Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

  • 1.  Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    Posted Sep 29, 2013 12:55 PM

    The third of my Clearpass howtos outlines the steps to authenticate an Aruba Switch via RADIUS with Clearpass. This post is going to build directly on the work that was completed in the second post. That post, how to authenticate an Aruba Wireless Controller, can be found here:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Howto-Authenticate-to-an-Aruba-Controller-via-Clearpass-and/m-p/94828

    The first thing to note is that we're going to set this up in the Aruba Switch CLI. Please let me know if you can figure out how to do this in the GUI, because I don't think it's possible with the most recent release.

    Here are the steps necessary for an Aruba Switch running 7.2.3.0 to authenticate to Clearpass 6.2.1 via RADIUS.

    Aruba Switch:

    Configure Clearpass as a RADIUS server on the Aruba Switch:

    1. SSH into the Aruba switch, enter enable mode, and enter the configuration mode.
    2. Enter the following commands:
       i. aaa authentication-server radius "<Clearpass server name>"
       ii. host "<Clearpass IP address>"
       iii. key <RADIUS shared secret key>

    Create a Clearpass server group on the Aruba Switch:

    1. Enter the following commands:
       i. aaa server-group "Clearpass"
       ii. auth-server <Name of the server referenced above>

    Configure switch management access via Clearpass:

    1. Enter the following commands:
       i. aaa authentication mgmt
       ii. default-role "no-access"
       iii. server-group "Clearpass"
       iv. enable
       v. mschapv2

    Optional - to remove all local authentication, add the following in the CLI:

    mgmt-user localauth-disable

    Clearpass:

    There are only two changes that you'll need to make in order for the Aruba Switch to authenticate via Clearpass.

    First, add the Aruba Switch as a network device to Clearpass:

    1. Configuration > Network > Device
    2. Add the Aruba Switch's IP in the "IP or Subnet Address"
    3. Enter the "RADIUS Shared Secret" that was defined above.
    4. Select "Vendor Name:" of "Aruba"
    5. Optional: Enter the following on the "SNMP Read Settings":
       i. Check "Enable..." under "Allow SNMP Read:"
       ii. Enter the appropriate "Community String"
       iii. Check "Always read info..." under "Force Read:"
       iv. Check "Read ARP table..." under "Read ARP Table Info"
    6. Click "Save"

    Second, add the Aruba Switch to the "Aruba Wireless" Device Group that was defined in the previous post.

    1. Configuration > Network > Device groups > "Aruba Wireless"
    2. Under the "List", move the Aruba Switch IP from the "Available Devices" to "Selected Devices"
    3. Click "Save"

    You now should be able to log into the Aruba Switch via the CLI or GUI with your AD credentials. The Aruba Switch uses the same management format and roles as an Aruba Controller. This means that the same RADIUS attributes that were defined in the previous post for the Aruba Controller will work with the Aruba Switch.

    -Mike
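Added example (not part of the original post): a small Python audit of the "aaa" configuration the switch-side steps above produce, run against a constructed "show running-config" excerpt with a hypothetical server name and address. It follows the chain the howto builds, "aaa authentication mgmt" to the server group to the RADIUS server definition, and flags a missing "enable", a default-role other than "no-access", or a dangling reference.

```python
# Constructed "show running-config" excerpt from an ArubaOS 7.x Mobility Access Switch
# after the post's steps (hypothetical names and addresses; the switch masks the key).
SAMPLE_CONFIG = """\
aaa authentication-server radius "clearpass-01"
   host "192.0.2.10"
   key ********
aaa server-group "Clearpass"
   auth-server clearpass-01
aaa authentication mgmt
   default-role "no-access"
   server-group "Clearpass"
   enable
   mschapv2
mgmt-user localauth-disable
"""
def parse_blocks(text):
    # Map each top-level command to its indented sub-commands; '!' separators are skipped.
    blocks, current = {}, None
    for raw in (l for l in text.splitlines() if l.strip() not in ("", "!")):
        if raw[0].isspace() and current:
            blocks[current].append(raw.strip())
        else:
            current, blocks[raw.strip()] = raw.strip(), []
    return blocks
def arg(lines, keyword):
    # Unquoted argument of the first sub-command that starts with keyword, else None.
    hits = [l.split(None, 1)[1].strip('"') for l in lines if " " in l and l.split()[0] == keyword]
    return hits[0] if hits else None
def audit_mgmt_auth(text):
    """Check the chain the howto builds: mgmt auth -> server group -> RADIUS server."""
    blocks = parse_blocks(text)
    named = lambda p: {k[len(p):].strip().strip('"'): v for k, v in blocks.items() if k.startswith(p)}
    radius, groups = named("aaa authentication-server radius"), named("aaa server-group")
    mgmt = blocks.get("aaa authentication mgmt")
    if mgmt is None:
        return ["missing 'aaa authentication mgmt' block"]
    findings = []
    if "enable" not in mgmt:
        findings.append("management RADIUS authentication is not enabled")
    if arg(mgmt, "default-role") != "no-access":
        findings.append("default-role is not no-access; users authenticated without a role attribute still get in")
    grp = arg(mgmt, "server-group")
    if grp not in groups:
        findings.append(f"server-group {grp!r} is not defined")
    for name in [arg([l], "auth-server") for l in groups.get(grp, []) if l.startswith("auth-server")]:
        if name not in radius or arg(radius[name], "host") is None:
            findings.append(f"auth-server {name!r} in group {grp!r} has no RADIUS server definition with a host")
    if "mgmt-user localauth-disable" in blocks:
        findings.append("note: local auth disabled; make sure an out-of-band path exists if ClearPass is unreachable")
    return findings
```

The same audit runs unchanged on a real running-config dump; the sample is only there so the block runs offline.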

     



  • 2.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    Posted Jul 02, 2014 12:33 AM

    Great write-up. Do you know of a way to set the local auth priority before RADIUS? When using Airwave we see a load of auth failures in Clearpass.



  • 3.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    Posted Jul 02, 2014 08:54 AM

    Hi JB,

    Is your Airwave server logging into the switch with the local credentials?

    -Mike



  • 4.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    Posted Jul 02, 2014 07:50 PM

    Thanks for your reply, Boston. Yes, Airwave is using the SSH/Telnet credentials to log in to the switch. This happens when making configuration changes etc.

    I guess there are a few ways to tackle this. I would prefer to just use the management aaa policy on the switches, local priority first then Clearpass.

    If I were to use SNMP v3 for Airwave's communication with our Aruba switches, will that eliminate the logon authentication when making changes?

    The other alternative is to just create a user in our AD and be done with it.

    Either way I will be looking at updating a load of switches' credentials in Airwave.



  • 5.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    Posted Jul 03, 2014 09:16 AM

    JB,

    I usually run SNMP v2c - honestly... I'm not even sure I've ever set up SNMPv3 on these guys before. I'm not sure what that would look like. Could you reply back here with your experience when you mock that up?

    In your case, it might be better to create another AD service account for this purpose and be done with it. My two cents.

    -Mike



  • 6.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    Posted Jul 14, 2014 12:14 AM

    Boston,

    Looks like "No Mobility Access Switch (S1500, S2500, S3500) supports SNMP Write", taken from another post (http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Question-Is-there-a-way-to-control-the-Aruba-S1500-Switch-via/m-p/137905#M29421)

    AD service account it is.

    Thanks for your help!



  • 7.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    EMPLOYEE
    Posted Jul 14, 2014 07:13 AM

    JB,

    I'm joining the thread a little late and I'm trying to understand your requirement here. Do you want the local admin DB (e.g. mgmt-user X) to be consulted first before TACACS for Management Access?

    Best regards,

    Madani



  • 8.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    EMPLOYEE
    Posted Jul 02, 2014 09:02 AM

    I usually set up a local user in the ClearPass local user database for all "service" type authentications like Airwave -> Switches/Controllers etc. This way it still uses TACACS and you don't have to worry about managing local credentials.



  • 9.  RE: Howto: Authenticate to an Aruba Switch via Clearpass and RADIUS

    Posted Jul 02, 2014 05:38 PM

    Hi JB,

    The way that Tim mentioned is how I do it as well. You will need to do the following:

    1. Clearpass Policy Manager > Configuration > Identity > Local Users

    You'll need to create a user with the same role as your Airwave authentication service. For an example of how to configure Airwave with Clearpass, see my post here:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Howto-Airwave-authentication-via-Clearpass/m-p/94090/highlight/true#M6850

    2. Go to Configuration > Services > Your Aruba Controller / Switch Admin service

    3. Go to the Authentication tab > Add "Local User Repository" as an available Authentication Source.

    Doing it this way will allow you to perform a quick search for an "Airwave" user in the Access Tracker.

    -Mike