Creating a WLAN with 802.1X authentication on Clearpass - Mar 2014


Tutorial by Jamie E

Aruba 802.1X authentication with Clearpass.

First, I like to start by creating the role that we will be returning from Clearpass. We will create a simple employee role and allow all.



Next, let’s define the RADIUS server. You will need to provide the IP of the server and a shared key. We will use this key again in a few minutes for the Clearpass portion.




Now we will create the WLAN. I have always had good luck with the wizard, so I will use it. Begin by creating the new SSID (802.1x Clearpass) and hit Next.




The next option is to select the forwarding mode for traffic on this WLAN. After that, select the radio type, whether or not to broadcast the SSID, and the VLAN for the WLAN. Then choose the intended use for the WLAN, guest or internal; for this we will go with internal. On the next page you specify your security. We want strong encryption with 802.1X authentication, so slide it all the way to the top. Now select the authentication server we defined earlier: click Add, check “select from known server”, and select the server you created.




Next is role assignment. Since we will be returning roles from Clearpass, you can leave this alone. That finishes the WLAN creation.


Now to Clearpass. To start, we will have to create a local user in the local user repository. Navigate to Configuration>Identity>Local Users. In the upper right, click “Add User”.




Enter the user ID; this is what the user will log in with. Also fill in the name (first and last) and password. Make sure the user is enabled, select the default role of “employee”, and click Add.





Next we need to add a new network device. Navigate to Network>Devices and select add new device. Enter the name, IP and shared secret used earlier when we defined the radius server and set the vendor to Aruba.




Now navigate to Enforcement>Profiles. In the upper right, select “Add Enforcement Profile”. Add the name for the profile and, for the action, check Accept.





For attributes, you will need to enter the exact name of the role that was created as the Value. Hit save.

(To change it, just click under Value.)




Now to create an enforcement policy. Click Add Enforcement Policy. Add a name for the policy, set enforcement to radius and for the default profile select the profile we just created.




For rules, change Type to Tips, Name to Role, Operator to EQUALS, and set the Value to the employee role in the dropdown list. Set the enforcement profile to the enforcement profile we just created and hit save. (To change a field, just click on the word below Operator.)




We need to create a Service to use. Click Add Service. Leave the type at Aruba 802.1x Wireless. Enter the name and, for service rule 3, change the operator to EQUALS and set the value to the exact name of the SSID created earlier.





Set the authentication source to the local user repository.




We will skip the Roles tab. On the Enforcement tab, set the Enforcement policy to the one created earlier and hit save. You might have to move the new service up the list if you run into the wrong service when trying to authenticate.





Now we are ready to test by connecting to the new SSID and entering the credentials for the local user created earlier. To check, we can navigate to Monitoring>Access Tracker.





And to verify the correct role has been returned to the controller, navigate to clients under the monitoring tab on the controller.
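To show what the shared key and the exact role name do on the wire, here is an added example (not part of the original tutorial, and not Aruba or Clearpass code) that builds and checks the RADIUS Access-Accept carrying the role. It assumes the enforcement profile returns the role in the Aruba-User-Role vendor-specific attribute (vendor ID 14823, type 1, from Aruba's RADIUS dictionary); the key, Request Authenticator and role set are constructed sample values.

```python
import hashlib, hmac, struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number (assumption: not stated on the page)
ARUBA_USER_ROLE = 1       # Aruba-User-Role in Aruba's RADIUS dictionary (assumption)
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26

def build_accept(ident, request_auth, role, secret):
    """Access-Accept as the RADIUS server would send it, role carried in an Aruba VSA."""
    name = role.encode()
    sub = bytes([ARUBA_USER_ROLE, 2 + len(name)]) + name
    vsa = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ARUBA_VENDOR_ID) + sub
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(vsa))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + vsa + secret).digest() + vsa

def parse_role(packet, request_auth, secret):
    """Controller side: verify the reply with the shared key, then extract the role name."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (shared keys differ)")
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]          # Vendor-Id (4) + sub-attribute
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == ARUBA_VENDOR_ID and value[4] == ARUBA_USER_ROLE:
                return value[6:4 + value[5]].decode()
        i += alen
    return None

def role_is_defined(returned_role, controller_roles):
    """Exact string match, as the tutorial requires for the profile's Value field."""
    return returned_role in controller_roles

if __name__ == "__main__":
    secret = b"constructed-shared-key"         # constructed sample key
    req_auth = bytes(range(16))                # constructed Request Authenticator
    for value in ("employee", "Employee"):     # second one is a deliberate typo in the profile
        role = parse_role(build_accept(1, req_auth, value, secret), req_auth, secret)
        print(value, "->", role, "| defined on controller:", role_is_defined(role, {"employee"}))
```

A reply that fails the authenticator check points at a key mismatch between the controller's RADIUS server definition and the Clearpass network device entry; a reply that verifies but names an undefined role points at the Value typed into the enforcement profile.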




Version history: Revision 2 of 2. Last update: 04-13-2014 07:05 PM