
CPA 200

Cloudpath Administrator 200

Student Guide
Revision 0817

Corporate Headquarters - San Jose, CA USA
T: (408) 333-8000

European Headquarters - Geneva, Switzerland
T: +41 22 799 56 40

Asia Pacific Headquarters - Singapore
T: +65-6538-4700

© 2017 Brocade Communications Systems, Inc. All Rights Reserved.

ADX, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, HyperEdge,
ICX, MLX, MyBrocade, OpenScript, The Effortless Network, VCS, VDX, Vplane, and
Vyatta are registered trademarks, and Fabric Vision and vADX are trademarks of Brocade
Communications Systems, Inc., in the United States and/or in other countries. Other
brands, products, or service names mentioned may be trademarks of others.

Notice: This document is for informational purposes only and does not set forth any
warranty, expressed or implied, concerning any equipment, equipment feature, or service
offered or to be offered by Brocade. Brocade reserves the right to make changes to this
document at any time, without notice, and assumes no responsibility for its use. This
informational document describes features that may not be currently available. Contact a
Brocade sales office for information on feature and product availability. Export of technical
data contained in this document may require an export license from the United States
government.

Revision: August, 2017


CPA 200 Introduction

Revision 0817 1-1


CPA 200 Introduction

Revision 0817 1-2


CPA 200 Introduction

Revision 0817 1-3


CPA 200 Introduction

Revision 0817 1-4


CPA 200 Introduction

Revision 0817 1-5


CPA 200 Introduction

Revision 0817 1-6


CPA 200 Introduction

Revision 0817 1-7


CPA 200 Introduction

Revision 0817 1-8


CPA 200 Introduction

Revision 0817 1-9


CPA 200 Introduction

Revision 0817 1 - 10
CPA 200 Introduction

Revision 0817 1 - 11
CPA 200 Introduction

Revision 0817 1 - 12
CPA 200 Introduction

Revision 0817 1 - 13
CPA 200 Introduction

Revision 0817 1 - 14
Cloudpath Admin 200 Cloudpath Overview

Revision 0817 2-1


Cloudpath meets the rising need for:

• A “Wi-Fi First” approach to network connectivity that also secures wired
connections
• Secure connectivity that protects both users and the business
• On-demand onboarding to the WLAN and wired network with Zero-IT
administration
• Device Enablement: automated device onboarding to the WLAN
• Certificate Management: passwords are replaced with more secure certificate-
based authentication
• Policy Management: set access policies by a user+device class of network
citizenship, with separate rules for corporate devices, employee BYOD, and
guest users on the network

BYOD and the Internet of Things offer new challenges to Wireless LAN providers.
IoT adds thousands of new devices each day to networks, communicating data
both wired and wirelessly. Laptops, smartphones, thermostats, refrigerators,
lamps, lightbulbs, and more all require network access. Each of these devices
represents new data and new risks to your wireless network.

Consider the possibilities: a hacker exploits a network vulnerability found in an
IoT coffee pot and connects to the smart thermostat on your home network. Your
smartphone thermostat app is linked to Bluetooth to turn the heat down when
you’re away, and to your calendar where you set your schedule to save energy.
Calendars are linked to email accounts. By accessing the coffee pot, which was
probably already granted permission to your calendar to brew your favorite cup of
joe, someone can read your email or look at the thermostat’s Bluetooth to see if
you’re at home or away.

The challenge of IoT is the secure management of an ever-changing onslaught of
new wired and wireless devices.

Cloudpath (ES) provides:

• Device Enablement
• Certificate Management
• Policy Management

• Automated Onboarding: a self-service portal automatically provisions
devices for the wired and wireless networks
• Certificate Based: Public Key Infrastructure (PKI) policy-enabled
certificates tie user, device and policy together
• Enrollment Record: tracks which devices, where, and who is onboarded and
authenticated
• Policy Control: VLANs, ACLs and policies based on users, groups, and
devices give controlled access per device
• Broad Device Support: iOS, Android, Chrome OS, Mac OS X, Windows,
Linux and more
• NAC Lite: each supported OS has specific policy settings that control
access. These settings can be enforced to check items such as
installed agents, service packs, antivirus, updates, firewall, and more.

Cloudpath has built-in services to facilitate certificate management and the
onboarding process:

• Certificate Authority (CA): The built-in certificate authority can manage
certificates issued from 3rd party CAs. The Cloudpath CA also issues and
manages individual device certificates on the wired or wireless LAN.

• Mail & SMS Service: Sends enrollment vouchers by email or text
message to the devices of users onboarding to the WLAN.

• Web Server (HTTP/HTTPS): The Cloudpath web server allows clients to enroll
a device from anywhere, prior to being on site or within range of the WLAN.

• RADIUS Server: Provides centralized Authentication, Authorization, and
Accounting (AAA or Triple A) management.

• Lite Network Access Control (NAC) & Mobile Device Management (MDM):
Enforces network and device setting policies during the onboarding process.
• Note: NAC and MDM policies are only enforced during enrollment and
access to the WLAN; they are not persistent or re-checked after enrollment
in Cloudpath 5.1.

Cloudpath is vendor agnostic and integrates with many controllers or access points.

Additional 3rd party integrations:

• MDM Integration: Use the built-in light NAC and MDM, or integrate with an
existing MDM provider for persistent NAC and MDM after the onboarding
process.
• Google Console: Deploy the Cloudpath extension using the Google Admin Console
for Zero-IT certificate installation.
• To distribute certificates to managed Chromebooks, a Cloudpath
extension is pushed via the Google Admin Console. This extension
recognizes when the device has been authorized, then automatically
requests the certificate and installs it in the Trusted Platform Module
(TPM).

There are many combinations of users and devices that will onboard to your
WLAN. Cloudpath allows you to define the onboarding journey by:
• Creating classifications of the devices and users
• Establishing granular controlled access by individual users and devices
• Administering policies and requirements to onboard to your WLAN
• Segregating users and access by SSIDs and VLANs

Example Onboarding Journey

The journey can begin either when a user comes into range of the WLAN or
when the user pre-boards a device via the web. When a device attempts to
access the Service Set Identifier (SSID), the user is redirected to the Cloudpath
Onboarding Splash Page.
On the Onboarding page a WLAN administrator can visually identify the WLAN
by uploading the company graphic or logo and set the link to the company
“Terms & Conditions” policy.
This is the first step in creating an onboarding policy, as the user may not
continue without accepting the terms of use. Remember to consult your
company’s legal counsel when linking to your corporate use policy.

Not all devices are safe to allow onto the WLAN as-is. Cloudpath provides
802.1X secure onboarding for both wired and wireless LANs. During
activation, the user goes through an administrator-specified workflow to get
authenticated, authorized, configured, and moved to the secure SSID.

Example:
• Cloudpath Enrollment System creates a workflow split: Visitor or
Employee.
• Workflows refine the type of access by splitting each of the categories into
separate journeys with different policies and device requirements.
• Each of these splits can follow separate policy paths as they continue
through the workflow.
• Remediation prior to access: Cloudpath verifies the device settings before
letting it onto the network, e.g. enable the firewall, check for antivirus and
Windows updates, install custom apps, and more.
• A workflow can assign one or more device certificates to authenticate the
access privilege granted.
• After the workflow requirements are met, the user device is redirected to the
WLAN and SSID defined by the policy for that device’s journey.

While what the user sees is simple, there is a lot going on behind the scenes to
protect the users, networks, and business. The process of configuring and
connecting a device to the secure network requires the integration of many
components of your network.

• The wireless LAN controller redirects to the Cloudpath ES.
• Cloudpath ES issues a user certificate based on user store credentials.
• The client is authenticated by a RADIUS server, which verifies the certificate.
• The Cloudpath network wizard installs the certificate in the local certificate store
and migrates the user to the secure network.

In Cloudpath you can also configure Contractor and Guest access to the WLAN.
ES can control the default or maximum time users are allowed access to the
WLAN. For example, access can be granted for the single day of an event or the
duration of a user’s contract. Additionally, a user can pre-board a device via
Cloudpath’s web service before they arrive on site.

1. What are the 3 key services Cloudpath ES provides? (Answer: Device
Enablement, Certificate Management, Policy Management)

2. What built-in services are provided by Cloudpath ES? (Answer: Certificate
Authority (CA), Mail/SMS Service, NAC & MDM Lite, RADIUS Server, Web
Server)

3. What are the 2 types of Cloudpath deployments? (Answer: Hosted & Cloud)

Cloudpath Admin 200 Certificates and Secure WiFi

Example: an https:// secure website provides these additional enhancements over
a typical http:// site.

Authentication: Trusted third-party “Certificate Authorities” provide confirmation
that your connection to a site is indeed to the intended site and that you have not
been redirected to a fraudulent alternative. Users have become sensitive to fraud
and identity theft, making authentication an important part of a site’s integrity.
Certificate Authorities issue certificates only to confirmed, identified parties and are
responsible for validating the certificates they issue through a certificate chain
process.

Trust: Is gained through confidence in the organization that issued the
certificate. Browsers, for example, offer visual cues, often in the form of a lock
icon, that tell visitors when their connection is secure. This
provides evidence to the user that the website is taking steps to secure the
communication between both parties.

Encryption: Is one of the primary reasons for certificates. They create a process
(a private/public key pair) by which two parties can communicate sensitive information
securely without fear of interception by attackers.
SSL/TLS uses unique cryptographic key pairs: a key pair is made up of a
secret private key and an associated public key. Information that is
encrypted using a public key can only be decrypted by the corresponding
private key.

Certificates are installed on the server and are used by its clients for security.
Connecting clients are presented with the server’s certificate, allowing them to
validate the server and establish an encrypted session. These clients have the
ability to examine the certificate to ensure it has not expired or been revoked and is
valid, through a process called the chain of trust (discussed later).
Because most clients do not have certificates installed, their identity is either
implied or validated through other means, such as login credentials. This form
of identification can be compromised (lost or shared passwords, for example) and is
required every time a user needs to connect to the network.

Cloudpath provides the ability to install and use certificates on client devices,
providing validity for both sides of the connection. It also allows for greater
security by relying on the certificates and not a username/password
authentication method. Certificates also allow authentication to be specific to a
device instead of anything a user can enter their credentials on.

Server certificates: The public portion of the certificate used by the secure
service’s server. Any device needing a secure connection is presented the server’s
certificate for validation and encryption. The server certificate does not contain the
private key and is safe to distribute. The RADIUS server provides the server
certificate to every device that attempts to connect.

TLS client certificate: (If used) The Transport Layer Security (TLS) certificate
submitted by the client’s device, allowing the use of the SSL/TLS protocol during the
login process. This certificate contains information about the client and about the
organization that issued the certificate.

The difference between a public and a private certificate is based more on who
issued it. As the name implies, a public certificate issuer works to establish itself with
all devices, making its issued certificates immediately identifiable and trustworthy.
These efforts of a public certificate signer allow them to charge for their services
and the certificates they issue.
Private certificate issuers many times have to introduce themselves (install a root
certificate) to the clients and servers that are going to use certificates they issue.
Certificates can be issued based on their use and on the domain and subdomain
structure of the service they are issued for.

Certificate options are:

Single – secures one fully-qualified domain name or subdomain name. These are
the "traditional" SSL certificates that have been in use since the advent of the SSL
protocol.
Wildcard – A wildcard certificate covers a domain name along with an unlimited
number of its subdomains. The wildcard certificate with a common name of
*.ruckus.com secures login.ruckus.com, www.ruckus.com, mail.ruckus.com,
etc. Wildcard certificates carry increased risk and sometimes limited extended
warranties for end users from trusted sites. These types of certificates can also
create increased maintenance. Example: if one server or subdomain
becomes compromised, then all member subdomains are vulnerable. This
requires all affected servers to have the certificate revoked and replaced
instead of just the one affected server.

Multi-Domain – secures multiple domain names with a single SSL certificate.
These are often called Subject Alternative Name (SAN) certificates. They are
often used to cover multiple subdomains with one certificate, and are often preferred
over wildcard certificates as they allow better security and control. As many as 100
domain names can be included in this type of certificate.

Cloudpath Certificate Integration:

Depending on whether an external CA is integrated or the onboard CA is used, Cloudpath
can issue certificates based on the user and the device, or just the device.
Greater control of the revocation process is achieved when both the user and the
device are associated with the certificate. More details on these options will be
discussed later in the course.

A good example would be a passport. It is issued by a trusted authority to
citizens traveling out of their own country. Because it is issued by a trusted
source, other countries can rely on its validity, which is verifiable by contacting the
country that issued it. The example will be compared further to different
aspects of a certificate as we move forward.

Name: Items such as the name, e-mail address, common domain name, and
other details. Additional information can be provided depending on the level of
validation the certificate is created for.
Serial Number: A unique value for the certificate coming from a given CA. The
serial number combined with the issuer name identifies a unique certificate. Serial
numbers can be expected to contain long integers (up to 20 octets). A validity
date will accompany the certificate, which can vary. With Cloudpath issuing client
certificates and using them for validation, greater control is achieved within your
environment, ensuring devices do not “linger” on the network, by setting
reasonable expiration dates on the certificates issued.
Public Key: This public key does not exist as a file, but rather is produced when
a certificate and private key are created.
Signature: This field contains the algorithm identifier for the algorithm used by
the CA to sign the certificate and verify it was issued by them.

Using this information, the certificate can provide proof that the website you
are connecting to is the one intended. Or, depending on the level of verification, it
can also verify that the website you are connecting to belongs to the correct
representing company.

A certificate chain consists of all the certificates needed to certify the user or
device by the end certificate. The chain includes the end certificate, the
certificates of intermediate CAs, and the certificate of a root CA trusted by all
parties in the chain.

The intermediate CA in the chain maintains a certificate issued by the CA one
level above it in the trust chain. The root public or private CA issues a self-signed
certificate.

Cloudpath uses the public cert to verify and secure access to the onboarding site;
however, it manages its client certificates from its internal CA, issuing internal
intermediate certificates to its onboarded users.

Referring back to the passport example: the passport can be verified by the
issuing authority, allowing it to be trusted by other countries. The credibility of the
passport is based on the issuer and not the passport itself.

The public Root CA certificates are built into the client’s browser or OS, and the
browser can refer back to the Root Certificate to validate any certificates
issued by that Certificate Authority.

Generally the intermediate certificate(s) are sent by the server to the client during
its initial connection and SSL/TLS certificate exchange.
If an intermediate certificate is used in the chain of trust and is missing or expired,
then the client will not be able to verify the chain of trust and a security warning
will be displayed.

This chain of trust is established by Cloudpath when issuing certificates to
clients during a device’s onboarding process.

CRL:
As the name implies, it’s a list of certificates revoked by the CA.
Typically updated every 5-14 days.
Clients may have to check through 1000’s of revoked certificates, so it’s inefficient.

OCSP:
Allows the client to check an individual certificate’s validity, so it is very efficient compared to
CRLs.
Used by Cloudpath to check for revoked client certificates.

Again referring back to the passport example: passports can be verified and
revoked by the issuer at any time. Processes are in place that allow for the
identification of revoked passports at the time they are being used, removing the
benefits that it provides to the individual.

Unlike wired networks, where a level of physical access is required, the ability to
intercept signals on WLANs is very easy. Those who wish to do harm do not need
to enter your building; simply parking across the street provides all the access
they need.

There are three main pillars of Wi-Fi security.

Network Validation: traditional network security uses certificates at the server
level. Server validation through the use of publicly trusted root certificate authorities
validates that a network is who it says it is. This is good, as we know where we
are going. However, it still leaves a security gap as to the authentication of
who is coming in. Is the user who they say they are?

Client authentication: is the single greatest differentiator for modern Wi-Fi
security, as it uses certificates to validate down to the combination of an individual
device and user. This is a key differentiator, as the network can mutually
authenticate individual users. Providing granular profiles of users and devices
allows network administrators to define levels of access. This next generation of
Wi-Fi security, in Cloudpath, extends the traditional server-based certificate
model to the endpoint.

Over-the-air encryption: is crucial for persistent security. Mutual authentication
by networks and clients is only as good as our ability to keep that
communication private and secure.

There are three main categories of wireless network security methods: Open,
WPA2-PSK and WPA2-Enterprise.

• Open (unencrypted) hotspots (no device certificate used)
• Wi-Fi Protected Access 2 - Pre-Shared Key, or WPA2-PSK, is encrypted but
password access is shared (no device certificate used)
• Wi-Fi Protected Access 2 Enterprise: 802.1X certificate-based, in WPA2 with EAP-
TLS
Note that WPA2 replaced the old WPA standard, remediating critical
vulnerabilities in the legacy protocol. WPA is no longer used as it is highly
susceptible to being hacked.

Open Wi-Fi networks have their place in an overall Wi-Fi solution, but they
should never be considered secure. The ideal use cases for open Wi-Fi networks
are shopping malls, coffee shops, and other public venues. The reason for this is
that public venues in and of themselves are not considered highly secure. One
does not have a sensitive conversation out in the open.
In Cloudpath an open network is used to allow users access to the network for
their onboarding. This access however is limited using a walled garden, and any
unauthenticated user is redirected to the onboarding portal when they connect.

The positives of open Wi-Fi are ease of access and availability: you just
connect. Some open Wi-Fi networks use captive portals providing limited authentication
via social media or self-disclosure. Captive portals and open SSIDs provide no
security. Additionally, most users find that captive portal sites are an annoyance
and in the way of their productivity.

• Open Wi-Fi networks do not provide client-based authentication, network
authentication, or over-the-air encryption
• No user differentiation or validation of users for access levels: every
connected device is BYOD.

Note: Cloudpath uses open Wi-Fi in concert with walled gardens to begin the
secure onboarding. More on walled gardens in later modules.

WPA2 Pre-Shared Key, or PSK, uses a shared key, or common password for all
users, as the basis for over-the-air encryption. This level of encryption is minimal
and valuable on a small scale, but is only as secure as the length of the PSK
and how narrowly it is distributed.
The challenge with PSK is that the network has no means to validate who an individual
user is. Any client holding the PSK may enter. WPA2-PSK was intended for
home use on a limited number of devices. Unfortunately, we also see it used on
education campuses and corporate visitor wireless networks.

In WPA2-PSK networks, access can be granted by simple word of mouth or
found on a forgotten Post-it note, leaving encrypted endpoints with no individual
authentication.

A change in the pre-shared key de-authorizes all users from the wireless network.
This is a network management nightmare for help desks, as they are caught in an
endless cycle of handing out PSKs over and over again.

There is no inherent value in PSKs for BYOD environments, as devices and users
cannot be separated for the purpose of providing levels of access to the network.
No user differentiation or validation of users for access levels means every
connected device is BYOD.

The most secure WLANs use WPA2-Enterprise and 802.1X. The term
“Enterprise” denotes the use of a RADIUS server. WPA2-Enterprise provides
client authentication, network validation, and over-the-air encryption. This is at
the heart of Cloudpath. For this level of security there are some increased
complexities. WPA2-Enterprise requires the configuration of, or a connection to, a
RADIUS server. This connection is available in Cloudpath both on VM and
Hosted. If the environment does not have a RADIUS server, Cloudpath has one
built in.

Positives and Negatives of WPA2-Enterprise

+ WPA2-Enterprise can apply multiple policies on a single SSID
- Many gaming consoles do not currently support WPA2-Enterprise;
Cloudpath can support gaming consoles via MAC and PSK authentication
The security and policy characteristics of WPA2-Enterprise are the core of robust
BYOD environments, as they allow administrators to set policy at the individual
user profile level. Equally, in higher education WPA2-Enterprise is the framework
for eduroam.

Eduroam (education roaming), pronounced “eju-roam”, is a secure wireless
access authentication method built on WPA2-Enterprise 802.1X. Eduroam
allows students, researchers and staff from participating institutions to obtain
Internet connectivity across campuses and when visiting other participating
institutions.

Certificates are the gold standard in security, not just for Wi-Fi but for numerous
technologies. Certificates have been used in Windows, Unix, and server domains
for years.

In wireless, certificates overcome the inherent problems of open, pre-shared-key,
and password-based Wi-Fi. In EAP-TLS both network and client authentication are
required.

WPA2-Enterprise using EAP-TLS is the highest standard of WLAN security.

To achieve this level of security, a secure wireless environment needs:

PKI infrastructure to issue certificates.
An onboarding portal to distribute certificates.
Systems to track users+devices and the policies associated with certificates.
These tools and more are found in Cloudpath.

Because Cloudpath contains a web server:

A client uses the web server portal BEFORE being configured by the
deployment wizard; thus a trusted CA server certificate chain must be
installed on the client before enrollment.
If the web server certificate is not issued by a trusted public or private CA
(i.e. one pre-installed in the client), a certificate warning will be issued by the
browser.

ES also contains a RADIUS server:

The client associates to the secure SSID *AFTER* being configured by the
deployment wizard; thus a RADIUS server certificate issued by a CA must be
installed on the client before the client associates to the secure SSID.
The RADIUS server certificate may be from a public or private CA because
the wizard will install it on the client if necessary.
Do NOT use a wildcard certificate for RADIUS. Some clients, like Windows,
will not persist trust. The client can be configured to allow *.corporate.com,
but the actual server certificate must have a name like
radius.corporate.com.

ES deploys client certificates:
Cloudpath ES client certificates contain an embedded policy derived from
the respective certificate templates for that class of user or device. The
policy controls certificate validity and expiration, user VLAN ID, rate limits
and other items based on RADIUS attributes, re-authentication period, etc.

ES can deploy web browser certificates that need to be trusted:
If clients need to have additional Root or Intermediate CA certificates
loaded during provisioning, this can be accomplished using the “Trust”
settings in Device Configurations.
Examples are private CAs or re-signed Man-in-the-Middle (MitM) SSL
proxy certificates.

1. When a previously onboarded client (certificate issued) attempts to connect to
its associated SSID, the AP (or controller) initiates authentication of the device.
2. The RADIUS server provides its certificate to the client to verify its identity.
3. The client presents its certificate (issued by CP) to the RADIUS server for
authentication.
4. The RADIUS server verifies the certificate is still valid by looking at its status
and consulting the CA using OCSP (Online Certificate Status Protocol) to verify it
is still active.
5. If the certificate is still valid, the RADIUS server verifies the credentials and approves
the connection. (As the RADIUS server responds to the authorization request it can
forward attributes to the controller such as the VLAN or even an access list (ACL)
assignment.)
6. Once connected, the client receives its IP address, is bound to the
VLAN and ACL (if assigned), and is now authorized to access network resources.
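Step 2 is where the chain-of-trust and wildcard rules from the previous pages apply. The following Go program is an added example (not Cloudpath code or the course's own material): it builds a constructed private root CA, intermediate CA and RADIUS server certificate, then shows the supplicant's step-2 check passing when the intermediate is presented, failing when the intermediate is missing (the "security warning" case), and flagging a wildcard name on a RADIUS server certificate before it is deployed. The CA names are hypothetical; radius.corporate.com is the name used earlier in this module.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue generates a fresh P-256 key and signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // root CA: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate is a CA certificate valid for one day; the CA names used below are constructed for this example.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI issues private root -> intermediate -> RADIUS server certificate for serverName.
func BuildPKI(serverName string) (root, inter, server *x509.Certificate) {
	root, rootKey := issue(caTemplate(1, "Corporate Private Root CA"), nil, nil)
	inter, interKey := issue(caTemplate(2, "Corporate Issuing CA"), root, rootKey)
	server, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, server
}

// VerifyServerCert is the supplicant-side check of step 2: chain the presented server certificate
// through the intermediates the server sent to a root the client already trusts, and confirm that
// the certificate names the RADIUS server the client was configured to expect.
func VerifyServerCert(server *x509.Certificate, sent []*x509.Certificate, trustedRoot *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{
		DNSName:       expectedName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// WildcardNames lists wildcard DNS SANs on a certificate; a RADIUS server certificate should have none.
func WildcardNames(c *x509.Certificate) []string {
	var out []string
	for _, n := range c.DNSNames {
		if strings.HasPrefix(n, "*.") {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	root, inter, server := BuildPKI("radius.corporate.com")
	fmt.Println("intermediate sent:   ", VerifyServerCert(server, []*x509.Certificate{inter}, root, "radius.corporate.com"))
	fmt.Println("intermediate missing:", VerifyServerCert(server, nil, root, "radius.corporate.com"))
}
```

A deployment check can run WildcardNames over the RADIUS server certificate and reject any result, which catches the *.corporate.com case before a supplicant refuses to persist trust.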

RADIUS Accounting can also be configured, allowing for the monitoring of
connect/disconnect events and bytes used. If configured, the access point will send out a
RADIUS accounting packet.
Customers are commonly confused in thinking that RADIUS accounting originates
from the RADIUS server, but it actually originates from the wireless infrastructure.

1. A server should have a certificate installed for each secure service. True or
False? (Answer: True)
2. Onboarded clients are authenticated when connecting to the network using
________________? (Answer: Cloudpath issued certificates)
3. Certificates are confirmed to be still valid using ______________?
(Answer: Online Certificate Status Protocol (OCSP))
4. Cloudpath uses the ____________ secure Wi-Fi method, deploying
____________ for encryption? (Answer: WPA2 Enterprise using EAP-TLS for
encryption)

Cloudpath Admin 200 Cloudpath Installation

Cloudpath can be deployed on a physical on-premise server (bare metal), in a
hypervisor environment, or in a cloud-hosted (multi-tenant) environment.
In this module we define the specifications for deploying Cloudpath as a
virtual appliance, how to download and deploy the package, and the initial
configuration and account setup.

VM disk format:
Use thick provisioning for a production environment. With thick provisioning,
the total space required for the virtual disk is allocated during creation.
Use thin provisioning for testing, or if disk space is an issue. A thin-provisioned
disk uses only as much datastore space as the disk initially needs. If the thin disk
needs more space later, it can grow to the maximum capacity allocated to it.

Note: Cloudpath supports Hyper-V versions 2012 and later. This includes Hyper-V
Server, Windows Server and Client Hyper-V for Windows 10.


Note: Open Virtualization Appliance (OVA) is an open virtualization file format.
It is the container for the virtual machine.

What you will need:

• OVA file for the Cloudpath virtual appliance
• FQDN hostname of the virtual appliance
• (Optional) list of IP addresses allowed administrative access
• Service account security credentials
• IP address, subnet mask, and gateway for the virtual appliance (not required if
using DHCP)
• IP address of the DNS server (not required if using DHCP)

Cloudpath Account Setup:

• URL for the VM server where Cloudpath is deployed
• URL for the Cloudpath Licensing Server
• Login credentials for the Cloudpath Licensing Server
• Web certificate for the Cloudpath virtual appliance (public-signed)


Cloudpath supports the following browsers and operating systems.

Supported Browsers
• Internet Explorer 6.0 and later
• Firefox 1.5 and later
• Safari 2.0 and later
• Chrome 3.0 and later

Supported Operating Systems
• Windows XP SP2 and later
• Mac OS X 10.7 and later
• Apple iOS 6.0 and later
• Ubuntu 12.04 and later
• Fedora 18 and later
• Android 4.0.3 and later
• Windows Phone 8.1
• Chromium, all Google-supported versions


The OVA file can be retrieved either with an activation code, received by email, or
from the licensing server.
From the hyperlink in the activation email you can navigate to the Cloudpath
licensing server, enter the activation code, and retrieve the OVA file. Note: if you
have retrieved the OVA file before, select "Already have credentials for the Cloudpath
license server?" and log in with your email address and password.

The Cloudpath licensing server can be found at https://xpc.cloudpath.net, where you
can download OVAs for physical server or VM deployments.


Log into the Cloudpath licensing server with the credentials from your activation
email, or go to https://xpc.cloudpath.net

From the license server you can download the OVA, manage accounts, and
licenses. There is also a link to the current release notes. It is best practice to
read the release notes prior to downloading the OVA.

After downloading the OVA we can begin mounting the image.


Console Deployment
• 12 steps to complete, then reboot
• Steps can be found in the ES Template Information
Default service account: cpn_service

Notes:
• The service account is not available if SSH access is not permitted.
• The shell user is only available during the initial system configuration. After the
initial boot, you must use the service password to access the system.


1. Launch Setup (previous slide).
2. Press Enter to begin the console installation.
3. Accept the licensing agreement (y).
4. Enter the local time zone. Note: enter a question mark (?) to see all available
time zones and formats. The CLI is case sensitive; enter the time zone exactly as it
appears in the CLI. Example: PST8PDT is Pacific Standard Time, 8 hours behind UTC,
with Pacific Daylight Time (daylight savings).
5. Enter the Fully Qualified Domain Name (FQDN) for the host. The FQDN will also be
used in the URL and the wildcard SSL web certificate. Example:
cloudpath.ruckustraining.net. This name will be used in the DNS A record.
6. Enable HTTPS by selecting y. This invokes the certificate signing request, to be
signed by a root CA later in the installation. It is best practice to have this
certificate signed by an external certificate authority rather than an internal CA, as
guests accessing the WLAN may not trust the company's internal certificate store.
7. Best practice is to enter y for a static IP, then Enter to move to the next screen.
8. Under IP the admin is prompted to enter the static IP address, subnet mask,
default gateway, and DNS server IP found in the Cloudpath Pre-Deployment
Checklist.
9. Enter y to enable SSH access to the server on port 8022.
10. Enter and re-enter the CLI password for the cpn_service master account. This is
the only time the administrator is able to enter this password. If this password is
mistyped or lost, the VM must be reset, as there is no way to retrieve the password.
11. NTP settings: use the default; enter no if the network does not have its own
NTP server.
12. Press Enter to reboot the server.


Use the following commands to explore the Cloudpath lab VM via the Linux command
line:

• Console – takes you to the CPN_Service VM view
• Show config – shows the IP, netmask, and broadcast information, MAC
address and any RX & TX packets
• Ifconfig – shows DHCP, DNS, SSH ports
• Ping – followed by an IP address or FQDN, launches a continuous ping from the VM
(Ctrl+C stops it). Example: ping xpc.cloudpath.net to test the connection
to the ES license server


If you are setting up a Cloudpath account for the first time, you will be sent an
activation code in the activation email.

When browsing to the Cloudpath VM IP address via HTTPS for the first time, the
user will see a certificate error. The error will be resolved on future access after
installing the VM certificate. For initial access, bypass the certificate error by
adding an exception in the browser.
Enter the Cloudpath Activation Code from the activation email.

If you already have a Cloudpath License Server account, use that account to
activate the new Cloudpath ES VM.

Note: the format for browsing to the VM is https://xxx.xxx.xxx.xxx/admin/. If you
do not use the /admin/ path, the browser will return an "enable Cookies" error.


Company information is required when selecting "Standard Server" during the
setup wizard. There are required fields, and you must use the exact information
for certain fields. The data entered in these fields becomes embedded within
the ES onboard Root CA. All certificate templates and subsequent certificates
issued will be stamped with this embedded company information.

Standard Server (always used for the first ES deployment)
• Default installation type; requires basic information

Add-On Server for cluster
• The cluster must be set up from the master ES to add a server to an existing ES
cluster

Replacement Server for Existing Server
• This imports data from an existing server to this ES server


Company Information Screen
• Company Information text is free form
Note: The Legal Company Name listed in this field will be used in the
creation of certificate signing requests (CSR) and subsequent certificates.

Company Web Presence
• Web Presence text is free form
Note: The Company Domain listed in this field will be used in the creation of
certificate signing requests (CSR) and subsequent certificates.


The following screen, "WWW Certificate for HTTPS", prompts you to:
Generate a Certificate Signing Request – (Recommended) create a CSR to
be signed by a certificate authority.
Upload a WWW Certificate – select this option if you already have a WWW
certificate.
Skip for now – not recommended, as users will receive a certificate error or 404
error when onboarding a device.

The system is configured to use HTTPS, but does not yet have a valid
WWW server certificate. An invalid WWW server certificate can impact end-user
enrollments, causing 404 errors due to a lack of trust.

The certificate should be installed prior to attempting to enroll an end-user.

The Cloudpath ES supports web server certificates in P12 format, password-protected
P12, or you can upload the individual certificate components: the public
certificate, the chain, and the private key or password-protected private key.


Generate a Certificate Signing Request. This certificate will be used in the lab for
this module.


• The Host Name, Organization Name, and Domain Name will be embedded in
the Certificate Signing Request (CSR).
• Select Next to create the CSR.
• Note: Every CSR, even from the same server and VM, is uniquely coded to a
machine per version.


When the signed CSR is uploaded:

• The certificate chain of trust is used to secure client access to the WLAN.

Browse to the CA-signed certificate(s), download them, and select Next.

P12 Upload (Public-Key Cryptography Standards #12)
• A P12 file is a format for storing the server certificate, any intermediate
certificates, and the private key in a single encryptable file.
• P12 files are an all-in-one certificate file format.
• P12 files can be password protected.

Or PEM Upload (Privacy Enhanced Mail). This is the public certificate for the ES
server.
• A PEM file is a container format that includes just the public certificate.
• A chain PEM may only contain the signed certificates but not the private key.
Root certificates may or may not be included and may need to be obtained
separately.
• Additional Chain (optional) contains the remaining certificates in the chain of
trust up to the Root CA.
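Knowing what a PEM bundle actually contains before choosing between the P12 and PEM upload options avoids a failed upload. The following Python is an added example (not Cloudpath's own code): it classifies each PEM block, confirms the body decodes to DER, and reports whether the file is chain-only (certificates, no key), certificate-plus-key, or unusable. The sample PEM text is constructed from placeholder DER bytes and is not a real certificate or key.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List

# One PEM block: label, base64 body, matching END label. DOTALL so the body may span lines.
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S)

@dataclass
class PemSummary:
    certificates: int = 0
    private_keys: int = 0
    encrypted_private_keys: int = 0
    other_labels: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def upload_kind(self) -> str:
        """Which upload option the bundle can satisfy."""
        if self.errors:
            return "invalid"
        if self.certificates == 0:
            return "no-certificate"
        if self.private_keys or self.encrypted_private_keys:
            return "certificate-and-key"
        return "chain-only"   # PEM / Additional Chain upload: public certificates, no key

def inspect_pem(text: str) -> PemSummary:
    """Classify every PEM block and check that its body decodes to DER: every
    X.509 certificate and PKCS#8 key begins with an ASN.1 SEQUENCE tag (0x30)."""
    summary = PemSummary()
    blocks = 0
    for m in PEM_BLOCK.finditer(text):
        blocks += 1
        label = m.group("label")
        try:
            der = base64.b64decode(re.sub(r"\s+", "", m.group("body")), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            summary.errors.append("%s: body is not valid base64" % label)
            continue
        if not der or der[0] != 0x30:
            summary.errors.append("%s: body does not decode to an ASN.1 SEQUENCE" % label)
        elif label == "CERTIFICATE":
            summary.certificates += 1
        elif label == "ENCRYPTED PRIVATE KEY":
            summary.encrypted_private_keys += 1
        elif label.endswith("PRIVATE KEY"):   # "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"
            summary.private_keys += 1
        else:
            summary.other_labels.append(label)
    if blocks == 0:
        summary.errors.append("no PEM blocks found")
    return summary

def _fake_block(label: str, payload: bytes) -> str:
    """Wrap bytes in PEM armor with 64-character lines (constructed test data only)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

# Constructed placeholders: a DER SEQUENCE header plus filler, NOT real certificates or keys.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
CHAIN_ONLY_PEM = _fake_block("CERTIFICATE", FAKE_DER) * 2                          # leaf + intermediate
FULL_BUNDLE_PEM = CHAIN_ONLY_PEM + _fake_block("ENCRYPTED PRIVATE KEY", FAKE_DER)  # certs plus key
BAD_PEM = "-----BEGIN CERTIFICATE-----\nnot*base64!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, pem in (("chain", CHAIN_ONLY_PEM), ("bundle", FULL_BUNDLE_PEM), ("bad", BAD_PEM)):
        print(name, inspect_pem(pem).upload_kind)
```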


The final step of setting up the Cloudpath ES is to select the first workflow
template. A workflow is a customizable enrollment process that provides more
control over who is granted network access and how they should be provisioned.
It is similar to toy building blocks that snap together, or a logical flow chart.

The initial workflow can be used as a template, or you can simply add a device
configuration and use it immediately. The options are:

• BYOD Users & SMS-based Guests
• BYOD Users Only
• Start with a Blank Canvas (to create your own workflow, select Start with Blank
Canvas)

Workflows will be discussed in later modules.

After selecting the workflow template, the Cloudpath ES will do an initial check of
the VM installation.

1. What are the 2 types of on-premise deployments? (Answer: Bare Metal &
Virtual Appliance)

2. The first instance of Cloudpath should be deployed as a _____________
server. (Answer: Standard Server)

3. What 2 pieces of information are pulled from the configuration information into
the Certificate Signing Request? (Answer: Legal Company Name & Company
Domain)

Cloudpath Admin 200 Cloudpath Components and Concepts

In this unit we discuss the administrative components that make up the ES
GUI. The main concepts and terms will also be reviewed.

The "Dashboard" contains the operational status of your Cloudpath platform:

• Welcome – General overview of the Cloudpath ES
• Connections – Reports on devices onboarded to the ES by: Status,
IP Address, MAC Address, Username, SSID, and Duration
• Enrollments – Views the ES enrollment information for associated users,
devices and certificates. The information can be viewed over periods from
30 minutes to hours, days, weeks, years or all.
• Users & Devices – Review data on device types, MAC registrations and
users
• Certificates – Analyse active, revoked, expired or all certificates, including
trends
• DHCP Fingerprints – (New in Cloudpath 5.1) Discovers information about the
devices on your network and displays them in a dashboard view
• Notifications – View the emails and SMS messages sent by the ES. Review
system event logs. Create or review scheduled reports.
• Event Response – This page supports bulk blocking of Enrollments, Certificates,
or Users by batch Excel (.xls, .xlsx, or .csv) spreadsheet.

DHCP Fingerprints can identify IoT devices with no direct interface (AKA
headless devices), i.e. cameras, door locks, smart home hubs that do not
support the download of a certificate or 802.1X.

DHCP Fingerprinting in Cloudpath provides useful information about devices to be
enrolled. The dashboard contains device enrollment details on:
• Device Name and Type
• Hostname
• IP Address
• MAC Address
• OS Version
• Timestamp

This feature is only available for locally deployed (on-premise) systems in
5.1, as hosted Cloudpath cannot currently match the information in the DHCP
packet exchange to a specific account on a hosted system. DHCP Fingerprinting
requires enabling the IP Helper on your router.

DHCP Fingerprinting can be configured for IPv4 and/or IPv6 under
Administration > System Services > DHCP Fingerprinting
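The fields the dashboard lists come straight out of the DHCP packet the IP helper relays: hostname (option 12), requested address (option 50), vendor class (option 60), the client MAC from the BOOTP header, and an OS guess keyed on the order of options the client asks for in option 55. The following Python is an added example (not Cloudpath's implementation) that parses such a packet and matches it against a small fingerprint table; both the packet bytes and the fingerprint rows are constructed for illustration, and real fingerprint databases are far larger.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME = 12
OPT_REQUESTED_IP = 50
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}

# Constructed fingerprint table: option 55 parameter request list -> label.
# Real databases hold thousands of entries; these three rows are illustrative only.
FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows 10 (constructed sample)",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macOS (constructed sample)",
    (1, 3, 6, 12, 15, 28, 42): "Embedded Linux IP camera (constructed sample)",
}

@dataclass
class DhcpFingerprint:
    message_type: str
    client_mac: str
    hostname: Optional[str]
    requested_ip: Optional[str]
    vendor_class: Optional[str]
    param_request_list: Tuple[int, ...]
    os_guess: str

def parse_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area that follows the magic cookie. Stops at END,
    skips PAD, and refuses an option whose length runs past the buffer."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def fingerprint(packet: bytes) -> DhcpFingerprint:
    """Extract the dashboard fields from a raw BOOTP/DHCP payload (the UDP body
    the IP helper relays to the server)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (too short or bad magic cookie)")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]
    opts = parse_options(packet[240:])
    prl = tuple(opts.get(OPT_PARAM_REQUEST_LIST, b""))
    mtype = opts.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    req_ip = opts.get(OPT_REQUESTED_IP)
    text = lambda code: opts[code].decode("ascii", "replace") if code in opts else None
    return DhcpFingerprint(
        message_type=MESSAGE_TYPES.get(mtype, "UNKNOWN(%d)" % mtype),
        client_mac=":".join("%02x" % b for b in chaddr),
        hostname=text(OPT_HOSTNAME),
        requested_ip=".".join(str(b) for b in req_ip) if req_ip and len(req_ip) == 4 else None,
        vendor_class=text(OPT_VENDOR_CLASS),
        param_request_list=prl,
        os_guess=FINGERPRINTS.get(prl, "unknown"),
    )

def build_sample_request(mac: bytes, hostname: bytes, prl: bytes, vendor: bytes) -> bytes:
    """Construct a minimal DHCP REQUEST payload for testing (not captured traffic)."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid, secs, flags=broadcast, 4 zero addresses
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac + b"\0" * (16 - len(mac))
    sname_and_file = b"\0" * (64 + 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, 3])
               + bytes([OPT_REQUESTED_IP, 4, 10, 20, 30, 77])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor
               + bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + prl
               + bytes([OPT_END]))
    return header + chaddr + sname_and_file + DHCP_MAGIC + options

# Constructed sample: a headless camera requesting an address through the relay.
CAMERA_REQUEST = build_sample_request(
    mac=bytes.fromhex("001122aabbcc"),
    hostname=b"lobby-cam-01",
    prl=bytes([1, 3, 6, 12, 15, 28, 42]),
    vendor=b"udhcp 1.30.1",
)

if __name__ == "__main__":
    print(fingerprint(CAMERA_REQUEST))
```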

The Configuration > Workflow tab contains sub-sections regarding workflows,
deployment settings and the look and feel of Cloudpath. This is the tab where
administrators will spend most of their time. Let's look deeper at workflow, device
configurations, the RADIUS server, and the authentication server.

• Workflow – This is where you define the onboarding journey. These
are processes or sequences of steps a device and user are required to follow to
gain access to the network. These steps may include splits for employees,
visitors, or contractors. Each split is a separate journey with
individual requirements for users and devices.

The Device Configuration tab contains sub-sections to place onboarding
requirements or limitations by:

• Limited internal access by network
• Trust CA requirements
• NAC and MDM settings by device operating system version and configuration

The Configuration Status page for RADIUS contains: Server Status, Server
Settings, Certificate, and Logs.
Change of Authorization (CoA) – (New in Cloudpath 5.0) When an administrator
makes policy changes to an active wireless environment, CoA is used to
re-authenticate or disconnect live/active clients based on the new policy
requirements.
Example: if an emergency security risk is identified, CoA can enforce the policy
change by forcing re-enrollment and remediation of active devices.
The Configuration > RADIUS Server tab also contains the tabs to configure:
• Status – addressed above
• Policies – Contain certificate policies. Examples of these are: IT asset
policies, guest policy, 30-day certificate policy, six-month contract policy,
etc.
• Clients – used for RADIUS client systems, WLAN controller or switch
configuration
• Eduroam – allows students, researchers, and staff from participating
institutions to obtain Internet connectivity across campus and when visiting
other participating institutions
• Attributes – list of RADIUS attributes used in the onboard RADIUS server for
transactions and logging
• External – Certificate migration tool to use an external RADIUS server
• Open Access – grants temporary, timed Internet access to get
vouchers, perform remediation, or prior to requiring 3rd-party paid access
• Accounting – Storage of RADIUS accounting information

Authentication Servers hook into 3rd-party authentication services. For example,
the Active Directory or LDAP services for the network will have no record with which
to authenticate a person visiting your campus. An authentication service allows a
person to be validated by a source external to the network.

Authentication Server – used to connect Cloudpath to, and enable end-users to
authenticate using:

• 3rd-party OAuth services, i.e. LinkedIn or Google
• LDAP
• Active Directory
• SAML 2.0 IdP Identity Providers for Single Sign-On (SSO) (New in Cloudpath 5.1)

• Firewall & Web Filtering – Integrating with 3rd-party firewall & web filter
vendors

• MAC Registrations – To create MAC registration requirements called upon
by a workflow

• API Keys – Integration of REST APIs to 3rd-party systems. Refer to the
API support document found in ES Support


The Sponsorship tab contains sub-sections to manage vouchers and voucher
lists, and customize the look & feel of the sponsorship portal:

• Vouchers – Enables the creation and management of one-time-use codes to
verify a user and/or device during enrollment.

• Define sponsors and roles

• Look & Feel – Page provides settings to customize the graphics, images,
look and feel of the sponsorship portal.


The Certificate Authority tab contains sub-sections to manually generate
certificates, view certificate details, revoke certificates, manage the characteristics
of certificates to be issued, and manage certificate authorities:

• Managed Templates – Where policies are defined via certificate templates.
The policy controls certificate validity and expiration, user VLAN ID, rate
limits and other items based on RADIUS attributes, and the re-authentication period

• Generate Certificate – Manually generate a certificate

• Issued Certificates – Displays issued certificates and the ability to revoke
certificates

• Manage CA – The location to generate a new Root CA (by generating new
keys), or upload an existing Root CA or Intermediate CA


The Administration tab contains sub-sections to manage administrator
accounts, system services, diagnostics and logs, and system updates:

• Administrators – lists system administrator accounts and privileges
• Company Information – Company name, URL, address, contact information,
etc.
• Warning: if this information is changed it will impact certificates that
have already been issued
• System Services – Web Server, Network, SSH, Support Tunnel, Email,
SMS etc.
• System Updates – contains the current software version and OVA version
updates
• Replication – replicates the virtual machine for VM clustering and load
balancing
• Data Clean-up – contains policies for data and event logs aging out of the
system
• Firewall Requirements – governs firewalled traffic inbound and outbound
from Cloudpath to 3rd-party services
• Note: There are additional documents for specific firewall integrations


Support documentation is found on any screen by selecting the "?" in the upper
right of the screen.

This contains sub-sections providing access to the Quick Start Guide and several
Setup Guides to help with common configurations, along with licensing
information:

• Documentation – Documents related to setup and configuration of the
system.

• Licensing – View information related to system licensing such as License
Type and License Server URL.

• Upload Support File – Allows the customer to upload a support file to the ES.
This file makes changes to the ES, so it is advised to create a VM snapshot
first.


https://support.ruckuswireless.com/product_families/6-cloudpath-es-security


1. DHCP Fingerprinting provides information on _________? (Answer: Headless
devices that do not support certificates or 802.1X)

2. What is a Workflow? (Answer: A Workflow is where you define the
onboarding journey.)

3. Managed Templates is where _________. (Answer: policies are defined via
certificate templates)

4. What 2 functions are under the Sponsorship tab? (Answers: Vouchers and
Look & Feel)

Cloudpath Admin 200 Basic Workflow

To understand the purpose and benefit of Cloudpath, reflect on your current
process of onboarding. Often this is a manual process requiring IT resources, or
even raising logistical concerns. If users could be verified and have configurations
applied to their device depending on their relationship with the company, it would
greatly reduce the overhead for IT resources and for the end user as well. Cloudpath
allows users to onboard their devices in a self-service manner on or off-site and
ensures they are authorized for the type of access they are trying to achieve.
The Workflow is the engine that provides a process for users to enroll while
removing the manual process used in many environments today. Users use the
workflow to onboard their device and ultimately connect to a secured network.
First, each new user/device connects either to an open hotspot or an 802.1X-
controlled port, which directs them to the workflow.
Redirection connects the user to Cloudpath, which guides them through an
enrollment process. This 'process' is made up of different plug-ins, each of which
provides a unique function within the onboarding session.
Once the user is authenticated, the onboarding process supplies the device with a
configuration profile and certificate allowing it to migrate to the secured WLAN or
trusted port.

Customizable: Provides the ability to conform to your network policies and the
onboarding options you would like to provide to your users.
Flow: Building blocks can be placed in an order (similar to a flow chart) providing
the steps you prefer for your environment strategy. This could include the display of
information (acceptable use policy), authentication types such as directories,
sponsorship/voucher or 3rd-party options, policy enforcement (Network Access
Control/Mobile Device Management) along with applying access policies
(user/guest/contractor).
Sequence: Each onboarding flow (workflow) is up to you, with multiple options
(plug-ins) creating the branching sequence of steps depending on the user's choices.
3rd parties or guests would follow a different branch within the workflow providing
different steps compared to an employee or company-managed device.
Onboarding: The goal is to migrate users to the secure network, but only after the
user (or device) has successfully met your requirements for the unique path they
have chosen. A user's unique path can cause specific policies to be applied to the
connection or device. This can include NAC/MDM enforcement along with VLAN
and ACL assignments.

Admins can plug in whatever functions they want, anywhere within the workflow. Each
plug-in performs a certain function, allowing it to replace a manual onboarding
process. What is currently done to onboard a device by an IT resource can now
be automated using the plug-ins that perform the same task. If the first step is to
verify the user, Cloudpath has plug-ins that can authenticate the user using
many different methods. Need the user to authenticate to your AD server? Then
use the Auth Traditional Server plug-in, requiring users to enter their credentials,
which will be verified by the AD server. Not all users are the same, however. If you
want to automate guests within your environment, they would not typically
have AD credentials. Cloudpath provides the splitting of users to allow for different
authentication types. This allows you to accommodate all users needing
access to your network.

Display an Acceptable Use Policy
This is typically used for network policies or end-user license agreements
(EULAs).

Authenticate to a Traditional Authentication Server
Authenticate users to a local server using Active Directory, LDAP (or LDAPS),
or through a RADIUS server using PAP.

Ask the User About Concurrent Certificates
The cleanup plug-in provides a method for allowing users to maintain the number of
certificates registered to their devices.

Authenticate Using a Voucher From a Sponsor
The user is provided with a one-time password (OTP) voucher for self-service
registration and is prompted for this password during the enrollment process.

Authenticate to a Third-Party
Cloudpath ES supports third-party integration using Facebook, LinkedIn, Google,
or you can specify a custom OAuth 2.0 server. The social media provider supplies
additional identity information during the onboarding process to deliver
automated, self-service access to the WPA2-Enterprise wireless network.

Split Users Into Different Workflow Branches
Creates a branch or fork in the enrollment process, either visually by having the user
make a selection or automatically based on criteria associated with each option.

Perform Out-of-Band Verification Using Email or SMS
Allows the user to enter an email address or phone number and have the
verification code, or one-time password, sent to them. You can create a new
voucher list specifically for out-of-band verification or use an existing list.

Request Access From a Sponsor
Prompts the user for a sponsor's email address and then notifies the sponsor.

Register a Device for MAC-Based Authentication
Registers the MAC address of the device for MAC authentication by RADIUS.
The MAC address is captured and the device is permitted access for a
configurable period of time. Used:
• To authenticate the device on the current SSID through the WLAN captive
portal.
• To register a device, such as a gaming device, for a PSK-based SSID.

Display a Message To Users
Welcome partners or guest users to your network and provide links for where to
get additional information.

Redirect Users to an External URL
May be used to authenticate the user to the captive portal of the onboarding
SSID.

Prompt User For Information
User data can be used for informational purposes or for configuration purposes,
such as personalizing certificates.

Authenticate Using a Shared Passphrase
Prompts the user for a shared passphrase and verifies that it is correct. A shared
passphrase is useful for controlling access to an enrollment process separate
from, or in addition to, user credentials.

Generate a Ruckus DPSK
Generates a Dynamic Pre-Shared Key (DPSK) through a Ruckus WLAN
controller. This allows, for example, a gaming system to be registered and issued
a unique PSK.

Send a Notification
Generates a notification about the enrollment. Notification types include email,
SMS, REST API, syslog and more. This step is invisible to the end-user.

Ask the User to Name Their Device
Prompts the user to provide a name for the device, with the option to reuse or
delete previously enrolled devices. This may suggest that old devices be removed
or may limit the maximum number of concurrent devices.


You can use just these plug-ins to create the flow for your employees. Using
these plug-ins you allow them to:
1. Agree to the Acceptable Use Policy
2. Choose whether they are an employee or possibly a visitor
3. Authenticate using an AD or RADIUS server
4. Provide additional information such as the asset tag of the device they are
onboarding
5. Check whether this replaces an old device, and de-activate the old certificate
6. The device receives its configuration and certificate and can move to its
designated SSID

Use different plug-ins to create the flow for your guests. Using these plug-ins you
allow them to:
1. Agree to the Acceptable Use Policy
2. Choose that they are a visitor instead of an employee
3. Use Facebook, LinkedIn or Google+ to allow the gathering of
information about the user
4. Provide additional information such as the purpose of their visit
5. The device receives its configuration and certificate and can move to the secure
guest SSID

User Selection: A split plug-in within a workflow can provide options such as
visitor/employee which can be selected, taking the user through a different process
than the other selectable options.

Filtering: Advanced workflow options provide the ability to filter based on user
(position/relationship to the organization) or device type, so that, for example, an
Android device can be presented a different enrollment sequence than a Windows
device. This filtering can occur automatically based on criteria associated with each
option.

Nesting: Branches can be nested under other branches, further accommodating
different user types and authentication options. Further branch splits can provide
differing policies such as access to different networks (internal/external/internet
only) and/or client certificates with varying validity periods.
There is virtually no limit to the number of splits or branches a workflow can
contain. The graphic shows a workflow branch dividing between Employees and
Visitors; each branch in the workflow specifies a different authentication
method and possibly assigns different certificates based on the onboarding branch
followed.


Splits or branches within a workflow provide paths based on user types, device
types or both. The purpose of the branches is ultimately to apply unique policies
to the device according to the admin's requirements. Each branch usually includes
different authentication methods and unique or additional steps to verify the user,
assuring that the config and cert they are about to receive should be applied to
them. A visitor's policy will be vastly different from an employee's, as will their
devices'. These differences include duration of access and types of access such as
specific SSIDs, VLANs or ACL binding. Because the user selected the path you
created that best matches their position or device type, you can be assured the
correct configuration and certificate is applied to the device.

Device configuration assignments along with certificate issuance are the results of
each branch. You select the configuration that should be applied to the device,
such as which SSIDs you want it to connect to, whether you want to allow the
device to use a wired connection (802.1X port), or how long you want the device
to be able to connect before onboarding again. Each option can be applied to the
end of every branch, customizing how that device will be identified and configured.

Module 4 slide 5 provides a list of supported OSes.

Because the devices are correctly identified by the authentication within a
workflow, the correct configuration and access is automated, replacing the manual
process that many organizations have in place today.

A device configuration provides the adjustable parameters to be applied to a
device that has successfully completed a workflow branch. These configurations
identify the SSID it is to connect to along with its credential settings, and can also
perform NAC and MDM enforcement. Conflicting SSIDs, such as the hotspot the
user used to onboard, can be identified to ensure devices attempt to connect to the
correct SSID and do not attempt to return to the hotspot. Device configuration
profiles can also be associated with specific certificate templates, identifying which
certificates should be installed along with their specific parameters. Unique device
configuration profiles can be configured, providing specific handling of devices
depending on the branch they followed.

Note: If the device configuration is wired only, there are no SSID or conflicting
SSID configuration details.

Example: A guest's device configuration profile might identify a guest-only SSID
along with a certificate template that limits the access duration. An employee's
configuration profile, however, might associate the device with an SSID that
provides access to all organization portals, along with a certificate that expires
after a year.

Each can be customized to control the onboarded devices after they have been
identified by their onboarding workflow path.

Certificate templates can be created uniquely for each branch of the workflow;
however, most are created to differentiate between the types of users or devices.
The CA uses the template to identify the parameters for certificates. Certificate
templates include the start/expiration period, cipher strength and Subject
Alternative Name (SAN) values of a certificate. You can configure a Subject
Alternative Name for each type of user, allowing you to quickly identify the user
type in authentication logs. These names can be set to values such as
username@BYOD.(yourcompanyname) for quick identification. Additional abilities
include Extended Key Usage objects in certificates issued by the certificate
template. Once associated with a branch, any certificates issued on completion of
that branch will have the values described in the certificate template assigned to
that branch.

Certificate maintenance can also be included in the template, with options such as
OCSP Monitoring. This option sets a threshold measured from the last time a
certificate validity request was received; if no request is received within the
configured value, the certificate is automatically revoked.

As a user completes the steps established through the active workflow, a client
certificate is issued by the Cloudpath CA and used as the authentication
credential when connecting to a secured network using WPA2-Enterprise, or
802.1X for wired connections.
Wireless LAN controllers are configured (AAA) to use a RADIUS server for
certificate authentication, which can be an external server, a Network Policy Server
with RADIUS services, or the onboard RADIUS server within Cloudpath.
Proxy RADIUS support is available, allowing authentication requests from external
RADIUS servers to be answered by the Cloudpath onboard RADIUS server.

RADIUS Accounting: RADIUS Accounting can be configured to provide
start/stop information and byte counts on user connections; this data can be
used for auditing and future network planning.
RADIUS Server VLAN Attributes: When setting up SSIDs in the WLC, you can
use VLANs to apply policies for different groups by including the VLAN in the
RADIUS request as a RADIUS attribute. RADIUS attributes are configured on
the certificate template.
VLAN Tagging: The onboard RADIUS server can assign policy information for
devices by defining VLAN tags in the certificate template.

If Connection Tracking is enabled, you can view RADIUS accounting packets on
the RADIUS server Accounting tab within Cloudpath under Configuration >
Advanced > RADIUS Server.

Onboard CA
The Cloudpath onboard CA can issue a server certificate to the onboard RADIUS
server, and it can issue client certificates. After the client certificate is issued, all
authentications take place using the certificate.

WPA2-Enterprise requires an authentication server for issuing client certificates
for the wireless authentication. Cloudpath provides an onboard RADIUS server,
supports integration with your existing RADIUS server, or integration with a
Microsoft Network Policy Server acting as a RADIUS server.

Enrollment can be done on-prem or off-prem.

External-facing on-prem Cloudpath servers, as well as the cloud-based Cloudpath
versions, allow for off-site enrollments.

Based on the lab workflow, the first page displayed to the user is the acceptable
use policy. The rest of the process is defined by the workflow and could entail
user/device type selection and authentication steps. The enrollment may contain
an option to remove previous registrations or certificates. After authentication and
authorization is granted, the “Network Wizard Loader” or “Cloudpath App” client is
downloaded to the client. The software configures the Wi-Fi settings, installs
certificates and other settings. For Windows, Android, Linux, and Mac OS X
(depending on configuration options), the device is automatically moved to the
secure SSID.
Wired clients follow a similar process, except for the migration to the secured
SSID. The ports that onboarded clients reside on use 802.1X to authenticate the
user and can assign the user to a VLAN along with other ACLs if desired.
The enrollment workflow for Unmanaged Chromebooks follows the same process
as the Windows OS. The user accepts the AUP, logs in with AD credentials and is
presented with the Download page.
The enrollment workflow for Android follows the same process as the other OSes.
The user accepts the AUP, logs in with AD credentials and is presented with the
Download page.
Note: The enrollment workflow for iOS devices follows the same process as the
other OSes. The user accepts the AUP and logs in with AD credentials, but instead
of the download page, as in the other OSes, the user is prompted to install the
network profile.

After the user connects to the open hotspot they are redirected to the captive portal
(Cloudpath) and first presented with a welcome message and an AUP agreement
prompt.
The user is then presented with the split (branching) where Visitors, Employees or
Partners are the options, and selects the Employee option.
The user is prompted for their credentials, which are verified by an Active
Directory server (in this case the server is identified as test AD).
An additional split (branch) offers either Your Device or Company Device.
Important to note: this selection can be performed by a filter, ensuring that the
user does not try to onboard a personal device as an IT-managed asset.
When the asset was assigned it was accompanied by a voucher (one-time
password) providing additional validation; the voucher can be associated with
the MAC of the IT device if chosen, or with membership in a specified AD
group (departmentalized IT assets).
Result: The device receives a configuration policy with details of the Secure
Internal Network it is to connect to, along with a certificate carrying the Client
Certificate Template attributes.
Important to note: Various branches can provide different profiles connecting to
different secure networks depending on your network design/policy. The
certificate template can also have unique values, including active/valid dates
along with VLAN and ACL assignments.

A snapshot activates a workflow and places it into production, making it
publicly accessible through the Cloudpath web server. Each deployment location
represents a URL where its configuration resides.

A snapshot is a “version” of an activated workflow. You can create and maintain
multiple versions of each configuration, although only one snapshot can be active
at a time for each location.

The Cloudpath ES supports multiple locations, allowing for the deployment of
unique workflows for different environments.

Deploy the workflow from the Configuration > Workflow Snapshots tab using the
Publish button or the cloud publish button next to the workflow. It's important to
understand that the publishing and snapshot functions apply only to the workflow
highlighted in blue.

Once published, previous snapshots can be activated (through the Activate button)
if needed. By default up to 5 previous snapshots are stored, but you can
store more if needed.

Rollback options are available, allowing you to revert to a previous snapshot
when needed.
IMPORTANT NOTE: If you revert to a previous snapshot, the options published
up to that time are in production, but this does not change the workflow as
currently designed. Any changes made after the active snapshot will need to be
removed before a new snapshot is created; otherwise they will all become
available once published.

The URL is the result of the publishing process and is used as the landing page
for devices that are attempting to onboard.
The default deployment location is enroll/<network name>/Production, but this
can be modified.

It takes a few minutes to build the deployment package. During this process, all
Cloudpath ES workflow branches are bundled as one configuration, creating the
various flows for users.

When the snapshot is created and activated, expand the appropriate deployment
location to test the network enrollment process.
Snapshots can be renamed and a description can be added to better identify the
snapshot's purpose.

The Cloudpath ES supports multiple locations. For example, a test configuration
might be published to the /test URL, and a production configuration may be
deployed to the /production URL.

Removing/deleting a workflow can be done using the Cleanup option. All details of
the workflow are removed; HOWEVER, any device configurations, certificate
templates, etc. that were created to support the workflow remain.

The workflow view changes when splits are introduced, depending on the current
flow you are looking at. When each option within the split is selected, the options
for those steps can be chosen.

View Tabs:
• Properties tab to enable/disable a configuration, or to modify the configuration
Name and Description.
• Enrollment Process tab to configure the steps presented to a user during the
enrollment process.
• Look & Feel tab to configure the Cloudpath ES skin, and to customize the
logos, colors, buttons, and images for the ES, the Wizard, and the Download page.
• Advanced tab provides the portal URLs, Managed Chromebook Setup and the
Cleanup option, which allows for the deletion of the entire workflow.
Insert Arrows:
• On the top left corner of each step, to insert a new enrollment step.
• Alternately, you can click the blank space between two steps to insert a step.
Edit Step:
• The icons on the right side of each step allow you to edit, modify, delete or
view the enrollment steps. Properties of the step can be configured using the
pencil.

The process of configuring and connecting a device to the secure network
requires the integration of many components of your network. The wireless LAN
controller redirects to the Cloudpath ES. The Cloudpath ES issues a user
certificate based on user store credentials. The client is authenticated by a
RADIUS server, which verifies the certificate. The network Wizard installs the
certificate in the local certificate store and migrates the user to the secure
network.

Existing controllers can be set up to delegate authentication of the onboarding
process to an AAA server, which can be the Cloudpath onboard RADIUS server or
your existing AAA.

AAA Authentication: Edge devices are configured to delegate authentication by
setting up an accessible AAA server. This can be the Cloudpath onboard RADIUS
server or an existing server in the environment. Either way, the controller needs to
be able to authenticate clients based on the certificate credentials they installed
during their onboarding process.
Walled garden: creates a restricted access area, limiting access to only the
Cloudpath server or other required authentication services such as a 3rd-party
authentication site.

AAA Accounting Server: Collection of start/stop information and byte counts is
achieved by setting up the accounting server.
The secure WPA2-Enterprise SSID delegates authentication to the Cloudpath
onboard RADIUS server, the NPS, or an external RADIUS server.
Set up to delegate authentication to the onboard AAA server or your existing AAA.
• If using an existing AAA server, it requires layer 3 access to the Enrollment
System VM to verify certificate status (optional).
• If using Active Directory, you need the AD domain information (plus any
subdomains) and the IP address of the AD server.
Generate a Ruckus DPSK
Generates a Dynamic Pre-shared Key (DPSK) through a Ruckus WLAN
controller. This allows, for example, a gaming system to be registered and issued
a unique PSK.

Create the Onboarding SSID
This is an open SSID providing access to the network which will point the
unauthenticated user to the Cloudpath redirect URL. The Walled Garden will also
be associated with this SSID to limit access.
Create the Secure SSIDs
Depending on your network design, multiple Secure SSIDs can be configured and
associated with certain clients/certificates, allowing for diversification,
additional load balancing or control of onboarded users.

Regardless of whether you are using the onboard or an external RADIUS server,
controllers will need to be configured to allow certificate authentication for users.

The authentication method will be PAP, and the IP address of your Cloudpath
server will be identified. Many controllers require the actual IP address and not a
DNS name.
The port used by the RADIUS server can be the default, which is usually the
case for on-premise deployments; however, as shown, if you are using the cloud
version of Cloudpath your RADIUS port numbers will be different from the default
value. Verify the port numbers to be used in Cloudpath under
Configuration>Advanced>RADIUS Server.
The shared secret provides symmetric protection, with each side encrypting
the PAP communication using this shared secret as the key. Because of this the
key should be protected; it is not displayed by default in Cloudpath, but it
can be obtained using the show secret icon. If it is suspected that the shared
secret has been compromised, a new one can be generated and set as the new
value.
RADIUS Server: A Remote Authentication Dial-In User Service (RADIUS) server
through which users can authenticate.
WPA2-Enterprise requires an authentication server for issuing client certificates
for the wireless authentication. The Cloudpath ES provides an onboard RADIUS
server, supports integration with your existing RADIUS server, or integration with
a Microsoft Network Policy Server acting as a RADIUS server. The default port
number is 1812. The Cloud hosted ES will have a different port number.
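To make concrete what the shared secret does on the wire for a PAP exchange, here is an added Python example written for this guide (it is not Cloudpath's, Ruckus's or any controller's code). It implements the RFC 2865 User-Password hiding (section 5.2) and the Response Authenticator (section 3) that both the controller and the RADIUS server compute from the secret. The secret, Request Authenticator and password values are constructed demo values; a real NAS generates a fresh random 16-octet Request Authenticator for every request.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the PAP password with NULs to a multiple of 16
    octets, then XOR each 16-octet block with MD5(secret + previous block); the
    first 'previous block' is the 16-octet Request Authenticator of the packet."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as done by the RADIUS server. Trailing NUL
    padding is stripped, so passwords that themselves end in NUL are out of scope."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The controller recomputes this to confirm an Access-Accept/Reject came from a
    server holding the same secret; a peer without the secret cannot produce it."""
    length = 20 + len(attributes)          # 20-octet header plus attributes
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


# Constructed demo values (not from the course material). The Request Authenticator
# is fixed so the run is reproducible; in real traffic it is random per request.
DEMO_SECRET = b"constructed-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))


def demo_roundtrip(password: bytes = b"689c7084a9f2") -> dict:
    """Hide a PAP password (here a MAC used as the password, as in MAC registration),
    recover it with the right secret, and show what a mismatched secret yields."""
    hidden = hide_user_password(password, DEMO_SECRET, DEMO_REQUEST_AUTH)
    return {
        "hidden_len": len(hidden),
        "recovered": unhide_user_password(hidden, DEMO_SECRET, DEMO_REQUEST_AUTH),
        "with_wrong_secret": unhide_user_password(hidden, b"wrong-secret", DEMO_REQUEST_AUTH),
    }


if __name__ == "__main__":
    print(demo_roundtrip())
```

A controller and server configured with different secrets decode each other's passwords into garbage and never agree on a Response Authenticator, which is the usual symptom of a mistyped secret. Note that this MD5/XOR scheme is an obfuscation tied to the secret rather than modern encryption, so the RADIUS path between controller and Cloudpath should itself be a trusted management network, and a suspected secret compromise is handled by rotating it on both sides, as the text above describes.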

RADIUS Accounting provides start/stop information and byte counts on the
connection. Default port number is 1813. The Cloud hosted ES will have a
different port number.

*Note - Select Auth Method = PAP (ZoneDirector only)

The Hotspot Services page can be used to configure a traditional (WISPr 1.0) hotspot
service to provide public access to users through its WLANs. You need the following
to deploy a hotspot:
• Captive Portal: A special web page, typically a login page, to which users that
have associated with your hotspot will be redirected for authentication purposes.
• RADIUS Server

A Walled Garden is a limited environment to which an unauthenticated user is
given access for the purpose of setting up an account. After the account is
established, the user is allowed out of the Walled Garden. The Walled Garden
will need to contain entries for the relevant client's app store so the
Cloudpath network wizard can be downloaded.

A Hotspot is a service that redirects users, once connected to the open
hotspot, to the Cloudpath Enrollment workflow.
After naming the Hotspot instance, the URL of the intended snapshot is identified.
The redirect URL is location- and snapshot-dependent and can be obtained in
Cloudpath under Configuration>Deploy.

Additional Configuration if using a Ruckus ZoneDirector:
Select the Cloudpath RADIUS Authentication Server (ZoneDirector only).
Enable MAC authentication bypass redirection (ZoneDirector only).
Select Use device MAC address as authentication password.
Select the Cloudpath RADIUS Accounting Server (ZoneDirector only).
Leave the defaults for the remaining settings. Click OK.

Walled Gardens provide restricted access when connected to the hotspot SSID
network. When applied, any attempts to access sites not listed in the walled
garden are discarded or redirected to Cloudpath. If 3rd-party authentication
methods are included as options in the active workflow, their sites will need to be added.

The final two steps are to configure a Hotspot SSID and apply the Walled
Garden and Hotspot service to its configuration.
The secure SSID is then created, where 802.1X uses the AAA server
(previously configured), delegating authentication to the onboard AAA server or
your existing AAA.
If using an existing AAA server, it requires layer 3 access to the Enrollment
System VM to verify certificate status (optional).
If using Active Directory, you need the AD domain information (plus any
subdomains) and the IP address of the AD server.

The Cloudpath ES requires an open SSID for onboarding, and one or more
secure SSIDs, depending on your deployment scheme. The open SSID
terminates to a captive portal that points to the ES, and the secure SSID is the
network to which your users migrate. Best practice is to create an SSID
specifically for the Cloudpath ES.

If your security policy provides a guest SSID for Internet-only or limited network
access, you can set up an open SSID specifically for guests. The guest SSID
redirects guest users to the ES captive portal, where they can onboard to a
limited access network. The limited access is managed using VLAN assignment,
which is configured in the wireless LAN controller, where you can also filter, shape
or throttle the guest VLAN.

The Cloudpath ES provides a method for managing conflicting SSIDs to prevent a
device from roaming away from the secure network. When setting up the device
configuration, in the conflicting SSID section, you can set it up to either delete the
open SSID or set it to connect manually.

1. Display an Acceptable Use Policy step is an example of workflow _______.
(Answer: Plug-in)

2. How do you add a step in a workflow? (Answer: Blue arrow to the left of
the workflow)

3. How do you activate a workflow? (Answer: Publish which creates a
snapshot)

4. The client is redirected to the captive portal hosted on ________. (Answer:
Cloudpath)

5. Authentication is required for issuing certificates to clients (Answer: False)

6. Which ES SSID setting is used to prevent Open SSID reconnects?
(Answer: conflicting SSID)

In these labs you will create your first workflow, which includes two branches, and then
publish it. You will also configure vSmartzone, establishing an onboarding SSID and a secure
SSID, allowing users to migrate from an open onboarding connection to the secured SSID using
the certificate as credentials.

Cloudpath Admin 200 MAC Authentication

Using 802.1X authentication with WPA2-Enterprise provides the best security
option for wireless devices on your network. However, for devices that do not
have WPA2-Enterprise or 802.1X support, such as gaming consoles, printers, or
display monitors, the Cloudpath ES offers a method for registering these devices
on the network.

When setting up MAC registration, a list of authorized MAC addresses is
maintained on the RADIUS server. When a non-802.1X device attempts to
connect to the network, the request is forwarded to the RADIUS server, where the
device is checked against the list of authorized MAC addresses. If the registration
has not expired, the RADIUS server authenticates the device. Subsequent access
requests from the user to the access point cause the AP to open the firewall to
allow access to the Internet until the validity period expires and the user must
re-enroll.
This option provides the ability to authenticate using a MAC address instead of
the certificate authentication discussed previously.

MAC population can be done either through a pre-populated list managed by an
admin or sponsor, or by providing within the workflow a method for users to
register their own MAC, either onsite or offsite. This is a popular option for
conference centers or the lodging industry, where large numbers of guests gather
and remain onsite for extended events, unlike a coffee shop visit or a retail store.

MAC registration can be configured to provide MAC authentication to wired or
wireless environments, or both.

1. Authentication involves pre-populating a database with identified MACs,
allowing registered devices (by MAC address) to be transparently authorized without
having to log in. A MAC can also be added to the database by an admin before
the device attempts to connect to the WLAN. This is common for devices that do
not have browsers, such as IP cameras, thermostats or printers, as it allows
registration without using the device itself. Devices that do have browsers can
connect to the WLAN and register the device on the same open SSID. Once the
device has its MAC registered it will have its restrictions lifted (walled garden)
and can connect to the network.

2. Registering consists of a user accessing the Captive Portal and registering their
device by entering its MAC address. Registered devices are then given access to
an identified Secured SSID for a preselected amount of time, after which the
user will have to re-register the MAC of their device for additional access.

Both instances require the user either to connect with their preferred device to
the Captive Portal, or to register its MAC off-site or by other means such as a bulk
import. A bulk import involves an admin uploading a MAC list, allowing pre-enrollment
of MAC addresses for MAC-based device authentication.

The Workflow plug-in “Register a Device for MAC-Based Authentication” allows
users to register the MAC address of the device for MAC authentication by
RADIUS. The MAC address is captured and will have access for the configured
time.

In this example, the user attempts to access the Internet, is redirected to the captive
portal on the Cloudpath ES and proceeds through the enrollment workflow, during which,
the user is prompted for information.
At the MAC registration step, the Cloudpath ES sends a registration URL to the client for
use in the RADIUS authentication request. The registration URL contains the username,
password, and validity period for the MAC registration.
RADIUS Authentication Example: (270274) Wed Mar 22 19:41:02 2017: Auth: Login OK:
[689c7084a9f2/689c7084a9f2] (from client 0.0.0.0/0 port 0 cli
68:9C:70:84:A9:F2) [CPN]: server=port14597, macAddress=68:9C:70:84:A9:F2,
username=Enrollment-185B40B6-CAC5-4938-BE1C-16E20E8F0C0A, serial=, ssid=

The access point obtains the MAC address of the user device and sends this information
in the RADIUS request to the RADIUS server. The RADIUS server compares the MAC
address and expiration date with the existing user information. If the validity period and
expiration period match, the RADIUS server authorizes the authentication and returns
an Access-Accept to the access point. If other RADIUS attributes are configured, such as
the Filter-Id, they are returned with the Access-Accept.
Subsequent access requests from the user to the access point cause the AP to open the
firewall to allow access to the Internet. This occurs until the validity period expires and
the MAC must re-enroll.
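Authentication log lines in the shape shown above are what you will be reading when auditing MAC registrations, so here is an added Python example (written for this guide, not part of the course material or of Cloudpath) that parses them and flags records where the MAC presented as the credential does not match the Calling-Station-Id the controller reported. The sample log is constructed: its first line is the page's "Login OK" line rejoined onto one line, and the second is a constructed failed attempt in the same format.

```python
import re
from datetime import datetime

# Constructed sample log (first line copied from the page, rejoined; second line constructed).
SAMPLE_LOG = (
    "(270274) Wed Mar 22 19:41:02 2017: Auth: Login OK: [689c7084a9f2/689c7084a9f2] "
    "(from client 0.0.0.0/0 port 0 cli 68:9C:70:84:A9:F2) [CPN]: server=port14597, "
    "macAddress=68:9C:70:84:A9:F2, "
    "username=Enrollment-185B40B6-CAC5-4938-BE1C-16E20E8F0C0A, serial=, ssid=\n"
    "(270275) Wed Mar 22 19:42:10 2017: Auth: Login incorrect: [aabbccddeeff/aabbccddeeff] "
    "(from client 0.0.0.0/0 port 0 cli AA:BB:CC:DD:EE:FF)\n"
)

# Sequence number, timestamp, result, [User-Name/password], NAS client, port,
# Calling-Station-Id, then an optional "[CPN]: k=v, k=v" tail added by the server.
AUTH_LINE = re.compile(
    r"^\((?P<seq>\d+)\) (?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"Auth: (?P<result>[^:\[]+): \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>[^)]+)\)"
    r"(?: \[CPN\]: (?P<cpn>.*))?$"
)


def normalize_mac(mac: str) -> str:
    """Lower-case hex digits only, so 68:9C:70:84:A9:F2 and 689c7084a9f2 compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_cpn(fields: str) -> dict:
    """Split the 'k=v, k=v' tail; empty values (serial=, ssid=) are kept as ''."""
    out = {}
    for part in fields.split(", "):
        key, _, value = part.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_auth_line(line: str):
    """Return a dict of the line's fields, or None if the line is not an auth record."""
    m = AUTH_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["cpn"] = parse_cpn(rec["cpn"]) if rec["cpn"] else None
    return rec


def check_mac_auth(rec: dict) -> str:
    """Classify a MAC-auth record: 'accept', 'reject', or 'mismatch' when the MAC
    sent as the password (or the server-side macAddress) differs from the
    Calling-Station-Id, which is worth a second look in an audit. The User-Name is
    not compared because it may carry the Enrollment ID rather than the MAC."""
    cli = normalize_mac(rec["cli"])
    if normalize_mac(rec["password"]) != cli:
        return "mismatch"
    if rec["cpn"] and normalize_mac(rec["cpn"].get("macAddress", "")) != cli:
        return "mismatch"
    return "accept" if rec["result"] == "Login OK" else "reject"


def summarize(log_text: str) -> dict:
    """Counts per outcome plus the Enrollment IDs seen, for a quick audit report."""
    summary = {"accept": 0, "reject": 0, "mismatch": 0, "unparsed": 0, "enrollments": []}
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary[check_mac_auth(rec)] += 1
        if rec["cpn"] and rec["cpn"].get("username", "").startswith("Enrollment-"):
            summary["enrollments"].append(rec["cpn"]["username"])
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against an export of the RADIUS server log; the `mismatch` count is the one to investigate, since a successful authentication whose password MAC differs from the reported Calling-Station-Id means the credential was not derived from the connecting device in the way the controller configuration above expects.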

You can configure a single database to house and maintain your MAC
registrations, or choose to create multiple databases, each providing a unique function.

Example:
Create a DB to register company asset devices such as IP cameras,
thermostats, or printers, while creating another to provide guest headless device
access. Each database can have its own settings for registration duration as well
as the specific WiFi connection that should be used.

For IT-owned devices, you might already have a list of MAC addresses. Importing
the list allows devices to bypass the registration process and move straight
to the configuration wizard.

MAC Registration Lists

View and manage MAC registration databases, which allow network access to
devices that do not have 802.1X supplicant capability. Each database has its
own policies. When a device is registered, it is assigned to one of the databases.
The ES provides a template for importing MAC addresses in bulk using a .csv or
.xlsx file.

The workflow, starting with the AUP, can provide a split option where users can
register their non-compliant (WPA2-WPA) devices.
As MACs are registered, any devices connected to the identified SSIDs are
authenticated via a RADIUS server using a unique Enrollment ID as the
username and the MAC address as the password. With the WiFi controller
set to enable MAC authentication bypass (no redirection), registered
devices cause the AP to open the firewall to allow access to the Internet.

The behavior depends on the type of deployment you prefer. When
authentication is not required, such as at a convention or an event where
many unknown devices need to connect to the network, the top two options
are available (Prompt user/Always prompt).

The Create MAC Registration page

SSID Regex - This is the SSID to which MAC registered devices are assigned.
Only SSIDs listed here will use the MAC list for authentication.
(Note - This field is case sensitive. Separate multiple SSIDs by a vertical
pipe (|). The default (*) is any SSID that is pointed at the RADIUS server.)

Expiration Date Basis - The basis for calculating the default validity period for
MAC registration. Calculations can be based on minutes, hours, days, weeks, months,
quarters and years using an offset value. Similar options exclude the use of
the offset value and are calculated from the registration time. A specified date
can also be configured, making all MAC entries invalid after the specified
date.

Expiration Date Offset - The number of hours/days/months/etc to be offset from
the event date when calculating the registration validity period. If Specified Date
is selected, this should be the date in YYYY/MM/DD format.
Note: A sponsor can override the validity period configured for MAC
registration.
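The SSID Regex, Expiration Date Basis and Expiration Date Offset settings above, together with the RADIUS decision described on the MAC registration slide, are easier to reason about as a small model. The following Python is an added example written for this guide, not Cloudpath's implementation: it computes an entry's expiration from a basis and offset (the offset-based units and the specified-date option; the no-offset variants are not modelled), matches SSIDs case-sensitively with `|` alternation, and returns an Access-Accept with the list's attributes (such as a Filter-Id) only for an unexpired MAC on a covered SSID. Treating `*` as "any SSID" rather than as a regular expression, and the list names, SSIDs, MACs and Filter-Id values, are assumptions constructed for the demo.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta

# Calendar-based units advance whole months; the others are fixed spans.
MONTH_UNITS = {"months": 1, "quarters": 3, "years": 12}
SPAN_UNITS = {"minutes", "hours", "days", "weeks"}


def normalize_mac(mac: str) -> str:
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def add_months(dt: datetime, months: int) -> datetime:
    """Advance by calendar months, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    index = dt.month - 1 + months
    year, month = dt.year + index // 12, index % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


def compute_expiration(registered_at: datetime, basis: str, offset) -> datetime:
    """Expiration Date Basis + Offset. For 'specified_date' the offset is the
    YYYY/MM/DD string; for the unit bases it is an integer count."""
    if basis == "specified_date":
        return datetime.strptime(offset, "%Y/%m/%d")
    if basis in MONTH_UNITS:
        return add_months(registered_at, MONTH_UNITS[basis] * int(offset))
    if basis in SPAN_UNITS:
        return registered_at + timedelta(**{basis: int(offset)})
    raise ValueError(f"unknown expiration basis: {basis!r}")


class MacRegistrationList:
    """One MAC registration database: SSID regex, validity policy, entries and the
    RADIUS attributes (e.g. Filter-Id) to return with an Access-Accept."""

    def __init__(self, name, ssid_regex="*", basis="days", offset=1, attributes=None):
        self.name, self.ssid_regex = name, ssid_regex
        self.basis, self.offset = basis, offset
        self.attributes = dict(attributes or {})
        self.entries = {}  # normalized MAC -> expiration datetime

    def covers_ssid(self, ssid: str) -> bool:
        # Case-sensitive full match; '|' gives alternation. '*' is treated as
        # "any SSID pointed at the RADIUS server" (assumption for this demo).
        if self.ssid_regex == "*":
            return True
        return re.fullmatch(self.ssid_regex, ssid) is not None

    def register(self, mac: str, registered_at: datetime, sponsor_expiration=None):
        """Add or renew a MAC; a sponsor may override the list's validity period."""
        expires = sponsor_expiration or compute_expiration(registered_at, self.basis, self.offset)
        self.entries[normalize_mac(mac)] = expires
        return expires


def authorize(lists, mac: str, ssid: str, now: datetime):
    """RADIUS decision for a MAC-auth request: consult only the lists whose SSID
    regex covers the SSID; accept if any of them holds an unexpired entry."""
    key = normalize_mac(mac)
    consulted = [lst for lst in lists if lst.covers_ssid(ssid)]
    if not consulted:
        return "Access-Reject", {"reason": "no MAC list covers this SSID"}
    for lst in consulted:
        expires = lst.entries.get(key)
        if expires is not None and now < expires:
            return "Access-Accept", {"list": lst.name, "expires": expires, **lst.attributes}
    reasons = ["expired" if lst.entries.get(key) else "not registered" for lst in consulted]
    return "Access-Reject", {"reason": ", ".join(reasons)}


def demo() -> dict:
    """Two constructed databases, as in the course example: company headless
    assets (one-year validity) and guest devices (three-day validity)."""
    assets = MacRegistrationList("company-assets", ssid_regex="IoT-Secure", basis="years",
                                 offset=1, attributes={"Filter-Id": "acl-iot"})
    guests = MacRegistrationList("guest-devices", ssid_regex="Guest-PSK|Guest-Event",
                                 basis="days", offset=3, attributes={"Filter-Id": "acl-guest"})
    t0 = datetime(2017, 3, 22, 19, 41, 2)  # registration time, constructed
    assets.register("68:9C:70:84:A9:F2", t0)
    guests.register("aa-bb-cc-dd-ee-ff", t0)
    both = [assets, guests]
    return {
        "asset_on_iot": authorize(both, "689c7084a9f2", "IoT-Secure", t0 + timedelta(days=30))[0],
        "guest_same_day": authorize(both, "AA:BB:CC:DD:EE:FF", "Guest-Event", t0 + timedelta(days=1))[0],
        "guest_after_3_days": authorize(both, "AA:BB:CC:DD:EE:FF", "Guest-Event", t0 + timedelta(days=3))[0],
        "guest_wrong_case_ssid": authorize(both, "AA:BB:CC:DD:EE:FF", "guest-event", t0)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `guest_wrong_case_ssid` case shows the consequence of the case-sensitivity note above: an SSID that differs only in case is not covered by any list, so the request is rejected rather than silently matched.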

Behavior - Specifies the prompt and redirect settings for the MAC registration
configuration. Use the Web Page Information section to configure the user prompt
or redirect URL. More details are discussed on the next slide.

Config Shortcuts - Shortcuts are available to help alleviate common configuration
issues with MAC registration; configuration shortcuts have been added for Ruckus
ZoneDirector, Ruckus SmartZone, Cisco, Aruba, and Aerohive controllers. These
clickable options affect the redirect URL along with the POST parameters required
by your controller for it to correctly accept and store the data received.

Use POST - The redirect is handled as an HTTP POST rather than a GET. If Use
POST is selected, POST parameters must be defined to provide proper mapping to
values. The config shortcuts prepopulate these with the correct mapping for the
controller.

Allow Continuation - If checked, the submit-redirect call is processed; if
unchecked, the submit-redirect call is ignored.

Kill Session - If checked, the user's session is killed as they are redirected
and, if they return, they will be forced to start over.

Additional features such as filtering of workflow plugins based on the MAC lists
can control whether a plugin is visible to non-MAC-registered devices.

Different behaviors can be applied to the “Register the MAC address” plugin to
affect how the user is handled. As a result, some fields are not applicable to the
behavior chosen, so only the configurable fields pertaining to that behavior will
be shown. Example: If you do not select a behavior that includes a redirect
option, the redirect URL field will not be displayed. Each behavior has certain
elements that need to be configured to allow it to function correctly. In the next
few slides we will explore the behaviors in more detail to see their effects on the
user experience.

Depending on the type of deployment behavior you prefer. When authentication is


not required such as a convention or an event where many unknown devices
need to connect to the network the top two options are available. (prompt
user/Always prompt.)

Redirect options provide the ability to verify the user against an authentication
method other than the MAC address list.

Prompt user when MAC is unknown: intended for situations where the user is
registering the current device for use on a separate SSID, such as a PSK SSID.
The separate SSID is identified in the MAC registration configuration as the
SSID Regex, and the device's MAC is used to authenticate onto that SSID.


Always prompt: intended for scenarios where the user is registering a different
device (such as a gaming console). Each time a user reaches the MAC registration
step of the workflow they are prompted. This applies only when a user navigates
to the MAC registration portion of the workflow: if the device's MAC is already
registered when it connects to its intended SSID, it is authorized and bypasses
the captive-portal redirect.


Redirect when MAC is unknown: intended to gather the MAC address from the WLAN
controller when no MAC exists. This option uses a redirect to authenticate the
user to the WLAN controller; given the correct controller configuration, the
controller then sends the MAC address to the system via RADIUS, providing an
auto-discovery process for the MAC.


Always redirect to authenticate user: intended for scenarios where the user will
be authenticated to the current SSID. This option forces a redirect so that the
user is logged into the WLAN controller's captive portal and must complete an
authentication process.


Skip registration when MAC is unknown: this process requires that MACs be
entered by other means, such as a bulk import of the MACs that are to access
the SSID. If this option is chosen, the system does not proceed to the Register
the MAC address step.


Recall that during the ES MAC registration process, the AP/WLC obtains the MAC
address of the user device and sends it in the RADIUS request to the RADIUS
server. If the controller encrypts the MAC and IP in the redirect URL (the vSZ
default), the MAC information is unreadable and the MAC registration process
breaks.

Log in to your SZ CLI and enter “config” mode.

Disable the vSZ default MAC/IP encryption with the config mode command “no
encrypt-mac-ip”.
Alternatively, pass the “uip” and “client_mac” parameters through the “POST
Parameters:” of the assigned “MAC Registration” step.
POST = the client asks the web server to receive and store the information
contained in the message.
Once the client has been redirected to the web server, the login page is loaded
on the client. The captive portal is responsible for acquiring the login
credentials that will be sent to the SmartZone for verification against an
authentication server.
Example URL (the “url” parameter carries the page the client originally
requested, here the Apple captive-portal detection page):
http://172.16.112.125/login.html?sip=172.16.112.49&mac=50a7331b9f20&client_mac=4cb199355fd7&uip=172.16.112.141&lid=&dn=&url=http%3a%2f%2fwww%2eapple%2ecom%2flibrary%2ftest%2fsuccess%2ehtml&ssid=open%2ddpsk&loc=&vlan=1
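The following is an added example, not Cloudpath or Ruckus code, that parses the redirect URL above the way a MAC Registration step has to: it pulls out client_mac and uip, normalizes the MAC, and refuses to build the POST parameter mapping when the MAC is not a plain 12-hex-digit value, which is exactly what you see when encrypt-mac-ip is still enabled on the SmartZone. The parameter names come from the URL on this page; the sample URL is constructed from it and everything else is an assumption.

```python
"""Parse a SmartZone captive-portal redirect URL and check that the client
MAC is usable for Cloudpath MAC registration.

Added example, not Cloudpath or Ruckus code. The sample URL is the one
shown on this page; the parameter names (mac, client_mac, uip, url, ssid,
vlan) are taken from it. Everything else is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the redirect URL from this page, with the page the
# client originally asked for percent-encoded in the "url" parameter.
SAMPLE_REDIRECT = (
    "http://172.16.112.125/login.html?sip=172.16.112.49&mac=50a7331b9f20"
    "&client_mac=4cb199355fd7&uip=172.16.112.141&lid=&dn="
    "&url=http%3a%2f%2fwww%2eapple%2ecom%2flibrary%2ftest%2fsuccess%2ehtml"
    "&ssid=open%2ddpsk&loc=&vlan=1"
)

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None when `raw` is not 12
    hex digits. An opaque value here is the symptom of the controller still
    encrypting the MAC/IP in the redirect (vSZ default, encrypt-mac-ip)."""
    cleaned = raw.strip().lower().replace(":", "").replace("-", "")
    if not HEX12.match(cleaned):
        return None
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))


def parse_redirect(redirect_url):
    """Pull out the fields the MAC Registration step needs."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    def first(key):
        return query.get(key, [""])[0]

    return {
        "client_mac": normalize_mac(first("client_mac")),
        "ap_mac": normalize_mac(first("mac")),
        "client_ip": first("uip"),
        "ssid": first("ssid"),
        "original_url": first("url"),
        "vlan": first("vlan"),
    }


def build_post_params(fields):
    """Values for the 'POST Parameters' mapping (client_mac and uip).
    Fails closed: an unreadable MAC must not be registered as-is."""
    if fields["client_mac"] is None:
        raise ValueError("client_mac is not a plain MAC; disable encrypt-mac-ip on the SZ")
    return {"client_mac": fields["client_mac"], "uip": fields["client_ip"]}


if __name__ == "__main__":
    fields = parse_redirect(SAMPLE_REDIRECT)
    print(fields)
    print(build_post_params(fields))
```

Run it against a redirect captured from your own controller: if `build_post_params` raises, the controller is still encrypting the MAC/IP and the registration step will silently store garbage unless you either disable the encryption or map the parameters as described above.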


Automatic branching is the term used for a part of the workflow process that
automatically splits clients into different branches based on criteria specified
in filters and restrictions. A user can manually select an option in the
workflow, or we can design the workflow to process a client automatically based
on the options we define in the “Split users into different branches” plug-in.

An example could be a split filter that only allows users that match the BYOD APP
AD group name pattern to view the Personal Device user prompt. Users that are
not in the BYOD APP AD group cannot enroll personal devices on the network.
Another example you will see in the lab for this module will be how to auto branch
a user based on their AD group membership.

Filtering can be performed on information a user enters in previous steps of
the workflow, affecting which branches are displayed to the user as they
progress through the enrollment process.


The “Split users into different branches” workflow plug-in creates a branch or fork
in the enrollment process. This can occur (1) visually by having the user make a
selection or (2) it can occur automatically based on criteria associated with each
option.

The image above represents a workflow that is split into two branches, with one
sequence of steps for employees, and another for guest users. Each branch in
the workflow specifies a different authentication method and assigns different
certificates to the user. A workflow utilizing splits without automatic branch
selection requires the client to make the correct selections during the processing.


The settings in the Filters & Restrictions section control which users have
access to a split option. If nothing is specified, all users have access to the
split option. If criteria are specified, only users meeting the criteria have
access to the split option.


Filtering can be performed per workflow branch. Each branch can have multiple
filters applied, with a combination of match/not-match entries. Multiple entries
per field can be entered using the pipe (|) between entries. Filtering on OS and
user agent (browser) can also be performed, based on information advertised by
the browser; since the client controls that information, treat OS and browser
filters as a convenience for the user, not as an access control. Regular
expressions can be used and are explained in more detail in later modules.
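As an added example, not Cloudpath's own code, the block below models how the filter rules described above decide which split options a user sees: every match entry must hit, no not-match entry may hit, pipe-separated alternatives are tried in turn, and each entry is a regular expression. The enrollment records, field names and branch definitions are constructed for the example; the BYOD APP group pattern mirrors the example given on the previous page.

```python
"""Evaluate 'Filters & Restrictions' rules to decide which split options a
user sees.

Added example, not Cloudpath code. It models what this page describes: a
branch may carry several match / not-match entries, a field may list
alternatives separated by '|', and entries are regular expressions. The
enrollment records, field names and branches below are constructed.
User-agent-derived fields (os, browser) come from the client and are only
a convenience filter, never an access control.
"""
import re

# Constructed: what the workflow knows after the earlier steps.
ENROLLMENTS = {
    "alice": {"groups": ["BYOD APP", "Staff"], "os": "Windows", "browser": "Chrome"},
    "bob": {"groups": ["Staff"], "os": "Android", "browser": "Chrome"},
    "guest1": {"groups": [], "os": "iOS", "browser": "Safari"},
}

# Constructed branches. A branch with no rules is visible to everyone.
BRANCHES = [
    {"name": "Personal Device", "match": {"groups": r"BYOD APP.*"}},
    {"name": "Mobile guest", "match": {"os": "Android|iOS"}, "not_match": {"groups": "Staff"}},
    {"name": "Guest"},
]


def entry_matches(pattern, value):
    """One filter entry: '|'-separated alternatives, each a full-match regex."""
    return any(re.fullmatch(alt.strip(), value, re.IGNORECASE) for alt in pattern.split("|"))


def _values(enrollment, field):
    value = enrollment.get(field, [])
    return value if isinstance(value, list) else [value]


def branch_visible(branch, enrollment):
    """Visible when every match rule hits at least one value of its field and
    no not-match rule hits any value."""
    for field, pattern in branch.get("match", {}).items():
        if not any(entry_matches(pattern, v) for v in _values(enrollment, field)):
            return False
    for field, pattern in branch.get("not_match", {}).items():
        if any(entry_matches(pattern, v) for v in _values(enrollment, field)):
            return False
    return True


def visible_branches(enrollment, branches=BRANCHES):
    return [b["name"] for b in branches if branch_visible(b, enrollment)]


if __name__ == "__main__":
    for user, record in ENROLLMENTS.items():
        print(user, "->", visible_branches(record))
```

Note that a missing field never satisfies a match rule, so a branch gated on AD group membership stays hidden from a user who authenticated through a step that supplies no groups at all.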


The ES Onboard Database lets end users authenticate to accounts defined within
this system. This option is not meant to replace an AD or LDAP system, but is
useful for trial and demo accounts. It also allows you to create policies based
on group information.

The onboard database can be configured within a workflow as the authentication
authority, where local accounts can be created and managed.

Multiple databases can be configured, allowing unique authentication options
for different workflows within Cloudpath.


Onboard Database, aka “Authenticate to a traditional server”

The workflow plug-in “Authenticate to a traditional server” is typically used
to add a connection to an AD, LDAP or RADIUS server, but it is also the plug-in
used to add a local database, or “Onboard Database”, to ES. As stated on the
previous slide, this allows us to create user accounts only. We will discuss the
user account settings on the next slide. The main setting required to add the
database is a unique global system name. Other settings customize the email
sent when passwords are reset by the Admin.

Configuration > Authentication Servers > Modify


Users can be entered manually, each with a unique username. Once entered, an
email is sent to the user with their initial randomly-generated password. The
Onboard Database does not display user account passwords; not even the CA Admin
can view the stored passwords. Only the users have access to their password. ES
Admins can reset a user's password with the “reset” icon. The reset creates a
new randomly-generated password, which is emailed to the user only.

Any workflow configured to use the onboard database uses these credentials for
its authentication. As mentioned earlier, if the result of the workflow is to
issue a certificate, future connections to the network use the certificate for
authorization.

Icons allow for editing, deleting, password reset and account blocking. Accounts
can be unblocked by simply unchecking the blocked status option.

The list can be exported in CSV or XLS format for import or record keeping.


1. What types of devices might utilize MAC Registration? (Answer: Headless
devices: printer, gaming console, thermostat)

2. Which device is responsible for forwarding the RADIUS request containing the
MAC information (on the supplicant's behalf) to the RADIUS server? (Answer:
Controller or AP)

3. MAC Registration can only be implemented through a WLAN captive portal. True
or False? (Answer: False; off-site registration can be used when the behavior
of the plug-in supports it)

Cloudpath Admin 200 Guest Access


In today's networks, security and liability avoidance are crucial to protecting
data and preventing unauthorized access. This protection can increase the
overhead on IT resources, both for authorization management and for supporting
the onboarding of these devices.

Cloudpath, however, provides controlled access with tools such as self-service
and sponsorship options in an automated manner, allowing strong device and user
identification along with management, including the ability to revoke
privileges.

Each type of guest can be managed with unique access through SSID selection,
VLAN or ACL association, and length of access. All of this is performed through
guest workflow branches and Cloudpath templates. Guest needs and network access
requirements are applied to guest devices by creating a workflow that supplies
them with a configuration and a certificate template.


Workflows are designed to accommodate these guest access options, providing the
ability to place guests on special (internet-only) VLANs or onto restricted
SSIDs depending on your deployment strategy and requirements. Workflow plug-ins
such as Sponsor (vouchers or approving a request), Email/SMS (out-of-band) and
third party provide a variety of validation options. These can be stand-alone
authorizations or be combined within a workflow branch to increase control and
ensure that only authorized users can access the network.

Example of combining workflow plug-ins: use the voucher plug-in to have users
enter a voucher value, then have them authorize against a third party such as
Facebook or LinkedIn.


A voucher is a one-time password (OTP) and is useful for controlling access to
an enrollment process separate from, or in addition to, user credentials. The
system may automatically email the guest user, or the sponsor can communicate
the voucher manually. Vouchers have a configurable format and validity period.

The single-code entry option identifies the user, including sending the voucher
by email or SMS. Multiple vouchers can be generated at one time, but this does
not allow user information to be specified. Multiple voucher generation is
common when a convention or a group that is not yet identified needs access to
the secured network.

Separate lists can be maintained on Cloudpath and associated with one or more
workflows. Different sponsors can be assigned to each list as well, allowing
for logistical or hierarchical options.
Example: arriving guests to building B, once identified, can be given access to
the guest network by the receptionist, who is a sponsor of the guest list. New
contractors, on the other hand, would be granted access by an HR representative
once their contract is approved.

Voucher list entries can also be uploaded from a CSV file containing a list of
vouchers. Templates can be downloaded, populated and then uploaded to a specific
voucher list. Unlike the multiple voucher option, uploading allows the users to
be identified.


Voucher list note: The file must be formatted in the template sequence:
voucher, name, description, company, email, expiration date, sponsor, SMS
phone number, SMS country code. If the voucher is left blank, a voucher is
generated and sent to the user by email or SMS.

Steps in slide:
1. Voucher is created by Admin or Sponsor
2. Voucher is emailed/SMS and delivered to Guest
3. Guest uses OTP to receive necessary details and certificate to access
network

Voucher List Settings:

• Name - Guest user name
Note - If Require Username Match has been specified in the voucher list, the
guest must authenticate with a username that matches the name specified in the
voucher provided by the sponsor. This allows the voucher to be locked to a
particular user.


Self-Registration, aka “Perform Out-of-Band Verification Using Email or SMS”

Out-of-band verification allows the user to enter an email address or phone
number and have the verification code, or one-time password, sent to them. The
out-of-band prompt is tied to a voucher list, which controls the characteristics
of the one-time password (OTP). You can create a new voucher list specifically
for out-of-band verification or use an existing list.

Steps in slide:
1. User submits a request
2. Request is added to a voucher list
3. Voucher is emailed/SMSed and delivered to the guest
4. Guest uses the OTP to receive the necessary details and certificate to
access the network

Sponsors maintain the voucher list that is populated by the self-registration
process. These vouchers are tied to a user, which allows the sponsors to revoke
them.


Sponsored Access, also known as the Real-time Request option

Sponsored guest access allows authorized employees (sponsors) to grant network
access to onboarding users at the time of their request. It is most commonly
used to provide higher-security wireless network access to corporate visitors
and partners, and is typically time-restricted. By distributing authorization
requests to employees via email, onboarding users are able to gain access
quickly without IT involvement and with appropriate traceability.
The user is held in a pending state until the sponsor accepts or rejects the
request. The request can be configured to go to a static user (like a
receptionist), to a sponsor selected from a list by the user, or to a sponsor
entered by the user. This type of access is typically deployed in environments
with higher security, where the user is accompanied within the premises and
also verified.

User Experience:


Social media identification is also available, providing a method for users to
associate their onboarding process with a social media profile. OAuth 2.0 is
used to connect from Cloudpath and receive the user's information.

Step 1: The user starts the onboarding journey by selecting a branch that
gathers user information from social media (the user's browser requests the
redirect URL for the identity provider and is forwarded there to grant access).
Step 2: The user sends an OAuth request to the third party of their choice and
authorizes access to their account. This is done without sharing the credentials
used at the third-party site.
Step 3: Once authorized, the user information (email address, name, etc.) is
gathered and placed into the enrollment record. This information can later be
used for security audits, recourse or marketing.
Step 4: Once authorization is given, the user continues the onboarding journey,
resulting in the device receiving its proper configuration and certificate.


Social Media Login, aka “Authenticate to a Third-Party”

Provides additional identity information during the onboarding process. When
you combine third-party authentication with traditional authorization methods,
the social media login provides additional identity information during
onboarding to deliver automated, self-service access to the WPA2-Enterprise
wireless network. Cloudpath ES supports third-party integration using Facebook,
LinkedIn, Google, or a custom OAuth 2.0 server that you specify.

In OAuth (Open Authorization), the client requests access to resources
controlled by the resource owner and hosted by the resource server, and is
issued a different set of credentials than those of the resource owner.

The OAuth 2.0 authorization framework (RFC 6749) enables a third-party
application to obtain limited access to an HTTP service, either on behalf of a
resource owner by orchestrating an approval interaction between the resource
owner and the HTTP service, or by allowing the third-party application to obtain
access on its own behalf.

Refer to the deployment guides within the support section of Cloudpath to provide
details and assist in deploying each option.
Note: Sponsored access can be combined with additional options, such as
authentication through Facebook, LinkedIn, or Google. When combined, the
social media provides the authentication while the voucher provides the
authorization. This method provides additional identity information and reduces
the risk of the voucher being intercepted or misused.
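The authorization-code exchange that the two preceding pages describe (redirect to the identity provider, user consent, identity written to the enrollment record), shown as an added example that is not Cloudpath's code. The endpoint URLs, client id, redirect URI and the stand-in token endpoint are assumptions; the part worth copying is the handling of the state parameter, which binds the provider's callback to the enrollment that started it so a code cannot be injected into another user's session.

```python
"""OAuth 2.0 authorization-code exchange between an onboarding portal and a
third-party identity provider, as RFC 6749 describes it.

Added example, not Cloudpath code. The endpoint URLs, client id, redirect
URI, scope and the stand-in token endpoint are assumptions; the code-for-
token exchange is injected so the example runs offline.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://idp.example/oauth/authorize"            # assumed
CLIENT_ID = "onboarding-portal"                                  # assumed
REDIRECT_URI = "https://onboard.example/enroll/oauth/callback"   # assumed


class OAuthClient:
    def __init__(self, exchange_code):
        # exchange_code(code, redirect_uri) -> identity dict; the real thing
        # POSTs to the provider's token endpoint with the client secret.
        self.exchange_code = exchange_code
        self.pending = {}  # state -> enrollment id awaiting a callback

    def start(self, enrollment_id):
        """Steps 1-2: build the redirect to the provider. `state` is a fresh
        random value bound to this enrollment so a callback cannot be replayed
        or injected into someone else's enrollment (login CSRF)."""
        state = secrets.token_urlsafe(24)
        self.pending[state] = enrollment_id
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid email profile",
            "state": state,
        })

    def callback(self, callback_url):
        """Step 3: the provider sends the browser back with code and state.
        Validate state (single use), swap the code for the identity, and
        return what goes on the enrollment record."""
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        enrollment_id = self.pending.pop(state, None)
        if enrollment_id is None:
            raise PermissionError("unknown or reused state")
        if "error" in query:
            raise PermissionError(query["error"][0])
        code = query.get("code", [None])[0]
        if not code:
            raise PermissionError("no authorization code")
        identity = self.exchange_code(code, REDIRECT_URI)
        return {"enrollment": enrollment_id,
                "email": identity["email"], "name": identity["name"]}


# Constructed stand-in for the provider: one issued code, redeemable once.
ISSUED_CODES = {"c0de123": {"email": "alice@example.com", "name": "Alice"}}


def fake_exchange(code, redirect_uri):
    identity = ISSUED_CODES.pop(code, None)
    if identity is None:
        raise PermissionError("invalid_grant")
    return identity


def demo():
    client = OAuthClient(fake_exchange)
    auth_url = client.start("enr-42")
    state = parse_qs(urlsplit(auth_url).query)["state"][0]
    # The provider redirects the browser back with the code and the same state.
    return client.callback(REDIRECT_URI + "?" + urlencode({"code": "c0de123", "state": state}))


if __name__ == "__main__":
    print(demo())
```

The identity returned by `callback` is what ends up on the enrollment record; a real deployment also validates the redirect URI registered with the provider and keeps the client secret out of the browser-facing URL.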


All sponsor lists are managed from a single URL per CP deployment. Sponsors
are given administration rights to specific lists which will be available to them
when they log in.

External access is available, allowing for extended-hour or remote guest
management.

DNS values (friendly URL) can be configured, allowing redirection to the
sponsorship portal. Colors along with titles and logos can be personalized for
branding and uniformity.

An administrator gives an employee permission to sponsor guest users by placing
them in a Sponsor group in the corporate authentication server (AD or LDAP) or
by manually assigning them to a list.


Each sponsor can be granted specific permissions allowing them to perform
certain duties. These permissions include:
Manage Devices Enrolled By Sponsor - sponsor can review and revoke devices
enrolled through vouchers issued by that sponsor.
Manage Devices Enrolled By All - sponsor can review and revoke devices
enrolled through vouchers issued by any sponsor in the group.
Allow Creation by CSV Upload - sponsor can create vouchers in bulk by
importing a spreadsheet of vouchers.
Allow Bulk Creation - sponsor can perform a bulk creation of vouchers.
Reminder: bulk creation does not allow the voucher users to be specified.
Add/Edit/Delete Sponsors In Group - sponsor can add, edit, and delete other
sponsors within the group.


Multiple voucher lists can be created and can serve a unique purpose. Separate
lists can be created to allow for certain sponsors to manage such as assigning
someone based on building within a campus or even between campuses of a
school or company. Multiple lists may also be created to separate guest vouchers
from contract employees vouchers or even types of devices. List creation will
depend on how Cloudpath is deployed in your environment customizing to your
specific needs.


Each voucher list can be given default values. These include the number of
characters in the voucher code, whether codes are alphanumeric or numeric only,
and whether they are case sensitive. Validity affects the time until the voucher
expires. You can also allow a voucher to be used more than once, for users who
are onboarding multiple devices. Maximum days of access can also be set, and
the list can verify that the correct user is using the voucher by requiring the
username entered to match the user the voucher was issued to. Many of these
fields can be displayed or hidden to sponsors, controlling their ability to
modify the default settings.
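The voucher CSV template described earlier in this module and the list settings above, combined into one added example that is not Cloudpath's code: it generates codes under the list's length, alphabet and case-sensitivity settings, imports rows in the template column order (generating a code when the voucher column is blank), and redeems a code while enforcing expiry, the use count and Require Username Match. The class and field names, the YYYY-MM-DD date format and the sample rows are assumptions.

```python
"""Voucher-list helpers: generate codes under the list's settings, import the
CSV template described earlier in this module, and redeem a code.

Added example, not Cloudpath code. The template column order (voucher, name,
description, company, email, expiration date, sponsor, SMS phone number, SMS
country code) and the settings (code length, alphanumeric or numeric, case
sensitivity, validity, multi-use, require username match) come from this
module; the class and field names, the YYYY-MM-DD date format and the sample
rows are assumptions.
"""
import csv
import io
import secrets
import string
from datetime import date, datetime

ALPHANUMERIC = string.ascii_uppercase + string.digits
NUMERIC = string.digits
COLUMNS = ["voucher", "name", "description", "company", "email",
           "expiration", "sponsor", "sms_phone", "sms_country"]

# Constructed sample in template order; the second row leaves the voucher
# blank so the system generates one and delivers it by email/SMS.
SAMPLE_CSV = """\
GUEST-2024,jdoe,Visitor badge 12,Example Corp,jdoe@example.com,2024-06-30,reception,,
,asmith,Contractor,Example Corp,asmith@example.com,2024-07-15,hr,5551234567,1
"""


def day(text):
    """Parse the template's expiration date (assumed YYYY-MM-DD)."""
    return datetime.strptime(text, "%Y-%m-%d").date()


class VoucherList:
    def __init__(self, length=8, numeric_only=False, case_sensitive=False,
                 max_uses=1, require_username_match=False):
        self.length = length
        self.alphabet = NUMERIC if numeric_only else ALPHANUMERIC
        self.case_sensitive = case_sensitive
        self.max_uses = max_uses
        self.require_username_match = require_username_match
        self.vouchers = {}  # normalized code -> record

    def generate_code(self):
        # secrets, not random: a voucher is a one-time password and must not
        # be predictable from earlier codes.
        return "".join(secrets.choice(self.alphabet) for _ in range(self.length))

    def _key(self, code):
        code = code.strip()
        return code if self.case_sensitive else code.upper()

    def add(self, code, name, expires, **extra):
        code = code.strip() or self.generate_code()
        key = self._key(code)
        if key in self.vouchers:
            raise ValueError("duplicate voucher code")
        self.vouchers[key] = {"code": code, "name": name, "expires": expires, "uses": 0, **extra}
        return code

    def import_csv(self, text):
        """Rows in template order; returns the codes in row order (generated
        ones still have to be sent to the guest)."""
        codes = []
        for row in csv.reader(io.StringIO(text)):
            if not row:
                continue
            rec = dict(zip(COLUMNS, (row + [""] * len(COLUMNS))[:len(COLUMNS)]))
            expires = day(rec["expiration"]) if rec["expiration"] else None
            extra = {k: rec[k] for k in COLUMNS if k not in ("voucher", "name", "expiration")}
            codes.append(self.add(rec["voucher"], rec["name"], expires, **extra))
        return codes

    def redeem(self, code, username, today=None):
        """True and one use consumed on success; False on any mismatch."""
        today = today or date.today()
        rec = self.vouchers.get(self._key(code))
        if rec is None:
            return False
        if rec["expires"] is not None and today > rec["expires"]:
            return False
        if rec["uses"] >= self.max_uses:
            return False
        if self.require_username_match and username != rec["name"]:
            return False
        rec["uses"] += 1
        return True
```

Every check in `redeem` fails closed and the use counter is only incremented after all of them pass, so an expired or username-mismatched attempt never consumes the guest's single use.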


Sponsors assigned to a voucher list can generate vouchers, monitor and maintain
requests received from self-registration (email/SMS), and review or revoke
voucher privileges.

Duties include:
Pre-registering guests, either by entering the guest's information or by bulk
creation
Monitoring and maintaining email/SMS requests
Responding to access requests
New sponsor requests can be approved or denied on the sponsor portal or through
the links inside the email notification, which provide easy access.


1. A voucher code can be transmitted to a guest through _____ or ________.
(Answer: Email/SMS)

2. Only an ES Admin can create voucher codes. True or False? (Answer: False)

3. What is the name of the workflow component used for social media
authentication? (Answer: Authenticate to 3rd Party)

4. Sponsors have to register guests before they can connect. True or False?
(Answer: False)

Cloudpath Admin 200 Customization and Multi-Workflow


Within a Cloudpath deployment, multiple locations can be configured, each with
a unique workflow providing branches that meet that location's access needs.
Example: lobbies and cafes could have workflow branches to accommodate
visitors, while the upper floors (employee space) offer only IT-managed and
employee BYOD branches.
Each URL represents a workflow built within the system and deployed with its
own activation (snapshot). Once deployed, the URL can be added to the
appropriate AP captive portal configuration, redirecting connected users to the
associated workflow.

ES uses the system information when configuring the onboard CA, certificate
template and deployment locations.

The Deployment Locations page contains the URL where a configuration is
deployed, and snapshots, which are build packages for each workflow
configuration.


Each workflow created within a Cloudpath deployment has the same prepended
values in its URL structure. The Portal URL is established when the Cloudpath
instance is deployed and does not change once set. All workflows use this
setting as part of their URL structure, so it should be set at the beginning
and not changed. When multiple workflow locations are configured, each has an
extension value appended to the end of the URL, making it globally unique. Once
the workflow is deployed (snapshot), its unique URL can be used for onboarding
devices with the workflow designed.

Note: The first two values, Hostname and URL-Safe Company Name, are pre-
populated using the information provided in the initial system setup.

Hotspot 2.0 (HS 2.0), often referred to as Wi-Fi Certified Passpoint, is the
new standard for Wi-Fi public access that automates and secures the connection.
Cloudpath supports Passpoint and provides the URL similarly to the standard
onboarding URL. For more details on Passpoint, refer to the Cloudpath support
document Configuring Cloudpath to Support Hotspot 2.0 Release 2 (Passpoint).

QR code: lets off-site users be redirected easily to onboarding before they are
actually on location, e.g. college students or conventions. The ability to
download


Each workflow is unique in its design, accommodating the users that need access
within a certain environment. A name along with a URL extension of your choice
can be added. This extension, together with the prepended URL structure
mentioned previously, provides a path that can be used as a redirect destination
for any users needing access. A workflow can be deployed in multiple locations
as long as it meets the needs of the local users. If other locations have
different policies, or their users require different access, additional
workflows are configured to accommodate those locations' requests. As workflows
are created they are activated by taking a snapshot. Each workflow is activated
independently, along with its unique URL.

How to Add a Deployment Location

1. On the left menu, select Configuration > Workflow
2. Click Add workflow.
3. Enter the URL through which the end users will enroll, and Save.


For a previously unpublished workflow, two options are available for the
initial publish. Previously published workflows are republished with the
snapshot cloud icon to the left of the workflow. Once the workflow is
published, its URL can be placed into an AP, redirecting unauthenticated users
to the workflow created for that environment. As shown in previous modules,
the APs also require the associated SSIDs, walled garden and AAA
authentication configurations to be in place to provide onboarding and
authentication for user access.

In addition, users can be given this URL to perform out-of-band onboarding
using this workflow if your CP deployment is external facing.


The default skin of the onboarding user experience is called Modern (Ruckus).
This “skin” is customizable allowing for organizations color and style to be
replicated. Titles and HTML code colors provide the ability to adjust the
onboarding experience. Each section of the display can be configured including:
Background Color
Start over font color
Powered by font color
Button background color list item text color
Etc.

Each workflow has its own customization capabilities. This allows the workflow
to be customized to its environment, displaying different icon choices as well
as different themes. Example: in an academic environment, workflows could be
created providing a different experience in the dorms than in the lecture
halls.

HTML templates for download are available allowing for a complete rebranding of
the user experience.

A snapshot of the workflow is required to allow the customization to take effect.


The default “skin” is fully customizable:
HTML, Download Page and Wizard page
Color of fonts and backgrounds
Favicon, web (logo) and background image
Each workflow can be customized:
Personalizing for location deployment
Each location can have its own characteristics
HTML template available:
Full control of user experience
Complete branding capable
Organization's visual language


Many aspects of the client's user experience are highly customizable, for both
secure BYOD and guest connectivity. This includes the deployment download and
wizard pages.

Configuration > Workflow: Look & Feel tab of the desired workflow

Use the Look & Feel tab to configure the Cloudpath ES skin, and to customize the
logos, colors, buttons, and images for the ES, the Wizard and the Download page.


The HTML Template option allows you to import your own fully customized look
and feel. You can change the Browser Title Bar and some of the Fonts / Item
Color controls as well.

Images can be imported:
Background Image
Favicon File
Web Image File

The “Download Page” and “Wizard Logo” sections can also be customized.


Each split (user choice), known as an option, can have its own personalized
logo. The split option description, key information and a corresponding image
together provide a clear path for users.

Note: Because the short name overlay (as shown on the left) is not used when a
custom icon is uploaded, additional text, or text incorporated into the icon,
is suggested to ensure a clear direction for the user.


Sponsorship > Look & Feel > Edit form enables you to change the text, color
scheme and logo for the Sponsor's Portal. Because the sponsor portal is
universal, this affects all sponsors' access. Titles along with display colors
can be adjusted to better suit your deployment environment. The custom logo
displayed in the upper right can be changed as well.

Cloudpath Admin 200 NAC & MDM Client Management


This module introduces students to the NAC and MDM settings of the Cloudpath
enrollment system.


Network Access Control (NAC), called Network Access Protection (NAP) by some
vendors, analyzes a connecting device, determines whether it meets minimum
network access requirements, and then grants or denies access accordingly.
ES provides settings to assist with automated system compliance, including
AV, firewalls, NAC, proxies, and software installation. The NAC Lite settings
are not persistent in version 5.1; persistence will be available in future
versions. These settings are enforced only during the onboarding process, not
on future connections. Settings are re-checked only when the certificate
expires and the user device enrolls again.
Examples of settings that can be validated:
• Service Packs
• Security Center
• Anti Spyware
• Operating System Hotfix & Patches
• Antivirus
• Firewall
• Updates
• Block rooted devices
• Plug-ins to integrate 3rd Party NAC services


ES provides a “lite” version of a Mobile Device Management system. MDM is the
generic name for a solution that allows for the registration (enrollment),
management and decommissioning or de-authentication of mobile devices such
as laptops, tablets and mobile phones. MDM may be used to manage enterprise-
owned devices or user-owned (Bring Your Own Device (BYOD)) devices.
MDM can validate OS-specific settings and health for:

• Registration
• Profile Management
• Wireless Updates
• Application control
• Certificate
• Software version
• Proxy settings
• Lock Screen
• Device Behavior on WLAN
• Scripts
• PMK
• IPv6


RADIUS Server Information

Defining a RADIUS server gives the client a target for authentication. Setting
a RADIUS server is best practice for certificate validation, using either
Cloudpath's onboard RADIUS server or an existing external server.
“Do not configure server certificate validation” is not best practice. If
selected, onboarding devices will attempt to authenticate to any RADIUS server,
including those not part of this wireless network domain, so a rogue access
point advertising the same SSID can complete the EAP exchange with them.

The Additional Options contain configurations specific to:

• Windows
• Mac OS X
• iPhone, iPad, & iPod Touch
• Android

Automatically configured operating systems require minimal action on the part of
the user.
Manually configured operating systems require user configuration; the user
is referred to online documentation.

The following operating systems must be configured manually by the user for
remediation changes:

• Blackberry
• Windows RT
• Windows Phone 8+

After configuring the RADIUS Server information and Additional Options, the
base policy is functional and may be deployed.

However, the policy is not yet complete. From here we can configure the
Operating Systems, MDM and NAC settings by navigating to the Operating
Systems page.

Select the pencil to access or change the OS version to configure:

• Operating Systems
• Advanced - these settings are commonly configured in EDU for shared devices
or workstations
• WLAN Profile Type: specifies whether certificate authorities are
installed in the current user's or the machine's certificate store.
• Certificate Store: specifies which type of credentials are used for
authentication, e.g. a student user ID
• Advanced: 802.1X Timing
• Advanced: Single Sign-On
• Advanced: PEAP

Fundamentally, operating systems organize the configuration of network settings,
software settings, proxies, etc. very differently. Cloudpath allows the administrator to
set OS-specific policies for how these platforms behave while on the wireless LAN.

• Certificate Settings – contain requirements for trusted intermediate and trusted root
certificate authorities. User or machine certificates can be specified.
• NAC Settings - contain plug-ins and requirements for third-party NAC service
provider integrations. Additionally, there are options to require OS-specific service
packs, hotfixes, and firewall settings for the OS being administered.
• Software Settings - define what software and services must be running on specified
operating systems to onboard. They additionally contain policy requirements for
administrators to require third-party software package installation. Note that if a software
package is required, this negates zero-IT onboarding and requires the user to
configure an additional software package.
• Proxy Settings - automatically configure the OS browser proxy and can block use
of proxy bypass.
• General Settings – vary greatly by operating system and offer opportunities to refine
security posture.
• Examples of this are disabling device tethering and wired NICs while
on the WLAN. These settings prohibit users from bridging potentially
noncompliant devices onto the network.

1. NAC sets policy at the ______________ layer while MDM sets policy for
______________ OS settings. (Answer: Network - Device)

2. Cloudpath NAC and MDM lite settings are not ______________ after
enrollment or onboarding. (Answer: lite or persistent)

3. Screen lock is an example of a ______________ setting while firewall settings are
______________ settings. (Answer: MDM - NAC)

4. Cloudpath can set policy to allow a device on the network based on OS version.
True or False? (Answer: True)

Cloudpath Admin 200 Advanced Workflow

Regex expressions can be used to provide an inclusion mask in fields where
multiple options have common characters.

Example: the MAC Registration option allows an SSID regex expression, so that
many closely named SSIDs can be included with one expression.

The purpose of Regex within Cloudpath ES is to validate or extract the data or
strings being entered or captured. If we request a US-based phone number or
email, it should be of a specific format and use specific characters. We do not want
to accept letters in a US-based phone number or the # symbol replacing the @ symbol
in an email. The string for a US-based phone number should also be a certain length
of numeric characters (depending on whether the area code is included). Think of
Regex as character validation instead of data validation: we cannot check
whether the phone number is working or the email address is assigned to someone,
but we do want to make sure the characters are correct. Understanding how to read
and create a Regex is beyond the scope of this course, but there are numerous
resources to understand and generate Regex. We recommend using some form
of web search or Regex calculator to ensure you have the best Regex for your
matching variables.

A good reference for Regex characters is located at the following MSDN link:
https://msdn.microsoft.com/en-us/library/az24scfc(d=printer,v=vs.110).aspx

Great free Regex tools to help learn and find examples are located at:
http://regexr.com/ and http://regexlib.com/

Adding RegEx to fields in Cloudpath causes user input to follow a consistent
pattern. The user's entry can be validated against a regular expression
(RegEx), verifying that the entry conforms to the expected values. The user is
prompted to correct the entry if it does not meet the expression established for
the entry field. This process provides uniformity along with additional
safeguards.

Ensuring that users enter information in a consistent and correct format
makes it possible to filter workflow options based on the pattern in which the data
was entered. The RegEx expression can be used not only to validate the data
format but also when filtering workflows or branches.

Example: if a field asking for an email address has a RegEx expression that
validates a specific domain name, only users with a valid email for that domain
name can move forward in the workflow.

Variables associate a variable name with its value field. This
information is stored in an enrollment record within Cloudpath for audit and data
collection, as well as to populate the client certificate (for example, with the username).

Variable Types: Standard system variables are collected; custom
variables can be collected as well by placing the user prompt plug-in within the
workflow.
System and custom variables: If you use the USERNAME variable in a data
prompt, and the data prompt follows the AD prompt in the workflow, the data
prompt username value can overwrite the AD username value in the client
certificate. The ES uses the last known username value prior to issuing the
certificate.
Filtering: Additionally, variables collected can be used to further filter workflow
options that are displayed to the user, such as split options within the workflow.
Cloudpath also supports Device-based, Location-based, Web authentication, and
Voucher List filters. If criteria are specified within these sections, only users meeting
the criteria will have access to this plugin option. When using these variables for
filtering, enter only the variable name instead of the validation expression.
Example: enter USERNAME, not '${USERNAME}'

All user entries are collected within the enrollment record. Filtering of branches,
however, is based on the last entry.
Example: a user enters their company email, and a later step in the branch asks
the user to OAuth to Facebook, which collects the user's email address. The
email address used to filter any following splits will be the one collected from the
Facebook OAuth entry.

The Prompt User plug-in provides customizable input fields and a label value to
associate with each. This variable label does not have to be preconfigured in the
variables to be used in the variable name field. Regex values can be used for
these fields as well, to validate user input and ensure it is properly formatted and
legitimate.

These variables collected from users can also be exported and used for network
planning and security audits or, if authorized, added to marketing or contact
databases.

Formatting of these fields can play an important role, especially if later in the workflow
they are used to filter data or affect the user experience. With Regex
validation the field values will be consistent for both input and filtering.

The phone number field provides a text label “phone number”, the variable label and
a regex expression for formatting.

User input values are stored in the enrollment record and can be used as filter
values, for auditing or for data collection.

Up to 7 variable fields are supported within CP, allowing for a variety of data to be
collected. Inputs such as a driver's license or home address provide the ability to
validate or create a trail of the users requesting access to the network. Values
such as a driver’s license could also be used for data retention and
possible user validation.

This information is persistent even for incomplete or abandoned enrollments,
allowing for a complete picture of the user experience. Many incomplete records
could indicate that the workflow is not clear enough to users, prompting a
review of the flow. Many attempts could also indicate security breach
behavior.
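The two readings of incomplete enrollment records described above (an unclear branch versus one device churning through the workflow) can be separated when the records are exported. The following is an added example, not code from the student guide or from Cloudpath: the CSV column names and sample rows are constructed, and the thresholds are assumptions to be tuned for a real deployment.

```python
"""Added example (not from the Cloudpath student guide): read a constructed export of
enrollment records and separate a workflow-clarity problem from a burst of attempts."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSV export. The column names are assumptions; a real Cloudpath export
# carries more columns, but the values used here (record ID, onboarding timestamp,
# MAC, branch selected) are ones the guide says an enrollment record holds.
SAMPLE_EXPORT = """\
record_id,onboarding_timestamp,mac,identity,os,branch,status
1001,2017-08-14 09:00:12,00:11:22:33:44:01,alice@example.com,Windows,Employee BYOD,Complete
1002,2017-08-14 09:05:40,00:11:22:33:44:02,,Android,Guest,Abandoned
1003,2017-08-14 09:10:03,00:11:22:33:44:03,,Android,Guest,Abandoned
1004,2017-08-14 09:12:18,00:11:22:33:44:03,,Android,Guest,Abandoned
1005,2017-08-14 09:13:55,00:11:22:33:44:03,,Android,Guest,Abandoned
1006,2017-08-14 09:15:30,00:11:22:33:44:03,,Android,Guest,Abandoned
1007,2017-08-14 10:00:00,00:11:22:33:44:04,bob@example.net,iOS,Guest,Complete
1008,2017-08-14 08:00:00,00:11:22:33:44:05,,Windows,Guest,Abandoned
1009,2017-08-14 12:00:00,00:11:22:33:44:05,,Windows,Guest,Abandoned
"""


def load_records(text):
    """Parse the export; timestamps become datetime objects for window arithmetic."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["onboarding_timestamp"] = datetime.strptime(
            r["onboarding_timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows


def abandon_rate_by_branch(records):
    """Share of enrollments per branch that never completed. A high rate on one
    branch points at an unclear step in that branch rather than at one device."""
    totals, incomplete = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r["branch"]] += 1
        if r["status"] != "Complete":
            incomplete[r["branch"]] += 1
    return {b: incomplete[b] / totals[b] for b in totals}


def repeat_incomplete_devices(records, threshold=3, window_minutes=30):
    """MACs with at least `threshold` incomplete enrollments inside any span of
    `window_minutes`. Returns {mac: largest count seen in one window}; a single
    device cycling this fast is the case the guide says deserves a closer look."""
    window = timedelta(minutes=window_minutes)
    by_mac = defaultdict(list)
    for r in records:
        if r["status"] != "Complete":
            by_mac[r["mac"]].append(r["onboarding_timestamp"])
    flagged = {}
    for mac, times in by_mac.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):   # two-pointer sliding window
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[mac] = best
    return flagged


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    print(abandon_rate_by_branch(recs))     # the Guest branch is abandoned far more often
    print(repeat_incomplete_devices(recs))  # {'00:11:22:33:44:03': 4}
```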


Each branch option within the Split-users plugin can be filtered using matching or
not-matching criteria. These filter patterns affect the display of the option to
the user based on information they have entered or what was gathered from their
connection. This information is collected in their enrollment record and retained
for future filtering options. Common words such as a domain name, along with
regex expressions, can be used within the fields, providing partial matching of
expressions and thereby a broad collection of slightly different entries.

This is very useful when filtering on a common email domain name, etc.

User information gathered and placed within their enrollment record can be used
to filter certain branches that might be available to them during their onboarding
process.

Within a given field we have two options, match or does not match. In this
example we are using email criteria expressed as a Regex expression. As a
result, each email address matching this filter will allow this split option to be
visible to the user during their onboarding experience.

Additional “filters” can be placed in other fields, such as Operating System, for
even further filtering of branch options. This is useful if you want to separate
mobile devices from laptops, etc. This type of limiting on branches also provides
another level of security by ensuring the user selects the proper branches to
follow, or is not even presented with certain options. The current release limits which
fields can be used for filtering branches; however, this option continues to
expand.

Filtering can be utilized in many ways (Match/Not Match):

Users whose email address does not match the regex value could be presented
with additional choices or even a display message that explains the network is
available to employees only.
Others that match the value will be offered additional branch flows within the
onboarding process.

These tools also help to limit how much of the onboarding process information is
exposed to possible hackers.

Don’t forget to mention in the example: filtering against multiple
emails can be accomplished using a vertical pipe (|) separator
between email formats, allowing multiple entry types to be used.

Any user whose email does not match the regex expression will have
this option displayed. Users whose email the expression matches, however,
will not have the option to choose from.

Filtering provides further control over the user experience and ensures that
devices are properly configured. In this illustration, filtering is used
to ensure that employees do not register their devices using the guest user option
but instead use other options such as Employee BYOD; this is accomplished by not
displaying the guest user option to them.
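The following Python script is an added example, not code from the student guide or from Cloudpath, covering the two uses of regular expressions in this module: character validation of a prompt field (a US phone number and an email address, as discussed at the start of the module) and Split-users branch filtering with match / does not match criteria, including the vertical pipe separator for several email domains and the employee/guest split just described. The field patterns, branch names, variable names and enrollment record values are all constructed for the example.

```python
"""Added example (not from the Cloudpath student guide): regex validation of
prompt fields and match / does-not-match filtering of Split-users branches."""
import re

# Constructed field patterns (assumptions, not Cloudpath defaults).
# US phone number: optional 3-digit area code, then 7 digits, separators optional.
US_PHONE_RE = re.compile(r"(?:\(?\d{3}\)?[\s.-]?)?\d{3}[\s.-]?\d{4}")
# Email: local part, exactly one '@', dotted domain. This is character validation
# only; it cannot tell whether the mailbox exists, as the guide points out.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_entry(value, pattern):
    """Prompt-field validation: the whole (trimmed) entry must fit the pattern.
    False is the case in which the user is prompted to correct the entry."""
    return pattern.fullmatch(value.strip()) is not None


# Branch filter criteria: (enrollment variable, regex, True = "match" / False = "does not match").
# Variable names are written bare (EMAIL, not ${EMAIL}), as the guide notes for filter fields.
# The vertical pipe lets one expression accept several company email domains.
EMPLOYEE_EMAIL = r"@(example\.com|example\.org)$"
MOBILE_OS = r"^(Android|iOS)$"

BRANCHES = [
    # Employees see BYOD; employees on a mobile OS additionally see the mobile branch.
    ("Employee BYOD", [("EMAIL", EMPLOYEE_EMAIL, True)]),
    ("Employee Mobile", [("EMAIL", EMPLOYEE_EMAIL, True), ("OS", MOBILE_OS, True)]),
    # "Does not match" hides the guest option from anyone with a company address.
    ("Guest", [("EMAIL", EMPLOYEE_EMAIL, False)]),
]


def filter_allows(record, variable, regex, must_match):
    """One filter line: compare the variable's last recorded value against the regex."""
    value = record.get(variable, "")
    matched = re.search(regex, value, re.IGNORECASE) is not None
    return matched if must_match else not matched


def visible_branches(record, branches=BRANCHES):
    """Names of the Split-users options shown to this user; every filter of a branch must pass."""
    return [name for name, filters in branches
            if all(filter_allows(record, v, r, m) for v, r, m in filters)]


def record_entry(record, variable, value, pattern=None):
    """Store a prompt entry in the enrollment record. A later step that collects the
    same variable (for example an OAuth login) overwrites it, so filtering sees the
    last value, which is the behaviour the guide describes."""
    if pattern is not None and not validate_entry(value, pattern):
        return False
    record[variable] = value.strip()
    return True


if __name__ == "__main__":
    rec = {"OS": "iOS"}  # constructed enrollment record for a walk-through
    assert not record_entry(rec, "PHONE", "303-555-01AB", US_PHONE_RE)
    assert record_entry(rec, "PHONE", "(303) 555-0100", US_PHONE_RE)
    record_entry(rec, "EMAIL", "alice@example.com", EMAIL_RE)
    print(visible_branches(rec))  # ['Employee BYOD', 'Employee Mobile']
```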

User-based filtering can include AD group authentication or LDAP distinguished
name values, and email address domains or patterns. Device-based filtering can
include OS or User-agent options, which allow for browser and operating
system combination filtering, along with the language setting on the device and
inclusion/exclusion of MAC registration lists. Location-based filtering allows the
identification of IP subnets or "location” parameters included in WLAN controller
redirects. Issued-certificate filtering is based on Common Name, issuer or template
patterns, along with certificate expiration dates. Example: this feature would allow
a branch to be displayed only for users that have expiring certificates that need to
be renewed. Finally, voucher list names can be used as well to filter a branch from
being displayed based on list membership. As mentioned before, these filters can
be independent or combined, allowing for complex workflows based on the
environment's needs.

Cloudpath provides the ability to filter an option based on user values such as
email or domain name; on devices, along with the OS they are running and the
User-agent pattern, which includes the browser along with the OS version being
used; and on location, allowing IP addresses to be identified and filtered based
on their value. There are other filter criteria that can be used beyond
these options. Details of these additional filtering options can be found in the
Cloudpath documentation.

Many user-agent string values can be found on the web, such as at:
http://www.useragentstring.com/pages/useragentstring.php

The ability to check new enrollments for the required parameters can
be enforced under the properties of a workflow. As users are redirected to the
onboarding URL, the identified parameters can be checked and enforced before
the user is offered the option to onboard. As a result, a user not meeting the required
information will be directed to a page that can provide information or further
instruction on how to onboard their device. This

Devices can be authenticated not only over Wi-Fi connections but also as hardwired
802.1X supplicant devices. Switch ports can be enabled for 802.1X
authentication using the Cloudpath onboarding certificate. This allows one
onboarding event per user to provide versatile connections depending on the
client's needs. Because certificate templates also provide dynamic VLAN and ACL
assignments, user privileges are consistent regardless of the type of
connection. Centralized control of network access (wireless/wired) provides easy
deployment and maintenance for all connected devices. Added features such as
Change of Authorization (CoA) can also be utilized on wired solutions, providing full control of
connected devices regardless of their connection type.

EAP options include:

• EAP-TLS - Authenticates clients by client certificate and the RADIUS server by
server certificate.
• PEAP/MSCHAPv2 - Authenticates clients by weakly-hashed password and the
RADIUS server by server certificate.
• EAP-SIM [Limited OS Support] - Authenticates clients by the SIM card installed
on the mobile device.
• EAP-AKA [Limited OS Support] - Authenticates clients by the SIM card installed
on the mobile device.
• EAP-AKA' (Prime) [Limited OS Support] - Authenticates clients by the SIM card
installed on the mobile device.

Below is a sample configuration of an ICX switch providing 802.1X supplicant
authentication on its edge ports 1/1/2 to 1/1/10.

ICX(config)# aaa authentication dot1x default radius
ICX(config)# aaa authorization coa enable
ICX(config)# aaa accounting dot1x default start-stop radius
ICX(config)# radius-server host 10.157.22.99 auth-port 1812 acct-port 1813 default key <key> dot1x

ICX(config)# dot1x enable
ICX(config-dot1x)# dot1x enable ethe 1/1/2 to 1/1/10
ICX(config-dot1x)# dot1x timeout tx-period 10
ICX(config-dot1x)# dot1x timeout quiet-period 10
ICX(config-dot1x)# dot1x timeout supplicant 10

Cloudpath Admin 200 Workflow Notifications & Events

This module introduces students to the different aspects of the Cloudpath
enrollment system: Notifications, Event Logs, and Automating Event Reports.

Notifications may use a variety of variables based on information gathered in
previous steps of the workflow. Variables are used in the format
${VARIABLE_NAME}. Review an existing enrollment for available variables
and their corresponding values.

ES automatically generates Enrollment messages containing:

• Cloudpath Device Configuration
• Onboarding time stamp
• Enrollment Record ID
• Workflow: Workflow Assistance ID, Branch Selected
• User: full name, identity, domain name
• Device: OS, name, browser, WLAN, NIC, MAC, manufacturer, model,
language

The Notifications tab allows you to review emails and SMS messages, event logs,
and schedule reports.

The Notifications table displays email and SMS notifications that have been sent
by the system. The system logs email and SMS notifications sent for sponsors,
messages for vouchers, network access, and certificate issuance or revocation.

The table can be exported to CSV or XLS, filtered, or cleared. The default retention
rule is 30 days from time of creation.

Note: Best practice is to set logging to match your company’s data retention
policy.
Retention rules can be changed in Administration > Data Cleanup > Cleanup
Thresholds > Notifications

Notifications log (Dashboard > Notifications > Notification)

The Notifications section of the dashboard contains information on:

Notifications
Events
Scheduled Reports

Best practice is to insert notifications as the last step in the workflow.

The following screen gives the administrator the option of:

• A new notification configuration
• An existing notification configuration (if any are configured)

The methods to send notification:

• Send user an email (preferred) or SMS - If an email address is
associated with the certificate, the notification will be sent by email only. If
not, the notification will be sent by SMS if a phone number is available.
• Send user an SMS (preferred) or email - If a phone number is associated
with the certificate, the notification will be sent by SMS only. If not, the
notification will be sent by email if an email address is available.
• Send user an email and SMS - The notification will be sent by both email
address and SMS. If both an email address and a phone number are
associated with the certificate, the user will receive duplicate notifications.
• Send user an email - If an email address is associated with the certificate,
the notification will be sent by email only. SMS will not be attempted.
• Send user an SMS - If a phone number is associated with the certificate,
the notification will be sent by SMS only. Email will not be attempted.
• Send administrator an email - Sends an email to the address specified.
• Call a URL (REST API) - Calls a URL on an external web server.
• Log an event - Logs an event. If syslog is configured in the system, this
will be sent to syslog.

A Certificate Template defines the properties embedded into a certificate when it
is issued. Some properties are static and remain the same for every certificate.
Other properties are calculated or use variables, allowing them to differ per
certificate based on the user and/or their device.

Revision 0817 12 - 9
Cloudpath Admin 200 Workflow Notifications & Events

The Events log (Dashboard > Notifications > Events) displays all system
events, such as account logins, enrollments, acceptance of AUPs,
registrations, certificate issuance, errors, account updates and snapshot
creation. You can filter and clear events in the log.

Revision 0817 12 - 10
Cloudpath Admin 200 Workflow Notifications & Events

The Events log (Dashboard > Notifications > Events) displays all system
events. Event log entries are categorized by Event Type, Level, Tracking ID,
Message and Timestamp, and can be filtered using the controls above the field types.

Event Logs contain:

• Account logins
• Enrollments
• Acceptance of AUPs
• Registrations
• Certificate issuance
• Errors
• Account updates
• Snapshot creation

Revision 0817 12 - 11
Cloudpath Admin 200 Workflow Notifications & Events

Under Dashboard > Notifications > Schedule Reports, administrators can
automate email reports on a daily, weekly, two-week, or monthly basis, sent to an
email address or distribution list. This is useful in tracking expired or revoked
certificates.

Revision 0817 12 - 12
Cloudpath Admin 200 Workflow Notifications & Events

1. What is the default retention time for events in the log? (Answer: 30 days)

2. Which workflow plug-in is required to log an enrollment event? (Answer:
Notification Plugin)

3. Where are the logs for enrollment records found? (Answer: Dashboard >
Notifications > Notifications)

Revision 0817 12 - 13
Cloudpath Admin 200 Workflow Notifications & Events

Revision 0817 12 - 14
Cloudpath Admin 200 Workflow Notifications & Events

Revision 0817 12 - 15
Cloudpath Admin 200 Workflow Notifications & Events

Revision 0817 12 - 16
Cloudpath Admin 200 Updating Cloudpath

There are separate upgrade paths for Cloudpath Hosted vs. Cloudpath On-Premise
local VM platforms. For each of these upgrade paths there are minor and
major updates that will need to be performed to keep the ES up to date.

Registered administrators are notified via email when a wizard update is available
for the Cloud Tenant.

• Minor upgrades can be completed by the cloud tenant administrator in place on
the tenant VM via the update wizard.
• Minor updates require a Cloudpath Snapshot and may disrupt service.
• Refer to the release notes prior to upgrading a version for potential impact and
update instructions for the wizard.
• The release notes will contain any changes regarding WLAN devices supported.

Customers with cloud deployments do not perform any actions for the upgrade of
ES.

• Registered administrators are notified via email several days before a
scheduled system software update where potential downtime may occur.
• The update window is typically on a Saturday between 9-11PM MDT to
minimize user disruption.
• Depending on changes to the system/wizard, it may trigger new workflow
snapshots to be created automatically.
• The next time the administrator goes to create a workflow snapshot, they will be
informed that a new wizard version is available.
• Note: always check the Cloudpath Version when creating a new
Workflow Snapshot to avoid unintentional upgrades.
• Registered administrators are also notified via email when a wizard update is
available.

Administrators will receive an email notification when minor or major updates are
available. Administrators can also manually check for new updates to the system
software/wizard under Administration > System > System Updates.

• It is recommended to take a VMware Snapshot before updating the system.
• If the on-site VM does not have internet access, administrators will be unable
to check for updates and will be unable to create new snapshots.

Minor Updates using ES Wizard

• The Wizard is the ES application provided to automate the Minor Update
process.
• Upgrades are not a part of daily operations, as they can disrupt users
onboarding via a workflow during the upgrade.
• Minor upgrades should be treated as a maintenance event.
• Minor Updates should be lab tested, as they can change the way clients
onboard to ES.

Note: When taking an ES Snapshot for reasons other than upgrading, always check
the Wizard version to avoid making an unscheduled or unintended Minor Upgrade.

For Major Upgrades, begin by following the steps in Module 5, with the exception of
assigning the new VM a temporary IP, in the same subnet, that is accessible to
both the Internet and the old VM containing the OVA being upgraded. Make sure
that the new VM and old VM can ping each other’s IP.

Single VM Tenant Major Upgrade

1. Download the new OVA.
2. Create a new Virtual Machine instance with the new OVA using the steps in
Module 5, with a new DNS {Host Name}, and assign a temporary IP address
for access.
3. From the new Virtual Machine's SSH console command line, type the
command maintenance cannibalize {Host Name}, where {Host Name} is the DNS host
name of the old OVA being upgraded. This process imports all configuration of the old
VM host into the new VM and OVA.
4. Shut down the old version VM host.

1. What are the two main types of upgrades? (Answer: Minor and Major)

2. Which deployment type requires a manual update process? (Answer: Cloud
and Local hosted)

3. What should an administrator “take” before performing an upgrade? (Answer:
Snapshot)

4. When doing a major update for a locally deployed VM, the new OVA and VM
must be in the same? (Answer: Subnet)

Cloudpath Admin 200 Server Clustering

Cloudpath supports replication between two servers as Master-Master, or
between servers in a Star Topology. When using replication in Cloudpath, the
data is pushed from one server to the other server(s). Replication between two
servers allows two master servers to replicate, with both servers being
available for active use. Replication in a star pattern allows 3 or more servers
to replicate, with all servers being available for active use.

In both configurations, all nodes are active and the database is synchronized
to all nodes. A load balancer is required in either a Master-Master or Star
Topology. Cloudpath does not support an active-passive configuration.
With the two-server configuration, the data is pushed from the server on
which replication is configured to the second server. Cloudpath supports an
Active-Active system, but must employ a load balancer. Without a load
balancer in your network setup, the Cloudpath system becomes
Active-Standby.
With the star-pattern configuration, the data is pushed from the hub server (the
server from which replication is configured) to the other server nodes.

Prerequisites
• Set up 2 or more ES virtual appliances with the same version OVA.
• For initial setup, all VMs in the cluster must be able to communicate with the
host and each other to sync. It is best practice to ping all servers from each
other prior to beginning the cluster setup.
• Note: after replication setup is complete, you can restrict
communications if needed. The hub must always be able to see the
spoke nodes, but the nodes can be restricted to only see the hub.
• If the network environment is not using a load balancer, the deployment
URL for the master server becomes the deployment URL for all servers in
the cluster.
• If the network environment is using a load balancer between the Hub and
Spoke or between the Master-Master servers, the system will display a message
when you log in that the URL is a mismatch with the server certificate.
• This message can be suppressed by adding the load balancer URL
to the topology in Administration > Company Info > Vanity URL.

Note: Firewall requirements will be discussed later in this module.

Choose the Virtual Machine ES server to be the Master node. This is the server from
which you set up replication in the ES Admin UI.

1. Choose a topology setup: Replication between two servers or Replication in a
star pattern.
2. The server you are on will be prepopulated. If you are creating a Star topology,
this server will become the Hub server.
3. If nodes are behind NAT, enter the Local (internal) FQDN or Local DNS.
4. Save the configuration.

The Cloudpath ES saves the data from the server node from which replication
was configured, then copies the database to the other server nodes. This can
take a while, depending on the number of server nodes and the size of the
database.

When all processes are complete and display a Success status, click Next to
return to the replication Setup page.
The Setup Status should be in the Completed state and the Status in the Running
state. The ES provides a log file for the replication setup process.


When replication has completed successfully, click the “Next” button to return to the
setup page and validate that the status shows Online.

Cluster Status

• The Replication Servers table on the Status page lists all servers in the cluster.
After setup, all servers should be Enabled (green icon) and ONLINE.
• The Collect Replication Logs button is typically used for troubleshooting. It gathers
the necessary log information and saves it to a tar.gz file, which can be sent to the
support team upon request.
• The Load Balancer button allows the user to enter the URL of any load balancing
device in the topology.
• Click the Details button to view the replication

• Note: When upgrading a cluster, wait for the re-sync to complete each time before
upgrading other nodes.


Cluster replication status is found in Administration > System > Replication > Status.

The Replication Status gives the current state of all nodes in the cluster topology.

Replication States
• Not Setup - The ES server has not been configured for replication.
• Running - Replication has been set up and is currently running.
• Stopped - Replication has been configured but the replication service is not
running.
• Starting: Synchronizing - The ES server was previously stopped or disabled
and is in the process of synchronizing with the master server.
• Offline: Normal - The server is configured for replication, but has been disabled.
• Offline: Error - The server is in an error state and will try to correct the issue.
This can take 5 to 10 minutes. If the server is unable to resolve the issue,
replication should be disabled for troubleshooting.


The firewall ports for clustering are found under Administration > Advanced >
Firewall Requirements. However, these ports are not visible until after the
deployment of replication is complete. After completing replication we will come
back to this setting to establish the firewall rules. The five ports used for replication
are TCP 10000, 10001, 3306, 2112 and 8022 (the last one used for SSH). Changes to
firewall settings are made on the individual ES nodes.

Validate the inbound and outbound firewall settings on the ES servers in the
cluster topology. This information is generated based on the topology configuration.
Changes to firewall settings are made on the individual ES nodes, not on the cluster.
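As an added example (not Cloudpath's own code), the following Python derives the allow-rules a firewall must carry from the cluster topology, using the five replication ports listed above and the prerequisite that the hub reaches every spoke while spokes may see only the hub; it can also probe those rules from the current node. Hostnames are constructed placeholders and the probe is injectable so the logic can be checked offline.

```python
"""Derive and probe the replication firewall rules of a Cloudpath ES cluster.

Added example, not part of the Cloudpath product. Port numbers come from this
module; topology names and hostnames are constructed for illustration.
"""
import socket
from itertools import permutations
from typing import Callable, Iterable, List, Set, Tuple

# TCP ports the module lists for replication; 8022 is the SSH port used by replication.
REPLICATION_PORTS = (10000, 10001, 3306, 2112, 8022)

Rule = Tuple[str, str, int]  # (source node, destination node, TCP port)


def replication_rules(topology: str, nodes: List[str]) -> Set[Rule]:
    """Return every (src, dst, port) a firewall must permit for this topology.

    topology "pair": replication between two servers (both directions).
    topology "star": nodes[0] is the hub; each spoke talks only to the hub, so no
    spoke-to-spoke rule is emitted (spokes may be restricted to see only the hub).
    """
    if len(nodes) < 2:
        raise ValueError("a cluster needs two or more ES nodes")
    if topology == "pair":
        if len(nodes) != 2:
            raise ValueError("pair topology is exactly two servers")
        pairs = list(permutations(nodes, 2))
    elif topology == "star":
        hub, spokes = nodes[0], nodes[1:]
        pairs = [(hub, s) for s in spokes] + [(s, hub) for s in spokes]
    else:
        raise ValueError(f"unknown topology {topology!r}")
    return {(src, dst, port) for src, dst in pairs for port in REPLICATION_PORTS}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: a plain TCP connect, used when this file is run as a script."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def missing_rules(rules: Iterable[Rule], probe: Callable[[str, int], bool],
                  this_node: str) -> List[Rule]:
    """Probe each rule whose source is this node; return the ones that fail."""
    return sorted(r for r in rules if r[0] == this_node and not probe(r[1], r[2]))


if __name__ == "__main__":
    # Constructed three-node star; the first entry is the hub.
    cluster = ["es-hub.example.internal", "es-spoke1.example.internal",
               "es-spoke2.example.internal"]
    rules = replication_rules("star", cluster)
    for src, dst, port in sorted(rules):
        print(f"allow tcp {src} -> {dst}:{port}")
    print("unreachable from hub:", missing_rules(rules, tcp_open, cluster[0]))
```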


Adding an ES VM to a Cluster

• When performing the initial ES configuration of a new VM node deployment,
select the “Add-On Server for Cluster” option and follow the prompts.
• If a new ES is built but not added to an existing cluster during setup, the
existing server cluster must be un-clustered to add it or make changes.

• Best Practice: Plan out all instances of Cloudpath in the topology to avoid
rework and un-clustering.


Cluster Topology Changes

To make topology changes, such as adding another server (when the cluster is built
and a new ES was not added on initial setup) or replacing an inoperable server in
the cluster, you must take down the cluster configuration and rebuild it with the
new servers.

• Go to Administration > System > Replication and click Remove Cluster in the
Maintenance section.
• Removing the cluster deletes the replication functionality from all ES nodes and
leaves the individual ES functions in their current state.


1. Which topology is recommended for multi-site and/or high capacity
deployments? (Answer: star)

2. How many times should you change a cluster node’s FQDN? (Answer: 0)

3. After setup, all nodes should have what kind of icon in the status chart?
(Answer: Green Enabled Icon)

Cloudpath Admin 200 Basic Troubleshooting


Troubles in an ES deployment can be divided into 3 major categories:

System Issues
• Usually found in initial system setup.
• Related to the Cloudpath on-premise virtual appliance or the web-based
application.
• Typically reproducible and client agnostic.
• Example issues are initial system setup, certificate installation, VM setup,
snapshots, or a specific feature not working as expected.
Network Issues
• Usually found in the ES server's required connections, i.e. RADIUS, AAA service
or web server, or in connections to clients.
• The Cloudpath ES communicates with the Cloudpath License Server for
network and licensing information.
• ES must be able to communicate to xpc.cloudpath.net (72.181.151.75) over
TCP ports 80/443 for HTTP/HTTPS. Connectivity issues can be the cause
of authentication problems.
Client-Related Issues
• The most common issues an administrator will encounter, given the diverse
types of devices connecting to the WLAN and the lack of control over BYOD
end user configurations.
• Example: a particular device or group of devices (such as Android devices)
cannot connect to the secure network.


The first place to look for System Issues is in the Events Log. The Events log
(Dashboard > Notifications > Events) displays all system events, such as
account logins, enrollments, acceptance of AUPs, registrations, certificate
issuance, errors, account updates, and snapshot creation.
Look for “Error” logs related to the trouble event. If the error is preceded by
ADMIN_ACCESS and SYSTEM_CONFIGURATION consider rolling back to the
previous Snapshot and investigate the system configuration changes.
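The triage rule above, as an added example (not Cloudpath's own code): scan an export of the Events log and, for each Error entry, report whether an admin login followed by a configuration change preceded it within a window, which is the signal to consider a snapshot rollback. The line format and the event lines are constructed for illustration; the real export format is not shown in this module.

```python
"""Events log triage for system issues. Added example, not Cloudpath code.

The categories ADMIN_ACCESS and SYSTEM_CONFIGURATION and the rollback advice
come from the module; the 'date time CATEGORY message' format is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

LOOKBACK = timedelta(minutes=30)  # constructed window; tune to your change cadence


@dataclass
class Event:
    when: datetime
    category: str
    message: str


def parse_events(text: str) -> List[Event]:
    """Parse 'YYYY-MM-DD HH:MM:SS CATEGORY free text' lines, oldest first."""
    events = []
    for line in text.strip().splitlines():
        date, time, category, message = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(f"{date} {time}"), category, message))
    return sorted(events, key=lambda e: e.when)


def triage_errors(events: List[Event], lookback: timedelta = LOOKBACK) -> List[str]:
    """One finding per ERROR event: config-change related, or not."""
    findings = []
    for i, err in enumerate(events):
        if err.category != "ERROR":
            continue
        # Events before this error that fall inside the look-back window.
        window = [e for e in events[:i] if err.when - e.when <= lookback]
        cats = {e.category for e in window}
        if {"ADMIN_ACCESS", "SYSTEM_CONFIGURATION"} <= cats:
            change = next(e for e in reversed(window) if e.category == "SYSTEM_CONFIGURATION")
            findings.append(
                f"{err.when:%H:%M:%S} ERROR after config change at {change.when:%H:%M:%S} "
                f"({change.message}); consider rolling back to the previous snapshot")
        else:
            findings.append(
                f"{err.when:%H:%M:%S} ERROR with no recent admin change; "
                f"treat as a network or client issue: {err.message}")
    return findings


# Constructed sample export (addresses from documentation ranges).
SAMPLE_EVENTS = """\
2017-08-14 08:00:10 SNAPSHOT snapshot 20170814-0800 created
2017-08-14 09:02:41 ADMIN_ACCESS admin logged in from 10.0.0.5
2017-08-14 09:05:12 SYSTEM_CONFIGURATION web server SSL cipher list changed
2017-08-14 09:06:30 ERROR enrollment wizard download failed: TLS handshake error
2017-08-14 11:40:02 ENROLLMENT user jdoe enrolled device android-4.0
2017-08-14 11:41:55 ERROR RADIUS request timed out to 192.0.2.10:14650
"""

if __name__ == "__main__":
    for finding in triage_errors(parse_events(SAMPLE_EVENTS)):
        print(finding)
```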


Cloudpath License Server - Cloudpath communicates with the License Server
for network and licensing information. Cloudpath must be able to communicate
to xpc.cloudpath.net (72.181.151.75) over TCP ports 80/443 for HTTP/HTTPS.
• From the ES virtual machine CLI, validate that the ES can reach the license
server: PING 72.181.151.75
RADIUS Server - The wireless controller must be able to communicate with the
Cloudpath onboard RADIUS server on port 14650.
• From the ES virtual machine CLI, validate that the ES can reach the RADIUS
server.
DNS Issues - To verify that DNS is working:
• Open a Command Prompt and enter the command: nslookup.
• The result should display the eth0 IP address of the Cloudpath virtual
appliance.
OCSP Issues - OCSP provides the ability to revoke certificates. The RADIUS or
NPS server first attempts to validate a client certificate using the Online
Certificate Status Protocol (OCSP). If the OCSP validation is successful, the
validation requirement is satisfied. If this validation fails, the ES attempts to
perform a CRL validation of the user or computer certificate.
Note: If using OCSP affects the performance of your system, you can disable
OCSP and use CRL only.


Web Server
• Note: Only On-Premise accounts can edit Web Server information. Cloud
accounts can only view the Web Server.
• Warning: changes to the Web Server may disrupt user enrollment.
• The component should be running.
• HTTPS can be enabled if it was not previously set up.
• Confirm the Web Server certificate keys.
• The Pencil icon presents options to change Enrollment Session Timeout,
Admin UI Allowed IP/CIDR, SSL Cipher List, SSL Protocols and Strict
Transport Security settings.
• The web service and application can also be restarted as part of
troubleshooting.

Network
• Components should be reviewed to ensure the hostname and IP information
is correct.
• The Diagnostics option provides a tool to view the network diagnostic test
and download the results of that test.


Each system contains rolling logs, which can be reviewed for troubleshooting
purposes.

The Cloudpath system logs all network activity to and from individual components
of the system, including protocols used, whitelists, and packet information.
Debug or download additional logs from each component. All logs can be run in
Normal (default) or Debug (finer, or verbose) mode.
• General Log - The General log is the JBoss server log, i.e. the web application
log files.
• SCEP Log - Logs related to Simple Certificate Enrollment Protocol (SCEP).
The system provides an outward-facing SCEP server interface that allows
SCEP clients, such as iOS, to pull certificates via SCEP.
• OCSP Log - Logs related to Online Certificate Status Protocol (OCSP), which
is used for obtaining the revocation status of an X.509 digital certificate.
• Replication Log - Logs related to the replication setup and operation of ES
Clusters

Note: Cloudpath 5.1 supports Syslog Server integration to offload logging


Walled Gardens are dynamic, as they engage connections to 3rd party services to
streamline the onboarding process. 3rd party URLs added to the ES Walled
Garden exception lists grant WLAN access to social media, vendor store applets
and 3rd party OAuth services for authentication. If users report time-outs in the
onboarding process, ask which onboarding method was used and validate the
exception list URL for that 3rd party service.


When setting up MAC registration, a list of authorized MAC addresses is
maintained on the RADIUS server. If using HTTPS, it is important to have a
certificate on the WLAN controller to avoid encryption or VLAN issues. Requests
from non-802.1X devices attempting to connect to the network are forwarded to
the RADIUS server, where the device is checked against the list of authorized
MAC addresses.
The RADIUS server compares the MAC address and expiration date with existing
user information. If the validity period and expiration period match, the RADIUS
server authorizes the authentication and returns an Access-Accept to the access
point. After the RADIUS server authenticates the device it sends a redirect URL,
which points to the wireless controller for client CoA.
MAC Registration Flow
1. Client connects and is placed in the walled garden.
2. Client is approved using a voucher or other verification.
3. CP registers the client MAC into RADIUS and sends approval (Access-Accept)
back to the Wi-Fi controller.
4. Authorization redirect URL, including POST parameters, is sent to the client.
5. Client is redirected using the Authorization URL and released from the walled
garden (CoA); this is transparent to the client.
6. Client can now access the network.

• Client will not be redirected to the portal as long as the MAC registration is valid.
• Client must be able to communicate with the wireless controller on the
onboarding/guest VLAN.
• Cloudpath will not receive the client MAC address unless the client is redirected
to the captive portal; the client cannot browse directly to the portal.
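The RADIUS-side comparison described above, as an added example that is not Cloudpath's own code: the incoming Calling-Station-Id is normalised (controllers send MAC addresses in several spellings, and a string compare would miss a valid registration), then looked up against the registered MAC and its expiration date to yield Access-Accept or Access-Reject. The registrations and the evaluation time are constructed sample data.

```python
"""MAC registration lookup with address normalisation and expiry.

Added example, not Cloudpath code. Registrations below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, Tuple

# mac -> (username, registration expiry); constructed sample data.
Registrations = Dict[str, Tuple[str, datetime]]

SAMPLE_REGISTRATIONS: Registrations = {
    "aa:bb:cc:dd:ee:01": ("jdoe", datetime(2017, 9, 1)),
    "aa:bb:cc:dd:ee:02": ("asmith", datetime(2017, 8, 1)),  # expired on AUTH_TIME
}
AUTH_TIME = datetime(2017, 8, 14, 12, 0)  # constructed "now" for the sample run


def normalize_mac(raw: str) -> str:
    """Canonical lower-case aa:bb:cc:dd:ee:ff from AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, AABBCCDDEEFF or the colon form; raises on anything else."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(calling_station_id: str, registrations: Registrations,
              now: datetime) -> Tuple[str, str]:
    """Return ('Access-Accept', username) or ('Access-Reject', reason)."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return ("Access-Reject", "malformed Calling-Station-Id")
    entry = registrations.get(mac)
    if entry is None:
        # Unknown device: the controller keeps it in the walled garden / captive portal.
        return ("Access-Reject", "MAC not registered; client stays in the walled garden")
    username, expires = entry
    if now >= expires:
        return ("Access-Reject", f"registration for {username} expired on {expires:%Y-%m-%d}")
    return ("Access-Accept", username)


if __name__ == "__main__":
    for station in ("AA-BB-CC-DD-EE-01", "aabb.ccdd.ee02", "11:22:33:44:55:66", "not-a-mac"):
        print(station, "->", authorize(station, SAMPLE_REGISTRATIONS, AUTH_TIME))
```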


If you are using a Ruckus Smart Zone:

• Log into the controller command line and run the: no encrypt-mac-ip
command.
• Note: You must be in ‘enable’ mode to run this command.


Note: If using the hosted training.cloudapth.net and you wish to use a local AD server,
then the site firewall and NAT rules must allow the inbound authentication access
from the respective source socket (72.18.151.76:389 for LDAP or :636 for LDAP
over SSL).


If the correct firewall ports are not open you will experience issues such as AD
integration failing, snapshots that cannot be created, or the Cloudpath ES being
unable to communicate with your network systems.


Outbound Firewall Rules

• System Rules
  • Retrieve system updates.
  • System interacting with cloud services (licensing, wizards, built-in email,
  etc).
  • Support tunnel for remote assistance. Only necessary when the support
  tunnel is enabled.
  • Support for 3rd party OAuth.
• External CA: System querying certificates from an external CA.
• Authentication Server: Authenticates to the Active Directory server and other 3rd
party user validation services.
• NTP: Performs NTP synchronization.
• RADIUS CoA: Sends CoA to wired/wireless infrastructure (default RADIUS
client).

Inbound Firewall Rules

• Web Interface: Administrator, API, and end-user access to the web interface.
• Onboard CA: OCSP requests coming from external systems.
• SSH: Grants SSH access to the system.
• Onboard RADIUS: Receives RADIUS accounting requests from external
systems.


The availability of the system can be monitored at various layers. At the lowest
layer, the system responds to ICMP pings.

For a local VM deployment, the positive and negative tests can be run from a browser
to the HOSTNAME.


If an issue affects a class of devices or all devices, it is typically either a
misconfiguration or a fault manifested by either the configuration or the type of
OS.
If an issue is specific to an individual device, the local support desk typically
assists the user in resolving the issue.

Examples of specific questions to help narrow the client issues:

• Issue affects all devices regardless of operating system
• Issue affects all Android devices but not Mac or Windows devices
• Issue affects all Android 4.0 devices, but not other versions of Android
• Issue affects some Android 4.0 devices, but not all Android 4.0 devices
• Issue affects this device, but not other similar devices


Cloudpath.log contains the logs related to all configuration and execution of the ES.

Any information (logs, diagnostic information) gathered can be sent to Cloudpath
Support, and a team member can attempt to isolate the issue and implement a fix
or work-around out-of-band.

Device Support Logs

For desktop operating systems using the Wizard, there is a menu option located
at Options > Generate Support File. This generates a text file on the device
desktop that is helpful for diagnosing issues.
On Android, the Menu button provides an option to email the support file.


How to Contact Support for System Issues

When contacting support for system-related issues, be prepared with:

• Login credentials for the web-based Enrollment System Admin UI.
• SSH access and login credentials to the Enrollment System virtual appliance.
• If the issue is network connectivity-related such that SSH access is
unavailable, you should have access to the VMware console.

Additional Resources
http://support.ruckuslwireless.com


1. What are the 3 categories of Cloudpath troubleshooting? (Answer: System,
Network and Client Issues)

2. Cloudpath ES must be able to communicate with what license url? (Answer:
https://xpc.cloudpath.net)

3. Where is Cloudpath.log stored on Windows and Mac? (Answer: Windows =
/temp/cloudpath; Mac = /tmp/cloudpath)

4. Where in the ES GUI can you find technical resources? (Answer:
Support>Documentation)

Cloudpath Admin 200 Eduroam


Eduroam (https://www.eduroam.us/introduction)
eduroam is a “federation” of RADIUS proxies that allows educational institutions'
RADIUS servers to pass user authentications between each other:
• Global network supporting roaming between research and educational
institutions
• eduroam provides a secure 802.1X Wi-Fi SSID for internet access when
clients roam between educational institutes
• Supports EAP-PEAP / TTLS / TLS

Cloudpath
Cloudpath provisions local devices with an eduroam SSID policy certificate.
Visiting users authenticate to their home RADIUS server through Cloudpath RADIUS
and then via the eduroam federation:
• Visiting clients are not onboarded because they have to trust their home RADIUS
server, not the local one
• Local users authenticate to the local service through Cloudpath RADIUS


Local users need not “enter” the eduroam federation.
They can be handled locally by the Home Institution’s RADIUS server.
They are typically provided policies different from those of visiting users
authenticated via the eduroam federation.


A roaming user’s device must be configured to trust their Home Institution’s
RADIUS server, not eduroam’s or the Visited Institution’s.
Some institutions run only an “eduroam” SSID (common in the UK) while others run a
branded SSID + eduroam (more common in the US).


A Visited Institution should not configure devices for a Visiting User. The
configuration is dictated by the user's Home Institution.

eduroam-US is authoritative for the .edu TLD, and handles routing to other TLDs
including those handled by eduroam in Europe (for all European members of the
federation), eduroam in the Asia-Pacific region (including Australia, China, Hong
Kong, Japan, New Zealand, and Taiwan), and Canada. Within the US the
eduroam-US Top-Level RADIUS Server (TLRS) handles routing to .edu member
institutions. (Technical Overview. (n.d.). Retrieved August 11, 2016, from
https://www.eduroam.us/node/10)


The slide is a review of the process and tasks that occur depending on the type of
user and location.


The eduroam federation feature is not enabled by default.

eduroam Configuration Settings:

Organization ID - The organization ID used as a reference within eduroam.
Eduroam IP Address - The IP address of the eduroam federation RADIUS server.
Allowed SSID(s) - A regular expression defining the SSID(s) from which devices
are allowed to authenticate. This only needs to be populated if multiple secure SSIDs
exist and users are only allowed to authenticate from one of them.

eduroam Authentication Attributes: When an authentication is sent to eduroam,
the following attributes will be appended to the returned result. This may be used,
for example, to assign all eduroam users to a VLAN.
VLAN ID - The VLAN ID included in the RADIUS reply for successful
authentications.

Note - When the VLAN ID field is populated, ES sends Tunnel-Type,
Tunnel-Medium-Type, and Tunnel-Private-Group-ID. If your network policy is wireless,
the Tunnel-Type value is VLAN, the Tunnel-Medium-Type value is 802 (this includes
all 802 media plus Ethernet canonical format), and the Tunnel-Private-Group-ID is
the integer that represents the VLAN number to which group members will be
assigned.

Filter ID - The filter ID included in the RADIUS reply for successful
authentications.


Class ID - The class included in the RADIUS reply for successful authentications.
Reauthentication - The re-authentication period, in seconds, included in the
RADIUS reply for successful authentications. If the device stays connected for
longer than this period, the WLAN or switch will require that the device (invisibly to
the user) re-authenticate. In wireless, this causes the encryption keys to be rotated.
Additional Attribute - Clicking the plus (+) sign will allow for additional standard
RADIUS attributes.
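The reply attributes described in the VLAN ID note and in the Filter ID, Class ID and Reauthentication fields, encoded on the wire as an added example (not Cloudpath's own code): Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID follow the tagged format of RFC 2868, Filter-Id, Class and Session-Timeout the plain format of RFC 2865, and a decoder reads them back. The tag value 0 and the sample VLAN, filter and class strings are constructed choices.

```python
"""Encode/decode the RADIUS Access-Accept attributes listed for eduroam users.

Added example, not Cloudpath code. Attribute numbers and the VLAN (13) and
802 (6) values are from RFC 2865/2868; sample values are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

FILTER_ID, CLASS, SESSION_TIMEOUT = 11, 25, 27                           # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81    # RFC 2868
TUNNEL_TYPE_VLAN = 13        # the "VLAN" value the module names
TUNNEL_MEDIUM_IEEE_802 = 6   # the "802" value the module names


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, value: int, tag: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 24-bit value."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def eduroam_reply_attributes(vlan_id: Optional[int] = None, filter_id: Optional[str] = None,
                             class_id: Optional[str] = None, reauth_seconds: Optional[int] = None,
                             tag: int = 0) -> bytes:
    """Attribute bytes for one successful authentication; unset fields are omitted."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    out = b""
    if vlan_id is not None:
        out += _tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
        out += _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
        out += _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    if filter_id is not None:
        out += _avp(FILTER_ID, filter_id.encode("utf-8"))
    if class_id is not None:
        out += _avp(CLASS, class_id.encode("utf-8"))
    if reauth_seconds is not None:
        out += _avp(SESSION_TIMEOUT, struct.pack("!I", reauth_seconds))
    return out


def decode_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of attributes into (type, raw value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def describe(data: bytes) -> Dict[str, object]:
    """Readable view of the attributes this module discusses."""
    view: Dict[str, object] = {}
    for attr_type, value in decode_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if attr_type == TUNNEL_TYPE else "Tunnel-Medium-Type"
            view[name] = int.from_bytes(value[1:], "big")  # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x00..0x1F is a tag; anything larger is part of the string.
            view["Tunnel-Private-Group-ID"] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif attr_type == FILTER_ID:
            view["Filter-Id"] = value.decode()
        elif attr_type == CLASS:
            view["Class"] = value.decode()
        elif attr_type == SESSION_TIMEOUT:
            view["Session-Timeout"] = struct.unpack("!I", value)[0]
    return view


if __name__ == "__main__":
    blob = eduroam_reply_attributes(vlan_id=120, filter_id="eduroam-visitor",
                                    class_id="eduroam", reauth_seconds=3600)
    print(blob.hex())
    print(describe(blob))
```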


Placing the Cloudpath ES on the Internet allows users to easily configure or fix their
device from anywhere in the world at any time of day or night.

Note - eduroam has a statement on their web site about not using Web Portals
for authentication, as they are insecure. This applies only to visiting users and is not
applicable to the onboarding portal for a local user.

Online Production Site example: Drexel University -
https://dragonfly.drexel.edu/version/drexel-eduroam_20160519/


What does eduroam leverage for secure authentication? (Ans: 802.1X)

A visiting student’s authentication request is validated at which RADIUS? (Ans:
Student’s Institution RADIUS or home RADIUS)

Which RADIUS server determines the policy to implement? (Ans: Visiting RADIUS
server)

Where is “eduroam” enabled in the ES GUI? (Ans: Configuration -> Advanced ->
RADIUS Server -> eduroam tab)

Admin 200 Integrating with Microsoft CA


To implement certificate-based authentication on your WPA-2 Enterprise and
802.1X network, through EAP-TLS, you must set up a certificate infrastructure,
which includes a certificate authority (CA) for issuing client certificates. The
Cloudpath ES Integration Module for Microsoft CA allows Cloudpath ES to
request TLS client certificates from your existing Microsoft CA infrastructure.


• Eliminates security and usability problems related to Microsoft’s SCEP (Simple
Certificate Enrollment Protocol) implementation

• Configure a certificate template in ES, pointing it at the Microsoft CA server and
template. Download the resulting ZIP file and expand it on a domain-joined IIS
server

• The DLL acts as an NDES replacement, allowing certificates to be issued to a
user’s account rather than issuing all to SCEP_ADMIN. Optionally, a dedicated
service account may be used

• ES will handle the authorization of the user & device, the installation of the
certificate across most common BYOD and IT devices, and will provide
reporting on the user, device, certificate, and policy


Cloudpath integrates with Microsoft IIS and CA via a DLL referred to as the
Integration Module

While configuring a user’s device, Cloudpath ES prompts the user for credentials.
It then generates a CSR, authenticates to the CA, and sends the CSR to the CA
via the Integration Module. The Integration Module, in coordination with the CA,
authenticates the user and, if valid credentials are provided, signs a certificate for
the user. The characteristics of the certificate generated are dictated by the
certificate template utilized. The certificate is then streamed back to the Cloudpath
Wizard, which installs it and configures the SSID to utilize it.


Download the Cloudpath ES technical guide from the support site for more information:
“Issuing Certificates From a Microsoft CA Configuration Guide”

Note - It is highly recommended that you run the Integration DLL package on a
separate server from the one running the MS CA, i.e. an IIS HTTPS server in the domain.
Note - If you change the MS-CA configuration in the Template, you need to
download and re-install the DLL package.


Example of a completed MS-CA template

The reference name for this certificate template. This is visible to the
administrator only.

1. CA Host Name - The DNS name of the CA server.

2. CA Name - The name of the CA, which appears in the Certificate Authority
console.
Note - The CA Name should be the name of the CA as displayed in the Certificate
Authority snap-in. On Windows, it also displays in the Issued By field when a
certificate is viewed in the CertMgr.

3. Request Attributes - The attributes used when querying the CA. This typically
includes, at a minimum, the certificate template name. For example,
Certificate Template:User.


CA Host Name: The DNS name of the CA server.
CA Name: The name of the CA. This appears in the Certificate Authority
console.
Request Attributes: Includes, at a minimum, the certificate template name.
CA Chain: Provide the CA chain for certificates issued by the remote CA.
Note PEM Format:
The certificates should be concatenated together in PEM format.
Export the MS-CA Root and Intermediate certificates in PEM (Base-64) format.
Concatenate the certs in a text file as illustrated below:
-----BEGIN CERTIFICATE-----
(Your Intermediate MS-CA certificate contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root MS-CA certificate contents)
-----END CERTIFICATE-----
Upload the concatenated file into the “CA Chain” field of the ES Template.
Check the ES Device Configuration under the Trust tab:
Verify the Trusted RADIUS Server(s) > Trusted Common Name matches
that of the Configuration > RADIUS Servers Settings configuration.
Verify the Trusted RADIUS Chain is correct.


• Most commonly, the RADIUS server replies with the username based on the
CN of the certificate, but additional options are available. This username is
used by some WLAN infrastructure as the username displayed within the
WLAN UI. Certificate Common Name (Default): Returns the certificate
common name as the username.

• Alternative Configurations:
  • Enrollment Username: Returns the username from the enrollment
  record as the username.
  • Enrollment Username + Device Name: Returns the username and
  device name from the enrollment record as the username.
  • Certificate Unique ID: Returns the unique ID of the certificate as the
  username. This option provides anonymity but is traceable.
  • Certificate Common Name + ID: Returns the common name of the
  certificate plus the certificate's unique ID as the username.

• Allowed SSID(s): A regular expression defining the SSID(s) from which devices
are allowed to authenticate. This only needs to be populated if multiple secure SSIDs
exist and users are only allowed to authenticate from one of them.


Within a template in Microsoft CA, the behavior for building the Subject Name is
configurable. It is strongly recommended, and the default behavior, that Microsoft
CA builds the CN and SAN automatically (left image).

If you wish to use a custom subject, it must be passed via the CSR and the ES
needs to verify that the CSR has the appropriate values before sending it to
Microsoft CA. The fields below configure the subject of the CSR destined for
Microsoft CA when 'Supply in the request' (right image) is selected in the template.


1. What replaces the MS Network Device Enrollment Service (NDES)? (Answer:
Integration Module DLL)

2. What is best practice regarding IIS and CA server deployment? (Answer:
Install each service on separate servers)

3. Where is the Integration Module DLL installed after the download? (Answer:
IIS Server)

4. Where is the concatenated file information applied in ES setup process?
(Answer: The “CA Chain” field of the ES Certificate MS-CA Template)

Cloudpath Admin 200 Chromebook


Google Management Console - deploy and control users, devices and apps
across a fleet of Chromebooks.

Open Network Configuration (ONC) - format to describe multiple network
configurations for Wi-Fi, Ethernet, Cellular, Bluetooth/WiFi-Direct, and VPN
connections in a single file format, in order to simplify and automate network
configuration for users.

Trusted Platform Module (TPM) - specialized crypto-processor on host systems
that stores encryption keys specific to the host system for hardware
authentication.


Instructions to enable Chrome OS support in a device configuration:

1. On the ES Admin UI, go to Configuration > Advanced > Device
Configurations.
2. Select the device configuration that is to support Chrome OS.
3. On the OS Settings tab page, edit the Chrome setting “Settings from the
Network(s) tab will be applied to these versions:”.
4. Select the Operating System: Chrome check box.
5. Leave the default settings for Validate Server Certificate, and Save.


Chromebook User Experience

Unmanaged devices - the user downloads the ONC file, which contains the
certificate and Wi-Fi settings required to connect to the secure network.

Managed devices - the Cloudpath ES extension, which is configured in the
Chrome Management Console, installs the certificate and network settings into
the TPM as the user or as the device.

Supported Method - this setting controls the installation methods available to end-
users. By default, installation is handled using an ONC file, which can be used by
both unmanaged and managed devices.

• ONC Only - Allows installation using the ONC file only. It can be used for both
unmanaged and managed Chromebooks.
• ONC + User Extension - Allows installation using the ONC file or Chrome
extension. If the extension is used, the certificate is installed as the user.
• ONC + Device Extension - Allows installation using the ONC file or Chrome
extension. If the extension is used, the certificate is installed as the device.
• User Extension Only - Allows installation to the user TPM using only the Chrome
extension.
• Device Extension Only - Allows installation to the device TPM using only the
Chrome extension.
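An added example, not Cloudpath's own code or its generated output: build the kind of ONC profile an unmanaged Chromebook downloads (an EAP-TLS Wi-Fi network plus the client certificate and RADIUS CA it references) and check it before distribution. Field names follow the public Open Network Configuration format as I know it; the SSID, GUIDs and certificate payloads are constructed placeholders. The check flags a dangling certificate reference and a profile that skips server certificate validation, which is what the "Validate Server Certificate" default above protects.

```python
"""Build and sanity-check an ONC profile for EAP-TLS Wi-Fi. Added example, not
Cloudpath code; GUIDs, SSID and certificate payloads are constructed placeholders."""
import json
from typing import Dict, List

CLIENT_CERT_GUID = "{client-cert-1}"   # constructed
RADIUS_CA_GUID = "{radius-ca-1}"       # constructed
NETWORK_GUID = "{wifi-secure-1}"       # constructed


def make_profile(validate_server: bool, ssid: str = "Secure-Example") -> Dict:
    """EAP-TLS Wi-Fi ONC; validate_server=False models a profile with server
    certificate validation turned off (no ServerCARefs, UseSystemCAs false)."""
    eap = {
        "Outer": "EAP-TLS",
        "Identity": "user@example.edu",          # constructed
        "ClientCertType": "Ref",
        "ClientCertRef": CLIENT_CERT_GUID,
        "UseSystemCAs": False,                    # private RADIUS CA, not a public one
    }
    if validate_server:
        eap["ServerCARefs"] = [RADIUS_CA_GUID]
    return {
        "Type": "UnencryptedConfiguration",
        "Certificates": [
            {"GUID": CLIENT_CERT_GUID, "Type": "Client", "PKCS12": "BASE64-PKCS12-PLACEHOLDER"},
            {"GUID": RADIUS_CA_GUID, "Type": "Authority", "X509": "BASE64-DER-PLACEHOLDER"},
        ],
        "NetworkConfigurations": [{
            "GUID": NETWORK_GUID,
            "Name": ssid,
            "Type": "WiFi",
            "WiFi": {"SSID": ssid, "Security": "WPA-EAP", "AutoConnect": True, "EAP": eap},
        }],
    }


def onc_findings(onc: Dict) -> List[str]:
    """Problems found in every Wi-Fi network of the profile; empty means it passed."""
    problems: List[str] = []
    certs = {c.get("GUID"): c for c in onc.get("Certificates", [])}
    for net in onc.get("NetworkConfigurations", []):
        if net.get("Type") != "WiFi":
            continue
        name = net.get("Name") or net.get("GUID", "?")
        wifi = net.get("WiFi", {})
        if wifi.get("Security") != "WPA-EAP":
            problems.append(f"{name}: Security is {wifi.get('Security')!r}, not WPA-EAP")
            continue
        eap = wifi.get("EAP", {})
        if eap.get("Outer") != "EAP-TLS":
            problems.append(f"{name}: Outer is {eap.get('Outer')!r}, expected EAP-TLS")
        if eap.get("ClientCertType") == "Ref":
            ref = eap.get("ClientCertRef")
            if certs.get(ref, {}).get("Type") != "Client":
                problems.append(f"{name}: ClientCertRef {ref!r} does not resolve to a bundled Client certificate")
        else:
            problems.append(f"{name}: ClientCertType {eap.get('ClientCertType')!r}; expected a certificate reference")
        server_refs = eap.get("ServerCARefs", [])
        # With no CA references and system CAs disabled, the device trusts any RADIUS server.
        if not server_refs and eap.get("UseSystemCAs", True) is False:
            problems.append(f"{name}: no ServerCARefs and UseSystemCAs is false, so the RADIUS server certificate is never validated")
        for ref in server_refs:
            if certs.get(ref, {}).get("Type") != "Authority":
                problems.append(f"{name}: ServerCARefs entry {ref!r} does not resolve to a bundled Authority certificate")
    return problems


if __name__ == "__main__":
    print(json.dumps(make_profile(True), indent=2))
    print("weak profile:", onc_findings(make_profile(False)))
```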


Extension Messages
Extension Install Instructions - are displayed to the user if an extension is used to
install the certificate on the device.
Completed Message - appears after the certificate has been successfully installed
using the extension.

Extension – Advanced Behavior
Existing Certificates - the extension may remove existing certificates from the
certificate manager. This can be useful in cleaning up the device.
Completed Message - the app will be notified when the certificate installation is
complete.

App ID to Notify - notifies an app when the certificate installation is complete. This
can be useful if an app is managing the enrollment process for the user.


1. Login to support.ruckuswireless.com

2. Select “Cloudpath Enrollment System (ES)” in the Software Downloads
section

3. Select the “Documents” tab and scroll down to locate and select the below for
downloads:
• Cloudpath_ES 4.3.2861 (GA) Chromebook Config Guide
• Cloudpath_ES 4.3.2861 (GA) Chromebook User Experience Guide


1. What file is utilized to simplify and automate network configuration for
Chromebook users? (Ans: “Open Network Configuration” or ONC file)

2. Where in the ES GUI can you enable or disable Chrome support? (Ans:
Configuration > Advanced > Device Configurations)

3. What is the purpose of the “Cloudpath ES Extension” in managed
Chromebook devices? (Ans: Installs the certificate and network settings into
the TPM)

4. Where can you download technical documents for ES Chromebook
configurations? (Ans: support.ruckuswireless.com)

Cloudpath Admin 200 Cloudpath Multi-Tenant (MSP)


A multi-tenant instance allows you to host multiple customer accounts on your
Cloudpath ES system.

Multi-tenant mode is also known as MSP (Multi-Service Provider) mode.


The Super Admin login screen is illustrated above.

A Super Admin cannot create a workflow or configure RADIUS; only a Tenant admin can.


If a Super Admin switches into a tenant account, they cannot switch back out to
the Super Admin view; they have to log out and log back in.


Multi-tenant is enabled before the initial system setup. Once enabled, the
database structure cannot be reverted back to a single-tenant instance.

If you attempt to enable multi-tenant on a Cloudpath ES system that has gone
through the initial system setup process, the workflow configuration will be lost.

Cloudpath Admin 200 Updating Cloudpath

Multi-Tenant Configuration
The administrator needs to manually initiate a check for new updates to the
system software/wizard under Administration > System > System Updates.

• Registered administrators are notified via email of new system or wizard
updates.
• It is recommended to take a VMware snapshot before updating the system.
• Minor updates are done by the individual Tenant via the normal process.
• Major updates follow the same upgrade path as single-tenant VMs, with
the only difference that the upgrade process begins on the host instance of
Cloudpath when logged into the Super Admin account. Best practice is for
the Multi-Tenant Administrator to advise the individual tenants of a major
upgrade using Cloudpath’s hosted notification process (see slide 5).


1. When should Multi-Tenant be enabled? (Answer: After VM snapshot and
before initial setup)

2. The “Set It & Forget It” account is a ________ level account. (Answer: Tenant)

3. What will happen if Multi-Tenant is enabled after initial setup? (Answer: The
workflow configuration will be lost)
