Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

  • 1.  How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    Posted Mar 20, 2017 02:42 PM

    Hi everyone,


    We're extremely new to setting up Aruba wireless networks and I'm trying to figure out exactly the process I should be using for our secure wireless network.  We have both Airwave and Clearpass running, but I don't think they're talking to each other correctly, and I've been tasked with seeing if I can make this work.


    Currently, we have all of our Aruba devices showing up in Airwave, and Airwave is managing all of them and the Instant Virtual Controller at each of our physical sites.  This works great, and we're able to push AP configurations out with Instant Config in Airwave.  We're also authenticating to Airwave itself for management via LDAP/RADIUS authentication, and authenticating clients on an SSID using LDAP/RADIUS as well.  Pretty basic so far.


    What I'm struggling with is the correct way to integrate ClearPass.  I originally was looking at this link, but I'm now thinking that all this is doing is telling Airwave "hey, ClearPass is up and running too, as well as your APs".  That doesn't add ClearPass as an authentication method.


    Next, I tried looking here and here as ways of getting Airwave to authenticate through ClearPass, and those seem to point me a bit more in the right direction.  But if I understand them correctly, I'd end up just authenticating Airwave with a local user database in ClearPass, which also isn't what I want.


    So, am I correct in thinking that to accomplish fine tuned authentication to an SSID which would allow an authenticated user with a company owned device to access our internal network, I'd have to have ClearPass authenticating to our LDAP/RADIUS server, and Airwave authenticating via RADIUS to ClearPass?


    Would this give me the ability to:

    • Configure "Authentication server" 1 or 2 in Instant Config > Security as "ClearPass"?

    • Log into Airwave using our LDAP credentials for authorized users (or would Airwave also need to authenticate to our LDAP/RADIUS server directly, as it's currently set up to do?)?


    Thanks very much in advance for any information anyone can provide to lead me in the right direction.



  • 2.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    EMPLOYEE
    Posted Mar 20, 2017 02:50 PM

    - Is your identity store OpenLDAP or Active Directory?

    - What authentication method are you planning to use? PEAPv0/EAP-MSCHAPv2? EAP-TTLS, EAP-TLS? PSK with captive portal, etc



  • 3.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    Posted Mar 20, 2017 03:00 PM


    - Is your identity store OpenLDAP or Active Directory?

    OpenLDAP


    - What authentication method are you planning to use? PEAPv0/EAP-MSCHAPv2? EAP-TTLS, EAP-TLS? PSK with captive portal, etc

    Off the top of my head, I think PEAPv0/EAP-MSCHAPv2, but that's just a guess.  Right now, the only authentication specified is in Instant Config > Security > Authentication Servers, and I don't see authentication method in there, only "RADIUS".




  • 4.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    EMPLOYEE
    Posted Mar 20, 2017 03:04 PM
    How are credentials stored in your OpenLDAP database?


  • 5.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    Posted Mar 20, 2017 03:22 PM
    How are credentials stored in your OpenLDAP database?

    I'm actually not sure, sorry.  If I can find this out for you, I'll post back (I don't manage that).
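
Why the question in reply 4 decides the answer to reply 2, as an added example that is not part of the thread and is not ClearPass or HPE Aruba code. PEAPv0/EAP-MSCHAPv2 makes the RADIUS server verify an MS-CHAPv2 response (RFC 2759), and that verification starts from the user's NT hash, MD4 over the UTF-16LE password. The server therefore needs either the clear-text password or the NT hash itself (for OpenLDAP typically the Samba `sambaNTPassword` attribute). A one-way salted hash such as `{SSHA}` in `userPassword` cannot be turned into an NT hash, so with `{SSHA}`-only entries the server can only re-hash a candidate password or do an LDAP bind, which fits PAP-style inner methods (EAP-TTLS/PAP, PEAP/EAP-GTC) but not EAP-MSCHAPv2. The directory entries below are constructed for illustration; the MD4 is implemented inline because `hashlib`'s MD4 is often disabled under OpenSSL 3.

```python
"""Which EAP inner methods a RADIUS server can verify, given how OpenLDAP
stores the credential.  Added example; sample entries are constructed."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because NT hashes are MD4."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                aa = rotl((aa + fn(bb, cc, dd) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc   # rotate working registers
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash from RFC 2759: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Bind-style check: re-hash the candidate with the stored salt and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def nt_hash_for_entry(entry: dict) -> Optional[bytes]:
    """What a RADIUS server can obtain for MS-CHAPv2 from one directory entry."""
    if "sambaNTPassword" in entry:            # Samba schema stores the NT hash itself
        return bytes.fromhex(entry["sambaNTPassword"])
    pw = entry.get("userPassword", "")
    if pw.startswith("{CLEARTEXT}"):          # explicit clear-text scheme
        return nt_hash(pw[len("{CLEARTEXT}"):])
    if not pw.startswith("{"):                # OpenLDAP: no scheme prefix means clear text
        return nt_hash(pw)
    return None                               # {SSHA}, {SHA}, {CRYPT}...: one-way, no NT hash


def usable_inner_methods(entry: dict) -> set:
    """PAP-style inner methods give the server the clear-text password inside the
    TLS tunnel, so they work with any storage; MS-CHAPv2 needs the NT hash."""
    methods = {"EAP-TTLS/PAP", "PEAP/EAP-GTC"}
    if nt_hash_for_entry(entry) is not None:
        methods |= {"PEAPv0/EAP-MSCHAPv2", "EAP-TTLS/MSCHAPv2"}
    return methods


# Constructed sample entries (hypothetical users, not real directory data).
DIRECTORY = {
    "alice": {"userPassword": ssha_hash("Sup3r-secret", salt=b"\x01\x02\x03\x04")},
    "bob":   {"userPassword": "{CLEARTEXT}correct horse"},
    "carol": {"userPassword": ssha_hash("Tr0ub4dor&3"),
              "sambaNTPassword": nt_hash("Tr0ub4dor&3").hex().upper()},
}

if __name__ == "__main__":
    for user, entry in DIRECTORY.items():
        print(f"{user:6s} -> {sorted(usable_inner_methods(entry))}")
```

Running it shows alice (`{SSHA}` only) limited to EAP-TTLS/PAP or PEAP/EAP-GTC, while bob (clear text) and carol (Samba NT hash) can also use PEAPv0/EAP-MSCHAPv2. The trade-off is real: a stored NT hash is password-equivalent (pass-the-hash), and clear-text storage is worse still, so if the directory only holds `{SSHA}` the options are a PAP-style inner method, provisioning Samba NT hashes with tight ACLs on that attribute, or moving the corporate SSID to certificate-based EAP-TLS, which avoids the password store altogether.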



  • 6.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?
    Best Answer

    EMPLOYEE
    Posted Mar 20, 2017 03:26 PM
    You may want to reach out to your Aruba ClearPass partner. There are a lot of questions and some planning needs to be done before rolling out a full 802.1X implementation.


  • 7.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    Posted Mar 20, 2017 04:52 PM

    @cappalli wrote:
    You may want to reach out to your Aruba ClearPass partner. There are a lot of questions and some planning needs to be done before rolling out a full 802.1X implementation.

    That's what we're kind of thinking at this stage too.  Just was wondering if there was anything somewhat simple we were missing to get us started. 


    Thanks for your time!



  • 8.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    Posted Mar 20, 2017 02:56 PM
    You can use ClearPass to get AirWave mgmt access via TACACS
    https://ase.arubanetworks.com/solutions/id/159
    Note: You can use AD/LDAP to authenticate and authorize users based on membership

    What type of wireless devices are you guys using today?
    Windows Domain Devices
    Macbooks
    Mobile devices

    You can use ClearPass as your RADIUS server and talk directly to your AD/LDAP server.


  • 9.  RE: How do I correctly authenticate wireless clients through ClearPass via LDAP, configured via Airwave?

    Posted Mar 20, 2017 03:09 PM
    What type of wireless devices are you guys using today?

    A bit of each of these, really.  We plan on having 3 networks by the time we're done:

    • Guest Network - Right now it's a PSK, but to get around that leaking, we'd like to set this network to use ClearPass and use something like temporary/expiring accounts created within ClearPass Guest Management, and delegate select staff who can create these accounts for guests, which seems like a much more elegant and secure solution for guests.

    • Internet Access Only for users - this would be the main BYOD network that staff and authenticated users would use on their own personal devices, like cell phones

    • Internal network - this is the network that I'd like to have be the most secure and only allow company devices onto, but by having users authenticate with their same LDAP account they'd log into for the BYOD network (we'd use ClearPass, if I understand correctly, to restrict which devices could access this network).