07-Mar-24

Configure WLAN and LAN Authentication

This section provides steps to configure ClearPass Policy Manager (CPPM) for authentication and authorization of client devices. ClearPass includes a set of templates to help create services for common use cases. For Orange Widget Logistics (OWL), the fictional customer used in this reference design, service configuration involves templates and manual service creation.

A total of three authentication services are configured in this chapter:

  • RADIUS service for 802.1X-enabled wireless SSID CorpNet
  • RADIUS service for 802.1X-enabled wired switch ports
  • RADIUS service for MAC authentication-enabled switch ports

Some of the services in this guide share components such as Authentication Sources and Network Devices. They are configured once before the individual service configuration instructions to reduce repetitive steps.


Configure Common Components

Authentication services in this guide share common steps. These include:

  • Authentication Sources contain the identity store against which user devices are authenticated. In OWL’s design, it includes Active Directory Domain Controllers.
  • Network Devices must be configured with the Network Access Device (NAD) information so that ClearPass can accept authentication requests from the switches and gateways in this design.
  • Device Groups are optional and can be referenced in service rules, role-mapping rules, or enforcement policies. Administrators configure device groups at the global level. A group can contain the devices in a specified subnet, devices whose attributes match a regular expression, or a list of devices previously configured in the Policy Manager database. OWL’s deployment uses them in the enforcement policy so that ClearPass can send different responses based on request origin. For example, for a request from an Aruba switch, ClearPass can return the user role; for a request from a non-Aruba switch, it can return the VLAN name.

Follow the steps below to add the AD Domain Controllers, NADs, and Device Groups for OWL’s ClearPass cluster.

Add AD Authentication Sources

Follow the steps below to add the two Active Directory Domain Controllers to be queried by the ClearPass cluster.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

These are the lab credentials used throughout this reference design; do not reuse them outside the lab.

Add First Domain Controller

Step 3 Go to Configuration > Authentication > Sources and click the +Add link at the upper right.

Authentication Sources

Step 4 In the General tab, configure the following parameters, then click the Next button.

  • Name: RSVCP-AD1

  • Description: Roseville Campus Active Directory Domain Controller 1

  • Type: Active Directory

Add Active Directory DC 1 General Tab

Step 5 In the Primary tab, configure the following parameters, then click the Save button.

  • Hostname: rsvcp-ad1.owllab.net
  • Bind DN: owlservice@owllab.net (the service account ClearPass uses to search AD; it only needs read access)
  • Bind Password: Aruba123!
  • Base DN: Click the Search Base DN link and verify in the LDAP Browser window that the domain is reachable with the bind credentials, then click the Save button in the LDAP Browser window.
  • Verify that NetBIOS Domain Name is populated.

Add Active Directory DC 1 Primary Tab

Add Second Domain Controller

Continue from the steps above to configure the second AD Domain Controller using the Copy function.

Step 6 Return to the Sources window, click the checkbox next to the new entry for RSVCP-AD1, then click the Copy button at the lower right.

Create Copy of AD1

Step 7 Click the newly created Copy_of_RSVCP-AD1 in the Sources list.

Step 8 When the details page appears, update the following, then click the Save button.

  • In the General tab:
    • Name: RSVCP-AD2
    • Description: Roseville Campus Active Directory Domain Controller 2
  • In the Primary tab:
    • Hostname: rsvcp-ad2.owllab.net

Edit Duplicate of AD1

Step 9 With both AD DCs added, proceed to the next section.

Add Network Devices (Authenticators)

Network Devices are configured so ClearPass can accept authentication requests from switches and gateways in this design.

Follow the steps below to add the gateways and switches using the information from the Network Devices (Authenticators) section on the ClearPass Preparation page.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Configuration > Network > Devices and click the Add link at the upper right. Add the first device from the Network Devices (Authenticators) table on the ClearPass Preparation page.

Add Network Device 1

Step 4 After adding the first network device, repeat the step or use the Copy function to add the remaining network devices listed in the previous chapter, then proceed to the next section.

Add Network Device Groups

ClearPass can group devices into Device Groups, which are optional components in service and role-mapping rules. Administrators configure device groups at the global level. They can contain the members or IP addresses of a specified subnet, regular expression-based variation, or devices previously configured in the Policy Manager database. OWL’s new cluster uses the third option with previously configured devices in a list format.

Follow the steps below to create the device groups.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Configuration > Network > Device Groups and click the Add link at the upper right.

Add Network Device Group

Step 4 In the Add New Device Group window, configure the following parameters to add the switches to the list, then click the Save button.

  • Name: Switches
  • Description: Switch Device Group
  • Format: List
  • Selected Devices: RSVCP-TEST-AC1, AG3-AC1, AG3-AC2, and AG3-AC4

Note: Press the SHIFT or CTRL key while clicking the list to select multiple devices and move them simultaneously.

Add New Device Group Popup

Step 5 Repeat steps 3 and 4 to add the Gateway group.

Step 6 When complete, the groups are listed on the Network Device Groups page. They also appear in the Device Groups column on the Network Devices page, as shown below.

Added Device Groups

Note: The Access Points and an Access Points Group in the image above were created for future use of Bridge mode and Mixed mode SSIDs but do not need to be added in this first phase of OWL’s deployment, which is only using Tunnel Mode.

Step 7 Proceed to the next section.

Configure Wireless 802.1X Authentication

The first service to configure is for the CorpNet WLAN, which serves trusted OWL-owned assets. It authenticates clients against Active Directory (AD) using EAP-TLS and uses AD group membership to grant different authorization levels.

Note that the workflow for this setup requires creating Role Mapping and Enforcement Policies before adding the actual service.

Configure ClearPass Roles for Role Mapping Policy

Step 1 Go to Configuration > Identity > Roles and click the Add link at the upper right.

Add Roles

Step 2 In the Add New Role window, add the first role by matching the following info, then click the Save button.

  • Name: OWL_Employee

Create Role Mapping Role

Step 3 Repeat the step to add the following new roles:

  • OWL_IT-Support
  • OWL_IT-Admin
  • OWL_Infra-Device
  • OWL_LnD-Staff
  • OWL_LnD-Student
  • OWL_VoIP
  • OWL_Printer
  • OWL_Guest
  • OWL_Contractor
  • OWL_Security
  • OWL_IoT-Limited

Step 4 When complete, continue to the next section.

Configure Role Mapping Policy

Step 1 Go to Configuration > Identity > Role Mappings and click the Add link at the upper right.

Add Role Mapping Policy

Step 2 In the Role Mappings window, on the Policy tab, configure the following, then click the Next button.

  • Policy Name: OWL_RoleMappingPolicy1
  • Default Role: [Other]

Role Mapping Policy Tab

Step 3 On the Mapping Rules tab, click the Add Rule button and configure the following on the Rules Editor window, then click the Save button.

  • Matches: ANY
  • Type: Authorization:RSVCP-AD1
  • Name: Groups
  • Operator: EQUALS
  • Value: OWL-Employee
  • Role Name: OWL_Employee

Role Mapping Rules

Step 4 Repeat the step above until the following mapping rules are entered.

Type                     Name    Operator  Value            Role Name
Authorization:RSVCP-AD1  Groups  EQUALS    OWL-Employee     OWL_Employee
Authorization:RSVCP-AD1  Groups  EQUALS    OWL-IT-Admin     OWL_IT-Admin
Authorization:RSVCP-AD1  Groups  EQUALS    OWL-IT-Support   OWL_IT-Support
Authorization:RSVCP-AD1  Groups  EQUALS    OWL-LnD-Staff    OWL_LnD-Staff
Authorization:RSVCP-AD1  Groups  EQUALS    OWL-LnD-Student  OWL_LnD-Student
Authorization:RSVCP-AD1  Groups  EQUALS    OWL-Contractor   OWL_Contractor

Step 5 Verify that the Mapping Rules look like the screenshot below, then click the Save button.

Role Mapping Rules 2

Step 6 Proceed to the next section.

Configure Enforcement Profiles for Enforcement Policy

Follow the steps below to configure the Enforcement Profiles documented in the User Role/Client Role Information table in the Preparing for ClearPass Deployment chapter.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Configuration > Enforcement > Profiles and click the Add link at the upper right.

Add Enforcement Profile

Step 4 In the Add Enforcement Profile window, match the following settings in the Profile tab, then click the Save button.

  • Template: Aruba RADIUS Enforcement
  • Name: OWL_Employee
  • Description: Return Aruba User Role
  • Action: Accept

Enforcement Profile Tab

Step 5 In the Attributes tab, match the following settings, then click the Save icon next to the Value, followed by the Next button.

  • Type: Radius:Aruba
  • Name: Aruba-User-Role (1)
  • Value: EMPLOYEE

Note: Match the letter case exactly when configuring user roles. Role names on Aruba switches, gateways, and APs are case-sensitive; if the role returned by ClearPass does not exactly match a role configured on the device, the device ignores it and the client does not receive the intended role.

Enforcement Attributes Tab

Step 6 After the first profile is saved, use the Copy button to create the second profile as follows:

  • Click the checkbox next to the newly created OWL_Employee profile
  • Click the Copy button
  • Click the newly created Copy_of_OWL_Employee profile

Enforcement Profiles All

Step 7 When the Edit Enforcement Profile page appears, update the following, then click the Save button.

  • In the Profile tab:
    • Name: OWL_IT-Admin
  • In the Attributes tab:
    • Value: IT-ADMIN

Step 8 Repeat the steps to create the remaining profiles from the User Role/Client Role Information table: one Aruba RADIUS Enforcement profile per OWL_ role, including OWL_Machine-Auth, each returning the matching device role name in Aruba-User-Role.

Step 9 When the remaining profiles are created, proceed to the next section.

Configure Enforcement Policy

Follow the steps below to configure the Enforcement Policy for the Wireless 802.1X service for CorpNet SSID.

Step 1 Go to Configuration > Enforcement > Policies and click the Add link at the upper right.

Add Enforcement Policy

Step 2 In the Add Enforcement Policies screen, in the Enforcement tab, configure the following, then click the Next button.

  • Name: OWL_802.1X-EnforcementPolicy
  • Enforcement Type: RADIUS
  • Default Profile: [Deny Access Policy]

Enforcement Policy Enforcement Tab

Step 3 In the Rules tab, click the Add Rule button. In the Rules Editor window, add two conditions, Tips:Role EQUALS OWL_Employee and Tips:Role EQUALS [Machine Authenticated], select [RADIUS] OWL_Employee as the Profile Name, then click the Save button.

Enforcement Policy Rules Tab

Step 4 After the first rule is saved, click the Copy Rule button to create the second rule as follows:

  • Select the newly created rule for OWL_Employee
  • Click the Copy Rule button
  • Select the newly duplicated rule
  • Click the Edit Rule button
  • Change the Value column of the first condition to OWL_IT-Admin
  • Replace the Profile Name with OWL_IT-Admin
  • Click the Save button

Enforcement Policy Copy Rule

Step 5 Repeat the last step until the enforcement rules below are created, then click the Save button.

Conditions                                                                    Profile Name
Tips:Role EQUALS OWL_Employee AND Tips:Role EQUALS [Machine Authenticated]    [RADIUS] OWL_Employee
Tips:Role EQUALS OWL_IT-Admin AND Tips:Role EQUALS [Machine Authenticated]    [RADIUS] OWL_IT-Admin
Tips:Role EQUALS OWL_IT-Support AND Tips:Role EQUALS [Machine Authenticated]  [RADIUS] OWL_IT-Support
Tips:Role EQUALS OWL_LnD-Staff AND Tips:Role EQUALS [Machine Authenticated]   [RADIUS] OWL_LnD-Staff
Tips:Role EQUALS OWL_LnD-Student AND Tips:Role EQUALS [Machine Authenticated] [RADIUS] OWL_LnD-Student
Tips:Role EQUALS OWL_Contractor AND Tips:Role EQUALS [Machine Authenticated]  [RADIUS] OWL_Contractor
Tips:Role EQUALS [Machine Authenticated]                                      [RADIUS] OWL_Machine-Auth

Because the default profile is [Deny Access Policy], a user whose device has not completed machine authentication is denied even when the AD group membership matches.

Step 6 Verify that the Enforcement Policy Rules look like the screenshot below, then click the Save button.

Enforcement Policy Save Rule

Step 7 When complete, proceed to the next section.

Configure Service

With the enforcement and role mapping policies created, follow the steps below to create the RADIUS service for CorpNet SSID.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin
  • Password: Aruba123!

Step 3 Go to Configuration > Services and click the Add link at the upper right.

Add Wireless RADIUS Service

Step 4 In the new Services window, in the Services tab, configure the following, then click the Next button.

  • Type: Aruba 802.1X Wireless
  • Name: OWL CorpNet 802.1X Service
  • Service Rule List > Rule No. 3 (Radius:Aruba Aruba-Essid-Name):
    • Operator column: Change to EQUALS
    • Value column: Change to CorpNet

Dot1X Wireless Service Tab

Step 5 In the Authentication tab, configure the following, then click the Next button.

  • Authentication Methods:
    • [EAP-TLS]
    • [EAP PEAP]
  • Authentication Sources:
    • RSVCP-AD1
    • RSVCP-AD2
  • Strip Username Rules:
    • (Check the box to enable)
    • User:@

Dot1X Wireless Authentication Tab

Step 6 In the Roles tab, select OWL_RoleMappingPolicy1 from the Role Mapping Policy dropdown, then click the Next button.

Dot1X Wireless Roles Tab

Step 7 In the Enforcement tab, select OWL_802.1X-EnforcementPolicy from the Enforcement Policy dropdown, then click the Save button.

Dot1X Wireless Enforcement Tab

Step 8 When complete, proceed to next section.

Configure CorpNet WLAN in Aruba Central

Below are the primary settings for CorpNet WLAN. For prescriptive guidance on creating a new WLAN, please see the Campus Wireless Connectivity chapter of the Campus Deploy guide.

General

  • ESSID: CorpNet
  • Band: all

VLANs

  • Traffic forwarding mode: Tunnel
  • Primary Gateway Cluster: CP-RSVWLAN:CL-RSVCP-S2
  • VLAN ID: EMPLOYEE(103)

Security

  • Key Management: WPA3-Enterprise
  • Primary Server: rsvcp-cppm-1
  • Secondary Server: rsvcp-cppm-2

Access

  • Access Rules: Role Based
  • Roles: Ensure all Roles are configured
    • MACHINE-AUTH
    • EMPLOYEE
    • IT-SUPPORT
    • IT-ADMIN
    • INFRA-DEVICE
    • LND-STAFF
    • LND-STUDENT
    • VOIP
    • PRINTER
    • GUEST
    • CONTRACTOR
    • SECURITY
    • IOT-LIMITED

Configure Client

Below are the sample Windows client settings for CorpNet WLAN.

PEAP

  • SSID: CorpNet
  • Security type: WPA3-Enterprise
  • Encryption type: AES
  • Authentication Method: PEAP/EAP-MSCHAP v2
  • Authentication mode: User or computer authentication

Note: With PEAP, enable server certificate validation on the client and trust only the CA that issued the ClearPass RADIUS server certificate. Without it, a rogue access point advertising the CorpNet SSID can capture the MSCHAPv2 credential exchange.

EAP-TLS

  • SSID: CorpNet
  • Security type: WPA3-Enterprise
  • Encryption type: AES
  • Authentication Method: Microsoft Smart Card or other certificate (EAP-TLS)
  • Authentication mode: User or computer authentication

Validate Authentication

After connecting a client device to CorpNet, confirm successful authentication by reviewing the client, Aruba Central, and ClearPass Access Tracker. The following are examples from OWL’s CorpNet test.

Windows Client

In Windows, open Network & internet > Wi-Fi > CorpNet and verify that the client received an IP address in the expected subnet and can reach the resources expected for its user role or VLAN.

Aruba Central

In Aruba Central, go to Groups > Clients, find the test client, and review its details. Example:

Validate Central for CorpNet

ClearPass

In ClearPass, go to Monitoring > Access Tracker, find the authentication events and review details. Example:

Validate ClearPass for CorpNet

When validation is complete, proceed to next section.

Configure Wired Authentication for ArubaOS-CX Switches

For wired authentication, two separate services must be created. One is to authenticate OWL devices configured for wired 802.1X, and the second is to authenticate all wired headless devices via MAC authentication. Follow the steps below to configure both services.

Configure Wired 802.1X Authentication

The 802.1X service uses EAP-TLS authentication method with Active Directory (AD) user group memberships to provide different authorization levels for corporate users and computers.

Note that the workflow for this setup requires creating Role Mapping and Enforcement Policies before adding the actual service.

Configure ClearPass Roles for Role Mapping Policy

The ClearPass Roles created for the CorpNet Role Mapping Policy earlier in this chapter will be re-used for this configuration.

Configure Role Mapping Policy

Duplicate the Role Mapping Policy created for the Wireless 802.1X service earlier in this chapter to be able to manage them separately.

Step 1 Go to Configuration > Identity > Role Mappings, check the box next to the previously created OWL_RoleMappingPolicy1, then click the Copy button at the lower right of the page.

Duplicate Role Mapping Policy

Step 2 Click on the newly created Copy_of_OWL_RoleMappingPolicy1

Step 3 In the Role Mappings window, under the Policy tab, update the following, then click the Save button.

  • Policy Name: Rename to OWL_RoleMappingPolicy2

Rename Copy of Role Mapping Policy

Step 4 With OWL_RoleMappingPolicy2 successfully created, proceed to the next section.

Configure Enforcement Profiles for Enforcement Policy

The Enforcement Profiles created for the CorpNet Enforcement Policy earlier in this chapter are used for this configuration.

Configure Enforcement Policy

Duplicate the Enforcement Policy created for the Wireless 802.1X service earlier in this chapter to be able to manage them separately.

Step 1 Go to Configuration > Enforcement > Policies, check the box next to the previously created OWL_802.1X-EnforcementPolicy, then click the Copy button at the lower right of the page.

Duplicate Enforcement Policy

Step 2 Click on the newly created Copy_of_OWL_802.1X-EnforcementPolicy

Step 3 In the Enforcement Policies window, under the Enforcement tab, update the following, then click the Save button.

  • Name: Rename to OWL_WiredCX_802.1X-EnforcementPolicy

Rename Copy of Enforcement Policy

Step 4 With OWL_WiredCX_802.1X-EnforcementPolicy successfully created, proceed to the next section.

Configure Service

Follow the steps below to configure the wired 802.1X service for OWL’s CX switches.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin

  • Password: Aruba123!

Step 3 Go to Configuration > Services and click the Add link at the upper right.

Add Wired CX RADIUS Service

Step 4 In the new Services screen, under the Services tab, configure the following, then click the Next button.

  • Type: 802.1X Wired
  • Name: OWL_Wired CX 802.1X Service
  • Add Service Rule 3:
    • Type: Connection
    • Name: NAD-IP-Address
    • Operator: BELONGS_TO_GROUP
    • Value: Switches

Wired CX Service Tab

Step 5 In the Authentication tab, configure the following, then click the Next button.

  • Authentication Methods:
    • [EAP-TLS]
    • [EAP PEAP]
  • Authentication Sources:
    • RSVCP-AD1
    • RSVCP-AD2
  • Strip Username Rules:
    • (Check the box to enable)
    • User:@

Wired CX Authentication Tab

Step 6 In the Roles tab, select OWL_RoleMappingPolicy2 from the Role Mapping Policy dropdown, then click the Next button.

Wired CX Roles Tab

Step 7 In the Enforcement tab, select OWL_WiredCX_802.1X-EnforcementPolicy from the Enforcement Policy dropdown, then click the Save button.

Wired CX Enforcement Tab

Step 8 When complete, proceed to next section.

Configure Wired MAC Authentication

In this deployment, the MAC Auth service uses the Endpoint Repository and DHCP profiling to provide different authorization levels for headless devices such as printers, phones, access points, and others.

Note that the workflow for this setup requires creating Role Mapping and Enforcement Policies before adding the actual service.

Follow the steps below to configure this service.

Configure ClearPass Roles for Role Mapping Policy

The ClearPass Roles created for the CorpNet Role Mapping Policy earlier in this chapter are used for this configuration.

Configure Role Mapping Policy

Configure a new Role Mapping Policy for the MAC authentication service.

Step 1 Go to Configuration > Identity > Role Mappings and click the Add link at the upper right.

Add Role Mapping Policy

Step 2 In the Role Mappings window, under the Policy tab, configure the following, then click the Next button.

  • Policy Name: OWL_WiredMACAuth_RoleMappingPolicy
  • Default Role: [Other]

MAC Auth Role Mapping Policy Tab

Step 3 In the Mapping Rules tab, click the Add Rule button and configure three conditions in the Rules Editor window. All three share the same Type, Name, and Operator and differ only in Value.

  • Matches: ANY
  • Type: Authorization:[Endpoints Repository]
  • Name: Device Name
  • Operator: EQUALS
  • Value: Aruba Cape for the first condition, Aruba IAP for the second, and Aruba AP for the third
  • Role Name: OWL_Infra-Device

Step 4 When all conditions and actions are configured similar to the image below, click Save.

MAC Auth Role Mapping Rules Tab

Step 5 Repeat the two previous steps until the Role Mapping Rules list matches the screenshot below.

MAC Auth Role Mapping Rules Tab 2

Note: The Role Mapping Rules in this example and in the rest of this guide are specific for Orange Widget Logistics, the example customer in the VSG reference architecture. For additional configuration options, see the Adding and Modifying Role Mapping Policies section of the CPPM User Guide.

Step 6 Proceed to the next section.

Configure Enforcement Profiles for Enforcement Policy

The Enforcement Profiles created for the CorpNet Enforcement Policy earlier in this chapter are used for this configuration.

Configure Enforcement Policy

Follow the steps below to configure the Enforcement Policy for the wired MAC authentication service.

Step 1 Go to Configuration > Enforcement > Policies and click the Add link at the upper right.

Add Enforcement Policy

Step 2 In the Add Enforcement Policies window, in the Enforcement tab, configure the following, then click the Next button.

  • Name: OWL_Wired CX MACAuth-EnforcementPolicy
  • Enforcement Type: RADIUS
  • Default Profile: [Deny Access Policy]

Wired MAC Auth Policy Enforcement Tab

Step 3 In the Rules tab, click the Add Rule button. In the Rules Editor window, add the condition Tips:Role EQUALS OWL_Infra-Device, select [RADIUS] OWL_Infra-Device as the Profile Name, then click the Save button.

Enforcement Policy Rules Tab

Step 4 After the first rule is saved, click the Copy Rule button to create the second rule as follows:

  • Select the newly created rule for OWL_Infra-Device
  • Click the Copy Rule button
  • Select the newly duplicated rule
  • Click the Edit Rule button
  • Change the Value column condition 1 to OWL_VoIP
  • Replace the Profile Name with OWL_VoIP
  • Click the Save button

Enforcement Policy Copy Rule

Step 5 Repeat the previous step until the enforcement rules below are entered, then click the Save button.

Conditions                            Profile Name
Tips:Role EQUALS OWL_VoIP             [RADIUS] OWL_VoIP
Tips:Role EQUALS OWL_Infra-Device     [RADIUS] OWL_Infra-Device
Tips:Role EQUALS OWL_Printer          [RADIUS] OWL_Printer
Tips:Role EQUALS OWL_IoT-Limited      [RADIUS] OWL_IoT-Limited
Tips:Role EQUALS OWL_Security         [RADIUS] OWL_Security

Step 6 When complete, proceed to the next section.
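The following added example (not ClearPass code) models how the role-mapping and enforcement policies built in this chapter combine, for both the CorpNet 802.1X policy (Configure Wireless 802.1X Authentication) and the wired MAC-auth policy above. Role, group, and profile names are the ones in the tables; the evaluation semantics are assumptions of the model: role mapping evaluates every rule and collects all matching roles, [Machine Authenticated] is a system role ClearPass adds from its machine-authentication cache (modelled as a boolean), enforcement returns the first matching rule, and the default profile is [Deny Access Policy]. Only the three MAC-auth mapping rules spelled out in the text are modelled; the rest exist only in a screenshot.

```python
# OWL_RoleMappingPolicy1 / OWL_RoleMappingPolicy2:
# Authorization:RSVCP-AD1 Groups EQUALS <AD group> -> ClearPass role
AD_GROUP_ROLES = {
    "OWL-Employee": "OWL_Employee",
    "OWL-IT-Admin": "OWL_IT-Admin",
    "OWL-IT-Support": "OWL_IT-Support",
    "OWL-LnD-Staff": "OWL_LnD-Staff",
    "OWL-LnD-Student": "OWL_LnD-Student",
    "OWL-Contractor": "OWL_Contractor",
}

# OWL_WiredMACAuth_RoleMappingPolicy:
# Authorization:[Endpoints Repository] Device Name EQUALS <name> -> ClearPass role
ENDPOINT_NAME_ROLES = {
    "Aruba Cape": "OWL_Infra-Device",
    "Aruba IAP": "OWL_Infra-Device",
    "Aruba AP": "OWL_Infra-Device",
}

MACHINE_AUTH = "[Machine Authenticated]"   # system role, modelled as a flag (assumption)
DEFAULT_ROLE = "[Other]"
DEFAULT_PROFILE = "[Deny Access Policy]"


def map_roles_dot1x(ad_groups, machine_authenticated):
    """Evaluate all mapping rules and collect every role that matches (assumption)."""
    roles = {AD_GROUP_ROLES[g] for g in ad_groups if g in AD_GROUP_ROLES}
    if machine_authenticated:
        roles.add(MACHINE_AUTH)
    return roles or {DEFAULT_ROLE}


def map_roles_mac_auth(device_name):
    """Endpoint Repository device name -> role; unknown devices get [Other]."""
    return {ENDPOINT_NAME_ROLES.get(device_name, DEFAULT_ROLE)}


# Enforcement rules: (set of Tips:Role values that must ALL be present, profile name)
DOT1X_RULES = [({role, MACHINE_AUTH}, f"[RADIUS] {role}") for role in
               ("OWL_Employee", "OWL_IT-Admin", "OWL_IT-Support",
                "OWL_LnD-Staff", "OWL_LnD-Student", "OWL_Contractor")]
DOT1X_RULES.append(({MACHINE_AUTH}, "[RADIUS] OWL_Machine-Auth"))

MAC_AUTH_RULES = [({role}, f"[RADIUS] {role}") for role in
                  ("OWL_VoIP", "OWL_Infra-Device", "OWL_Printer",
                   "OWL_IoT-Limited", "OWL_Security")]


def enforce(rules, roles):
    """First rule whose conditions are all satisfied wins (assumption: 'first applicable')."""
    for required, profile in rules:
        if required <= roles:
            return profile
    return DEFAULT_PROFILE


def decide_dot1x(ad_groups, machine_authenticated):
    return enforce(DOT1X_RULES, map_roles_dot1x(ad_groups, machine_authenticated))


def decide_mac_auth(device_name):
    return enforce(MAC_AUTH_RULES, map_roles_mac_auth(device_name))


if __name__ == "__main__":
    print(decide_dot1x(["OWL-Employee"], True))    # [RADIUS] OWL_Employee
    print(decide_dot1x(["OWL-Employee"], False))   # [Deny Access Policy]: user auth without machine auth
    print(decide_dot1x([], True))                  # [RADIUS] OWL_Machine-Auth
    print(decide_mac_auth("Aruba AP"))             # [RADIUS] OWL_Infra-Device
    print(decide_mac_auth("Unknown printer"))      # [Deny Access Policy]
```

Two behaviours worth checking in Access Tracker after deployment follow directly from the model: a user in a matching AD group whose laptop has not machine-authenticated is denied, and because the rules are evaluated top-down, a user who is a member of both OWL-Employee and OWL-IT-Admin receives the OWL_Employee profile, since that rule sits first. Order the rules so the intended profile wins for users with multiple group memberships.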

Configure Service

Follow the steps below to configure the wired MAC authentication service for OWL’s CX switches.

Step 1 Open a web browser and connect to the publisher node, RSVCP-CPPM-1.

Step 2 Log in using the admin credentials.

  • Username: admin

  • Password: Aruba123!

Step 3 Go to Configuration > Services and click the Add link at the upper right.

Add Wired CX RADIUS Service

Step 4 In the new Services window, in the Services tab, configure the following:

  • Type: MAC Authentication
  • Name: OWL_Wired CX MACAuth Service
  • Add Service Rule 3:
    • Type: Connection
    • Name: NAD-IP-Address
    • Operator: BELONGS_TO_GROUP
    • Value: Switches
  • Click the Next button

Wired CX MAC Auth Add

Step 5 In the Authentication tab, configure the following:

  • Authentication Methods:
    • [Allow All MAC AUTH]
  • Authentication Sources:
    • [Endpoints Repository] [Local SQL DB]
  • Click the Next button

Wired CX MAC Authentication Tab

Step 6 In the Roles tab, select OWL_WiredMACAuth_RoleMappingPolicy from the Role Mapping Policy dropdown, then click the Next button.

Wired CX MAC Auth Roles Tab

Step 7 In the Enforcement tab, select OWL_Wired CX MACAuth-EnforcementPolicy from the Enforcement Policy dropdown, then click the Next button.

Wired CX MAC Auth Enforcement Tab

Step 8 In the Profiler tab, configure the following settings, then click the Next button:

  • Endpoint Classification: Any Category/ OS Family/ Name
  • RADIUS CoA Action: [AOS-CX - Bounce Switch Port]

Wired CX MAC Auth Profiler Tab

Step 9 Review the Summary tab, then proceed to next section.

Organize Services

Because services process authentication requests from the top down, similar to an ACL, it is essential to organize them in a way that is most effective for the deployment. Although the order is not critical for the three services created in this sample deployment, it is important to begin with a well organized set of services to facilitate troubleshooting and expansion of services as more sites are deployed or new services are tested.

One method to organize services is to create service “separators,” as described in the next section.

Create Service “Separators”

Separators are optional but recommended. They keep services grouped and make them easier to sort when troubleshooting.

Step 1 Pick any existing service and duplicate it with the Copy button. Then rename it. Repeat until the three separator services below are created.

Service Separators

Step 2 Ensure that the newly created “separator” services are disabled, as shown in the image above, to prevent ClearPass from using them to process requests.

Reorder Services

Step 1 After the “separator” services are disabled, click the Reorder button at the lower right.

Service Reorder

Step 2 In the Reorder window, left-click and release the first service to be moved, move the cursor to the desired location, and then click again to release the service in the intended place.

Service Reorder 2

Step 3 Repeat this step until the order looks similar to the image above.

Step 4 When the reorder is complete, the services should look like the screenshot below.

Service Reorder 3

Step 5 Proceed to the next section.
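The following added example (not ClearPass code) models the top-down, first-match service classification described in Organize Services for the three OWL services plus the disabled separator services. Attribute names follow the service rules shown in this chapter; the rules inherited from the Aruba 802.1X Wireless, 802.1X Wired, and MAC Authentication templates are simplified assumptions of this model, and the NAD addresses and requests are constructed.

```python
# Network Device Groups in List format (constructed NAD addresses).
DEVICE_GROUPS = {
    "Switches": {"10.2.3.11", "10.2.3.12"},
    "Gateways": {"10.2.3.21"},
}


def resolve(req, value):
    """Resolve a %{attribute} reference in a rule value against the request."""
    if isinstance(value, str) and value.startswith("%{") and value.endswith("}"):
        return req.get(value[2:-1])
    return value


def condition_matches(req, cond):
    attr, op, value = cond
    if op == "EXISTS":
        return attr in req
    if attr not in req:
        return False
    actual = req[attr]
    if op == "EQUALS":
        return actual == resolve(req, value)
    if op == "BELONGS_TO":
        return actual in value
    if op == "BELONGS_TO_GROUP":
        return actual in DEVICE_GROUPS.get(value, set())
    raise ValueError(f"unsupported operator {op}")


# Services in processing order: (name, enabled, conditions). All conditions must match.
SERVICES = [
    ("=== Wireless ===", False, []),               # separator: disabled, never selected
    ("OWL CorpNet 802.1X Service", True, [
        ("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11"),
        ("Radius:IETF:Service-Type", "BELONGS_TO", {"Login-User", "Framed-User", "Authenticate-Only"}),
        ("Radius:Aruba:Aruba-Essid-Name", "EQUALS", "CorpNet"),
    ]),
    ("=== Wired ===", False, []),
    ("OWL_Wired CX 802.1X Service", True, [
        ("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet"),
        ("Radius:IETF:Service-Type", "BELONGS_TO", {"Login-User", "Framed-User", "Authenticate-Only"}),
        ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", "Switches"),
    ]),
    ("OWL_Wired CX MACAuth Service", True, [
        ("Radius:IETF:NAS-Port-Type", "BELONGS_TO", {"Ethernet", "Wireless-802.11"}),
        ("Radius:IETF:Service-Type", "BELONGS_TO", {"Login-User", "Call-Check"}),
        ("Connection:Client-Mac-Address", "EQUALS", "%{Radius:IETF:User-Name}"),
        ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", "Switches"),
    ]),
]


def classify(req, services=SERVICES):
    """Return the first enabled service whose rules all match, or None (request rejected)."""
    for name, enabled, conditions in services:
        if enabled and all(condition_matches(req, c) for c in conditions):
            return name
    return None


def request(port_type, service_type, user, nad_ip, mac, essid=None):
    """Build a constructed request with the attributes the rules above inspect."""
    req = {"Radius:IETF:NAS-Port-Type": port_type, "Radius:IETF:Service-Type": service_type,
           "Radius:IETF:User-Name": user, "Connection:NAD-IP-Address": nad_ip,
           "Connection:Client-Mac-Address": mac}
    if essid:
        req["Radius:Aruba:Aruba-Essid-Name"] = essid
    return req


WIRELESS_REQ = request("Wireless-802.11", "Login-User", "jdoe", "10.2.3.21", "001122334455", "CorpNet")
WIRED_DOT1X_REQ = request("Ethernet", "Framed-User", "jdoe", "10.2.3.11", "001122334455")
WIRED_MAC_REQ = request("Ethernet", "Call-Check", "aabbccddeeff", "10.2.3.11", "aabbccddeeff")

# A broad service placed above the MAC-auth service captures its requests: order matters.
CATCH_ALL = ("Catch-all Ethernet", True, [("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet")])

if __name__ == "__main__":
    for req in (WIRELESS_REQ, WIRED_DOT1X_REQ, WIRED_MAC_REQ):
        print(classify(req))
    print(classify(WIRED_MAC_REQ, [CATCH_ALL] + SERVICES))   # Catch-all Ethernet
```

The last line is the reason the reorder step matters: a later, broader service never sees a request that an earlier one already matched, and a request that matches no enabled service is rejected. Disabled separators are skipped, which is why they must stay disabled.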

Verify Switch Configuration

The following sections contain the base configuration expected for AOS-CX switches to authenticate wired clients against the RADIUS services configured in this guide. For instructions on configuring the switches, see the Configure RADIUS and UBT section of the Wired Access Configuration page in the Campus Deploy guide.

Global RADIUS Configuration

Verify that the following global RADIUS configuration exists.

radius-server host 10.2.120.192 key plaintext Aruba123!
radius-server host 10.2.120.193 key plaintext Aruba123!

aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193

aaa accounting port-access start-stop interim 60 group clearpass_radius_group

radius dyn-authorization enable

radius dyn-authorization client 10.2.120.194 secret-key Aruba123!
radius dyn-authorization client 10.2.120.195 secret-key Aruba123!

aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable

The table below provides brief descriptions of each configuration section above.

radius-server host 10.2.120.192 key plaintext Aruba123!
radius-server host 10.2.120.193 key plaintext Aruba123!
    Adds the RADIUS server virtual IP addresses along with the shared secret.

aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193
    Creates a named AAA server group and adds the newly added RADIUS servers to it.

aaa accounting port-access start-stop interim 60 group clearpass_radius_group
    Configures the new RADIUS server group to receive accounting records at the beginning and end of each user/device session, as well as interim updates every 60 seconds.

radius dyn-authorization enable
    Enables CoA.

radius dyn-authorization client 10.2.120.194 secret-key Aruba123!
radius dyn-authorization client 10.2.120.195 secret-key Aruba123!
    Configures the switch to accept and process dynamic authorization requests sourced from the RADIUS servers’ own IP addresses (not the VRRP virtual IPs).

aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
    Enables 802.1X authentication and sends authentication requests to the RADIUS server group clearpass_radius_group.

aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable
    Enables MAC authentication and sends authentication requests to the RADIUS server group clearpass_radius_group.

Switch Port Configuration

Verify that the following configuration exists on the ports expected to authenticate wired clients.

interface 1/1/1
    aaa authentication port-access client-limit 3
    aaa authentication port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable

The table below provides brief descriptions of each configuration section above.

aaa authentication port-access client-limit 3
    Sets the port to authenticate a maximum of three clients.

aaa authentication port-access onboarding-method concurrent enable
    Configures the port to use 802.1X and MAC authentication simultaneously.

aaa authentication port-access dot1x authenticator
    Opens the configuration subsection for 802.1X.

max-eapol-requests 1
    Sets the port to send only one EAPOL request to the client. If the client does not respond to the single request, the authentication attempt is considered failed.

max-retries 1
    Sets the maximum number of times the switch reattempts the authentication process after a failure.

reauth
    Enables the switch to periodically reinitiate the authentication process to verify that the client should still be granted network access.

enable
    Enables 802.1X authentication on the port.

aaa authentication port-access mac-auth
    Opens the configuration subsection for MAC authentication.

cached-reauth
cached-reauth-period 86400
    Configures the switch to cache the MAC address and use it to reauthenticate the client on the same port without a full authentication if the device disconnects and reconnects within 86400 seconds (24 hours).

quiet-period 30
    Sets the duration during which the switch does not attempt to reauthenticate a device after a failed authentication attempt.

enable
    Enables MAC authentication on the port.
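Checking that every access port carries the configuration above by eye does not scale past a few switches. The following added example (not Aruba code) parses an AOS-CX running-config excerpt into parent/child paths and reports which of the global RADIUS settings and per-port port-access settings expected by this section are missing, including whether the CoA clients are the expected server node addresses. The embedded configuration is constructed from the snippets above; the ciphertext form of the keys, the node IP addresses, and a second port 1/1/2 that is deliberately incomplete are assumptions of the example.

```python
import re

# Constructed 'show running-config' excerpt (assumption: keys appear as ciphertext,
# and port 1/1/2 is deliberately missing most of its port-access configuration).
SAMPLE_CONFIG = """\
radius-server host 10.2.120.192 key ciphertext AQBapEXAMPLE==
radius-server host 10.2.120.193 key ciphertext AQBapEXAMPLE==
aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193
aaa accounting port-access start-stop interim 60 group clearpass_radius_group
radius dyn-authorization enable
radius dyn-authorization client 10.2.120.194 secret-key ciphertext AQBapEXAMPLE==
radius dyn-authorization client 10.2.120.195 secret-key ciphertext AQBapEXAMPLE==
aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable
interface 1/1/1
    aaa authentication port-access client-limit 3
    aaa authentication port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
interface 1/1/2
    aaa authentication port-access client-limit 3
    aaa authentication port-access dot1x authenticator
        enable
"""


def config_paths(text):
    """Turn the indented config into 'parent / child' paths so that the 'enable'
    under dot1x and the 'enable' under mac-auth stay distinguishable."""
    paths, stack = set(), []            # stack holds (indent, line) of open blocks
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, raw.strip()))
        paths.add(" / ".join(line for _, line in stack))
    return paths


def check_port(paths, iface):
    """Per-port settings this section expects on every authenticating port."""
    findings, base = [], f"{iface} / aaa authentication port-access "
    if not any(p.startswith(base + "client-limit ") for p in paths):
        findings.append(f"{iface}: missing 'aaa authentication port-access client-limit'")
    for rel in ("onboarding-method concurrent enable", "dot1x authenticator / enable",
                "dot1x authenticator / reauth", "mac-auth / enable", "mac-auth / cached-reauth"):
        if base + rel not in paths:
            findings.append(f"{iface}: missing 'aaa authentication port-access {rel}'")
    return findings


def check_config(text, group="clearpass_radius_group",
                 coa_clients=("10.2.120.194", "10.2.120.195")):
    """Return a list of findings; an empty list means the expected configuration is present."""
    paths, findings = config_paths(text), []
    hosts = re.findall(r"^radius-server host (\S+)", text, re.M)
    if len(hosts) < 2:
        findings.append("fewer than two RADIUS servers defined (no redundancy)")
    for ip in hosts:
        if f"aaa group server radius {group} / server {ip}" not in paths:
            findings.append(f"RADIUS server {ip} not in group {group}")
    if not re.search(rf"^aaa accounting port-access start-stop(?: interim \d+)? group {re.escape(group)}$",
                     text, re.M):
        findings.append(f"no start-stop accounting to group {group}")
    if "radius dyn-authorization enable" not in paths:
        findings.append("CoA (radius dyn-authorization) not enabled")
    clients = set(re.findall(r"^radius dyn-authorization client (\S+)", text, re.M))
    if clients != set(coa_clients):   # must be the server nodes' own IPs, not VRRP VIPs
        findings.append(f"CoA clients {sorted(clients)} != expected node IPs {sorted(coa_clients)}")
    for method in ("dot1x authenticator", "mac-auth"):
        for tail in (f"radius server-group {group}", "enable"):
            if f"aaa authentication port-access {method} / {tail}" not in paths:
                findings.append(f"global {method}: missing '{tail}'")
    for iface in re.findall(r"^(interface \S+)$", text, re.M):
        if any(p.startswith(f"{iface} / aaa authentication port-access") for p in paths):
            findings.extend(check_port(paths, iface))
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the saved output of show running-config from each switch; only ports that carry any port-access configuration are checked, so uplinks are left alone. The CoA client check deliberately compares against the node addresses rather than the radius-server hosts, because on this design the hosts are the VRRP virtual IPs while CoA arrives from the real node addresses.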

This concludes ClearPass deployment guidance.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.