Regular Contributor II

clearPass beginner

Hi Guys,

 

We are going to deploy a ClearPass environment involved in a project that has a 7210 controller and 100 APs.

 

We are going to deploy ClearPass Policy Manager and guest access.

 

 

Is there any way for you guys to guide me to get familiar with ClearPass?

 

I already have the ClearPass trial for VMware and I'm going to install it soon.

 

Is there any configuration guide for starters on ClearPass? Configuration of the controller is not an issue, but ClearPass is so big! ;)

 

Thanks

 

Regards

Re: clearPass beginner

 

You can find all the deployment guides on the Aruba support site:

http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=6867


Hope this helps

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II

Re: clearPass beginner

Hi,

 

I would recommend getting a handle on how services work and how they are identified. This can be done by setting up simple tests and then viewing the results in the Access Tracker.

The Access Tracker is really your best friend and will help you solve a lot of the issues you may run into in the beginning.

 

Once you get a good handle on how services work, everything else just sort of falls into place, more or less.

 

Read through the forums as well, as there are a ton of really smart people on here who give really detailed responses.

Regular Contributor II

Re: clearPass beginner

Thanks guys for your help

Aruba

Re: clearPass beginner

I would recommend using a few of the service templates and then looking at how they were built. It will give you some good starting points to work from. Guest MAC authentication is a good one to start with.
Thank You,
Troy

Super Contributor II

Re: clearPass beginner

Adding to what tarnold suggested, an easy way to play with the services is to purposely fudge your login credentials to CPPM. Then log in with the correct credentials and check the Access Tracker. You will see the failed attempt and it will help you get a feeling for how the service works and what the different failure messages look like.

Regular Contributor II

Re: clearPass beginner

Guys, need some help here :(

 

I will need to configure a 7200 controller plus APs and then configure ClearPass manager and ClearPass Guest.

 

I have a huge doubt... when I have the controller basic setup done, I also need to configure the controller to see the ClearPass, correct? Like configure a RADIUS "clearpass" server?

 

I have never configured ClearPass before so I am a little worried...

 

Thanks

 

Regards

Super Contributor II

Re: clearPass beginner

Could you be a little more specific as to what you are worried about?

 

Are you looking for how to make the controller and the CPPM talk to one another?

 

Cheers

Regular Contributor II

Re: clearPass beginner

Hi,

 

Let me see if I can explain clearly, since I have never installed ClearPass:

 

1. After initial controller config we will, in phase 2, implement ClearPass for guest mgmt.

 

2. How will ClearPass connect to the controller?

 

3. Should the guest network be configured beforehand on the controller or directly on ClearPass?

 

4. After this we need to integrate ClearPass with AD. How can this be done?

 

Thanks for your help

 

Regards

Super Contributor II

Re: clearPass beginner

Hi, 

 

Just want to start off by saying that I am definitely not an expert when it comes to the Controller or CPPM. This is all based on my experience and what I have done to get things going. There could be mistakes and other errors, so please test your configuration and read up on anything that isn't clear! Most of what I know I have learned from these forums and through a ton of trial and error.

 

1. After initial controller config we will, in phase 2, implement ClearPass for guest mgmt.

2. How will ClearPass connect to the controller?

 

I am assuming you already have the controller configured and running, and that you are familiar with the general settings for the SSIDs.

On your Controller you need to configure a Server Group, RADIUS Server, and RFC 3576 Server.

 

1)
This can be done under Security > Authentication > Servers

Create your RADIUS Server, and RFC 3576 Server first, then follow it up by creating your Server Group.


2)

Once you create your Server Group you will need to add the RADIUS Server you created to the Servers list.

In the new settings for the server you created hit new and select the RADIUS Server from the drop down list.


 

Please note: When you configure your RADIUS Server you need to provide the values for 'Host', 'NAS ID', and 'NAS IP'

  • Host - The IP of your CPPM
  • NAS ID - The ID of your Controller
  • NAS IP - The IP of your Controller
  • You are asked to create passwords for the RADIUS Server. Make sure you write this down; you will need it later.

3)

Next, create your secure SSID.

On the AAA Profile there are the options 802.1X Authentication Server Group and RFC 3576 server. Make sure that for these two options you select the appropriate information created in the part above.

 

That pretty much covers getting your Controller to talk to the CPPM. You have to make sure that your Controller can talk to the CPPM (ping) before proceeding. Now you need to setup the CPPM to receive the information.

 

4)

Once you have your Controller setup, head over to your CPPM.

CPPM > Configuration > Network > Devices 

Once there select Add Device 

Fill in the relevant information from the steps above and hit Add   


 

Your CPPM should now be all setup to receive information from your Controller.

When you attempt to connect to your new SSID all the requests received on the Controller should be forwarded to the CPPM for evaluation.

 

The SSIDs can be either unencrypted (for guests) or encrypted (production). I found it easier to test with a secure SSID first, then work my way back to setting up the Guest SSID.

 

3. Should the guest network be configured beforehand on the controller or directly on ClearPass?

 

A pretty common way of setting up the Guest network is to leave it unencrypted and put a Captive Portal on it. This forces users connecting to the Guest SSID to a default page where you can provide them with more details as to what to do next.

 

Your Guest SSID could have its own VLAN so that it is separate from your production network.

 

When you configure the AAA Profile for your Guest SSID, under the option Initial role set this to a User Role that has restricted access. I believe there should be an example of this called guest-logon. Take a look at this User Role to get an idea of what the Initial Role for your Guest SSID could look like. It basically gives the users DHCP and DNS access, HTTP access to the CPPM and a few other things.

 

What this will do is put anyone connecting to the Guest SSID immediately into the User Role guest-logon.

This is how we get users connecting to the Guest SSID to hit our Captive Portal.

 

To configure your Captive Portal you must first create a Captive Portal on the CPPM. I won't go into a lot of detail with this because this post will be bigger than it already is.

  1. Go to ClearPass Guest > Configuration > Guest Self-Registration
  2. Create your registration page and test it.
  3. Copy the URL for the Guest Self-Registration page
  4. Back on your Controller create a new Captive Portal Profile. Controller > Configuration > All Profiles > Wireless LAN > Captive Portal Authentication Profile.

Configure the Captive Portal profile, you will see a parameter for Login Page and this is where you paste the URL copied in Step 3. This will be the Captive Portal page that users see once they connect to the Guest SSID and attempt to browse the web.


 

Now that you have configured your Captive Portal profile you need to have your User Role guest-logon use it.

  1. Log into your controller
  2. Configuration > SECURITY > Access Control
  3. Edit guest-logon (or whatever User Role you are using for the Initial Role)
  4. Scroll down to the option Captive Portal Profile
  5. Select your Captive Portal Profile from the drop down list and hit Change
  6. Then scroll down and hit Apply


 


This will get you setup so that your Guest SSID will redirect users to your Captive Portal page as soon as they attempt to browse to any website after connecting to your Guest SSID.

 

4. After this we need to integrate ClearPass with AD. How can this be done?


We are not using AD so I cannot comment too much on this. I did just do a test with an AD by adding it as an Authentication Source.

That is about the extent of my experience with AD

 

  1. Log into the CPPM
  2. Configuration > Authentication > Sources
  3. Hit Add Authentication Source
  4. Select Type: Active Directory
  5. Fill out the necessary information
  6. Hit Save

More than likely your setup to use your AD would look something like this...

  • You have a secure SSID setup to use WPA2-Enterprise
  • It will send its requests back to the CPPM
  • You will have a Service that will be setup to use your AD as an Authentication Source
  • Your Service will evaluate your users and apply rules based on your requirements.

As mentioned previously, be sure to get a handle on the Services and how the other components (Authentication Methods and Sources, Endpoints, Enforcement Policies and Profiles) come together to form your Service. If you can get a good handle on this then the CPPM becomes easier to understand.

 

If you can get through the initial configuration, start by just doing small tests to see how your services react.
If you look in your Event Viewer and see the Service Name column empty it means that there are no Services that have been configured that meet the criteria of the user request.

 

Hope this helps. I tried to address your questions as directly as possible. If anything isn't clear I'll try my best to clarify.

 

Cheers
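
Added example (not part of the post above, and not Aruba or ClearPass code): the NAS IP, NAS ID and key entered on the controller in steps 1 and 2 have to match the device entry added on the CPPM in step 4, because a RADIUS server looks up the shared secret by the sender's address and silently discards requests whose Message-Authenticator does not verify (RFC 2865, RFC 3579). The addresses, names and secret are constructed, and `server_check` is a simplified model of that handling.

```python
import hashlib, hmac, os, socket, struct

USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 4, 32, 80

def attr(attr_type, value):
    # RADIUS attribute: type byte, length byte (counts the 2-byte header), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, nas_ip, nas_id, user, ident=1):
    """Controller (NAS) side: Access-Request signed with the configured key."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while signing
    # Header: code 1 (Access-Request), identifier, total length, 16 random bytes
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # HMAC-MD5 replaces the zeroed value

def server_check(packet, source_ip, devices):
    """Server side (simplified model): devices maps NAS IP -> shared secret."""
    secret = devices.get(source_ip)
    if secret is None:
        return "discard: unknown NAS"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "discard: malformed packet"
    pos, found = 20, {}
    while pos < len(packet):
        if pos + 2 > len(packet):
            return "discard: malformed packet"
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return "discard: malformed packet"
        found[packet[pos]] = (pos + 2, packet[pos + 2:pos + length])
        pos += length
    if MESSAGE_AUTHENTICATOR not in found:
        return "discard: no Message-Authenticator"
    offset, received = found[MESSAGE_AUTHENTICATOR]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return "discard: shared secret mismatch"
    nas_id = found.get(NAS_IDENTIFIER, (0, b""))[1]
    return "evaluate: " + nas_id.decode(errors="replace")

if __name__ == "__main__":
    devices = {"192.0.2.10": b"constructed-secret"}  # constructed device list
    ok = build_access_request(b"constructed-secret", "192.0.2.10", "controller-7210", "alice")
    print(server_check(ok, "192.0.2.10", devices))
```

A request signed with a mistyped key, or arriving from an address that has no device entry, comes back as a discard, which is the case where nothing useful shows up on the server side for that attempt.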

 
