Education - Australia / New Zealand


Configuring Aruba OnConnect for the Intelligent Edge


    Posted May 19, 2018 01:32 AM


    Configuring switch ports can be a real hassle, and with more and more devices moving to WiFi, why do we need to spend time manually configuring the edge?  A network should be smart enough to see what is connecting and apply the policy required.  In this post we will see how to configure and test the OnConnect feature of Aruba ClearPass.


    OnConnect is a way for you to secure your wired network edge by being able to profile devices, i.e. is it a Windows device or an Apple device, and then program the port with the correct VLAN ID through SNMP.


    Note: OnConnect is not a replacement for wired 802.1X, however it does provide an elevated level of network security as you are enforcing policy based on device type.



    Lab Setup

    ClearPass 6.7

    Aruba 2930F WC.16.05.0007

    Windows 10 client

    Apple Time Capsule



    Switch Configuration

    First I am going to configure the VLANs required.  I am using VLAN 99 as a null VLAN for my interfaces to initially be configured with.  VLAN 100 will be used for profiled Windows devices, and VLAN 200 will be used for profiled Apple devices.



    2930F# conf t
    2930F(config)# vlan 99
    2930F(vlan-99)# name null
    2930F(vlan-99)# vlan 100
    2930F(vlan-100)# name WINDOWS-PC
    2930F(vlan-100)# vlan 200
    2930F(vlan-200)# name APPLE-DEVICE

    Now I need to configure the global SNMP configuration for the switch. 



    Note: While I am doing all of this through the CLI, it could be templated and done as part of a ZTP through Aruba AirWave.



    2930F(config)# snmp-server community ClearPassRO operator
    2930F(config)# snmp-server community ClearPassRW operator unrestricted 
    2930F(config)# snmp-server host <IP-OF-CLEARPASS> community ClearPass trap-level all
    2930F(config)# snmp-server trap-source <MGMT-IP-OF-SWITCH>
    2930F(config)# snmp-server enable traps mac-notify

    I can now configure the interface specific configuration.



    Note: I am only using ports 3 and 4 for this lab.



    2930F(config)# snmp-server enable traps link-change 3-4
    2930F(config)# interface 3-4 mac-notify traps learned
    2930F(config)# interface 3-4 mac-notify traps removed
    2930F(config)# interface 3-4 untagged vlan 99

    That's it, I don't need to configure anything else on the switch at this time.



    Note: You could tie ACLs to the VLANs as well if you wanted to restrict traffic, i.e. Apple devices can only access public IP addresses etc.


    Let's check ports 3 and 4 to see what VLAN they now have, to ensure that it is set to VLAN 99.



    2930F(config)# sh vlan port 3 detail
     Status and Counters - VLAN Information - for ports 3
      VLAN ID Name                 | Status     Voice Jumbo Mode    
      ------- -------------------- + ---------- ----- ----- --------
      99      null                 | Port-based No    No    Untagged
    2930F(config)# sh vlan port 4 detail
     Status and Counters - VLAN Information - for ports 4
      VLAN ID Name                 | Status     Voice Jumbo Mode    
      ------- -------------------- + ---------- ----- ----- --------
      99      null                 | Port-based No    No    Untagged

    ClearPass Configuration


    1. Configure the SNMP v2c trap community, for my configuration this is "ClearPass".


    2. Make sure to stop and then start the ClearPass server's "System Auxiliary Services".



    3. Update the NAD's SNMP Read settings with the community string "ClearPassRO".


    4. Update the NAD's SNMP Write settings with the community string "ClearPassRW".  Also, ensure to set the default VLAN for the port so that once a session expires the port is returned to the null VLAN.


    5. If SNMP has been configured correctly we should now be able to query the switch ports.  From the ports available select the ports that you want to use for OnConnect. (We may not want all ports, i.e. uplinks).



    6. (Optional) If you would like to integrate with Windows AD for WMI ensure to configure the WMI settings for the allowed subnets and username for the query.



    7. Next up we are going to create the two enforcement profiles that will configure the required VLANs.


    8. To bring it all together we are going to create a new service for OnConnect. (Note: for this lab I am using the NAD IP address to select the service, you could use a NAD-Group or other means).


    9. (Optional) If you are going to be using WMI, then you will most likely need to configure a strip username rule.


    10. In order to provide authorisation on the connecting endpoints we will configure the endpoints repository as a source. (Note: if using WMI you can add Active Directory as a source as well).


    11. For role mapping I have created two roles, one for the Windows devices and one for the Apple devices.  The role mapping is being done based on the OS Family of the endpoint.


    12. Finally we are going to tie the enforcement profiles created earlier, which assign the VLAN, to the role mapping policy.




    Now that we have both the switch and ClearPass configured we can now test the endpoints. (You can't see it, but I'm connecting the two device types to the switch now).


    2930F# sh vlan ports 3 det
     Status and Counters - VLAN Information - for ports 3
      VLAN ID Name                 | Status     Voice Jumbo Mode    
      ------- -------------------- + ---------- ----- ----- --------
      200     APPLE-DEVICE         | Port-based No    No    Untagged
    2930F# sh vlan ports 4 det
     Status and Counters - VLAN Information - for ports 4
      VLAN ID Name                 | Status     Voice Jumbo Mode    
      ------- -------------------- + ---------- ----- ----- --------
      100     WINDOWS-PC           | Port-based No    No    Untagged

    And there we have it: ClearPass has profiled the two device types and assigned the correct VLAN IDs through SNMP.


    Things to Note


    While this was demonstrated with an Aruba switch, Aruba ClearPass is multi-vendor, i.e. we could achieve the same function on a Cisco switch.


    Prior to ClearPass 6.7, you will need to enable the OnConnect service from Administration > Server Manager > Server Configuration > ClearPass-Server.
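As an added example that is not part of the original post (Python written for this page, not Aruba's or ClearPass's code), here is a small check that parses the 2930F's "show vlans ports <n> detail" output above and confirms each OnConnect port landed on the VLAN its profiled OS family should map to, so a port that stayed on a device VLAN instead of returning to the null VLAN 99 after a session expired is flagged rather than assumed. It assumes the VLAN plan from the post (99 null, 100 Windows, 200 Apple), that VLAN names contain no spaces, and that the profiled OS family per port is supplied from ClearPass.

```python
# Added example (not from the original post): parse the 2930F's "show vlans
# ports <n> detail" output and confirm each OnConnect port sits on the VLAN
# its profiled OS family maps to, catching stale or wrong assignments.
import re

OS_FAMILY_TO_VLAN = {"Windows": 100, "Apple": 200, None: 99}  # post's VLAN plan

# Constructed sample, copied from the post's post-enforcement switch output.
SAMPLE_OUTPUT = """\
2930F# sh vlan ports 3 det
 Status and Counters - VLAN Information - for ports 3
  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  200     APPLE-DEVICE         | Port-based No    No    Untagged
2930F# sh vlan ports 4 det
 Status and Counters - VLAN Information - for ports 4
  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  100     WINDOWS-PC           | Port-based No    No    Untagged
"""

HEADER_RE = re.compile(r"VLAN Information - for ports (\d+)")
# Row columns: VLAN ID, Name (assumed to have no spaces), | Status Voice Jumbo Mode
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\|\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")

def parse_port_vlans(output):
    """Return {port: [(vlan_id, name, mode), ...]} from show-vlans output."""
    ports, current = {}, None
    for line in output.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = int(m.group(1))
            ports.setdefault(current, [])
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            ports[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return ports

def check_enforcement(output, profiled):
    """profiled: port -> OS family ClearPass reported (None = no endpoint, so the
    port must have fallen back to the null VLAN). Returns a list of mismatches."""
    problems, actual = [], parse_port_vlans(output)
    for port, family in profiled.items():
        want = OS_FAMILY_TO_VLAN.get(family, 99)  # unknown family -> null VLAN
        untagged = [v for v, _, mode in actual.get(port, []) if mode == "Untagged"]
        if untagged != [want]:
            problems.append(f"port {port}: expected untagged VLAN {want} for "
                            f"{family or 'no endpoint'}, switch shows {untagged}")
    return problems
```

Feed it the live output of the show command for the OnConnect ports and the OS family ClearPass shows for each endpoint; an empty list means the SNMP writes did what the enforcement profiles promised.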