Controller-less WLANs

How to configure Instant AP with ClearPass integration for Airgroup?

Aruba Employee

This article shows how to configure integration of IAP with ClearPass for Airgroup.

 

AirGroup and CPPM (ClearPass Policy Manager) interface allows an AirGroup IAP and CPPM to exchange information regarding device sharing, and location. Configuration defines the RADIUS server that is used by the AirGroup RADIUS client. 

  

The following steps are required for this configuration:

  

  • Create a RADIUS server.
  • Assign a server to AirGroup.
  • Configure CPPM to enforce registration
Creating a Radius Server:

 

Navigate to the PEF link at the top right corner of the Instant UI to configure an external RADIUS server for a wireless network.
 
rtaImage (5).jpg
  
  • Name:  Enter the name of the new external RADIUS server. The maximum length is 32 characters.
  • IP address: Enter the IP address of the external RADIUS server.
  • Auth port:  Enter the authorization port number of the external RADIUS server. The port number is set to 1812 by default.
  • Accounting port:  Enter the accounting port number. This port is used to send accounting records to the RADIUS server. The port number is set to 1813 by default
  • Shared key:  Enter a shared key for communicating with the external RADIUS server.
  • Timeout: Indicates the timeout for one RADIUS request. The IAP retries to send the request everal times (as configured in the "Retry count") before the user gets disconnected. e.g. If the "Timeout" is 5 sec, "Retry counter" is 3, user is disconnected after 20 sec ("Timeout" x "Retry counter + 1). The default value is 5 seconds. Specify a number between 1 and 30 (seconds).
  • Retry count:  Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to server group, and the default value is 3 requests.
  • RFC 3576: When enabled, the Access Points process RFC 3576-compliant Change of Authorization (CoA) messages from the RADIUS server.
  • Air Group CoA port: Indicates that the AirGroup CoA is sent on a different port than the standard CoA port. The default value is 5999.
  • NAS IP address: Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets. Note: If you do not enter the IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.
  • NAS identifier: Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.

Assign a server to AirGroup:


Now, as the Radius Server configuration is done, let us add it as CPPM server under Airgroup. Go to  Settings > AirGroup > ClearPass Settings and assign the server for AirGroup policy.

Note:  The CPPM server 1 acts as a primary server and the CPPM server 2 is optional and acts as a backup server.

rtaImage.jpg

As "Server 1" is added, Option to add "Server 2" and "CoA Server" would be displayed. As shown below:
 
rtaImage (1).jpg

Configure CPPM to enforce registration:

 
When enabled, only devices registered with CPPM will be discovered by Bonjour devices, based on the CPPM policy.
 
rtaImage (2).jpg

 

 

Version history
Revision #:
2 of 2
Last update:
‎07-03-2014 11:24 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.