How to Enable Dot1x authentication for wireless users on IAP

Aruba Employee

This article explains:

   i) Adding the Aruba IAP as a NAD device.
   ii) Integrating the Aruba Controller with CPPM to perform Dot1x authentication.
   iii) Configuring a service on CPPM to handle this request.

 

Environment: This article is written for CPPM 6.2.0 and greater.

 

Below are the detailed steps.

1: Adding Aruba Controller as NAD device on CPPM.

Navigate to Configuration > Network > Devices

 

Click Add Device

 

Add the device as shown below.

rtaImage.png

 

The Vendor name should be selected as Aruba, and CoA should be enabled.

Also make sure that the same RADIUS shared secret is configured on the VC.


2: Integrate Aruba IAP with CPPM to perform Dot1x.

Click on "System" and fill in the details below.

rtaImage (1).png

 

Give an IP to the Virtual Controller and enable Dynamic RADIUS Proxy. This will forward all the RADIUS packets (from any IAP in the cluster) to CPPM with the VC's IP.

Click on "Authentication" and add a new RADIUS server.

rtaImage (2).png

Navigate to the Security - Role page and add two new roles.

Employee: allowed to all destinations.
Contractor: limited access.

These roles can be customized based on the user's requirements.

rtaImage (3).png

Sample Contractor Role.

rtaImage (4).png

Create a new SSID.

Click on "New" and give a name to the SSID.

rtaImage (5).png

On the next page, select the Client IP assignment.

It can be either VC assigned or Network assigned, based on our requirements.

rtaImage (6).png

On the next page:

rtaImage (7).png

Select the security as "Enterprise".
Key Management as "WPA-2-Enterprise".
Authentication server as "CPPM".
Authentication Survivability: enable this. When enabled, it caches the MAC of the client and authenticates it for 24 hours if the CPPM server is offline.

On the next page,

We can leave the Access control as "unrestricted" as we will push the role from CPPM.

rtaImage (8).png

This completes the configuration on the IAP.

3: Configuration of CPPM

Navigate to "Configuration » Identity » Local Users" and create two users.

rtaImage (9).png

For the Employee user assign the Employee role, and for the Contractor user assign the Contractor role.

rtaImage (10).png

These users would be used for authentication.

Now, we will add Enforcement Profiles for Employee and Contractor.

Navigate to "Configuration » Enforcement » Profiles » Add Enforcement Profile".

rtaImage (11).png

The Aruba-user-role must be exactly the same as the role which we added on the IAP.

rtaImage (12).png

Similarly, add a Contractor enforcement profile.

rtaImage (13).png

Now we will add an Enforcement Policy to apply the logic.

Navigate to "Configuration » Enforcement » Policies" and add a new policy.

rtaImage (14).png

 

Make sure that the Default Role is set to "Deny Access Profile" and the Enforcement type is "Radius".

rtaImage (15).png

This rule is set as: "If Tips Role = Contractor, then CPPM will return the Contractor role to the IAP."

Similarly set the rule for Employee.

rtaImage (16).png

Save this policy and exit.

Now, we will add a Service to handle this request.

Navigate to "Configuration » Start Here" and use the default "Aruba 802dot1x wireless template".

rtaImage (17).png

Edit the last rule and enter the exact name of the SSID.

rtaImage (18).png

Leave the Authentication Methods as default and add the Local User repository as the Authentication Source.

rtaImage (19).png

Note: We can also use AD to authenticate the users, but CPPM must be joined to the Domain.

Leave the Roles tab blank because we are not using AD for authentication.

On the Enforcement tab, map the correct enforcement profile.

rtaImage (20).png

Click on Save and this completes the CPPM configuration as well.
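The requirement above that the Aruba-user-role returned by CPPM exactly match a role defined on the IAP, with everything else falling through to the deny profile, can be checked against a captured RADIUS reply. The following Python code is an added example, not part of the original article or of any Aruba tool; it parses the Aruba-User-Role vendor-specific attribute (vendor ID 14823, sub-attribute type 1) and compares it with the IAP role names. The function names and result labels are assumptions, and the packets are constructed samples with a zeroed authenticator.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute (RFC 2865)
ARUBA_VENDOR_ID = 14823    # Aruba enterprise number
ARUBA_USER_ROLE = 1        # Aruba-User-Role sub-attribute type
ACCESS_ACCEPT = 2

def build_reply(code, role=None, ident=1):
    """Constructed sample reply; the authenticator is zeroed, not a real one."""
    attrs = b""
    if role is not None:
        sub = bytes([ARUBA_USER_ROLE, 2 + len(role)]) + role.encode()
        vsa = struct.pack("!I", ARUBA_VENDOR_ID) + sub
        attrs = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), b"\0" * 16) + attrs

def tlvs(buf):
    """Yield (type, value) for each type/length/value triple in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def aruba_user_role(packet):
    """Return (code, role); role is None when no Aruba-User-Role VSA is present."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    role = None
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        for stype, svalue in tlvs(value[4:]):
            if stype == ARUBA_USER_ROLE:
                role = svalue.decode()
    return code, role

def check_reply(packet, iap_roles):
    """Classify a reply against the role names defined on the IAP (exact match)."""
    code, role = aruba_user_role(packet)
    if code != ACCESS_ACCEPT:
        return "not-accepted"
    if role is None:
        return "accept-without-role"
    return "ok" if role in iap_roles else "role-mismatch"
```

A "role-mismatch" or "accept-without-role" result points to an enforcement profile whose Aruba-user-role value does not line up with the roles created on the IAP.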

 

Version history
Revision #:
1 of 1
Last update:
‎08-05-2014 03:06 PM