Tutorial - Creating a WLAN with 802.1X authentication on Clearpass #mhc


Aruba 802.1X authentication with Clearpass.

 

First, I like to start by creating the role that we will be returning from Clearpass. We will create a simple employee role and allow all.

 Role creation.PNG

 

Next, let’s define the RADIUS server. You will need to provide the IP of the server and a shared key. We will use this key again in a few minutes for the Clearpass portion.

 

Radius srever define.PNG

 

Now we will create the WLAN.  I have always had good luck with the wizard so I will use it. Begin by creating the new SSID (802.1x Clearpass) and hit next.

 

New SSID.PNG

 

The next option is to select the forwarding mode for traffic on this WLAN. After that, select the radio type, whether or not to broadcast the SSID, and the VLAN for the WLAN. Next you choose the intended use of the WLAN, guest or internal; for this we will go with internal. On the next page you specify your security. We want to choose strong encryption with 802.1x authentication, so slide it all the way to the top. Now we select the authentication server we defined earlier. Click add, check “select from known server”, and select the server you created.

 

setting radius.png

   

Next is role assignment. Since we will be returning roles from Clearpass, you can leave this alone. That will finish out the WLAN creation.

 

Now to Clearpass. To start, we will have to create a local user in the local user repository. Navigate to Configuration>Identity>Local Users. In the upper right, click “Add User”.

 

Add user.png

 

Enter the user ID that will be used to log in. Also fill in the name (first and last) and password. Make sure the user is enabled, select the default role of “employee”, and click add.

 

jemployee.png

 

 

Next we need to add a new network device. Navigate to Network>Devices and select add new device. Enter the name, IP, and the shared secret used earlier when we defined the RADIUS server, and set the vendor to Aruba.

 

network device.png

 

Now navigate to Enforcement>Profiles. In the upper right, select “Add Enforcement Profile”. Add the name for the profile and, for action, check Accept.

 

enforcement profile add.png

 

 

For attributes you will need to enter the exact name of the role that was created for the Value. Hit save.

(to change just click under Value)

 

Profile attributes.png

 

Now to create an enforcement policy. Click Add Enforcement Policy. Add a name for the policy, set enforcement to RADIUS, and for the default profile select the profile we just created.

 

enforcement policy.png

 

For rules, change Type to Tips, Name to Role, Operator to EQUALS, and set the Value to the employee role on the dropdown list. Set the enforcement profile to the enforcement profile we just created and hit save. (To change, just click on the word below Operator.)

 

policy rule.png

 

We need to create a Service to use. Click Add Service. Leave the type at Aruba 802.1x Wireless. Enter the name and for service rule 3, change the operator to EQUALS and set the value to the exact name of the SSID created earlier.

 

new service.png

 

 

Set the authentication source to the local user repository.

 

user repository.png

 

We will skip the Roles tab. On the Enforcement tab, set the Enforcement policy to the one created earlier and hit save. You might have to move the new service up the list if you run into the wrong service when trying to authenticate.

 

finish service.png

 

 

Now we are ready to test by connecting to the new SSID and entering the credentials for the local user created earlier. To check, we can navigate to Monitoring>Access Tracker.

access tracker.png

auth-tracebuf.png

 

 

And to verify the correct role has been returned to the controller, navigate to clients under the monitoring tab on the controller.

 

controller verification.png

 

CWNA, ACMP, Security +
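
The two values the tutorial says must match exactly on both sides, the shared secret and the role name, can be checked with the sketch below. It is an added example, not part of the original post or Aruba's code. It assumes the enforcement profile returns the role in the Aruba-User-Role vendor-specific attribute, and it uses a constructed Access-Accept that omits the EAP-Message, Message-Authenticator and key attributes a real 802.1X exchange also carries.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823  # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1      # Aruba-User-Role in Aruba's RADIUS dictionary

def build_accept(ident, request_auth, secret, role):
    """Constructed Access-Accept (code 2) carrying only the role VSA."""
    data = role.encode()
    vsa = struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, len(data) + 2) + data
    attrs = struct.pack("!BB", 26, len(vsa) + 2) + vsa
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def check_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return the Aruba-User-Role (or None)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch")
    role, i = None, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]
        if atype == 26 and len(value) >= 6:  # Vendor-Specific attribute
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE and vlen >= 2:
                role = value[6:4 + vlen].decode()
        i += alen
    return role

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample values
    req_auth = bytes(range(16))
    pkt = build_accept(1, req_auth, secret, "employee")
    print(check_accept(pkt, req_auth, secret))
    try:
        check_accept(pkt, req_auth, b"typo-in-secret")
    except ValueError as err:
        print(err)
```

A secret that differs by even one character between the controller's server definition and the Clearpass network device fails the authenticator check, so the reply is discarded before the role is ever read.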