We’re happy to announce an update to the ClearPass Solution Guide for Wired Policy Enforcement. Version 2018-01 adds OnConnect for Comware 7 (added in ClearPass 6.7.1), changes for ClearPass 6.7 and some overall tweaks and updates.
2018-01 Release Notes:
Updated Document Summary:
Document Link (v2018-01): ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf
Future releases to include:
- Cisco IOS-XE 'Denali' (16.x) with IBNS 2.0
- Juniper EX
Enjoy
- Aruba Security Team
Thank you very much for this guide.
So I can use this guide to use a Cisco switch and CPPM for wired guest captive portal services?
Cisco switch: Catalyst 3560-CX series (version: 15.2(4)E2)
CPPM: running on VM using trial license (90 days)
In document it says:
"Configuring a self-registration workflow in Guest is outside the scope of the document"
Can I get a link to above so that I can complete rest of configuration?
I followed this guide for the ClearPass: Web Authentication section and configured my test CPPM as such. I configured the guest page and the Cisco switch.
I am getting below error:
Alerts for this Request
Did you configure the Guest side?
Yes I did, not sure if I have missed something.
I followed link you posted for guest configuration.
Thanks for creating this document, it's helping a lot. One thing I do not yet see is this. I am configuring Aruba 2530 (J9773A) switches for Dot1x RADIUS-based enforcement. Is there a command on the switch that I can use to fail-open (allow connections) if the switch cannot communicate with the ClearPass server cluster?
What firmware are you using? With the latest 16.05 there is this option (I don't remember the name...)
Question: you tested with the 5510_HI_7.10.R1308.
Is the COA already supported here (5510 HI)?
I really need this.
Yes, as mentioned in the doc:
This configuration has been tested on the HPE 5130EI, 5130HI and 5510HI.
The minimum versions of Comware 7 required for this configuration are:
• 5130_HI_7.10.R1308
• 5510_HI_7.10.R1308
I have a question about profiling, e.g. DHCP fingerprinting. Does the IP helper address need to be set up on each and every single edge switch or just the core/distribution switch? For example, if I want to set up a dead-end VLAN for profiling, does this VLAN need to be L3 (I would assume so)? But does that also mean this VLAN needs to be L3 on each (downstream) edge switch, or would L2 work?
Generally it would be added to the client's gateway interface. In an L2 environment, that's commonly at the distribution layer. In an L3 environment, it's at the edge switch.
This document has been updated (v2017-02) to include the new ArubaOS-Switch 16.04 features: Downloadable User Roles and Per-User Tunneled-Node.
The original post at the top has been updated.
On pg. 29 for Endpoint:Guest Role EQUALS AD-User what do I need setup already to get something like that to work?
I can't use my normal Authorization:Active Directory:memberof instead here, can I?
I don't think I'm using the Device Role ID's really anywhere in my setup.
I found this guide mere minutes before my call with my Aruba Sales Team to discuss expanding our use of CPPM into wired policy enforcement.
As usual your timing is excellent as is your advice.
(do you want me to PM you any errors/typos?)
Awesome document! I'm about to do this with a customer nearly exactly the same as the document (802.1x with MAC and Captive Portal as last resort) The
Is there anywhere we can get the ClearPass configuration template (Service, roles, enforcement profiles) so I can modify that rather than spend hours making something similar? I had a look on the Solutions Exchange but no luck.
First of all, thanks for creating this document, very useful. Is this the latest version of the document, or are there any newer revisions? Thanks.
Yes, it's the latest. The link in the thread is updated as new versions are released. Next one is due in the next month or so.
Version 2018-01 is now available! See original post for details and link.
Hi Tim, thanks for the update.
We run a number of Aruba 2620 & 2530 switches in our environment and something that bit us when we first implemented ClearPass and 802.1x + MAC Auth through these switches about 1.5 years ago was lack of support for a number of features related to network authentication. For example today, based on the guide, on an Aruba 2530 "ArubaOS" running YB.16.05.0004 there is currently:
I can certainly appreciate this is an entry-level switch and that's not an issue; however, do you know if there's any Aruba/HPE resource that tabulates these features that heavily relate to network authentication support specifically? Otherwise it makes reading these guides a little misleading at times unless you know what each switch can and can't do, or a minimum model required, etc.
@cappalli wrote:
Future releases to include:
- Cisco IOS-XE 'Denali' (16.x) with IBNS 2.0
- Juniper EX
Enjoy
- Aruba Security Team

Just curious if anyone is currently doing this with the Denali code, or if the document for it is close to publication? We are currently testing this out, but before I went to TAC I wanted to see if anyone here had it working. We are seeing ClearPass approve devices, but the 3850s are saying the device isn't authenticated. Thanks!
Any plan to support Comware 5 for OnConnect? Right now it's only Comware 7 for H3C/HP switches.
Everything is working great here with Comware 7 switches like the 5130, but not so much with the older 5120 under Comware 5 (the SNMP command to change the VLAN, for example, is not recognized by the switch).
(And sorry for my English)
Before I go into sticking this into the lab, I assume the authentication is performed at a port level rather than a client level? My assumption is based on connecting APs to colourless ports and allowing all bridged-wireless authenticated clients access to the transport networks. If not, then I would like to know whether this is capable of working in that scenario?
Authentication is per-MAC.
Colorless ports with User Roles with bridged APs (Instant) is not currently supported.
Would be nice to have a list of switches that fully support this setup within the Aruba family. I've tested with the 2920, but is the 2530 also supported? 2540?
@Gonz wrote: Hi! Would be nice to have a list of switches that fully support this setup within the Aruba family. I've tested with the 2920, but is the 2530 also supported? 2540?
Yes good idea..
No support of DUR on PPTN/PPUN for 2530 :(
Probably should be a separate thread. Was curious how much of a difference there is between IBNS 1.0 and IBNS 2.0 for Cisco (new area for both the wireless and wired team)? We're looking into moving to ClearPass for wired device registration (MAC Auth) for the Residence Halls with the use of dACLs. The majority of the Cisco access switches are running IOS-XE 3.06.06. Wasn't sure if it's best to configure with what the current tech note has (thank you for this document), IBNS 1.0, or if I should try to configure with IBNS 2.0?

I should also phrase that my question is assuming that IBNS 1.0 and IBNS 2.0 are separate "module versions"/deployment methods where one can be deployed over the other on IOS-XE (legacy support), or is it more that IBNS 2.0 replaces IBNS 1.0 fully on newer versions?
Any update on Cisco IBNS 2.0/IOS-XE/Denali+?
I am trying Cisco Catalyst (IOS) Enforcement RADIUS-based Enforcement. My WIN10 wired client gets the redirect (ClearPass Guest URL + client MAC) in its browser but with certificate trust errors. The certificate that client is not trusting is the Cisco switch self signed cert. What do I need to do?
The first ACL statement on the Cisco switch must block the wired client from accessing the ClearPass captive portal (Guest). If you do not have that, then the wired client is able to talk directly to ClearPass. With the Cisco switch in the middle proxying the traffic you just end up in a weird HTTP redirect loop (HTTP 302).
This solution guide has the required config. Please don't miss the details like I did :)
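To make the point in the reply above concrete, here is an added example of the Cisco IOS side: a redirect ACL plus a pre-auth port ACL for a Catalyst running classic IOS 15.2(4)E (IBNS 1.0 style, like the 3560-CX mentioned earlier in the thread). This is not the guide's configuration and not the poster's; the ClearPass address 10.1.1.10, the DNS server 10.1.1.53, the ACL names and the port are assumptions. In a Cisco url-redirect ACL, `deny` means "pass through untouched" and `permit` means "intercept and answer with a 302 to the url-redirect URL", which is why the entry for ClearPass itself must be first: if portal traffic is intercepted too, every request to the portal is answered with another redirect to the portal and the browser loops.

```cisco
! Added example: Cisco IOS 15.2(4)E (classic IOS, IBNS 1.0), not the solution guide's own config.
! Assumed addresses: ClearPass 10.1.1.10, DNS 10.1.1.53; DHCP is relayed by the client's gateway.
!
! Redirect ACL: named by the Cisco-AVPair "url-redirect-acl=<name>" that ClearPass returns.
! Semantics here: deny = do not intercept, permit = intercept and redirect.
ip access-list extended CPPM-REDIRECT
 remark Never intercept traffic to ClearPass itself, otherwise the portal redirects in a loop
 deny   ip any host 10.1.1.10
 remark DNS and DHCP must pass so the client can resolve and reach the portal name
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 remark Everything else on HTTP is intercepted and sent to the ClearPass guest page
 permit tcp any any eq www
 remark Intercepting 443 is optional: the switch then answers TLS with its own certificate
 permit tcp any any eq 443
!
! Pre-auth ACL: applied on the port (or returned as a dACL) while the MAC is not yet authorised.
! This one is an ordinary filter: permit = allowed, deny = dropped. It must permit the
! HTTP/HTTPS traffic that the redirect ACL is going to intercept.
ip access-list extended CPPM-PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.1.1.53 eq domain
 permit ip  any host 10.1.1.10
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip  any any
!
! The redirect is served by the switch's own web server, and url-redirect/dACL need
! the IP-to-MAC binding that device tracking provides
ip http server
ip http secure-server
ip device tracking
!
interface GigabitEthernet0/1
 description Guest-capable access port (assumed port)
 switchport mode access
 ip access-group CPPM-PREAUTH in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
!
! The ClearPass enforcement profile for the web-auth fallback returns (attribute names are
! Cisco's; the URL is a placeholder for whatever the guide's web login page is):
!   Cisco-AVPair = url-redirect-acl=CPPM-REDIRECT
!   Cisco-AVPair = url-redirect=https://<clearpass-fqdn>/guest/<page>.php?mac=<client-mac>
```

Two practitioner notes. First, the certificate trust error reported earlier in the thread is a direct consequence of the `permit tcp any any eq 443` line: the intercept is performed by the switch's HTTPS server with its own (self-signed) certificate, so the only ways to avoid the warning are to install a certificate the clients trust on the switch's trustpoint or to intercept port 80 only, which still catches the HTTP captive-portal probes that Windows and most mobile OSes send. Second, verify with `show authentication sessions interface GigabitEthernet0/1 details` that the URL-redirect ACL and URL are actually applied to the session; if they are missing, the RADIUS attributes never arrived and the browser will not be redirected at all.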
Yes, at least to be able to redirect the traffic on an ArubaOS-Switch. It doesn't need to be the default gateway of the client though, so we've just set up a quarantine network where the switches have an IP and then the client gets a temporary IP; works pretty well.
The 2540 does seem to have trouble with logging in to the guest / changing to the guest VLAN after web registration in my labs. Has anyone got the 2540 working? (The same config works fine for the 2920 for me.)
"Doesn't need to be default gw of the client though so we've just setup a quarantine network were the switches have a ip"
So did you use the switch "vlan 1" or management IP to accomplish this?
We added a quarantine VLAN. The VLAN is the one you assign an unauthorized client on first connecting to the switch. Add an IP on the switch on that VLAN (we used DHCP to avoid too much work :) ). And then the switch will redirect the client upon connecting to the switch.
So if you want to use VLAN 5 for unauthorized clients before they log in to the guest network, then set an IP address on the switch on VLAN 5.
The Wired Policy Enforcement Guide was helpful. Is there a Wireless Policy Enforcement Guide available for download?
You can download all CPPM technote guides from the location below
I've run into a limitation on 2930F switches with local user-roles. When I try to define a new user-role I get the following error:
"The maximum number of local user roles allowed is 32".
This is a big problem since our customer is using more than 32 VLANs on their access layer. I personally don't want to go back to the days of having to manually configure a port, so I'm working with support to get this resolved. Also posting here since I didn't find this particular limit anywhere in docs or community posts.
I'm considering trying downloadable user roles if it allows me to add more than 32 user-roles to the switches, but I don't know if that'll let me pass the limitation. More testing required ;-)
@Udimonk wrote: Hello all, I've run into a limitation on 2930F switches with local user-roles. When I try to define a new user-role I get the following error: "The maximum number of local user roles allowed is 32". This is a big problem since our customer is using more than 32 VLANs on their access layer. I personally don't want to go back to the days of having to manually configure a port, so I'm working with support to get this resolved. Also posting here since I didn't find this particular limit anywhere in docs or community posts. I'm considering trying downloadable user roles if it allows me to add more than 32 user-roles to the switches, but I don't know if that'll let me pass the limitation. More testing required ;-)
What is your configuration?
A user-role = a VLAN?
(Maybe better to open a new topic..)
Exactly. Our ClearPass cluster is returning generic role names that are tied to local user-roles on the switches. We have a few special roles that have wired captive portal ACLs active, mostly for guest users.
I've included one of the switch configs. I have opened a new topic; for those interested, the link is below. I'll update it once we find a working solution with support. So far it's been verified in their labs.
I think it is the same policy actually...
I think we need to look at returning the VLAN (ID or name) from ClearPass...
First, thanks for your availability and continued support on these forums.
In the Comware section of the solution guide, you recommend disabling the multicast-trigger feature, because it can cause issues with IP phones.
I actually experienced the opposite, with Aastra phones. The phones would not reauthenticate unless multicast-trigger was enabled. Finally we enabled both multicast and unicast trigger on the ports.
First question: could you elaborate on why multicast-trigger could cause issues with phones in particular?
Second question: do you think enabling both multicast/unicast-trigger could cause undesired side effects?
Thanks a lot for your insights.
Is it possible to configure the authentication of guests with captive portal without the need for the 5130 EI switch to be layer 3?
No, you wouldn't be able to redirect clients to a different IP.
The best you can achieve in my opinion is to permit HTTPS port 443 and have users browse to the portal themselves. After that you can register the user, assign VLANs/ACLs and let the user reconnect by either sending a Change of Authorization (CoA) or asking the user to unplug and replug themselves.
Will the guide be updated after the new firmware release?
Also, this new feature isn't available on 2920 switches in the latest release; any idea if it will be available in the future?
Yes, there are also new features in 16.08 (like downloading the root certificate for ClearPass...)
Hi Tim,
In that document it is mentioned that by selecting Hewlett Packard Enterprise in the NAS vendor setting, the user request will be sent to the web authentication service.
Can you please clarify how the request is categorized as web auth, enforcing an endpoint attribute and bouncing the host port???
Is it planned to make an update for this document soon?
Have you managed to update the document by including IBNS 2.0?
Any update on including Juniper EX switches in the document?