Education - Australia / New Zealand


A local community of education customers across Australia / NZ. This group will be moderated by HPE Aruba Networking staff and kept up to date with any upcoming training or events that are relevant to the EDU space.

Aruba ClearPass with Cisco WLC 802.1X Role Based Access


    Posted Aug 19, 2018 07:52 AM


    The following post will detail how to configure and integrate Aruba ClearPass with a Cisco wireless LAN controller for role-based access. The example will use both a staff and a student type account.


    Lab Setup:

    ClearPass 6.6.10.x

    Cisco vWLC 8.0.x


    Cisco WLC Configuration:


    I have created two interfaces on the Cisco WLC, one for students and one for staff. (Note: I have not assigned IP addresses, but this would be required for production.)




    Next I am going to create an access list that will be used by both account types (student and staff). I could use any number of ACLs to restrict traffic based on use case, but for this example I am keeping it simple.



    You will need to ensure that "Support for RFC 3576" is enabled, otherwise role based policy from ClearPass won't work.


    Finally I am going to configure "Allow AAA Override" on the "Secure" SSID. Without this configuration I won't be able to provide role-based access to this SSID.



    ClearPass Configuration:

    First up I am going to add the Cisco WLC as a network device on ClearPass, making sure to set the "Vendor Name" as "Cisco".



    To make policy creation a little easier I am going to use device groups to determine what is a Cisco device and what is an Aruba device.




    Don't forget to enable the "Airespace" RADIUS attributes on ClearPass, as we will be using these later.





    Now I am going to create a couple of roles to be used for applying policy to the Cisco WLC.



    Next up I am going to create a role mapping policy to determine who is a staff user and who is a student user, and from what type of network device they are connecting (i.e. if the user authenticating is a member of the "StaffGroup" in Active Directory and the network device they are authenticating from is a Cisco device, then I will assign the role "staff-role-cisco").



    The next step is to create the enforcement profiles that will be sent to the Cisco WLC. These profiles will set the ACL and VLAN that the user will be put on.





    Now that we have created the profiles, it's time to create the policy. The policy will map the roles created earlier to the enforcement profiles.



    Finally we can create the service for the secure SSID. This service will match on the "secure" SSID for wireless authentications.
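The decision chain the post walks through (device group plus AD group decide the role, the role selects an enforcement profile, the profile returns Airespace attributes, and the WLC only honours them with AAA Override on) as an added example that is not part of the original post or of ClearPass itself. The NAS addresses, the "StudentGroup"/"student-role-cisco" names, the interface names and the ACL name "edu-acl" are assumptions; only "StaffGroup", "staff-role-cisco" and the Airespace attribute names come from the post.

```python
import struct

AIRESPACE_VENDOR_ID = 14179       # IANA enterprise number carried in Cisco WLC (Airespace) VSAs
AIRESPACE_INTERFACE_NAME = 5      # Airespace-Interface-Name: dynamic interface (VLAN) on the WLC
AIRESPACE_ACL_NAME = 6            # Airespace-ACL-Name: named ACL the WLC applies to the client

# Constructed lab data (assumptions, not from the post): which NAS belongs to which device group
DEVICE_GROUPS = {"192.0.2.10": "Cisco Devices", "192.0.2.20": "Aruba Devices"}
# Role mapping policy: (AD group, device group) -> ClearPass role, first match wins
ROLE_MAPPING = [
    (("StaffGroup", "Cisco Devices"), "staff-role-cisco"),
    (("StudentGroup", "Cisco Devices"), "student-role-cisco"),   # assumed by analogy
]
# Enforcement profiles: role -> (WLC interface name, WLC ACL name); names are assumptions
ENFORCEMENT = {
    "staff-role-cisco": ("staff", "edu-acl"),
    "student-role-cisco": ("student", "edu-acl"),
}

def map_role(ad_groups, nas_ip):
    """Role mapping: the user's AD groups plus the NAS's device group decide the role."""
    device_group = DEVICE_GROUPS.get(nas_ip)
    for (group, dev_group), role in ROLE_MAPPING:
        if group in ad_groups and dev_group == device_group:
            return role
    return None                    # no role matched: the service has nothing to enforce

def airespace_vsa(attr_type, value):
    """Encode one Airespace VSA as a RADIUS Vendor-Specific (type 26) attribute, RFC 2865 layout."""
    data = value.encode()
    inner = struct.pack("!BB", attr_type, 2 + len(data)) + data          # vendor type, vendor length
    return struct.pack("!BBI", 26, 6 + len(inner), AIRESPACE_VENDOR_ID) + inner

def enforce(ad_groups, nas_ip):
    """Enforcement policy: pick the profile for the role and build the Access-Accept attributes."""
    role = map_role(ad_groups, nas_ip)
    if role is None:
        return None                # treated as Access-Reject in this example
    interface, acl = ENFORCEMENT[role]
    return {"role": role, "Airespace-Interface-Name": interface, "Airespace-ACL-Name": acl,
            "vsa_bytes": airespace_vsa(AIRESPACE_INTERFACE_NAME, interface)
                         + airespace_vsa(AIRESPACE_ACL_NAME, acl)}

def wlc_apply(attrs, aaa_override, wlan_interface="management"):
    """What the WLC does with the reply: the returned interface/ACL only take effect with AAA Override on."""
    if attrs is None:
        return None
    if not aaa_override:           # attributes are ignored, client lands on the WLAN's own interface
        return {"interface": wlan_interface, "acl": None}
    return {"interface": attrs["Airespace-Interface-Name"], "acl": attrs["Airespace-ACL-Name"]}
```

Comparing `wlc_apply(..., aaa_override=False)` with the override enabled shows why the post insists on that setting: without it the Access-Accept still carries the VSAs, but the client never moves off the WLAN's default interface.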