Configure WLAN and LAN Authentication
This section provides steps to configure ClearPass Policy Manager (CPPM) for authentication and authorization of client devices. ClearPass includes a set of templates to help create services for common use cases. For Orange Widget Logistics (OWL), the fictional customer used in this reference design, service configuration involves templates and manual service creation.
A total of three authentication services are configured in this chapter:
- RADIUS service for 802.1X-enabled wireless SSID CorpNet
- RADIUS service for 802.1X-enabled wired switch ports
- RADIUS service for MAC authentication-enabled switch ports
Some of the services in this guide share components such as Authentication Sources and Network Devices. They are configured once before the individual service configuration instructions to reduce repetitive steps.
Table of contents
- Configure WLAN and LAN Authentication
- Configure Common Components
- Configure Wireless 802.1X Authentication
- Configure Wired Authentication for ArubaOS-CX Switches
Configure Common Components
Authentication services in this guide share common steps. These include:
- Authentication Sources contain the identity store against which user devices are authenticated. In OWL’s design, it includes Active Directory Domain Controllers.
- Network Devices must be configured with the Network Access Device (NAD) information so that ClearPass can accept authentication requests from the switches and gateways in this design.
- Device Groups are optional and can be used within service, role-mapping rules, or enforcement profiles. Administrators configure device groups at the global level. They can contain the members or IP addresses of a specified subnet, regular expression-based variation, or devices previously configured in the Policy Manager database. OWL’s deployment involves using them in the enforcement policy, allowing ClearPass to send different responses based on request origin. For example, if the request is coming from an Aruba switch, ClearPass can return the user role. For requests coming from a non-Aruba switch, ClearPass can return the VLAN Name.
Follow the steps below to add the AD Domain Controllers, NADs, and Device Groups for OWL’s ClearPass cluster.
Add AD Authentication Sources
Follow the steps below to add the two Active Directory Domain Controllers to be queried by the ClearPass cluster.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Add First Domain Controller
Step 3 Go to Configuration > Authentication > Sources and click the +Add link at the upper right.
Step 4 In the General tab, configure the following parameters, then click the Next button.
Name: RSVCP-AD1
Description: Roseville Campus Active Directory Domain Controller 1
Type: Active Directory
Step 5 In the Primary Tab, configure the following parameters.
- Hostname: rsvcp-ad1.owllab.net
- Bind DN: owlservice@owllab.net
- Bind Password: Aruba123!
- Base DN: Click the Search Base DN link to verify that you can access the domain from the LDAP Browser window, then click the Save button in the LDAP Browser window.
- Verify that NetBIOS Domain Name is populated.
- Click the Save button.
Add Second Domain Controller
Continue from the steps above to configure the second AD Domain Controller using the Copy function.
Step 6 Return to the Sources window, click the checkbox next to the new entry for RSVCP-AD1, then click the Copy button at the lower right.
Step 7 Click the newly created Copy_of_RSVCP-AD1 in the Sources list.
Step 8 When the details page appears, update the following, then click the Save button.
- In the General tab:
- Name: RSVCP-AD2
- Description: Roseville Campus Active Directory Domain Controller 2
- In the Primary tab:
- Hostname: rsvcp-ad2.owllab.net
Step 9 With both AD DCs added, proceed to the next section.
Add Network Devices (Authenticators)
Network Devices are configured so ClearPass can accept authentication requests from switches and gateways in this design.
Follow the steps below to add the gateways and switches using the information from the Network Devices (Authenticators) section on the ClearPass Preparation page.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Configuration > Network > Devices, click the Add link at the upper right. Add the first device from the Network Devices table above.
Step 4 After adding the first network device, repeat the step or use the Copy function to add the remaining network devices listed in the previous chapter, then proceed to the next section.
Add Network Device Groups
ClearPass can group devices into Device Groups, which are optional components in service and role-mapping rules. Administrators configure device groups at the global level. They can contain the members or IP addresses of a specified subnet, regular expression-based variation, or devices previously configured in the Policy Manager database. OWL’s new cluster uses the third option with previously configured devices in a list format.
Follow the steps below to create the device groups.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Configuration > Network > Device Groups and click the Add link at the upper right.
Step 4 In the Add New Device Group window, configure the following parameters to add the switches to the list, then click the Save button.
- Name: Switches
- Description: Switch Device Group
- Format: List
- Selected Devices: RSVCP-TEST-AC1, AG3-AC1, AG3-AC2, and AG3-AC4
Note: Press the SHIFT or CTRL key while clicking the list to select multiple devices and move them simultaneously.
Step 5 Repeat steps 3 and 4 to add the Gateway group.
Step 6 When complete, the groups are listed on the Network Device Groups page. They also appear in the Device Groups column on the Network Devices page, as shown below.
Note: The Access Points and an Access Points Group in the image above were created for future use of Bridge mode and Mixed mode SSIDs but do not need to be added in this first phase of OWL’s deployment, which is only using Tunnel Mode.
Step 7 Proceed to the next section.
Configure Wireless 802.1X Authentication
The first service to configure is for the CorpNet WLAN, which serves trusted OWL-owned assets. It authenticates clients against Active Directory (AD) using the EAP-TLS authentication method and uses AD user group memberships to grant different authorization levels.
Note that the workflow for this setup requires creating Role Mapping and Enforcement Policies before adding the actual service.
Configure ClearPass Roles for Role Mapping Policy
Step 1 Go to Configuration > Identity > Roles and click the Add link at the upper right.
Step 2 In the Add New Role window, add the first role by matching the following info, then click the Save button.
- Name: OWL_Employee
Step 3 Repeat the step to add the following new roles:
- OWL_IT-Support
- OWL_IT-Admin
- OWL_Infra-Device
- OWL_LnD-Staff
- OWL_LnD-Student
- OWL_VoIP
- OWL_Printer
- OWL_Guest
- OWL_Contractor
- OWL_Security
- OWL_IoT-Limited
Step 4 When complete, continue to the next section.
Configure Role Mapping Policy
Step 1 Go to Configuration > Identity > Role Mappings and click the Add link at the upper right.
Step 2 In the Role Mappings window, on the Policy tab, configure the following, then click the Next button.
- Policy Name: OWL_RoleMappingPolicy1
- Default Role: [Other]
Step 3 On the Mapping Rules tab, click the Add Rule button and configure the following on the Rules Editor window, then click the Save button.
- Matches: ANY
- Type: Authorization:RSVCP-AD1
- Name: Groups
- Operator: EQUALS
- Value: OWL-Employee
- Role Name: OWL_Employee
Step 4 Repeat the step above until the following mapping rules are entered.
Type | Name | Operator | Value | Role Name |
---|---|---|---|---|
Authorization:RSVCP-AD1 | Groups | EQUALS | OWL-Employee | OWL_Employee |
Authorization:RSVCP-AD1 | Groups | EQUALS | OWL-IT-Admin | OWL_IT-Admin |
Authorization:RSVCP-AD1 | Groups | EQUALS | OWL-IT-Support | OWL_IT-Support |
Authorization:RSVCP-AD1 | Groups | EQUALS | OWL-LnD-Staff | OWL_LnD-Staff |
Authorization:RSVCP-AD1 | Groups | EQUALS | OWL-LnD-Student | OWL_LnD-Student |
Authorization:RSVCP-AD1 | Groups | EQUALS | OWL-Contractor | OWL_Contractor |
Step 5 Verify that the Mapping Rules look like the screenshot below, then click the Save button.
Step 6 Proceed to the next section.
Configure Enforcement Profiles for Enforcement Policy
Follow the steps below to configure the Enforcement Profiles documented in the User Role/Client Role Information table in the Preparing for ClearPass Deployment chapter.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Configuration > Enforcement > Profiles and click the Add link at the upper right.
Step 4 In the Add Enforcement Profile window, match the following settings in the Profile tab, then click the Save button.
- Template: Aruba RADIUS Enforcement
- Name: OWL_Employee
- Description: Return Aruba User Role
- Action: Accept
Step 5 In the Attributes tab, match the following settings, then click the Save icon next to the Value, followed by the Next button.
- Type: Radius:Aruba
- Name: Aruba-User-Role (1)
- Value: EMPLOYEE
Note: Make sure to match the letter case when configuring user roles. Case-sensitive Aruba switches, gateways, and APs ignore the role returned by ClearPass if the case does not match.
Step 6 After the first rule is saved, click the Copy button to create the second rule as follows:
- Click the checkbox next to the newly created OWL_Employee profile
- Click the Copy button
- Click the newly created Copy_of_OWL_Employee profile
Step 7 When the Edit Enforcement Profile page appears, update the following, then click the Save button.
- In the Profile tab:
- Name: OWL_IT-Admin
- In the Attributes tab:
- Value: IT-ADMIN
Step 8 Repeat the steps to create the rest of the profiles in the image above.
Step 9 When the remaining profiles are created, proceed to the next section.
Configure Enforcement Policy
Follow the steps below to configure the Enforcement Policy for the Wireless 802.1X service for CorpNet SSID.
Step 1 Go to Configuration > Enforcement > Policies and click the Add link at the upper right.
Step 2 In the Add Enforcement Policies screen, in the Enforcement tab, configure the following, then click the Next button.
- Name: OWL_802.1X-EnforcementPolicy
- Enforcement Type: RADIUS
- Default Profile: [Deny Access Policy]
Step 3 In the Rules tab, click the Add Rule button. In the Rules Editor window, configure the settings to match the image below, then click the Save button.
Step 4 After the first rule is saved, click the Copy Rule button to create the second rule as follows:
- Select the newly created rule for OWL_Employee
- Click the Copy Rule button
- Select the newly duplicated rule
- Click the Edit Rule button
- Change the Value column of the first rule to OWL_IT-Admin
- Replace the Profile Name with OWL_IT-Admin
- Click the Save button
Step 5 Repeat the last step until the enforcement rules below are created, then click the Save button.
Type | Profile Names |
---|---|
Tips Role equals OWL_Employee AND Tips Role equals [Machine Authenticated] | [RADIUS] OWL_Employee |
Tips Role equals OWL_IT-Admin AND Tips Role equals [Machine Authenticated] | [RADIUS] OWL_IT-Admin |
Tips Role equals OWL_IT-Support AND Tips Role equals [Machine Authenticated] | [RADIUS] OWL_IT-Support |
Tips Role equals OWL_LnD-Staff AND Tips Role equals [Machine Authenticated] | [RADIUS] OWL_LnD-Staff |
Tips Role equals OWL_LnD-Student AND Tips Role equals [Machine Authenticated] | [RADIUS] OWL_LnD-Student |
Tips Role equals OWL_Contractor AND Tips Role equals [Machine Authenticated] | [RADIUS] OWL_Contractor |
Tips Role equals [Machine Authenticated] | [RADIUS] OWL_Machine-Auth |
Step 6 Verify that the Enforcement Policy Rules look like the screenshot below, then click the Save button.
Step 7 When complete, proceed to the next section.
Configure Service
With the enforcement and role mapping policies created, follow the steps below to create the RADIUS service for CorpNet SSID.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Configuration > Services and click the Add link at the upper right.
Step 4 In the new Services window, in the Services tab, configure the following, then click the Next button.
- Type: Aruba 802.1X Wireless
- Name: OWL CorpNet 802.1X Service
- Service Rule List > Rule No. 3:
- Operator column: Change to EQUALS
- Value column: Change to CorpNet
Step 5 In the Authentication tab, configure the following, then click the Next button.
- Authentication Methods:
- [EAP-TLS]
- [EAP PEAP]
- Authentication Sources:
- RSVCP-AD1
- RSVCP-AD2
- Strip Username Rules:
- (Check the box to enable)
- User:@
Step 6 In the Roles tab, select OWL_RoleMappingPolicy1 from the Role Mapping Policy dropdown, then click the Next button.
Step 7 In the Enforcement tab, select OWL_802.1X-EnforcementPolicy from the Enforcement Policy dropdown, then click the Save button.
Step 8 When complete, proceed to the next section.
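To see how the pieces configured in this section fit together, here is an added example written for this page (not ClearPass code) that models the CorpNet authorization path: the User:@ strip rule, OWL_RoleMappingPolicy1, OWL_802.1X-EnforcementPolicy, and the Aruba-User-Role each enforcement profile returns. It assumes ClearPass semantics the page does not spell out: the role mapping policy assigns every matching role and applies the Default Role only when no rule matches; the enforcement policy is evaluated first-applicable from the top; the [Machine Authenticated] Tips role is represented by a hypothetical `machine_authenticated` flag; and the profile values other than EMPLOYEE and IT-ADMIN are assumed to follow the role names configured in Aruba Central. The AD directory contents are constructed.

```python
"""Added example (not ClearPass code): model of the CorpNet 802.1X authorization
flow configured in this section. It covers authorization only; the EAP-TLS/PEAP
credential check that precedes it is out of scope."""

MACHINE_AUTH = "[Machine Authenticated]"   # Tips role ClearPass adds after machine auth
DEFAULT_ROLE = "[Other]"                   # Default Role of OWL_RoleMappingPolicy1
DENY = "[Deny Access Policy]"              # Default Profile of the enforcement policy

# OWL_RoleMappingPolicy1: Authorization:RSVCP-AD1 Groups EQUALS <AD group> -> Role Name
ROLE_MAPPING_RULES = [
    ("OWL-Employee", "OWL_Employee"),
    ("OWL-IT-Admin", "OWL_IT-Admin"),
    ("OWL-IT-Support", "OWL_IT-Support"),
    ("OWL-LnD-Staff", "OWL_LnD-Staff"),
    ("OWL-LnD-Student", "OWL_LnD-Student"),
    ("OWL-Contractor", "OWL_Contractor"),
]

# OWL_802.1X-EnforcementPolicy rules in table order: (Tips roles that must all be
# present, enforcement profile). Assumed to be evaluated first-applicable.
ENFORCEMENT_RULES = [
    ({"OWL_Employee", MACHINE_AUTH}, "OWL_Employee"),
    ({"OWL_IT-Admin", MACHINE_AUTH}, "OWL_IT-Admin"),
    ({"OWL_IT-Support", MACHINE_AUTH}, "OWL_IT-Support"),
    ({"OWL_LnD-Staff", MACHINE_AUTH}, "OWL_LnD-Staff"),
    ({"OWL_LnD-Student", MACHINE_AUTH}, "OWL_LnD-Student"),
    ({"OWL_Contractor", MACHINE_AUTH}, "OWL_Contractor"),
    ({MACHINE_AUTH}, "OWL_Machine-Auth"),
]

# Enforcement profile -> Radius:Aruba Aruba-User-Role (1) value. EMPLOYEE and IT-ADMIN
# come from the page; the remaining values are assumed to follow the Central role names.
PROFILE_USER_ROLE = {
    "OWL_Employee": "EMPLOYEE",
    "OWL_IT-Admin": "IT-ADMIN",
    "OWL_IT-Support": "IT-SUPPORT",
    "OWL_LnD-Staff": "LND-STAFF",
    "OWL_LnD-Student": "LND-STUDENT",
    "OWL_Contractor": "CONTRACTOR",
    "OWL_Machine-Auth": "MACHINE-AUTH",
}

# Roles configured on the CorpNet WLAN in Aruba Central; the NAD matches them case-sensitively.
CENTRAL_ROLES = {
    "MACHINE-AUTH", "EMPLOYEE", "IT-SUPPORT", "IT-ADMIN", "INFRA-DEVICE", "LND-STAFF",
    "LND-STUDENT", "VOIP", "PRINTER", "GUEST", "CONTRACTOR", "SECURITY", "IOT-LIMITED",
}

# Constructed stand-in for the RSVCP-AD1 group lookup: sAMAccountName -> group memberships.
AD_DIRECTORY = {
    "jdoe": ["Domain Users", "OWL-Employee"],
    "asmith": ["Domain Users", "OWL-Employee", "OWL-IT-Admin"],
    "lab01": ["Domain Users"],
}


def strip_username(username):
    """Strip Username Rule 'User:@': drop the realm so the AD lookup uses the bare account name."""
    return username.split("@", 1)[0]


def map_roles(ad_groups, machine_authenticated):
    """Role mapping: every matching rule adds its role; the Default Role applies only if none match."""
    roles = {role for group, role in ROLE_MAPPING_RULES if group in ad_groups}
    if not roles:
        roles.add(DEFAULT_ROLE)
    if machine_authenticated:
        roles.add(MACHINE_AUTH)
    return roles


def enforce(tips_roles):
    """First enforcement rule whose conditions are all satisfied wins; otherwise the default denies."""
    for required, profile in ENFORCEMENT_RULES:
        if required <= tips_roles:
            return profile
    return DENY


def evaluate(username, machine_authenticated):
    """Return (access accepted?, Aruba-User-Role or None) for one CorpNet request."""
    groups = AD_DIRECTORY.get(strip_username(username), [])
    profile = enforce(map_roles(groups, machine_authenticated))
    if profile == DENY:
        return False, None
    return True, PROFILE_USER_ROLE[profile]


def role_accepted_by_nad(user_role):
    """The NAD applies the returned role only if it matches a configured role exactly, case included."""
    return user_role in CENTRAL_ROLES


if __name__ == "__main__":
    for user, machine in [("jdoe@owllab.net", True), ("jdoe@owllab.net", False),
                          ("asmith@owllab.net", True), ("lab01@owllab.net", True)]:
        print(user, "machine-auth" if machine else "user-only", "->", evaluate(user, machine))
```

Two consequences of the policy as tabled are visible in the model: a user whose machine did not authenticate first gets the default [Deny Access Policy], because every rule except the last requires [Machine Authenticated]; and, under first-applicable evaluation, a user who is a member of more than one mapped AD group (asmith above, in both OWL-Employee and OWL-IT-Admin) receives the profile of the first matching rule, so the order of the rules decides which Aruba-User-Role such a user gets. The final function reflects the note about Aruba NADs ignoring a returned role whose letter case does not match.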
Configure CorpNet WLAN in Aruba Central
Below are the primary settings for CorpNet WLAN. For prescriptive guidance on creating a new WLAN, please see the Campus Wireless Connectivity chapter of the Campus Deploy guide.
General
- ESSID: CorpNet
- Band: all
VLANs
- Traffic forwarding mode: Tunnel
- Primary Gateway Cluster: CP-RSVWLAN:CL-RSVCP-S2
- VLAN ID: EMPLOYEE(103)
Security
- Key Management: WPA3-Enterprise
- Primary Server: rsvcp-cppm-1
- Secondary Server: rsvcp-cppm-2
Access
- Access Rules: Role Based
- Roles: Ensure all Roles are configured
- MACHINE-AUTH
- EMPLOYEE
- IT-SUPPORT
- IT-ADMIN
- INFRA-DEVICE
- LND-STAFF
- LND-STUDENT
- VOIP
- PRINTER
- GUEST
- CONTRACTOR
- SECURITY
- IOT-LIMITED
Configure Client
Below are the sample Windows client settings for CorpNet WLAN.
PEAP
- SSID: CorpNet
- Security type: WPA3-Enterprise
- Encryption type: AES
- Authentication Method: PEAP/EAP-MSCHAP v2
- Authentication mode: User or computer authentication
EAP-TLS
- SSID: CorpNet
- Security type: WPA3-Enterprise
- Encryption type: AES
- Authentication Method: Microsoft Smart Card or other certificate (EAP-TLS)
- Authentication mode: User or computer authentication
Validate Authentication
After connecting a client device to CorpNet, confirm successful authentication by reviewing the client, Aruba Central, and ClearPass Access Tracker. The following are examples from OWL’s CorpNet test.
Windows Client
In Windows, view Network & internet > Wi-Fi > CorpNet and verify that the IP address is in the expected subnet and that the client is able to access the expected resources according to its user role or VLAN.
Aruba Central
In Aruba Central, go to Groups > Clients, find the test client, and review the details. Example:
ClearPass
In ClearPass, go to Monitoring > Access Tracker, find the authentication events, and review the details. Example:
When validation is complete, proceed to the next section.
Configure Wired Authentication for ArubaOS-CX Switches
For wired authentication, two separate services must be created. One is to authenticate OWL devices configured for wired 802.1X, and the second is to authenticate all wired headless devices via MAC authentication. Follow the steps below to configure both services.
Configure Wired 802.1X Authentication
The 802.1X service uses EAP-TLS authentication method with Active Directory (AD) user group memberships to provide different authorization levels for corporate users and computers.
Note that the workflow for this setup requires creating Role Mapping and Enforcement Policies before adding the actual service.
Configure ClearPass Roles for Role Mapping Policy
The ClearPass Roles created for the CorpNet Role Mapping Policy earlier in this chapter will be re-used for this configuration.
Configure Role Mapping Policy
Duplicate the Role Mapping Policy created for the Wireless 802.1X service earlier in this chapter to be able to manage them separately.
Step 1 Go to Configuration > Identity > Role Mappings and check the box next to the previously created policy, then click the Copy button in the lower right of the page.
Step 2 Click the newly created Copy_of_OWL_RoleMappingPolicy1.
Step 3 In the Role Mappings window, under the Policy tab, update the following, then click the Save button.
- Policy Name: Rename to OWL_RoleMappingPolicy2
Step 4 With OWL_RoleMappingPolicy2 successfully created, proceed to the next section.
Configure Enforcement Profiles for Enforcement Policy
The Enforcement Profiles created for the CorpNet Enforcement Policy earlier in this chapter are used for this configuration.
Configure Enforcement Policy
Duplicate the Enforcement Policy created for the Wireless 802.1X service earlier in this chapter to be able to manage them separately.
Step 1 Go to Configuration > Enforcement > Policies and check the box next to the previously created policy, then click the Copy button in the lower right of the page.
Step 2 Click the newly created Copy_of_OWL_802.1X-EnforcementPolicy.
Step 3 In the Enforcement Policies window, under the Enforcement tab, update the following, then click the Save button.
- Name: Rename to OWL_WiredCX_802.1X-EnforcementPolicy
Step 4 With OWL_WiredCX_802.1X-EnforcementPolicy successfully created, proceed to the next section.
Configure Service
Follow the steps below to configure the wired 802.1X service for OWL’s CX switches.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Configuration > Services and click the Add link at the upper right.
Step 4 In the new Services screen, under the Services tab, configure the following, then click the Next button.
- Type: 802.1X Wired
- Name: OWL_Wired CX 802.1X Service
- Add Service Rule 3:
- Type: Connection
- Name: NAD-IP-Address
- Operator: BELONGS_TO_GROUP
- Value: Switches
Step 5 In the Authentication tab, configure the following, then click the Next button.
- Authentication Methods:
- [EAP-TLS]
- [EAP PEAP]
- Authentication Sources:
- RSVCP-AD1
- RSVCP-AD2
- Strip Username Rules:
- (Check the box to enable)
- User:@
Step 6 In the Roles tab, select OWL_RoleMappingPolicy2 from the Role Mapping Policy dropdown, then click the Next button.
Step 7 In the Enforcement tab, select OWL_WiredCX_802.1X-EnforcementPolicy from the Enforcement Policy dropdown, then click the Save button.
Step 8 When complete, proceed to the next section.
Configure Wired MAC Authentication
In this deployment, the MAC Auth service uses the Endpoint Repository and DHCP profiling to provide different authorization levels for headless devices such as printers, phones, access points, and others.
Note that the workflow for this setup requires creating Role Mapping and Enforcement Policies before adding the actual service.
Follow the steps below to configure this service.
Configure ClearPass Roles for Role Mapping Policy
The ClearPass Roles created for the CorpNet Role Mapping Policy earlier in this chapter are used for this configuration.
Configure Role Mapping Policy
Configure a new Role Mapping Policy for the MAC authentication service.
Step 1 Go to Configuration > Identity > Role Mappings and click the Add link at the upper right.
Step 2 In the Role Mappings window, under the Policy tab, configure the following, then click the Next button.
- Policy Name: OWL_WiredMACAuth_RoleMappingPolicy
- Default Role: [Other]
Step 3 In the Mapping Rules tab, click the Add Rule button and configure the following on the Rules Editor window.
- Matches: ANY
- Type: Authorization:[Endpoints Repository] for all rules
- Name: Device Name for all rules
- Operator: EQUALS for all rules
- Value: Aruba Cape for the first rule, Aruba IAP for the second, and Aruba AP for the third
- Role Name: OWL_Infra-Device
Step 4 When all conditions and actions are configured similar to the image below, click Save.
Step 5 Repeat the two previous steps until the Role Mapping Rules list matches the screenshot below.
Note: The Role Mapping Rules in this example and in the rest of this guide are specific for Orange Widget Logistics, the example customer in the VSG reference architecture. For additional configuration options, see the Adding and Modifying Role Mapping Policies section of the CPPM User Guide.
Step 6 Proceed to the next section.
Configure Enforcement Profiles for Enforcement Policy
The Enforcement Profiles created for the CorpNet Enforcement Policy earlier in this chapter are used for this configuration.
Configure Enforcement Policy
Follow the steps below to configure the Enforcement Policy for the wired MAC authentication service.
Step 1 Go to Configuration > Enforcement > Policies and click the Add link at the upper right.
Step 2 In the Add Enforcement Policies window, in the Enforcement tab, configure the following, then click the Next button.
- Name: OWL_Wired CX MACAuth-EnforcementPolicy
- Enforcement Type: RADIUS
- Default Profile: [Deny Access Policy]
Step 3 In the Rules tab, click the Add Rule button. In the Rules Editor window, configure the following, then click the Save button.
Step 4 After the first rule is saved, click the Copy Rule button to create the second rule as follows:
- Select the newly created rule for OWL_Infra-Device
- Click the Copy Rule button
- Select the newly duplicated rule
- Click the Edit Rule button
- Change the Value column condition 1 to OWL_VoIP
- Replace the Profile Name with OWL_VoIP
- Click the Save button
Step 5 Repeat the previous step until the enforcement rules below are entered, then click the Save button.
Type | Profile Names |
---|---|
Tips Role equals OWL_VoIP | [RADIUS] OWL_VoIP |
Tips Role equals OWL_Infra-Device | [RADIUS] OWL_Infra-Device |
Tips Role equals OWL_Printer | [RADIUS] OWL_Printer |
Tips Role equals OWL_IoT-Limited | [RADIUS] OWL_IoT-Limited |
Tips Role equals OWL_Security | [RADIUS] OWL_Security |
Step 6 When complete, proceed to the next section.
Configure Service
Follow the steps below to configure the wired MAC authentication service for OWL’s CX switches.
Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.
Step 2 Log in using the admin credentials.
- Username: admin
- Password: Aruba123!
Step 3 Go to Configuration > Services and click the Add link at the upper right.
Step 4 In the new Services window, in the Services tab, configure the following:
- Type: MAC Authentication
- Name: OWL_Wired CX MACAuth Service
- Add Service Rule 3:
- Type: Connection
- Name: NAD-IP-Address
- Operator: BELONGS_TO_GROUP
- Value: Switches
- Click the Next button
Step 5 In the Authentication tab, configure the following, then click the Next button.
- Authentication Methods:
- [Allow All MAC AUTH]
- Authentication Sources:
- [Endpoints Repository] [Local SQL DB]
Step 6 In the Roles tab, select OWL_WiredMACAuth_RoleMappingPolicy from the Role Mapping Policy dropdown, then click the Next button.
Step 7 In the Enforcement tab, select OWL_Wired CX MACAuth-EnforcementPolicy from the Enforcement Policy dropdown, then click the Next button.
Step 8 In the Profiler tab, configure the following settings, then click the Next button:
- Endpoint Classification: Any Category/ OS Family/ Name
- RADIUS CoA Action: [AOS-CX - Bounce Switch Port]
Step 9 Review the Summary tab, then proceed to the next section.
Organize Services
Because services process authentication requests from the top down, similar to an ACL, it is essential to organize them in the way that is most effective for the deployment. Although the order is not critical for the three services created in this sample deployment, it is important to begin with a well-organized set of services to facilitate troubleshooting and expansion as more sites are deployed or new services are tested.
One method to organize services is to create service “separators,” as described in the next section.
Create Service “Separators”
Separators are optional, but recommended. They keep services grouped and make them easier to sort when troubleshooting.
Step 1 Pick any existing service and duplicate it with the Copy button. Then, rename it. Repeat until the three services below are created.
Step 2 Ensure that the newly created “separator” services are disabled, as shown in the image above, to prevent ClearPass from using them to process requests.
Reorder Services
Step 1 After the “separator” services are disabled, click the Reorder button at the lower right.
Step 2 In the Reorder window, left-click and release the first service to be moved, move the cursor to the desired location, and then click again to release the service in the intended place.
Step 3 Repeat this step until the order looks similar to the image above.
Step 4 When the reorder is complete, the services should look like the screenshot below.
Step 5 Proceed to the next section.
Verify Switch Configuration
The following sections contain the base configuration expected for AOS-CX switches to authenticate wired clients against the RADIUS services configured in this guide. For instructions on configuring the switches, see the Configure RADIUS and UBT section of the Wired Access Configuration page in the Campus Deploy guide.
Global RADIUS Configuration
Verify that the following global RADIUS configuration exists.
```
radius-server host 10.2.120.192 key plaintext Aruba123!
radius-server host 10.2.120.193 key plaintext Aruba123!
aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193
aaa accounting port-access start-stop interim 60 group clearpass_radius_group
radius dyn-authorization enable
radius dyn-authorization client 10.2.120.194 secret-key Aruba123!
radius dyn-authorization client 10.2.120.195 secret-key Aruba123!
aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable
```
The table below provides brief descriptions of each configuration section above.
Configuration | Description |
---|---|
radius-server host 10.2.120.192 key plaintext Aruba123! radius-server host 10.2.120.193 key plaintext Aruba123! | Adds the RADIUS server virtual IP addresses along with shared secret. |
aaa group server radius clearpass_radius_group server 10.2.120.192 server 10.2.120.193 | Creates a AAA server group with name and adds the newly added RADIUS servers to it. |
aaa accounting port-access start-stop interim 60 group clearpass_radius_group | Configures the new RADIUS server group to send accounting records at the beginning and end of each user/device session, as well as interim updates every 60 seconds. |
radius dyn-authorization enable | Enables CoA |
radius dyn-authorization client 10.2.120.194 secret-key Aruba123! radius dyn-authorization client 10.2.120.195 secret-key Aruba123! | Configures the switch to accept and process dynamic authorization requests sourced from the RADIUS servers’ IP addresses (not VRRP virtual IPs). |
aaa authentication port-access dot1x authenticator radius server-group clearpass_radius_group enable | Enables 802.1X authentication and configures authentication requests to be sent to RADIUS server group clearpass_radius_group |
aaa authentication port-access mac-auth radius server-group clearpass_radius_group enable | Enables MAC authentication and configures authentication requests to be sent to RADIUS server group clearpass_radius_group |
Switch Port Configuration
Verify that the following configuration exists on the ports expected to authenticate wired clients.
```
interface 1/1/1
    aaa authentication port-access client-limit 3
    aaa authentication port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
```
The table below provides brief descriptions of each configuration section above.
Configuration | Description |
---|---|
aaa authentication port-access client-limit 3 | Sets the port to authenticate a maximum of three clients |
aaa authentication port-access onboarding-method concurrent enable | Configures the port to use 802.1X and MAC authentication simultaneously |
aaa authentication port-access dot1x authenticator | Opens the configuration subsection for 802.1X |
max-eapol-requests 1 | Sets port to only send one EAPOL request to the client. If the client does not respond to the single request, the authentication process is considered failed. |
max-retries 1 | Sets the maximum number of times the switch reattempts the authentication process after a failure |
reauth | Enables the switch to periodically reinitiate the authentication process to verify that the client should still be granted network access |
enable | Enables 802.1X authentication on the port |
aaa authentication port-access mac-auth | Opens the configuration subsection for MAC authentication |
cached-reauth cached-reauth-period 86400 | Configures the switch to cache the MAC address and use it to reauthenticate the client on the same port without going through full authentication if the device disconnects and reconnects during a period of 86400 seconds (24 hours). |
quiet-period 30 | Sets the duration during which the switch does not attempt to reauthenticate a device after a failed authentication attempt |
enable | Enables MAC authentication on the port |
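As an added check for this section (example code written for this page, not Aruba's), the following Python parses an AOS-CX running-config text into an indentation tree and reports which of the global and per-port lines listed above are missing. It assumes the indented form that show running-config produces and that the switch displays shared secrets as ciphertext rather than the plaintext entered at the CLI, so secret-bearing lines are compared by their prefix up to the key. The sample running-config is constructed: 1/1/1 is compliant, while 1/1/2 is deliberately missing the onboarding-method, reauth, and MAC authentication settings.

```python
"""Added example (not Aruba code): verify that an AOS-CX running-config contains
the global RADIUS and per-port authentication lines listed in this section."""

# Expected global configuration, copied from this section (indentation shows nesting).
REQUIRED_GLOBAL_TEXT = """\
radius-server host 10.2.120.192 key plaintext Aruba123!
radius-server host 10.2.120.193 key plaintext Aruba123!
aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193
aaa accounting port-access start-stop interim 60 group clearpass_radius_group
radius dyn-authorization enable
radius dyn-authorization client 10.2.120.194 secret-key Aruba123!
radius dyn-authorization client 10.2.120.195 secret-key Aruba123!
aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable
"""

# Expected configuration under each authenticating interface, copied from this section.
REQUIRED_PORT_TEXT = """\
aaa authentication port-access client-limit 3
aaa authentication port-access onboarding-method concurrent enable
aaa authentication port-access dot1x authenticator
    max-eapol-requests 1
    max-retries 1
    reauth
    enable
aaa authentication port-access mac-auth
    cached-reauth
    cached-reauth-period 86400
    quiet-period 30
    enable
"""

# Constructed sample of 'show running-config' output. Secrets are shown as ciphertext
# (an assumption about the display form); the ciphertext values are made up.
SAMPLE_RUNNING_CONFIG = """\
hostname AG3-AC1
!
radius-server host 10.2.120.192 key ciphertext AQBapEXAMPLE1
radius-server host 10.2.120.193 key ciphertext AQBapEXAMPLE2
aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193
aaa accounting port-access start-stop interim 60 group clearpass_radius_group
radius dyn-authorization enable
radius dyn-authorization client 10.2.120.194 secret-key ciphertext AQBapEXAMPLE3
radius dyn-authorization client 10.2.120.195 secret-key ciphertext AQBapEXAMPLE4
aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable
interface 1/1/1
    aaa authentication port-access client-limit 3
    aaa authentication port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/2
    aaa authentication port-access client-limit 3
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        enable
"""


def parse_config(text):
    """Build a tree {line: {child: {...}}} from indented CLI text; blank and '!' lines are skipped."""
    root = {}
    stack = [(-1, root)]  # (indent, node) of the blocks enclosing the current line
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:  # leave blocks that do not enclose this line
            stack.pop()
        node = {}
        stack[-1][1][raw.strip()] = node
        stack.append((indent, node))
    return root


def normalize(line):
    """Drop the secret so 'key plaintext X' and 'key ciphertext Y' compare equal."""
    for marker in (" secret-key ", " key "):
        if marker in line:
            return line.split(marker, 1)[0] + marker.rstrip()
    return line


def missing(required, actual, path=()):
    """List required lines (as 'parent / child' paths) that are absent from actual."""
    actual_by_key = {normalize(k): v for k, v in actual.items()}
    gaps = []
    for line, children in required.items():
        key = normalize(line)
        if key not in actual_by_key:
            gaps.append(" / ".join(path + (line,)))
        else:
            gaps.extend(missing(children, actual_by_key[key], path + (line,)))
    return gaps


def check_switch(config_text, ports):
    """Return {'global': [missing lines], '<port>': [missing lines]} for one switch."""
    cfg = parse_config(config_text)
    report = {"global": missing(parse_config(REQUIRED_GLOBAL_TEXT), cfg)}
    for port in ports:
        iface = cfg.get(f"interface {port}")
        report[port] = ([f"interface {port} not found"] if iface is None
                        else missing(parse_config(REQUIRED_PORT_TEXT), iface))
    return report


if __name__ == "__main__":
    for section, gaps in check_switch(SAMPLE_RUNNING_CONFIG, ["1/1/1", "1/1/2"]).items():
        print(section, "OK" if not gaps else "missing: " + "; ".join(gaps))
```

Feed the function the text of show running-config from each access switch together with the list of edge ports that should authenticate clients; a block whose parent line is absent is reported once by its parent, so a port with no MAC authentication section shows up as a single missing aaa authentication port-access mac-auth entry rather than five.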
This concludes ClearPass deployment guidance.