Authentication Integration with Aruba Clearpass
Introduction to Clearpass

ClearPass is a network access management solution developed by Aruba Networks. It provides secure network access control and policy enforcement for wired, wireless, and remote devices. ClearPass allows organizations to authenticate, authorize, and manage user and device access to their network resources. It supports various authentication methods, such as 802.1X and captive portal, and integrates with other security solutions to provide comprehensive network security. ClearPass also offers capabilities for guest access management, device profiling, and policy enforcement, helping organizations ensure secure and compliant network access for their users and devices.
Basic Authentication Logic of Clearpass

PoC Test Guide

Test Requirement
1. 802.1X Authentication
2. 802.1X Authentication with Dynamic VLAN
3. Captive Portal Authentication

Test Device
Model               Quantity  Firmware Version
WS6008              1         AC_RGOS 11.9(6)W1B1
S5310-24GT4XS-P-E   1         S5310E_RGOS 12.6(2)B0204
AP730(TR)           1         AP_RGOS 11.1(9)B1P30

❗ Notice:
Please confirm the Model and Firmware Version with the Industry Service Representative (Enterprise/Carrier: Nick & Kim; SMB: Henry; Strategy: Beni) before performing the PoC test.

Test Topology

Test Content

1. 802.1X Authentication

1.1 Configuration on AC
(1) Configure the RADIUS authentication server
    ip radius source-interface VLAN 10
    radius-server host 10.10.100.10 key Ruijie@123
(2) Configure an AAA method list
    aaa new-model
    aaa group server radius aruba_radius
     server 10.10.100.10
     exit
    aaa accounting network aruba start-stop group aruba_radius
    aaa authentication dot1x aruba group aruba_radius
    aaa authentication login default local
(3) Enable 802.1X authentication
    wlan-config 1 clearpass_1x

    ap-group default
     interface-mapping 1 100 ap-wlan-id 1

    wlansec 1
     security rsn enable
     security rsn ciphers aes enable
     security rsn akm 802.1x enable
     dot1x authentication aruba
     dot1x accounting aruba
1.2 Configuration on Clearpass
(1) Add an Access Device
(2) Create User Accounts and Role (Optional)
(3) Configure the Services
2. 802.1X Authentication with Dynamic VLAN

2.1 Configuration on AC
(1) Configure the RADIUS authentication server
    ip radius source-interface VLAN 10
    radius-server host 10.10.100.10 key Ruijie@123
(2) Configure an AAA method list
    aaa new-model
    aaa group server radius aruba_radius
     server 10.10.100.10
     exit
    aaa accounting network aruba start-stop group aruba_radius
    aaa authentication dot1x aruba group aruba_radius
    aaa authentication login default local
(3) Configure a VLAN group
    vlan-group 1
     vlan-list 100,200
     default-vlan 100
     vlan-assign-mode dot1x
(4) Enable 802.1X authentication
    wlan-config 2 clearpass_1x_dynamicvlan

    ap-group default
     interface-mapping 2 group 1

    wlansec 2
     security rsn enable
     security rsn ciphers aes enable
     security rsn akm 802.1x enable
     dot1x authentication aruba
     dot1x accounting aruba
2.2 Configuration on Clearpass
(1) Create profiles "VLAN100" and "VLAN200"
(2) Create a Policy "wireless_1x_dynamicvlan"
(3) Create a Service "wireless dot1x with dynamic vlan" and apply the "wireless_1x_dynamicvlan" policy
3. Captive Portal Authentication

3.1 Configuration on AC
(1) Configure the RADIUS authentication server
    ip radius source-interface VLAN 10
    radius-server host 10.10.100.10 key Ruijie@123
(2) Configure an AAA method list
    aaa new-model
    aaa group server radius aruba_radius
     server 10.10.100.10
     exit

    web-auth template cpweb
     ip 10.10.100.10
     url https://10.10.100.10/guest/web_login.php
     login-success response redirect-url https://www.ruijienetworks.com   // optional: the page the user is redirected to after a successful login

    aaa authentication cpweb aruba group aruba_radius
    aaa accounting network aruba start-stop group aruba_radius
    aaa authentication dot1x aruba group aruba_radius
    aaa authentication login default local
(3) Configure HTTP service parameters
    web-auth auth-server ip 1.1.1.1   // can be any IP address, but it must match the address configured on Clearpass
    web-auth auth-server http
    web-auth auth-server submit-url http://1.1.1.1:8082/login
(4) Enable captive portal authentication
    wlan-config 3 clearpass_portal

    ap-group default
     interface-mapping 3 100

    wlansec 3
     web-auth accounting cpweb aruba
     web-auth authentication cpweb aruba
     web-auth portal cpweb
     webauth
3.2 Configuration on Clearpass
(1) Create a web login page
(2) Create a service for captive portal authentication

❗ Notice:
Ruijie devices do not support pre-defining a "user profile" on the device, as HUAWEI or ARUBA devices do.

Troubleshooting

Clearpass provides a useful troubleshooting tool, "Access Tracker", for troubleshooting authentication issues.

1. User not found
(1) Check whether the right authentication source is added to the service
(2) Check whether the user account is added to the authentication source

2. Cannot select the appropriate authentication method
Check whether the authentication method is correctly configured on the Service

3. Service Categorization failed
Clearpass cannot find a service that matches the conditions of the authentication request. Check whether the service rule is correctly configured.

4. No error message is shown on Clearpass
(1) Check the connectivity between the AC and Clearpass
(2) Check whether the RADIUS source interface is correctly configured

Packet Analysis

1. As in any standard RADIUS exchange, when the terminal connects to the SSID, the NAS device (NAS IP: 10.10.10.1) sends RADIUS request packets to Clearpass (RADIUS server IP: 10.10.10.104) carrying the username (staff1), NAS-Port-Type (Wireless-802.11 (19)), the encrypted password and the Called-Station-Id (clearpass_1x_dynamicvlan). Clearpass verifies this information against the service configuration:

2. If all of the above information is correct and accepted by Clearpass, it sends an Access-Accept packet to the NAS device, along with the dynamic user VLAN chosen according to the service rule settings:
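The Access-Accept in step 2 carries the VLAN in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868). The Python script below is an added example, not part of the original guide or of any Ruijie or Aruba code: it builds such a reply for VLAN 200 and parses one back, checking the Response Authenticator against the shared secret before trusting the VLAN, which is the check that stops a forged or altered reply from moving a client to another VLAN. The request authenticator is a constructed value, and the shared secret Ruijie@123 from the configuration above is reused as a sample.

```python
import hashlib
import struct

# RADIUS code and attribute numbers (RFC 2865 / RFC 2868)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def build_access_accept(ident, request_auth, secret, vlan_id, tag=0):
    """Encode an Access-Accept carrying the three Tunnel-* attributes a NAS
    needs for dynamic VLAN assignment, with a valid Response Authenticator."""
    attrs = b""
    # Tunnel-Type / Tunnel-Medium-Type: 1 tag byte + 3-byte integer value
    for atype, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                         (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)):
        attrs += struct.pack("!BBB", atype, 6, tag) + value.to_bytes(3, "big")
    group = bytes([tag]) + str(vlan_id).encode()  # tag byte + VLAN id as text
    attrs += struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_dynamic_vlan(packet, request_auth, secret):
    """Verify the Response Authenticator with the shared secret, then return the
    assigned VLAN id, or None if the reply is invalid or carries no VLAN."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        return None  # wrong shared secret, or the reply was altered in transit
    attrs, pos = {}, 20
    while pos < len(packet):  # walk the Type/Length/Value attribute list
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            return None  # truncated or malformed attribute
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big") or
            attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")):
        return None  # not a VLAN assignment
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # a leading byte <= 0x1F is a tag, not VLAN text
        group = group[1:]
    return int(group) if group.isdigit() else None
```

The same parser can be pointed at the Access-Accept bytes from the attached capture to confirm which VLAN Clearpass actually returned for a given request.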
Appendix:
The full packet interaction of the RADIUS authentication is attached: Clearpass_with_dynamic_vlan.pcapng (153.67 KB)
