Occasional Contributor I

ClearPass Vlan assignment

Evaluating Aruba ClearPass as a possible replacement for Cisco Access Control Server. We use Cisco WLAN controllers and access points.


WLAN SSID set to WPA2/Enterprise/AES with MAC auth.

 

Many devices are not AD integrated.


I need to dynamically map those devices to specific vlans based on MAC address.
I'd like to create logical device groups, example a group named BP-Mon, and add the mac address of each BP device to that group. Clearpass would then assign all devices in the BP-Mon group to a specific vlan.

 

VLANs exist on the connecting Cisco LAN switches and WLAN controllers and have been tested.

 

I can authenticate through ClearPass successfully with all devices but am unable to assign VLANs dynamically.

 

Is this possible? If so, please provide instructions.

 

Thanks,

 

Lenny


Re: ClearPass Vlan assignment

Once you identify those devices based on the MAC address, then you need to create a condition in your policy that if the MAC belongs to this group of MAC addresses, send the VLAN assignment to the switch or controller.

Make sure those VLANs are defined on those devices.

How do you have your interfaces configured on the switches?

How do you have the WLAN profile configured on the WLC?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: ClearPass Vlan assignment

Thanks for the quick reply Victor.

 

I would export the MAC addresses directly from Cisco ACS.

 

Would you have a step-by-step guide for:

 

1. Create a Group Called BP-Mon

2. Import the exported MAC address.

3. Create a Policy with condition that specifies devices in BP-Mon get set to vlan 249.

 

WLAN config:

 

WLAN Identifier.................................. 29
Profile Name..................................... ClearPassTesting
Network Name (SSID).............................. BHClrPST
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Enabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 1
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ entre-wlan-data
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Bronze (background)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11a only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 10.26.50.70 1812 = IP address ClearPass
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
   CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
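
Victor's description above (match the MAC against a group, and if it matches send the VLAN assignment to the switch or controller) and Lenny's three steps (build the BP-Mon group from an ACS export, then a policy that puts BP-Mon devices in VLAN 249) can be modelled in a few lines. The following is an added example, not code from the thread or from ClearPass itself: it normalizes MAC addresses from a constructed ACS-style export, looks the calling station up in the group, and returns the three IETF RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a Cisco WLC uses for dynamic VLAN assignment. It also checks the `show wlan` output for "AAA Policy Override ... Enabled", which the WLC needs before it will honour a VLAN returned by RADIUS. The group name, VLAN number and sample MACs are Lenny's or constructed; the function names are the example's own.

```python
"""Model of a MAC-group-to-VLAN enforcement decision (added example, not ClearPass code)."""
import re
from typing import Dict, Optional, Set

# IETF RADIUS tunnel attribute values used for 802.1X/MAC-auth VLAN assignment
# (RFC 2868 / RFC 3580): Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC form (00:1A:..., 00-1A-..., 001a.2b3c.4d5e, 001a2b3c4d5e)
    to 12 lowercase hex digits, so group membership does not depend on how the
    NAS formats Calling-Station-Id or User-Name."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# Constructed stand-in for the MAC list exported from Cisco ACS (mixed formats).
ACS_EXPORT = """\
00:1A:2B:3C:4D:5E
001a.2b3c.4d60
00-1A-2B-3C-4D-61
"""


def load_group(export_text: str) -> Set[str]:
    """Steps 1 and 2: build the device group from the exported MAC list."""
    return {normalize_mac(line) for line in export_text.splitlines() if line.strip()}


# Step 3: group name -> VLAN. 249 is the VLAN Lenny wants for BP-Mon.
GROUP_VLAN = {"BP-Mon": 249}


def vlan_attributes(vlan_id: int) -> Dict[str, object]:
    """The attribute set returned in an Access-Accept to move the client to vlan_id."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def enforce(request: Dict[str, str], groups: Dict[str, Set[str]]) -> Optional[Dict[str, object]]:
    """Enforcement decision: VLAN attributes if the calling MAC is in a group that
    has a VLAN, otherwise None (accept with the WLAN's default interface).
    Prefers Calling-Station-Id; falls back to User-Name, which MAC auth sets to the MAC."""
    mac = normalize_mac(request.get("Calling-Station-Id") or request["User-Name"])
    for name, members in groups.items():
        if mac in members and name in GROUP_VLAN:
            return vlan_attributes(GROUP_VLAN[name])
    return None


def aaa_override_enabled(show_wlan: str) -> bool:
    """True if the WLC 'show wlan' text reports AAA Policy Override as Enabled.
    Without it the WLC ignores RADIUS-returned VLAN attributes."""
    m = re.search(r"AAA Policy Override\.+\s*(\w+)", show_wlan)
    return bool(m) and m.group(1).lower() == "enabled"


if __name__ == "__main__":
    groups = {"BP-Mon": load_group(ACS_EXPORT)}
    req = {"User-Name": "001a2b3c4d5e", "Calling-Station-Id": "00:1a:2b:3c:4d:5e"}
    print(enforce(req, groups))
    print(aaa_override_enabled("AAA Policy Override.............................. Enabled"))
```

In ClearPass the group would be a static host list or an endpoint attribute and the attribute set an enforcement profile; the point of the model is that the WLC receives only those three attributes, and that the AAA override setting on the WLAN (already Enabled in Lenny's output) is the other half of the requirement.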

Guru Elite

Re: ClearPass Vlan assignment

Instead of building static host lists, it may be easier for you to create a custom attribute in the ClearPass endpoint database and import all of your devices from ACS with an applicable value.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: ClearPass Vlan assignment

Good suggestion. Sadly I don't know how to accomplish that yet. All in good time.

Guru Elite

Re: ClearPass Vlan assignment

Are you working with an Aruba or partner SE on your evaluation?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Vlan assignment

Your profile should look something like this:

2015-01-22 10_25_20-ClearPass Policy Manager - Aruba Networks.png

 

STL database:

2015-01-22 10_29_37-ClearPass Policy Manager - Aruba Networks.png

Enforcement Policy:

2015-01-22 10_28_24-ClearPass Policy Manager - Aruba Networks.png

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: ClearPass Vlan assignment

Yes. They completed the initial VM install and base configuration.

Occasional Contributor I

Re: ClearPass Vlan assignment

Thank you. I'll give this a try.
