Adding a Network Device
To add a network device:
1. Navigate to the > > page. The page opens.
Figure 1 Network Devices Page
2. Click the Add link. The Add Device page opens.
Figure 2 Add Device > Device Dialog
Configure Device Settings
Click the Device tab and configure the parameters as described in Table 1.
Configure RadSec Settings
If you selected the Enable RadSec option on the Device tab, select the RadSec Settings tab and configure the RadSec parameters as described in Table 2. Note that this tab does not appear unless you select the Enable RadSec option.
Figure 3 Add Device > RadSec Settings Tab
Parameter | Action/Description
Source Override IP address | The default value is the IP address or subnet of the device entered in the field on the Device tab. If the NAD (Network Access Device) IP address differs from the source IP address, enter the source IP address or subnet in this field to override the NAD IP with the desired source IP address. Subnets must be written with a slash, not a hyphen. Supported format: 10.2.54/24. Not supported format: 10.2.14.0 24. IPv6 addresses are not allowed in NAD configurations when RadSec is enabled. To use certificate validation rather than source IP validation, set the Source Override IP address to 0.0.0.0/0. Certificate validation gives devices with a valid RadSec client certificate the flexibility to connect from anywhere. If the address is set to 0.0.0.0/0 or ::/0, the following warning message is displayed: "WARNING: Setting the Source Override IP address to 0.0.0.0/0 or ::/0 allows radsec traffic from any device trying to establish connection on the configured radsec port. It is recommended to enable certificate validation when setting the Source Override IP address to 0.0.0.0/0 or ::/0 to allow only authorized devices."
Validate Certificate | If you do not want any validation or authorization checks for this device, select the No Authorization Checks option. To validate the certificate with a common name (CN) or Subject Alternative Name (SAN), select Validate with CN or SAN and enter the following values. Common Name: enter the name associated with this entity; this can be a host name, IP address, or other name. Subject Alternative Name: enter the SAN for the specified Common Name in one of the following formats: email: email_address; IP: x.x.x.x; dns: dns_name; rid: id. For RFC 6614-compliant validation using the issuer distinguished name (DN) and certificate serial number, select RFC Compliant (Serial + Issuer) and enter the following values: Serial Number, Common Name Regex, Subject Alternative Name Regex.
Devices with valid RadSec client certificates can connect from different access points, regardless of location. Devices with public IP addresses assigned by ISPs can establish a RadSec connection with Policy Manager, and Policy Manager does not check the source IP address of a connecting client. Aruba recommends enabling certificate validation so that only authorized devices can create a tunnel: enter 0.0.0.0/0 in the Source IP Override Address field and, in the Validate Certificate field, select Validate with CN or SAN. Otherwise, setting the Source IP Override Address to 0.0.0.0/0 or ::/0 allows RadSec traffic from any device establishing a connection on the configured RadSec port.
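The table describes two independent gates on a RadSec client: where it may connect from (Source Override IP address) and what its certificate must prove (Validate Certificate). The following added example is not ClearPass code; it is a small model written for this page that applies those rules to a constructed client certificate so the interaction is visible, in particular why a 0.0.0.0/0 override combined with No Authorization Checks admits any client that reaches the RadSec port. The dataclass fields, function names, and the string comparison used for the issuer DN are assumptions of this example, and the sample IP addresses, serial number, and DN are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Mode labels are the ones the page uses; the fields and functions below are
# this example's own model, not Policy Manager's internal API.
NO_CHECKS = "No Authorization Checks"
CN_OR_SAN = "Validate with CN or SAN"
RFC_COMPLIANT = "RFC Compliant (Serial + Issuer)"

@dataclass
class RadSecDeviceConfig:
    nad_ip: str                              # IP address entered on the Device tab
    source_override: Optional[str] = None    # Source Override IP address (slash notation)
    validate_mode: str = NO_CHECKS
    common_name: Optional[str] = None        # CN/SAN mode: exact name to match
    san: Optional[str] = None                # CN/SAN mode: "dns: name", "IP: x.x.x.x", ...
    serial_number: Optional[str] = None      # RFC mode: serial from "show cert all"
    issuer_dn: Optional[str] = None          # RFC mode: issuer DN (compared as a string here)
    cn_regex: Optional[str] = None           # RFC mode: optional Common Name Regex
    san_regex: Optional[str] = None          # RFC mode: optional SAN Regex

@dataclass
class ClientCert:                            # fields of the presented client certificate
    subject_cn: str
    sans: List[str]                          # entries in "type: value" form
    serial_number: str
    issuer_dn: str

def parse_source_override(value: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    """Apply the field's format rules: slash notation only, IPv4 only."""
    if value is None or not value.strip():
        return None
    text = value.strip()
    if "/" not in text or "-" in text or " " in text:
        raise ValueError("subnet must be written with a slash, e.g. 10.2.54.0/24")
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4:
        raise ValueError("IPv6 addresses are not allowed in NAD configurations when RadSec is enabled")
    return net

def source_override_error(value: Optional[str]) -> Optional[str]:
    """Return the validation message for a field value, or None if it is acceptable."""
    try:
        parse_source_override(value)
        return None
    except ValueError as exc:
        return str(exc)

def allowed_source(cfg: RadSecDeviceConfig) -> ipaddress.IPv4Network:
    """Default is the NAD IP itself; a Source Override replaces it."""
    return parse_source_override(cfg.source_override) or ipaddress.ip_network(cfg.nad_ip + "/32")

def _norm(s: str) -> str:
    # Compare serials and SAN entries without separators or case differences.
    return s.replace(":", "").replace(" ", "").lower()

def certificate_ok(cfg: RadSecDeviceConfig, cert: ClientCert) -> Tuple[bool, str]:
    """Evaluate the Validate Certificate choice against the presented certificate."""
    if cfg.validate_mode == NO_CHECKS:
        return True, "no certificate authorization checks configured"
    if cfg.validate_mode == CN_OR_SAN:
        if cfg.common_name and cert.subject_cn == cfg.common_name:
            return True, "CN matched"
        if cfg.san and _norm(cfg.san) in (_norm(s) for s in cert.sans):
            return True, "SAN matched"
        return False, "neither CN nor SAN matched"
    if cfg.validate_mode == RFC_COMPLIANT:
        if _norm(cert.serial_number).lstrip("0") != _norm(cfg.serial_number or "").lstrip("0"):
            return False, "serial number mismatch"
        if cert.issuer_dn != cfg.issuer_dn:
            return False, "issuer DN mismatch"
        if cfg.cn_regex and not re.fullmatch(cfg.cn_regex, cert.subject_cn):
            return False, "Common Name Regex did not match"
        if cfg.san_regex and not any(re.fullmatch(cfg.san_regex, s) for s in cert.sans):
            return False, "SAN Regex did not match"
        return True, "serial and issuer matched"
    raise ValueError(f"unknown validation mode: {cfg.validate_mode}")

def admit(cfg: RadSecDeviceConfig, source_ip: str, cert: ClientCert) -> Tuple[bool, str]:
    """Source-IP gate first, then the certificate gate."""
    net = allowed_source(cfg)
    if ipaddress.ip_address(source_ip) not in net:
        return False, f"source {source_ip} is outside {net}"
    return certificate_ok(cfg, cert)

def risk_notes(cfg: RadSecDeviceConfig) -> List[str]:
    """Reproduce the page's warning: wildcard source plus no certificate checks."""
    notes = []
    if allowed_source(cfg).prefixlen == 0:
        notes.append("Source Override 0.0.0.0/0 accepts RadSec connections from any address")
        if cfg.validate_mode == NO_CHECKS:
            notes.append("enable certificate validation so only authorized devices can establish a tunnel")
    return notes
```

With the default configuration (no override, No Authorization Checks) only a connection from the NAD IP itself passes; with 0.0.0.0/0 the source gate passes for everyone and the certificate gate is the only control left, which is why risk_notes reports two findings for that combination and one for 0.0.0.0/0 with RFC Compliant validation.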
RadSec Certification Validation
To configure RadSec settings for RFC compliance (Serial + Issuer):
1. Navigate to Configuration > Network > Devices and select Add. Provide a default configuration for the device and be sure to select the Enable Radsec option to display the required RadSec Settings tab within the Add Device screen.
Figure 4 Add Device > Enable RadSec
2. Select the newly added device from the Network Devices tab. From the RadSec Settings tab, ensure No Authorization Checks is selected from the Validate Certificate drop-down menu.
3. Navigate to Administration > Certificates and select Trust List. From the Certificate Trust List, locate the certificate made available in the output of the access point's show cert all command and enable its Usage as RadSec.
4. Modify the existing network access device (NAD) that was added for Instant AP (IAP) information. From the Edit Device Details > RadSec Settings screen, change the value of the Validate Certificate field to RFC Compliant (Serial + Issuer).
Figure 5 RadSec Settings > Validate Certificate
5. Select the certificate returned by the show cert all command from within the Device Certificate section.
6. In the Serial Number field, enter the serial number displayed in the Device Certificate section and returned by the show cert all command.
7. In the Common Name Regex field, enter the value displayed for the Subject in the Device Certificate section and returned by the show cert all command.
8. Select Enable to confirm saving the updated RadSec-related settings; this re-establishes all existing RadSec sessions. Click Save.
SNMP Read Settings Parameters
Use the SNMP Read Settings tab to define values that allow ClearPass Policy Manager to read information from the device using SNMPv1, SNMPv2, or SNMPv3. Available parameters are described in .
Large or geographically spread cluster deployments typically do not require each Policy Manager node to probe all SNMP-configured devices.
Figure 6 Add Device > SNMP Read Settings Dialog
SNMP Write Settings Parameters
Use the SNMP Write Settings tab to define values that allow Policy Manager to write to (manage) the device using SNMPv1, SNMPv2, or SNMPv3. Available parameters are described in Table 3.
Figure 7 Add Device > SNMP Write Settings Dialog
CLI Settings Parameters
From the > > page, use the CLI Settings tab to enable or disable the CLI (Command-Line Interface), and define user names, passwords, and port settings for accessing the CLI. Available parameters are described in Table 4.
Figure 8 Add Device > CLI Settings Dialog
Enabling OnConnect Enforcement on a Network Device
OnConnect Enforcement is an enforcement model that allows you to use non-802.1X methods for device scans, VLAN placement, and so on. It allows enforcement in non-802.1X environments without the need for an agent (such as OnGuard) on the endpoint.
Assigning a Policy Manager Zone is mandatory for all devices if or is enabled.
When this feature is enabled, Policy Manager performs the following actions:
Detects when a new endpoint connects to the network.
Scans the endpoint to identify the logged-in user and other device-specific information.
Triggers a Web-based authentication (WebAuth) for the device.
Performs SNMP-based enforcement to change the network access profile for the device.
Use the OnConnect Enforcement tab on the > > page to configure the settings described in Table 5.
Figure 9 Add Device > OnConnect Enforcement Dialog
Parameter | Action/Description
Enable | Select this check box to enable OnConnect on the network access device being added.
Port Names | Specify the names and descriptions of the ports to be enabled for OnConnect Enforcement (see the next section for details). You can do so in two ways: click Query Ports, or manually enter port names in the field as a comma-separated list. Only the ports added in the field will have OnConnect Enforcement enabled. For example, when clients connect to any of the listed ports on the specified network device, OnConnect Enforcement is triggered on that network device. An empty string enables OnConnect on all ports. Policy Manager will attempt to determine the uplink or upstream trunk ports; however, it is recommended to explicitly remove those ports.
Query Ports | Click Query Ports to display the list of ports on the current server. Select the ports to use, then click Add to Port Names. The selected port names are added to the list. Only the ports added in the field will have OnConnect Enforcement enabled. This feature requires that you enable the setting on the tab.
Add to Port Names | Once a query displays the list of ports, select the desired ports from the list, then click Add to Port Names. The selected ports are added to the Port Names field.
Attributes Parameters
Use the Attributes tab on the > > page to add custom attributes for this device.
Figure 10 Adding Custom Device Attributes
1. From the Attribute field, click .
By default, the following custom attributes appear in the Attribute drop-down:
Controller ID
Device Type
Device Vendor
Location
OS Version
sysContact
sysLocation
sysName
2. Select one of the default attributes or enter a new attribute. You can enter any name in the Attribute field. All attributes are of string datatype.
3. Specify the attribute's value. You can populate the Value field with any string.
4. Repeat this procedure as necessary.
5. When finished adding custom attributes, click . All attributes entered for a device are available in the role-mapping Rules Editor under the Device namespace.
Modifying a Network Device
To modify a Policy Manager managed network device:
1. Navigate to the > > page. The page opens.
Figure 11 Network Devices Page
2. In the table, click the name of the network device you want to modify. The dialog opens.
Figure 12 Modifying a Network Device
3. Modify any device settings as necessary. For details about all of the Network Device tabs and parameters, refer to the previous section, Adding a Network Device.
If you disable , the shared secret is removed, and you must re-enter the original shared secret.
4. Click .