ArubaOS-Switch MAC Authentication with Device Registration Service Template

For wired devices that do not support strong 802.1X authentication (802.1X is the IEEE standard for port-based network access control; it provides an authentication framework in which a central authority authenticates the user), ClearPass Device Registration offers a prebuilt registration portal for end users. This service type handles device authorization from an ArubaOS-Switch.

To access the ArubaOS-Switch MAC Authentication with Device Registration service template:

1. Navigate to Configuration > Service Templates & Wizards.

2. Select ArubaOS-Switch MAC Authentication with Device Registration. The following page opens:

Figure 1  ArubaOS-Switch MAC Authentication with Device Registration Service Template

General Tab

1. Specify the General tab service template parameters as described in the following table:

Table 1: General Tab Parameters

Parameter

Action/Description

General

Name Prefix

Enter a unique prefix that is appended to services using this template.

Use this to identify the services that use this template.

2. Click Next or select the Wireless Network Settings tab.

Wireless Network Settings

When you select the Wireless Network Settings tab, the following configuration dialog opens:

Figure 2  Wireless Network Settings Configuration Dialog

1. Specify the Wireless Network Settings tab service template parameters as described in the following table:

Table 2: Wireless Network Settings Parameters

Parameter

Action/Description

Wireless Network Settings

Device Name

Specify the name of the device.

IP Address

Enter the IP address of the device. The IP address is automatically populated when you select a NAD (Network Access Device: the device that connects the user to the network, for example, an AP or an Ethernet switch) client.

Vendor Name

The vendor name is set to: Hewlett-Packard-Enterprise.

RADIUS Shared Secret

Enter the RADIUS (Remote Authentication Dial-In User Service, the industry-standard network access protocol for authentication, authorization, and accounting of remote users) shared secret, which must be the same value as set on the wireless controller. The RADIUS shared secret is automatically populated when you select a NAD client.

Enable RADIUS Dynamic Authorization

If RADIUS Dynamic Authorization has not been automatically enabled, select the check box to enable this option.

RADIUS Dynamic Authorization allows dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing the authorizations that apply to a user session.

Dynamic Authorization Port

The access point's UDP (User Datagram Protocol, a stateless member of the TCP/IP protocol family that does not acknowledge receipt of the packets sent) port for Dynamic Authorization must be reachable from your RADIUS server.

The Dynamic Authorization Port is set by default to 3799. This value cannot be changed.

Enable RadSec

To enable RadSec, select the Enable RadSec check box.

When RadSec is enabled, the RADIUS shared secret is populated with a default shared secret named “radsec.”

NOTE: The wireless controller must be configured with the same shared secret.

2. Click Next or select the Device Roles tab.
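The Dynamic Authorization exchange behind the settings above (RFC 5176, UDP port 3799), as an added Python example that is not part of the ClearPass documentation or of any Aruba product code: it builds a Disconnect-Request of the kind a RADIUS server sends to the switch, then checks it the way the switch must before tearing down the session. Both integrity values in the packet are keyed by the RADIUS shared secret, which is why the template requires the same value on both sides. The shared secret, switch address and client MAC are constructed sample values, and the order of the two authenticator computations follows common interoperable implementations.

```python
"""Constructed RFC 5176 Disconnect-Request demo (not vendor code)."""
import hashlib
import hmac
import struct

# RFC 5176 packet code and the RADIUS attribute types used here
DISCONNECT_REQUEST = 40
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20
DYN_AUTH_PORT = 3799  # fixed Dynamic Authorization port from the template


def _attr(attr_type, value):
    """Encode one RADIUS TLV: type, total length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _split_attrs(attrs):
    """Yield (type, value, offset) per TLV; reject malformed lengths."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[pos + 2:pos + alen], pos
        pos += alen


def build_disconnect_request(identifier, secret, calling_station_id, nas_ip):
    """Build a Disconnect-Request for the session identified by its MAC.

    1. Message-Authenticator = HMAC-MD5(secret, packet with the Authenticator
       field and the Message-Authenticator value both zeroed).
    2. Request Authenticator = MD5(Code + ID + Length + 16 zero octets
       + attributes (with the real Message-Authenticator) + secret).
    """
    attrs = _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    ma_offset = len(attrs) + 2  # where the 16-byte MA value will sit
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(attrs))
    zero_auth = b"\x00" * 16
    ma = hmac.new(secret, header + zero_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:ma_offset] + ma + attrs[ma_offset + 16:]
    req_auth = hashlib.md5(header + zero_auth + attrs + secret).digest()
    return header + req_auth + attrs


def verify_disconnect_request(packet, secret):
    """Check a received Disconnect-Request as the switch (NAD) must.

    Returns (ok, reason). Both checks are keyed by the shared secret, so a
    mismatch between server and switch fails here and the request is dropped.
    """
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST:
        return False, "unexpected code %d" % code
    if length != len(packet):
        return False, "length mismatch"
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    zero_auth = b"\x00" * 16
    # Request Authenticator is recomputed over the attributes exactly as received
    expected = hashlib.md5(header + zero_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, req_auth):
        return False, "Request Authenticator mismatch (shared secret differs?)"
    try:
        tlvs = list(_split_attrs(attrs))
    except ValueError as exc:
        return False, str(exc)
    for atype, value, offset in tlvs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False, "bad Message-Authenticator length"
            zeroed = attrs[:offset + 2] + b"\x00" * 16 + attrs[offset + 18:]
            calc = hmac.new(secret, header + zero_auth + zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(calc, value):
                return False, "Message-Authenticator mismatch"
    return True, "ok"


def session_identifiers(packet):
    """Return the Calling-Station-Id (MAC) values a verified request targets."""
    return [v.decode() for t, v, _ in _split_attrs(packet[20:])
            if t == ATTR_CALLING_STATION_ID]


if __name__ == "__main__":
    # Constructed sample values: made-up secret, switch address and client MAC.
    secret = b"example-shared-secret"
    pkt = build_disconnect_request(7, secret, "00-11-22-33-44-55", "192.0.2.10")
    print("%d-byte Disconnect-Request for UDP/%d" % (len(pkt), DYN_AUTH_PORT))
    print(verify_disconnect_request(pkt, secret))           # (True, 'ok')
    print(verify_disconnect_request(pkt, b"wrong-secret"))  # Request Authenticator mismatch
```

The second verification call models the failure this page warns about: with a different shared secret on the switch, the Request Authenticator no longer matches and the disconnect never takes effect, which is the symptom to look for when a session is not torn down after a device is deregistered.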

Device Roles

Define logical device roles (think tags) that allow for dynamic policy construction; for example, Media Player, Printer, Game Console, Building Controls, etc.

When you select the Device Roles tab, the following configuration dialog opens:

Figure 3  Device Roles Configuration Dialog

1. Select one or more existing roles from the drop-down or type in a role name to create a new one.

2. Click Next or select the Enforcement Details tab.

Enforcement Details

The device roles selected in the Device Roles dialog are populated into the new Enforcement policy defined in the Enforcement Details configuration dialog. HPE User Roles are configured on the ArubaOS-Switch.

Figure 4  Enforcement Details Configuration Dialog

1. HPE User Role: For each Device Role, specify the corresponding HPE User Role that is configured on your ArubaOS-Switch.

2. Default HPE User Role: Enter the default HPE User role that is configured on your ArubaOS-Switch.

3. Click Add Service. The ArubaOS-Switch MAC Authentication with Device Registration service is created. You return to the Services page where the new service is now listed.