09-29-2013 09:55 AM
The third of my Clearpass howtos outlines the steps to authenticate an Aruba Switch via RADIUS with Clearpass. This post is going to build directly on the work that was completed in the second post. That post, how to authenticate an Aruba Wireless Controller can be found here:
The first thing to note is that we're going to set this up in the Aruba Switch CLI. Please let me know if you can figure out how to do this in the GUI, because I don't think it's possible with the most recent release.
Here are the steps necessary for an Aruba Switch running 18.104.22.168 to authenticate to Clearpass 6.2.1 via RADIUS.
Configure Clearpass as a Radius server on the Aruba Switch:
1. SSH into the Aruba switch, enter enable mode, and enter the configuration mode.
2. Enter the following commands:
i. aaa authentication-server radius "<Clearpass server name>"
ii. host "<Clearpass IP address>"
iii. key <RADIUS shared secret key>
Create a Clearpass Server group on the Aruba Switch:
1. Enter the following commands:
i. aaa server-group "Clearpass"
ii. auth-server <Name of the server referenced above>
Configure Switch Management access via Clearpass:
1. Enter the following commands:
i. aaa authentication mgmt
ii. default-role "no-access"
iii. server-group "Clearpass"
Optional - to remove all local authentication add the following in the CLI:
There's only two changes that you'll need to make in order for the Aruba Switch to authenticate via Clearpass.
First, add the Aruba Switch as a network device to Clearpass:
1. Configuration > Network > Device
2. Add the Aruba Switch's IP in the "IP or Subnet Address"
3. Enter the "RADIUS Shared Secret" that was defined above.
4. Select "Vendor Name:" of "Aruba"
5. Optional: Enter the following on the "SNMP Read Settings":
i. Check "Enable..." under "Allow SNMP Read:"
ii. Enter the appropriate "Community String"
iii. Check "Always read info..." under "Force Read:"
iv. Check "Read ARP table..." under "Read ARP Table Info"
6. Click "Save"
Second, add the Aruba Switch to the "Aruba Wireless" Device Group that was defined in the previous post.
1. Configuration > Network > Device groups > "Aruba Wireless"
2. Under the "List", move the Aruba Switch IP from the "Available Devices" to "Selected Devices"
3. Click "Save"
You now should be able to log into the Aruba Switch via the CLI or GUI with your AD credentials. The Aruba Switch uses the same management format and roles as an Aruba Controller. This means that the same RADIUS attributes that were defined in the previous post for the Aruba Controller will work with the Aruba Switch.
07-02-2014 06:02 AM
I usually set up a local user in the ClearPass local user database for all "service" type authentications like Airwave -> Switches/Controllers etc. This way it still uses TACACS and you don't have to worry about managing local credentials.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
07-02-2014 02:38 PM
The way that Tim mentioned is how I do it as well. You will need to do the following:
1. Clearpass Policy Manager > Configuration > Identity > Local Users
You'll need to create a user with the same role as your Airwave authentication service. For an example of how to configure Airwave with Clearpass, see my post here:
2. Go to Configuration > Services > Your Aruba Controller / Switch Admin service
3. Go to the Authentication tab > Add "Local User Repository" as an available Authentication Source.
Doing it this way will allow you to perform a quick search for an "Airwave" user in the Access Tracker.
07-02-2014 04:50 PM
Thanks for your reply boston. Yes Airwave is using the ssh/telnet credentials to login to the switch. This happens when making configuration changes etc.
I guess there are a few ways to tackle this. I would prefer to just use the management aaa policy on the switch's, local priority first then Clearpass.
If i were to use SNMP v3 for Airwave's communication with our Aruba switch's will that eliminate the logon authentication when making changes?
The other alternative is to just create a user in our AD and be done with it.
Either way i will be looking at updating a load of switches credentials in Airwave
07-03-2014 06:16 AM
I usually run SNMP v2c - honestly... I'm not ever sure I've ever set up SNMPv3 on these guys before. I'm not sure what that would look like. Could you reply back here with your experience when you mock that up?
In your case, it might be better to create another AD service account for this purpose and be done with it. My two cents.
07-13-2014 09:14 PM
Looks like "No Mobility Access Switch (S1500, S2500, S3500) supports SNMP Write" taken from another post (http://community.arubanetworks.com/t5/Unified-Wire
AD service account it is
Thanks for your help!
07-14-2014 04:12 AM
I'm joining the thread a little late and I'm trying to understand your requirement here. Do you want the local admin DB (e.g. mgmt-user X) to be consulted first before Tacacs for Management Access?