10. Hover the mouse over the command to see a MultiEdit message.
11. Complete the command with a description for your VLAN.
   When configuring multiple switches at the same time, you can make a value switch-specific by right-clicking the green part of the command line, which creates a variable for that field.
12. Since you have just one switch, you will not be able to configure those variables, but you may check how it is done. Right-click the DNS server IP address at the bottom of your configuration script. A parameter box will be displayed on the right side, with a line for each device configured.
   If you want all the switches to get the same value, check the Set same value for all devices checkbox.
13. Close the parameters overlay by clicking the X in the top right corner.
14. Click Save.
15. Click Configuration Status on the top right to observe the configuration synchronization process and status.
   Under Config Status, the config status will soon change to "Synchronized."
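
Once the status reads "Synchronized," the switch's running configuration can be checked against what Tasks 6-1 to 6-3 intended. The following is an added example, not part of the lab guide or of HPE Aruba Networking Central: it parses an indented AOS-CX style configuration and reports every expected command that is missing. The sample configuration is constructed, the CLI lines other than `vlan 100` / `name MultiEdit_Test` are assumed renderings of the GUI settings, and the function names are hypothetical.

```python
# Constructed sample of a running configuration after Lab 6 (assumed, not captured from a device).
SAMPLE_CONFIG = """\
hostname AOSCX-SW1
ntp server 10.254.1.21
ip dns server-address 10.254.1.21
vlan 10
    name management
    description MGMT-VLAN
vlan 20
    name employee-vlan
    description EMP-VLAN
vlan 100
    name MultiEdit_Test
interface 1/1/1
    description Connect-test-Client
    vlan access 20
ip route 0.0.0.0/0 10.10.10.1
"""

# Intended state from Tasks 6-1 to 6-3: context line -> commands required under it (None = global).
EXPECTED = {
    None: ["hostname AOSCX-SW1", "ntp server 10.254.1.21",
           "ip dns server-address 10.254.1.21", "ip route 0.0.0.0/0 10.10.10.1"],
    "vlan 10": ["name management", "description MGMT-VLAN"],
    "vlan 20": ["name employee-vlan", "description EMP-VLAN"],
    "vlan 100": ["name MultiEdit_Test"],
    "interface 1/1/1": ["description Connect-test-Client", "vlan access 20"],
}

def parse_config(text):
    """Group indented child commands under their unindented parent line."""
    tree, parent = {None: []}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("!"):  # skip blanks and comment lines
            continue
        if raw[0].isspace() and parent is not None:
            tree[parent].append(line)         # child of the current context
        else:
            parent = line                     # new top-level command or context
            tree[None].append(line)
            tree.setdefault(line, [])
    return tree

def find_drift(text, expected=EXPECTED):
    """Return (context, command) pairs that are expected but absent."""
    tree = parse_config(text)
    return [(ctx, cmd) for ctx, cmds in expected.items()
            for cmd in cmds if cmd not in tree.get(ctx, [])]
```

An empty list from `find_drift` means every intended setting is present; any returned pair names the context and the command to re-check in the group or device configuration.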