Nafith Salama

This is an IT-related channel. Its main purpose is to offer viewers knowledge on topics such as how to build a functional network, how networking works, how to create your lab, and much more.
I am Nafith Salama, a certified Aruba, HPE and Cisco instructor for the last 20 years.

ClearPass-AAA

Comments

  • @mpls_link (19 hours ago)

    Nice video, but the thumbnail with candlestick charts is misleading

  • @abdallasalah9161 (2 days ago)

    Hello Nafith, what is the code of the Aruba ClearPass associate exam now?

  • @nafithsalama (2 days ago)

    There is no exam for ClearPass

  • @abdallasalah9161 (2 days ago)

    @nafithsalama what's the replacement?

  • @jjzz541 (3 days ago)

    Hi Nafith, any chance we can see the lab work for these modules?

  • @nafithsalama (3 days ago)

    @jjzz541 Hi, I am planning to do so. I will create a whole new series, labs only. Probably after summer.

  • @jjzz541 (2 days ago)

    @nafithsalama cheers :)

  • @umangishchumun4886 (9 days ago)

    Hi, thanks for these helpful videos. So we do not need to assign a VLAN to the port where the endpoint is connected, is that right?

  • @nafithsalama (9 days ago)

    @umangishchumun4886 Many thanks. Yes, you actually don't assign the VLAN to the port where the client is connected.

  • @ricardoalvarez7198 (11 days ago)

    Will the cluster function also help me with the wired VLANs? If I have 2 gateways in a cluster and I lose one, will the other take its place and also take control of the VLANs without any impact?

  • @nafithsalama (11 days ago)

    So when you configure the cluster it should be symmetrical from a VLAN perspective, meaning whatever VLAN you configure on one controller will be the same on the other gateway.

  • @nafithsalama (11 days ago)

    So yes, it is going to be fine in terms of user traffic, assuming you planned well and, as best practice, design for N+N redundancy.

  • @abdullahalhalabi1 (12 days ago)

    Many thanks

  • @HeraldCod (12 days ago)

    Hello Nafith Sir, your videos are always clear and help to connect the dots in different Aruba networking concepts. Thank you very much. Hoping for more practical content in future. Thanks again, sir.

  • @nafithsalama (12 days ago)

    Many thanks, I will include all of these modules as labs as well in the near future.

  • @askmethod (14 days ago)

    Thanks bro for the valuable information. Go ahead.

  • @nafithsalama (13 days ago)

    Many many thanks

  • @askmethod (12 days ago)

    @nafithsalama we have one user who cannot join the wifi. Our CPPM is integrated with the DC. When the user tries to join, it gives a certificate error. The user has already joined the domain.

  • @nafithsalama (12 days ago)

    @askmethod It can be for different reasons. Is the certificate valid? Is it revoked? Does the client machine trust the certificate-issuing CA?

  • @askmethod (12 days ago)

    @nafithsalama all clients joined normally. Specifically this client refused to connect. When I checked CPPM it said trust CA certificate invalid.

  • @nafithsalama (11 days ago)

    @askmethod Did you look at the certificate details on the client?

  • @JoseMiGuel-sq1wo (14 days ago)

    Hi, could we get the presentation in any way? Your videos are very interesting!!!

  • @nafithsalama (13 days ago)

    Many thanks for watching, but I am sorry, I can’t share the slides; they’re copyrighted.

  • @patrickcasavant-cssmv (17 days ago)

    Hi Nafith, where is Module 9!? 😂

  • @nafithsalama (16 days ago)

    Hi Patrick. I will upload today just missing :)

  • @patrickcasavant-cssmv (15 days ago)

    @nafithsalama thanks!! ;)

  • @peterzheng7166 (19 days ago)

    Great video, thanks! However, I have a question, in the Authorization Source Filter Query, is the certificate referring to the default Intune client certificate when the device was enrolled in Intune? Just so you know, we don't have a CA in Intune to issue device certificates.

  • @mlgg3709 (28 days ago)

    Nafish, thank you for the awesome video. One follow-up question. If I don’t want to use EAP-PEAP for the pre-auth, how can I do this? Is it possible? But also verify that the user is an employee.

  • @nafithsalama (28 days ago)

    You can use what is called dual-SSID onboarding: first they’ll connect to an open SSID, pretty much like guest, then once onboarded they can use the secure one.

  • @mlgg3709 (27 days ago)

    @nafithsalama First, let me apologize for not spelling your name correctly, but that's auto-type. Thank you for your reply.

  • @amnayamnay6821 (28 days ago)

    Hi Nafith, thank you for everything, that's awesome. I have a question please (as always haha): on the guest SSID, when I ran nmap 192.168.x.x (IP of the mobility controller) I can see that HTTP port 80, port 443 and port 4343 are open (the guest can even have on the GUI the username & password of the mobility controller). I want to deny this so that no guest can access the mobility controller IP, and when nmap 192.168.x.x is run by a guest, I need those ports blocked or closed. I tried rules on the mobility controller (but some work and others don't). Thank you.

  • @amnayamnay6821 (28 days ago)

    I finally managed to do it. The thing is, I set up a rule to deny any from the guest pool IP to the mobility controller as destination, but this rule wasn't the first one. I just moved it to the top and now it works fine. I didn't know it should be the first, otherwise it doesn't work. Thanks a lot.

  • @nafithsalama (28 days ago)

    Well done, you see how the Aruba solution is so flexible 😂
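
Added example (not part of the comment thread and not Aruba configuration syntax): a small first-match rule model that reproduces the ordering problem described in the thread above, plus a check that flags a rule shadowed by an earlier, broader rule with the opposite action. The guest pool and controller addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # source network, CIDR
    dst: str                        # destination network, CIDR
    ports: frozenset = frozenset()  # empty set = any port

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (not self.ports or port in self.ports))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        ports_ok = not self.ports or (bool(other.ports) and other.ports <= self.ports)
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and ports_ok)


def evaluate(rules, src_ip, dst_ip, port, default="deny"):
    """First match wins: the first rule that matches decides the action."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default


def shadowed(rules):
    """List (rule_index, earlier_index) pairs where an earlier rule with the
    opposite action already covers everything the later rule would match."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rules[j].action != rule.action and rules[j].covers(rule):
                found.append((i, j))
                break
    return found


# Constructed addresses (assumptions): guest pool and controller management IP.
GUEST_POOL = "192.168.50.0/24"
CONTROLLER = "192.168.10.1/32"

allow_internet = Rule("permit", GUEST_POOL, "0.0.0.0/0")
deny_controller = Rule("deny", GUEST_POOL, CONTROLLER)   # "deny any" to the controller

BEFORE = [allow_internet, deny_controller]   # deny sits below the broad permit
AFTER = [deny_controller, allow_internet]    # deny moved to the top

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        verdict = evaluate(rules, "192.168.50.23", "192.168.10.1", 4343)
        print(name, "guest -> controller:4343 =", verdict, "| shadowed:", shadowed(rules))
```

Running `shadowed()` over a rule list before deploying it catches this class of mistake without needing a scan from the guest network.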

  • @MarkoHuovinen (1 month ago)

    Very good presentation, thanks! I was wondering as the media types have to be same, does LAG work between a single mode and a multi mode fiber, if they are both 10G? The media types being: 10G-LR & 10G-SR. I have two server rooms that are connected with 10G SM & MM fibers. The same SFP+ transceiver is used in all related ports.

  • @nafithsalama (28 days ago)

    Interesting setup. Media type needs to be the same, but I'm not sure about the mode; I never tried it.

  • @MarkoHuovinen (25 days ago)

    @nafithsalama Thanks for the reply. I tried it and it works.

  • @jjzz541 (1 month ago)

    Thank you for taking the time and effort. Priceless content.

  • @nafithsalama (1 month ago)

    Thanks

  • @amnayamnay6821 (1 month ago)

    Thank you Nafith, it is really helpful. I have a question please: I want basically the same thing but I don't have an Onboard licence; is there any way to do something like that? To give you the context: I want to use the same SSID captive portal for employees and BYOD (or guest), but I don't want to give full access to the guest or the BYOD. Is there any way to do it? Let's say just give them internet access and that's it. For example, I don't want them to have access to the employee machines (ping, for example). Is this doable by role or policy or something else? I tried to create in advance an account for every employee with the employee role, and they will connect with it, and for BYOD they will send a request from the captive portal to their host, the sponsor will accept it, and they get the guest role. But I think they have the same access. I just want to make sure to give guest or BYOD just internet access, and not full or employee-like access. Thank you.

  • @nafithsalama (1 month ago)

    Hi. First of all, many thanks for sharing your thoughts. For BYOD to be implemented, yes, you need a license for that. You can try an evaluation license if you want to. For the different levels of access, you can have, say, an employee role and create your policies (FW) for the employee, and guests usually get a guest role which only allows them to access the internet (this might apply to the contractor as well in your case, since you don't have a proper OnBoard license). If you are going to use a gateway to tunnel, it might also be a good idea to terminate the guest tunnel on a separate gateway; this gives you more control over guest traffic. If you need further clarification please let me know. All the best.

  • @amnayamnay6821 (1 month ago)

    @nafithsalama Hi Nafith, thank you very much for your reply, I really appreciate that. As for the licence, I can't have one unfortunately, so for this reason I was looking for a solution to do that. So you are saying that the roles (employee and guest) are already different by default? I mean, if a guest gets access by the guest role and an employee by the employee role, they don't already have the same access? Is that correct? If yes, what's the difference, for example? Which kind of things is the guest denied by default? The tunnel and gateway is a really good idea, but since I'm really new to ClearPass, how can I technically do that? How do I terminate the guest tunnel on a separate gateway in a real example? Thank you very much.

  • @nafithsalama (1 month ago)

    @amnayamnay6821 In a nutshell, ClearPass's job (after authentication) is to assign the roles. The roles have policy(s) and each policy has rules (think of them as ACLs, but they are session-based in most cases). The details of the role are done on the device(s) such as APs and GWs.

  • @amnayamnay6821 (1 month ago)

    @nafithsalama Sorry for those questions but I don't understand very well. My config is like this: Aruba AP 515 (5 or 6), acting like one virtual controller, and I have ClearPass. Are you trying to say that the roles need to be set on the virtual controller and not in ClearPass? If yes, could you please give an example?

  • @nafithsalama (1 month ago)

    Yes that is all done with your Access policy (FW)

  • @saudhusain (1 month ago)

    Is there an Airwave architecture design diagram available? Like how the OS, DB and Airwave app correlate/communicate with each other?

  • @nafithsalama (1 month ago)

    Do you mean something like a design document, or is it how Airwave is internally structured?

  • @saudhusain (1 month ago)

    @nafithsalama three-tier architecture for Airwave OS, Database and Application

  • @DrGriff2000 (1 month ago)

    I have been around Aruba for a few years. This has been one of the most impactful to my learning thus far. The breakdown of AP mode operation between AOS8 & AOS10 was very informative.

  • @nafithsalama (1 month ago)

    Thanks ❤

  • @luffyashraf3197 (1 month ago)

    Where are the rest of the videos for this exam prep?

  • @nafithsalama (1 month ago)

    Hi, I am planning to post more videos on this topic. You can also attend the official training for this course.

  • @axieinfinitygameplay2160 (1 month ago)

    How can I delete the device from inventory?

  • @nafithsalama (1 month ago)

    You can archive the device, and by doing so it is available to be used elsewhere.

  • @HieuPhung-tq6cj (1 month ago)

    How to download the tool?

  • @nafithsalama (1 month ago)

    The tool can be downloaded only by vendor partners and is not available to the general public. If you work for, say, an Aruba or Cisco partner then you can request help with the tool.

  • @cajay4825 (1 month ago)

    Do we need to have links extended between the gateways, or will it form logical clustering?

  • @nafithsalama (1 month ago)

    They need to have reachability but not necessarily direct physical links

  • @tifossi1984 (1 month ago)

    Hi Nafith. I have several Android devices joined to Intune. The devices with Android v8 - v9 show the WiFi MAC address in hardware properties, but Android 10 - 11 - 12 - 13 - 14 don't show this information for integration with ClearPass. Is there another possible way to access this information?

  • @neverlosewei01 (1 month ago)

    nice !!!

  • @nafithsalama (1 month ago)

    Thanks!

  • @artogaming3478 (1 month ago)

    Thanks for your presentation. Best video on KZread

  • @veerabsc (2 months ago)

    I was wondering if you have a full ClearPass course

  • @nafithsalama (2 months ago)

    I don’t have it as videos. I am working on that; it’ll be out soon ❤️

  • @veerabsc (2 months ago)

    Very informative, thanks for sharing

  • @nafithsalama (2 months ago)

    You’re welcome

  • @ss11235 (2 months ago)

    Thank you for the video. Can you please comment on how much time it takes to finish the AMP installation step?

  • @nafithsalama (1 month ago)

    I would say around an hour

  • @ravipatil8739 (2 months ago)

    Thank you very much for this :) 🙂 It really works!

  • @uyuyamayanadam (2 months ago)

    Admin, can I have the ISO file please? I need version 8.2.9.0. Thank you.

  • @nafithsalama (2 months ago)

    I’ll send it tomorrow

  • @uyuyamayanadam (2 months ago)

    @nafithsalama thank you, I'll be waiting

  • @nafithsalama (2 months ago)

    www.dropbox.com/scl/fo/lt1boywq5k2j6osmapl69/AOQsVKkkV8y87PurlZuTEGI?rlkey=obu4s7utznm0a45qn58bd8kbk&dl=0

  • @uyuyamayanadam (2 months ago)

    @nafithsalama thank you very very very much

  • @thankyou-it7ti (2 months ago)

    Very helpful videos

  • @thankyou-it7ti (2 months ago)

    Nicely explained 👍👍

  • @sura6603 (2 months ago)

    Great video Sir, Thanks! :)

  • @thankyou-it7ti (2 months ago)

    Thank you sir

  • @patrickcasavant-cssmv (2 months ago)

    Hi Nafith! Thanks for all those great videos! Can you make one on dynamic segmentation, but in a distributed design (EVPN/VXLAN fabric)? I'm in the process of installing one but I'm facing a lot of limitations/caveats on NetConductor! If you have any experience with that to share, it will be very much appreciated. I have 2 RR 8325 and 6 BORDER, STUB, EDGE 8360 already in Central with foundation advanced licence.

  • @nafithsalama (2 months ago)

    Hi, NetConductor can be a bit tricky. Let me try to mimic your setup in a lab environment and get back to you. It might be useful if you can send me a high-level view of your setup.

  • @patrickcasavant-cssmv (2 months ago)

    @nafithsalama I just found that there is a new documented design called "Scaled-Access Design". I think that will resolve many of the limitations that I was facing. I'm watching for Aruba to enable this feature in my account. (I don't understand why it is not enabled by default when you pay for the advanced licence.) I will keep you updated.

  • @nafithsalama (2 months ago)

    Hi Patrick. Many thanks for updating me, and that is an amazing feature; Aruba should make it part of the advanced licensing. But I guess it might be a sort of new feature.

  • @JatinSinghjs (2 months ago)

    I tried to generate the CSR but I'm unable to understand where you got the mc_conf file from and where you have stored it. openssl is not asking for any attribute to generate the CSR:
    Can't open "mc_conf" for reading, No such file or directory

  • @nafithsalama (2 months ago)

    The car file I call answer file. I created it and stored it on my computer.

  • @dominh7279 (2 months ago)

    Admin, can I have the ISO file please?

  • @nafithsalama (2 months ago)

    Sure, I will send a link to you later today

  • @nafithsalama (2 months ago)

    www.dropbox.com/scl/fi/oz6vvp3mics1n6imzih1r/AMP-8.3.0.1-x86_64.ova?rlkey=jpgrvmfvsntp9wx54cnmdhukb&dl=0

  • @dominh7279 (2 months ago)

    @nafithsalama Thanks bro

  • @nafithsalama (2 months ago)

    Here is the link to the OVA www.dropbox.com/scl/fo/lt1boywq5k2j6osmapl69/AOQsVKkkV8y87PurlZuTEGI?rlkey=obu4s7utznm0a45qn58bd8kbk&dl=0

  • @uyuyamayanadam (2 months ago)

    @nafithsalama Sir, I requested version 8.2.9. If it doesn't bother you, can you send me the link again?

  • @seanbyrne960 (3 months ago)

    Hello -- can you tell me how to use the interface range command on AOS-CX version PL.10.10.1100?

  • @nafithsalama (3 months ago)

    Say you would like to have a range between 1/1/1 to 1/1/10: simply type interface 1/1/1-1/1/10

  • @nafithsalama (3 months ago)

    Absolutely, I can create videos on how to set up an Aruba mobility controller and CAP AP

  • @fadiaboalkhair411 (3 months ago)

    Hi dear, thank you very much for your super lecturing. Can you please provide me with your contact number?

  • @nafithsalama (3 months ago)

    Hi, you can reach me on this WhatsApp: +447875965285

  • @Rgant125 (3 months ago)

    Hi there, sorry to bother you. I am completely new to this and I was wondering if you might be able to give me some advice. I was given an Aruba 650 branch controller running ArubaOS version 6.2.1.2 and 3 Aruba AP 105. Could you do a video on how to factory reset this controller and set up the APs? I want to know if I can use this at home. I very much enjoy experimenting and trying new things and I thought it was a shame to throw it in the WEEE waste. Or is it even worth doing? I look forward to hearing from you 😊 Also, I've made a console cable and I am able to see the boot-up processes using PuTTY. Also, can this all be done through the console port?

  • @nafithsalama (3 months ago)

    Hi Ryan. Thanks for being thoughtful and not wasteful, but in my opinion it is not worth it. Also I don’t have these devices. The oldest controller I have is 7005 with 207 APs

  • @Rgant125 (3 months ago)

    @nafithsalama Hi there, thank you for the reply. I might still have a play and see what I can learn from these controllers and how they are set up and used. Then dispose of it properly.

  • @MShadowZero1 (3 months ago)

    Hello, thank you for the awesome video as always. I have two questions:
    1. What is the correct way to assign tagged from ClearPass for an IP phone on an ArubaOS switch and a Comware 7 switch? I tried different ways; I can see the port is tagged but the IP phone does not connect.
    2. Is there a way to assign a dynamic VLAN from ClearPass for the uplink between two switches? For example, between an ArubaCX switch and ArubaOS.
    Thank you

  • @nafithsalama (3 months ago)

    Let me look into this for you

  • @MShadowZero1 (3 months ago)

    @nafithsalama thank you

  • @squeletteful (3 months ago)

    Dear Nafith, any help please on the integration of ClearPass with Cisco switches 2950 or 2960 version 12? We have tried to make a test on download ACL but it is not working. ClearPass is showing that the profile was attributed, however we can't find the ACL on the switch. Thank you

  • @nafithsalama (3 months ago)

    Hi, not sure what you’ve done on both the Cisco switch and ClearPass. What does Access Tracker say, and what about the logs on the Cisco switch: what do they show in relation to the ACL?

  • @mohitpanwar4884 (3 months ago)

    I am not able to enable this bind9 service, error "Failed to enable unit: Refusing to operate on alias name or linked unit file: bind9.service"

  • @nafithsalama (3 months ago)

    Not sure why, but let me try to mimic this error. Did you install the required utilities as per the instructions? Just double check that.

  • @mohitpanwar4884 (3 months ago)

    @nafithsalama
    systemctl enable bind9
    Failed to enable unit: Refusing to operate on alias name or linked unit file: bind9.service
    root@dns:/etc/bind# systemctl enable named
    Synchronizing state of named.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable named
    root@dns:/etc/bind#
    Then I enabled named and I tested rebooting the server and I got status running for the bind service

  • @mohitpanwar4884 (3 months ago)

    New issue now: reverse nslookup not working, forward working fine -
    nslookup 10.10.7.182
    ** server can't find 182.7.10.10.in-addr.arpa: NXDOMAIN

  • @michaelbroel6137 (3 months ago)

    nice tutorial, but don't use .local anymore

  • @AtlasBit (3 months ago)

    Great video and your explanation is simple and flawless

  • @blzee-bufoo (3 months ago)

    Can we configure PTP with VSX on 8320 switches, and what third-party device can be used to configure the Grand source clock? Thank you

  • @nafithsalama (3 months ago)

    I will look into this in more depth

  • @fadiaboalkhair411 (3 months ago)

    Great job, where do you live?

  • @nafithsalama (3 months ago)

    Thanks, I live in the UK

  • @EdsterL (3 months ago)

    Thanks Nafith for sharing such knowledge...this is great information...do you have any videos on Mobility Controllers?

  • @nafithsalama (3 months ago)

    Planning to have a series on the mobility controllers

  • @neilsachy (3 months ago)

    Keep up the great work Nafith, loving the video releases you're doing, so helpful!

  • @nafithsalama (3 months ago)

    Thanks