This article covers a very specific case when you are importing a certificate and private key pair where the private key does not have a password. It does not explain the certificate types or use cases, certificate and key-file file formats or detail the intricacies of PKI.

ClearPass requires certificates in order to operate securely (encrypt/decrypt traffic) and identify itself during RADIUS transactions. The most common certificates you would import are RADIUS, HTTPS and RadSec. There are others but these all require a private key.

ClearPass allows you to import the certificate and private key as two separate files (you can also import them as a combined file). 

It is quite common to receive a private key file that is not protected by a password, whether it be from a public certificate authority or an internal CA service. When you try to import this file pair into ClearPass while leaving the "Private Key Password" field blank you will receive an error:

The error states that the Private Key Password must be specified. The problem is there isn't one to be entered, so it can be confusing how you may proceed.

You can get around this error by entering anything (I haven't exhaustively tested every possible entry) into the Private Key Password field. 

During my first attempt I used "null", which worked. Then I used "asdf" which also worked. A simple, single character entry also appeared to work fine.

When using phone numbers in ClearPass guest self-registration, the system elevates US and UK to the top of the ​country codes selector by default. This isn't always suitable so you may want to change the country codes that are promoted to the top to be more appropriate for your user base.

Generally this will come up when you are building a Guest Self-Registration workflow - but it may be relevant for any page which shows a phone number field in a ClearPass form.

It is possible to edit the settings of the most commonly used visitor_phone Base Field. This should result in an update across all Forms which use this Field.

This can be done from the ClearPass Guest Configuration page.

1. Go to Pages --> Fields
2. Select the visitor_phone field (which is close to the bottom of the list when alphabetically sorted)
3. Click Edit
4. Scroll down to the Preferred Countries property
5. Add the appropriate two character country code or codes (multiple country codes can be entered using a comma between each)
6. Click Save Changes

It is possible to edit this field on a per form basis so that portals and pages can have differing preferred country codes. This may be appropriate for ClearPass deployments that cater to global or multi-national use-cases.

So you've just had a contractor install 173 Access Points! Congrats! But, they haven't taken note of which one is where, nor did you create a table to show them which specific unit belongs in which location. Bummer dude! The problem with not knowing where each AP is is that you can't make finer adjustments of the system and troubleshooting location specific issues can be a nightmare.

There's an app for this problem... Well, maybe an API... 

Aruba Access Points have a function where each Access Point can advertise it's hostname in the beacon. It's still a manual job to go around and find each one with a survey tool or something like Wi-Fi Explorer, but it makes it easier than searching BSSIDs!

To enable this handy feature on an Instant AP (or cluster) you can use the Command Line Interface (CLI). 
Go to the specific WLAN context and use the "advertise-ap-name" command.

If you're using Aruba Central then you can't adjust the AP config via CLI. So you can use the API! For this particular feature (as of the date this is published) there is no specifically targeted API. You can use the AP Configuration API called "Replace AP configuration". With this essentially you are replacing the entire CLI for the Group or Swarm within a group. You can retrieve the existing CLI using "Get AP configuration", make your adjustments to include "advertise-ap-name" in the appropriate locations (for one fo the SSID profiles in the configuration) and then push it back to the AP using "Replace AP configuration".

The specific use of the API is outside of the context of this blog post!
Now go find an installer who documents their work!