Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Switch authentication

  • 1.  Switch authentication

    Posted Dec 02, 2013 10:23 AM

    I am needing to configure Clearpass to authenticate users for switch access (logging on the switch) using RADIUS. Can someone point me to a document showing how to configure Clearpass to accomplish this?

    Thank you!



  • 2.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 02, 2013 10:30 AM

    Which switch?



  • 3.  RE: Switch authentication

    Posted Dec 02, 2013 10:39 AM

    The switches will be Brocade and Avaya.

    Thank you,



  • 4.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 02, 2013 11:11 AM

    You can create a generic RADIUS service and look for authentications coming from those NAS IPs.  I would place this service towards the end of your services list so it won't step on any other services you have enabled.  

     

    In terms of then running through the service, select the auth methods used by Avaya and Brocade (most likely PAP and MSCHAP) and then the auth source (AD or admin user repository) and test with the default enforcement policy named "Sample Allow Access Policy"

     

    Once you have that working, you can layer in more restrictive access based on AD memberof or other parameters.



  • 5.  RE: Switch authentication

    Posted Dec 02, 2013 11:24 AM

    Do you have a document showing how to configure this? I don’t have much experience with Clearpass…

    Thank you!



  • 6.  RE: Switch authentication

    Posted Dec 02, 2013 12:33 PM

    Please find below a link to a step-by-step doc that explains ClearPass and controller integration. Let us know if you have any queries or questions on the same.

     

    http://community.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/220/2/Aruba%20Wireless%20and%20ClearPass%206%20Integration%20Guide%20v1.3.pdf

     

    Thank you



  • 7.  RE: Switch authentication

    Posted Dec 02, 2013 12:58 PM

    I am needing a configuration doc showing how to configure Clearpass to do RADIUS authentication to allow access to a network switch. I am going to be using Brocade and Avaya, but a document using Cisco (or any other vendor) would be great.
    Thank you,

     



  • 8.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 02, 2013 01:38 PM

    The documents for those vendors should be found at their respective support or documentation sites.  



  • 9.  RE: Switch authentication

    Posted Dec 02, 2013 01:45 PM

    I am just looking for the Clearpass relevant configuration to accomplish what I need to do. Which is to authenticate a user who is trying to logon to a network switch using RADIUS.

     

    I have the individual switch configurations already.

    Thank you,



  • 10.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 02, 2013 01:49 PM

    Got it...so...in the Configuration --> Start here screen, click RADIUS Enforcement Generic towards the bottom of the list.

     

    For the services tab, here is my output:

     

    Screen Shot 2013-12-02 at 1.46.05 PM.png

     

    Then, on the Authentication Tab, here is a screen shot:

     

    Screen Shot 2013-12-02 at 1.46.12 PM.png

     

    You can add AD as the auth source here.

     

    Finally, on the Enforcement Tab (skip Roles), choose the one called Sample Allow Access Policy.



  • 11.  RE: Switch authentication

    Posted Dec 03, 2013 09:22 AM

    Chris -- Did a web search and I guess the link below may help you with regard to Cisco configuration; it explains the best practices of AAA.

     

    http://www.routerfreak.com/aaa-best-practices/

     

    Thank you



  • 12.  RE: Switch authentication

    Posted Dec 03, 2013 03:46 PM

    Seth,

    Thank you for the great information!!! Can you tell me where in CPPM I would add the network switches I want to have authenticate using CPPM?



  • 13.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 04:30 PM
    Configuration > Network > Devices


  • 14.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 04:36 PM

    Right!  Forgot that step.  Make sure the shared secret matches on both ends.  You can also define an entire subnet as well...this will cut down on the entries here as you can define a management subnet for all switches.



  • 15.  RE: Switch authentication

    Posted Dec 03, 2013 04:39 PM

    Ok... I have this working now. Last two questions, how would I configure CPPM to allow certain user accounts to only have Read Only access?

    And, how would I limit only users in a certain AD group to have access to logon to the switches?

    Thank you!!!!



  • 16.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 04:50 PM

    For that, you need to configure a role map.  See this example.  Using a role map, you can use memberof as an attribute and say if it CONTAINS a certain value like "IT administrator" then assign a role.  This role is INTERNAL TO CLEARPASS!!!  That is important to remember.  It has nothing to do with what is sent back to the NAS device.  Using these internally derived roles, you can then assign appropriate enforcement profiles to the NAS switches.  In order to tell you what to send back as an enforcement profile (action), we would need to know what format they need the reply to be sent as.  

     

    Now...here is a screen shot of a sample role map.  These are for TACACS but you can easily see the logic and use RADIUS enforcement instead.

     

    Screen Shot 2013-12-03 at 4.45.56 PM.png

     

    Then in your enforcement policy, you use the roles here and assign the profiles needed.  

     

    For example:

     

    Screen Shot 2013-12-03 at 4.49.16 PM.png



  • 17.  RE: Switch authentication

    Posted Dec 03, 2013 05:57 PM

    In my Enforcement Policy, if I use Default Profile of Deny Access Profile, my authentication fails. If I use Allow Access Profile, my authentication is successful but my Role Mappings never seem to be used.

    It is using the Default Profile in the Enforcement Policy and stopping there...



  • 18.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 07:25 PM
    Remember that the role mapping is only "tagging" accounts with internal
    ClearPass roles. Are you mapping the ClearPass roles to an action in the
    enforcement policy?


  • 19.  RE: Switch authentication

    Posted Dec 03, 2013 07:28 PM

    Here's a screen shot...



  • 20.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 07:33 PM

    Can you check in access tracker and on the first Summary tab of the request, does it show that you have the [TACACS Super Admin] role?

     

     



  • 21.  RE: Switch authentication

    Posted Dec 03, 2013 07:35 PM

    No. It shows Employee and User Authenticated.



  • 22.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 07:40 PM

    OK, so it sounds like it may be an issue with your authorization source.

     

    On the input tab of the request under Authorization, do you see the AD groups listed for that user account?

     

    input-authorization.PNG



  • 23.  RE: Switch authentication

    Posted Dec 03, 2013 07:43 PM

    I have attached a screen shot of what it shows..



  • 24.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 07:51 PM

    Hm. OK. Just to be sure, is the role mapping policy selected in the drop down in the service?



  • 25.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 07:54 PM
    You can select roles from the services tab in the service. You can add new roles as well once you make the roles tab visible. Keep in mind that these roles are internal to ClearPass.

    Sent from my iPhone


  • 26.  RE: Switch authentication

    Posted Dec 03, 2013 07:57 PM

    Yes it is. Attached a screen shot as well..



  • 27.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 07:59 PM

    Last screenshot! Can you post the role mapping policy?



  • 28.  RE: Switch authentication

    Posted Dec 03, 2013 08:01 PM

    Here you go..



  • 29.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 08:04 PM

    It looks like you are referencing "Users" which the account isn't a member of. Are you referring to the account's OU? In that case use AD:UserDN CONTAINS Users instead of MemberOf.



  • 30.  RE: Switch authentication

    Posted Dec 03, 2013 08:26 PM

    That worked like a charm!!!!! Thank you very much!!!!



  • 31.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 03, 2013 08:29 PM

    Awesome!

     

    So UserDN is useful if you organize your AD domain with high-level OUs such as Staff, Vendors, Students, etc. where MemberOf can get much more granular based on multiple group memberships.
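
Added example, not part of the thread and not ClearPass code: a small Python model of the flow the posts above describe, where role mapping tags a request with internal roles and the enforcement policy falls through to its default profile when no role matches. The attribute values, the "Switch Admin" role and the "Switch Admin Profile" name are constructed for illustration, and CONTAINS is assumed to be a substring test.

```python
# Simplified model of the flow discussed in this thread; not ClearPass code.
# All attribute values, role names and profile names below are constructed.

def contains(value, needle):
    """CONTAINS modelled as a case-insensitive substring test (assumption)."""
    values = value if isinstance(value, list) else [value]
    return any(needle.lower() in v.lower() for v in values)

def map_roles(attrs, role_map):
    """Role mapping only tags the request with internal roles."""
    return [role for attr, needle, role in role_map
            if contains(attrs.get(attr, []), needle)]

def enforce(roles, policy, default_profile):
    """First rule whose role was tagged wins; otherwise the default profile."""
    for role, profile in policy:
        if role in roles:
            return profile
    return default_profile

# Constructed authorization attributes for one switch login.
ATTRS = {
    "UserDN": "CN=Chris Example,OU=Users,DC=example,DC=com",
    "memberOf": ["CN=Network Admins,OU=Groups,DC=example,DC=com"],
}

POLICY = [("Switch Admin", "Switch Admin Profile")]  # hypothetical names
DEFAULT = "Deny Access Profile"

def evaluate(role_map):
    """Return (tagged roles, resulting enforcement profile) for ATTRS."""
    roles = map_roles(ATTRS, role_map)
    return roles, enforce(roles, POLICY, DEFAULT)

# Rule as first written: "Users" is the account's OU, not one of its groups.
BROKEN_MAP = [("memberOf", "Users", "Switch Admin")]
# Rule after the fix suggested in the thread.
FIXED_MAP = [("UserDN", "Users", "Switch Admin")]
# Group-based rule, for limiting switch logins to one AD group.
GROUP_MAP = [("memberOf", "CN=Network Admins,", "Switch Admin")]

if __name__ == "__main__":
    for name, rm in [("memberOf/Users", BROKEN_MAP),
                     ("UserDN/Users", FIXED_MAP),
                     ("memberOf/group", GROUP_MAP)]:
        print(name, evaluate(rm))
```

In this model a substring match on "Users" also matches any other DN that happens to contain that string, so matching on a full component such as "OU=Users," or "CN=Network Admins," is the tighter rule.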



  • 32.  RE: Switch authentication

    EMPLOYEE
    Posted Dec 02, 2013 10:31 AM

    Does the switch support TACACS?