Scribd
Upload
783 views24 pages

Authentication Integration With Aruba Clearpass

ClearPass is a network access management solution developed by Aruba that provides secure network access control and policy enforcement for wired, wireless, and remote devices. It supports various authentication methods like 802.1X and captive portal and integrates with other security solutions. The document provides test requirements and configurations for testing ClearPass authentication methods including 802.1X authentication, 802.1X with dynamic VLAN assignment, and captive portal authentication. It also describes troubleshooting and packet analysis related to ClearPass authentication.

Uploaded by

taufanprakasa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
783 views24 pages

Authentication Integration With Aruba Clearpass

ClearPass is a network access management solution developed by Aruba that provides secure network access control and policy enforcement for wired, wireless, and remote devices. It supports various authentication methods like 802.1X and captive portal and integrates with other security solutions. The document provides test requirements and configurations for testing ClearPass authentication methods including 802.1X authentication, 802.1X with dynamic VLAN assignment, and captive portal authentication. It also describes troubleshooting and packet analysis related to ClearPass authentication.

Uploaded by

taufanprakasa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Authentication Integration with Aruba

Clearpass​
Introduction to Clearpass​
ClearPass is a network access management solution developed by Aruba Networks. It provides
secure network access control and policy enforcement for wired, wireless, and remote devices.
ClearPass allows organizations to authenticate, authorize, and manage user and device access
to their network resources. It supports various authentication methods, such as 802.1X and
captive portal, and integrates with other security solutions to provide comprehensive network
security. ClearPass also offers capabilities for guest access management, device profiling, and
policy enforcement, helping organizations ensure secure and compliant network access for their
users and devices.​
Basic Authentication Logic of Clearpass​
PoC Test Guide​
Test Requirement​
1. 802.1x Authenticaiton ​
2. 802.1x Authentication with Dynamic VLAN​
3. Captive Portal Authentication​
Test Device​
Model​ Quantity​ Firmware Version​
WS6008​ 1​ AC_RGOS 11.9(6)W1B1​
S5310-24GT4XS-P-E​ 1​ S5310E_RGOS 12.6(2)B0204​
AP730(TR)​ 1​ AP_RGOS 11.1(9)B1P30​

❗ Notice: ​
Please confirm the Model and Firmware Version with the Industry Service
Representative (Enterprise/Carrier: Nick & Kim; SMB: Henry; Strategy: Beni) before
performing the PoC test. ​

Test Topology​

Test Content​
1. 802.1x Authenticaiton​
1.1 Configuration on AC​
(1) Configure the RADIUS authentication server​
ip radius source-interface VLAN 10​
radius-server host [Link] key Ruijie@123​
(2) Configure an AAA method list​
aaa new-model​
aaa group server radius aruba_radius​
server [Link]​
exit​
aaa accounting network aruba start-stop group aruba_radius​
aaa authentication dot1x aruba group aruba_radius​
aaa authentication login default local​
(3) Enable 802.1x authentication.​
wlan-config 1 clearpass_1x​

ap-group default​
interface-mapping 1 100 ap-wlan-id 1​

wlansec 1​
security rsn enable​
security rsn ciphers aes enable​
security rsn akm 802.1x enable​
dot1x authentication aruba​
dot1x accounting aruba​
1.2 Configuration on Clearpass​
(1) Add an Access Device​
(2) Create User Accounts and Role (Optional)​
(3) Configure the Serivces​
2. 802.1x Authentication with Dynamic VLAN​
2.1 Configuration on AC​
(1) Configure the RADIUS authentication server​
ip radius source-interface VLAN 10​
radius-server host [Link] key Ruijie@123​
(2) Configure an AAA method list​
aaa new-model​
aaa group server radius aruba_radius​
server [Link]​
exit​
aaa accounting network aruba start-stop group aruba_radius​
aaa authentication dot1x aruba group aruba_radius​
aaa authentication login default local​
(3) Configure a VLAN group​
vlan-group 1​
vlan-list 100,200​
default-vlan 100​
vlan-assign-mode dot1x​
(4) Enable 802.1x authentication.​
wlan-config 2 clearpass_1x_dynamicvlan​

ap-group default​
interface-mapping 2 group 1​

wlansec 2​
security rsn enable​
security rsn ciphers aes enable​
security rsn akm 802.1x enable​
dot1x authentication aruba​
dot1x accounting aruba​
2.2 Configuration on Clearpass​
(1) Create profiles "VLAN100" and "VLAN200"​
(2) Create a Policy "wireless_1x_dynamicvlan"​
(3) Create a Service "wireless dot1x with dynamic vlan" and apply the
"wireless_1x_dynamicvlan" policy​
3. Captive Portal Authentication​
3.1 Configuration on AC​
(1) Configure the RADIUS authentication server​
ip radius source-interface VLAN 10​
radius-server host [Link] key Ruijie@123​
(2) Configure an AAA method list​
aaa new-model​
aaa group server radius aruba_radius​
server [Link]​
exit​

web-auth template cpweb​


ip [Link]​
url [Link]
login-success response redirect-url [Link] //optional, configure
the redirection page after success login​

aaa authentication cpweb aruba group aruba_radiu​


aaa accounting network aruba start-stop group aruba_radius​
aaa authentication dot1x aruba group aruba_radius​
aaa authentication login default local​

(3) Configure HTTP service parameters​


web-auth auth-server ip [Link] //can be any IP address, but needs to be the same as
configured on clearpass​
web-auth auth-server http​
web-auth auth-server submit-url [Link]
(4) Enable captive portal authentication.​
wlan-config 3 clearpass_portal​

ap-group default​
interface-mapping 3 100​

wlansec 3​
web-auth accounting cpweb aruba​
web-auth authentication cpweb aruba​
web-auth portal cpweb​
webauth​
3.2 Configuration on Clearpass​
(1) Create a web login page​
(2) Create a service for captive portal authentication ​
❗ Notice:​
Ruijie Device does not support pre-defining the "user profile" on devices like HUAWEI
or ARUBA.​

Troubleshooting​
Clearpass provides a useful troubleshooting tool: "Access Tracer" to troubleshoot authentication
issues.​

1. User not found​

(1) Check whether the right authentication source is added to the service​
(2) Check whether the user account is added to the authentication source​
2. Cannot select the appropriate authentication method​
Check whether the authentication method is correctly configured on Service​

3. Service Categorization failed​


Clearpass can not find a service to match the conditions of the authentication request. Need
to check whether the service rule is correctly configured.​

4. No error message is shown on Clearpass​


(1) Check the connectivity between AC and clearpass. ​
(2)Check whether the radius source interface is correctly configured​

Packet Analysis​
1. Like all standard radius protocols, when the terminal connects to the SSID, the NAS device
(NAS IP:[Link]) will send the radius request packets to Clearpass (Radius server IP:
[Link]), along with the username(staff1), NAS-Port-Type(Wireless-802.11 (19)),
encrypted password and Called-Station-iD(clearpass_1x_dynamicvlan). Clearpass will verify
the information according to the service configuration:​
2. If the above information is all correct and accepted by Clearpass, it will send the Acces-accept
packet to the NAS device along with the dynamic user VLAN based on the service rule
settings:
Appendix:​
Full packet interaction process of the radius authentication is attached:​
Clearpass_with_dynamic_vlan.pca
png
153.67KB

You might also like