Education - Australia / New Zealand

last person joined: 20 days ago 

A local community of Aruba education customers across Australia/NZ. This group will be moderated by Aruba staff and kept up to date with any upcoming training or events that are relevant to the EDU space.

Aruba ClearPass with Cisco WLC 802.1X Role Based Access

This thread has been viewed 18 times
  • 1.  Aruba ClearPass with Cisco WLC 802.1X Role Based Access

    Posted Aug 19, 2018 07:52 AM

    Overview:

    The following post will detail how to configure and integrate Aruba ClearPass with a Cisco wireless LAN controller, for role based access.  The example will use both a staff and student type account.

     

    Lab Setup:

    ClearPass 6.6.10.x

    Cisco vWLC 8.0.x

     

    Cisco WLC Configuration:

     

    I have created two interfaces on the Cisco WLC, one for students, and one for staff. (note: i have not assigned IP addresses but this would be required for production).21.PNG

     

     

     

    Next i am going to create an access list that will be used by both account types (student and staff).  I could use any number of ACL's to restrict traffic based on use case, but for this example i am keeping it simple.
    7.PNG

     

     

    You will need to ensure that "Support for RFC 3576" is enabled, otherwise role based policy from ClearPass won't work.
    1.PNG

     

    Finally i am going to configure "Allow AAA Override" on the "Secure" SSID.  Without this configuration i wont be able to provide role based access to this SSID.5.PNG

     

     

    ClearPass Configuration:

    First up i am going to add the Cisco WLC as a network device on ClearPass, making sure to set the "Vendor Name" as "Cisco".10.PNG

     

     

    To make policy creation a little easier i am going to use device groups to determine what is a Cisco device and what is an Aruba device.
    11.PNG

     

     

     

    Don't forget to enable the "Airespace" RADIUS attributes on ClearPass, as we will be using these later.01.PNG

     

     

     

     

    Now i am going to create a couple of roles to be used for applying policy to the Cisco WLC.8.PNG

     

     

    Next up i am going to create a role mapping policy to determine who is a staff user and who is a student user; and from what type of network device they are connecting.  (i.e. if the user authenticating is a member of the "StaffGroup" in Active Directory and the network device they are authenticating from is a Cisco device, then i will assign the role "staff-role-cisco".
    12.PNG

     

     

    The next step is to create the enforcement profiles that will be sent to the Cisco WLC.  These profiles will set the ACL and VLAN that the user will be put on.13.PNG

     14.PNG

     

     

     

    Now that we have created the profiles, it's time to create the policy.  The policy will map the roles created earlier to the enforcement profiles.15.PNG

     

     

    Finally we can create the servive for the secure SSID.  This service will match on the "secure" SSID for wireless authentications.16.PNG

     

    Testing:17.PNG

     

    18.PNG

     

    19.PNG

     

    20.PNG