Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Vlan assignment

  • 1.  ClearPass Vlan assignment

    Posted Jan 22, 2015 08:42 AM

    Evaluating Aruba ClearPass as a possible replacement for Cisco Access Control Server. We use Cisco WLAN controllers and access points.

    WLAN SSID set to WPA2/Enterprise/AES with MAC auth.

     

    Many devices are not AD integrated.


    I need to dynamically map those devices to specific VLANs based on MAC address.
    I'd like to create logical device groups, for example a group named BP-Mon, and add the MAC address of each BP device to that group. ClearPass would then assign all devices in the BP-Mon group to a specific VLAN.

     

    VLANs exist on the connecting Cisco LAN switches and WLAN controllers and have been tested.

     

    I can authenticate through ClearPass successfully with all devices but am unable to assign VLANs dynamically.

     

    Is this possible? If so, please provide instructions.

     

    Thanks,

     

    Lenny

  • 2.  RE: ClearPass Vlan assignment

    Posted Jan 22, 2015 09:25 AM
    Once you identify those devices based on the MAC address, you need to create a condition in your policy: if the MAC belongs to this group of MAC addresses, send the VLAN assignment to the switch or controller.

    Make sure those VLANs are defined on those devices.

    How do you have your interfaces configured on the switches?

    How do you have the WLAN profile configured on the WLC?


  • 3.  RE: ClearPass Vlan assignment

    Posted Jan 22, 2015 09:39 AM

    Thanks for the quick reply Victor.

     

    I would export the MAC addresses directly from Cisco ACS.

     

    Would you have a step-by-step guide for:

     

    1. Create a group called BP-Mon
    2. Import the exported MAC addresses.
    3. Create a policy with a condition that specifies devices in BP-Mon get set to VLAN 249.

    WLAN config:

     

    WLAN Identifier.................................. 29
    Profile Name..................................... ClearPassTesting
    Network Name (SSID).............................. BHClrPST
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 1
    Exclusionlist.................................... Disabled
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Disabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ entre-wlan-data
    Multicast Interface.............................. Not Configured
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Bronze (background)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11a only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ 10.26.50.70 1812 = IP address ClearPass
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
    Auth Key Management
             802.1x.................................. Enabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Disabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Enabled
    CCKM tsf Tolerance............................... 1000
       CKIP ......................................... Disabled
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled



  • 4.  RE: ClearPass Vlan assignment

    EMPLOYEE
    Posted Jan 22, 2015 09:46 AM

    Instead of building static host lists, it may be easier for you to create a custom attribute in the ClearPass endpoint database and import all of your devices from ACS with an applicable value.



  • 5.  RE: ClearPass Vlan assignment

    Posted Jan 22, 2015 09:58 AM

    Good suggestion. Sadly I don't know how to accomplish that yet. All in good time.



  • 6.  RE: ClearPass Vlan assignment

    EMPLOYEE
    Posted Jan 22, 2015 10:23 AM

    Are you working with an Aruba or partner SE on your evaluation?



  • 7.  RE: ClearPass Vlan assignment

    Posted Jan 22, 2015 11:03 AM

    Yes. They completed the initial VM install and base configuration.



  • 8.  RE: ClearPass Vlan assignment
    Best Answer

    Posted Jan 22, 2015 10:26 AM

    Your profile should look something like this:

    [screenshot: 2015-01-22 10_25_20-ClearPass Policy Manager - Aruba Networks.png]

    STL database:

    [screenshot: 2015-01-22 10_29_37-ClearPass Policy Manager - Aruba Networks.png]

    Enforcement Policy:

    [screenshot: 2015-01-22 10_28_24-ClearPass Policy Manager - Aruba Networks.png]
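The three pieces the replies above describe (a static host list per device group, an enforcement policy that maps the group to a VLAN, and the VLAN attributes the controller expects in the Access-Accept) can be sketched end to end. The block below is an added example, not ClearPass code or anything posted in this thread: it parses a constructed ACS-style export with mixed MAC notations, builds the group membership, evaluates a MAC-auth request the way the enforcement policy would, and emits the standard RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=249). The group names other than BP-Mon, the MAC addresses and the second VLAN are hypothetical. Two things the thread already hints at are worth keeping in mind: the Cisco WLC only honours a RADIUS-returned VLAN when AAA Override is enabled on the WLAN (it is, in the config posted above), and the VLAN must exist as an interface on the controller. Because the MAC address is the only credential here, anyone who clones a listed MAC lands in that VLAN; the example therefore rejects unknown MACs instead of letting them fall into the SSID's default interface.

```python
"""Emulate a ClearPass MAC-auth enforcement flow: static host lists (STL) per
device group, a group -> VLAN enforcement policy, and the RFC 2868 tunnel
attributes returned in the RADIUS Access-Accept.
Added example, not ClearPass code; group names, MAC addresses and the
export content are constructed for illustration."""
import re
import struct

# Constructed sample of an ACS-style export (hypothetical values) in the
# mixed notations real exports tend to contain: dashes, dots, colons.
ACS_EXPORT = """\
# group,mac
BP-Mon,00-1B-21-AA-BB-01
BP-Mon,001b.21aa.bb02
BP-Mon,00:1B:21:AA:BB:03
Printers,3C-D9-2B-10-20-30
"""

# Enforcement policy: device group -> VLAN ID. VLAN 249 comes from the
# thread; the Printers group and VLAN 250 are hypothetical.
GROUP_VLAN = {"BP-Mon": 249, "Printers": 250}

# RFC 2868 attribute types and RFC 3580 values for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def normalize_mac(raw: str) -> str:
    """Canonicalise any common MAC notation to 12 lowercase hex digits.
    Raises ValueError on anything that is not exactly 48 bits so a bad
    export line cannot silently create an unmatchable host entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def load_static_host_lists(export: str) -> dict:
    """Parse the export into {group: {mac, ...}}, i.e. the STL contents."""
    groups = {}
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, mac = (part.strip() for part in line.split(",", 1))
        groups.setdefault(group, set()).add(normalize_mac(mac))
    return groups


def vlan_attributes(vlan_id: int) -> list:
    """(type, value) pairs the RADIUS server returns for a dynamic VLAN."""
    return [
        (TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802),
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),
    ]


def encode_attribute(attr_type: int, value) -> bytes:
    """Wire encoding of one tunnel attribute: Type, Length, Tag (0 = untagged),
    then a 3-byte integer (types 64/65) or the string (type 81)."""
    body = struct.pack(">I", value)[1:] if isinstance(value, int) else value.encode()
    payload = b"\x00" + body
    return struct.pack("BB", attr_type, 2 + len(payload)) + payload


def enforce(groups: dict, calling_station_id: str):
    """Evaluate a MAC-auth request. Returns ('accept', attrs) when the MAC is
    in a group with a VLAN mapping, otherwise ('reject', []). Unknown MACs
    are rejected rather than dropped into the SSID's default interface."""
    mac = normalize_mac(calling_station_id)
    for group, members in groups.items():
        if mac in members and group in GROUP_VLAN:
            return "accept", vlan_attributes(GROUP_VLAN[group])
    return "reject", []


if __name__ == "__main__":
    stl = load_static_host_lists(ACS_EXPORT)
    for probe in ("00:1B:21:AA:BB:02", "3cd92b102030", "de:ad:be:ef:00:01"):
        verdict, attrs = enforce(stl, probe)
        print(probe, verdict, [(t, v, encode_attribute(t, v).hex()) for t, v in attrs])
```

Running it prints an accept with the three attributes for the two listed MACs (the Tunnel-Private-Group-ID for BP-Mon encodes as `5106 00 32 34 39`, i.e. the string "249" behind a zero tag byte) and a reject for the unlisted one. On the ClearPass side the equivalent is an enforcement profile of type RADIUS carrying those three IETF attributes, selected by an enforcement policy rule that tests the client MAC against the static host list.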

     



  • 9.  RE: ClearPass Vlan assignment

    Posted Jan 22, 2015 11:05 AM

    Thank you. I'll give this a try