Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Solution Guide: Wired Policy Enforcement

  • 1.  ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 02, 2017 01:13 PM

    Team Aruba,

     

    We’re happy to announce an update to the ClearPass Solution Guide for Wired Policy Enforcement. Version 2018-01 adds OnConnect for Comware 7 (added in ClearPass 6.7.1), changes for ClearPass 6.7 and some overall tweaks and updates.

     

    2018-01 Release Notes:

    • Major Updates
      • [CW7] Added ClearPass OnConnect section
      • [CW7] Updated dynamic authorization references to use new H3C templates in 6.7

     

    • Minor Updates
      • [AOS-S] corrected ordering of some commands
      • [AOS-S] added addr-limit config
      • [AOS-S] added SNMP server trap source
      • [AOS-S] updated DUR section to include standard mode added in 6.7
      • [AOS-S] updated web auth service to use new page name attribute added in 6.7
      • [Cisco] Added note about LAN base image
      • [Cisco] updated web auth service to use new page name attribute added in 6.7
      • [CW7] updated web auth service to use new page name attribute added in 6.7

     

    Updated Document Summary:

    • Wired enforcement options and technologies
    • ArubaOS-Switch configurations:
      • Colorless port: 802.1X, MAC Auth, Captive Portal with local and downloadable user roles
      • OnConnect
      • Per-Port Tunneled-Node (PPTN)
      • Per-User Tunneled-Node (PUTN)
    • Comware 7 configuration:
      • Colorless port: 802.1X, MAC Auth, Captive Portal
      • OnConnect
    • Cisco IOS 12.x/15.x (IBNS 1.0) configuration:
      • Colorless port: 802.1X, MAC Auth, Captive Portal
      • OnConnect

     

     

    Document Link (v2017-02): ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf

     

    Future releases to include: 

    • Cisco IOS-XE 'Denali' (16.x) with IBNS 2.0
    • Juniper EX

    Enjoy

     

    - Aruba Security Team



  • 2.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 04, 2017 07:37 PM

    Thank you very much for this guide.

    So i can use this guide to use cisco switch and CPPM for wired guest captive portal services?

     

    Cisco switch: Catalyst 3560-CX series (version: 15.2(4)E2)

    CPPM: running on VM using trial license (90 days)

     

    Cheers

    Tariq



  • 3.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 04, 2017 07:46 PM
    Yes.


  • 4.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 28, 2017 01:26 AM

    Thanks,

     

    In document it says:

    "Configuring a self-registration workflow in Guest is outside the scope of the document"

     

    Can I get a link to above so that I can complete rest of configuration?



  • 5.  RE: ClearPass Solution Guide: Wired Policy Enforcement



  • 6.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jul 10, 2017 01:51 AM

    Thanks Tim,

    I followed this guide for CleasPass:Web Authentication section and configured my test CPPM as such. I configured guest page and Cisco switch.

     

    I am getting below error:

    ===

    Error Code:

    204

    Error Category:

    Authentication failure

    Error Message:

    Failed to classify request to service

     Alerts for this Request  

    RADIUSService Categorization failed


  • 7.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jul 10, 2017 09:24 AM

    Did you configure the Guest side?



  • 8.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jul 10, 2017 06:56 PM

    yes I did, not sure if I have missed something. 

    I followed link you posted for guest configuration.



  • 9.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 03, 2018 01:13 PM

    Hello Tim

     

    Thanks for creating this document, It's helping a lot.  One thing I do not yet see is this.  I am configuring Aruba 2530 (J9773A) switches for Dot1x raduis based enforcement.  Is there a command on the switch that I can use to fail-open (allow connections) if the switch cannot communicate with the ClearPass server cluster?

     

    Thanks

     

    Ric

     

     



  • 10.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 04, 2018 03:35 PM

    Hi,

     

    What firmware do you are using ? with last 16.05, there is this option (don't remenber the name...)



  • 11.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 14, 2017 06:12 AM

    Hi, Tim 

     

    Great doccument.

    Question you tested with the 5510_HI_7.10.R1308. 

    Is the COA already supported here (5510 HI)?

    I really need this.

     

     



  • 12.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 14, 2017 10:34 AM

    Yes, as mentioned in the doc:

     

    This configuration has been tested on the HPE 5130EI, 5130HI and 5510HI.

    The minimum versions of  Comware 7 required for this configuration are:

    5130_EI_7.10.R3113P02

    5130_HI_7.10.R1308
    • 5510_HI_7.10.R1308



  • 13.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jul 17, 2017 03:50 PM

    I have a question about profiling e.g. DHCP finger printing. Does the IP helper address needs to be set up on each and every single edge switch or just the core/distribution switch? For example if I want to set up a deadend VLAN for profiling, does this VLAN need to be L3 (I would assume so)? But does that also mean this VLAN need to be L3 on each (downstream) edge switch or L2 would work?

     



  • 14.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jul 17, 2017 03:53 PM

    Generally it would be added to the client's gateway interface. In an L2 environment, that's commonly at the distribution layer. In an L3 environment, it's at the edge switch.



  • 15.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Aug 04, 2017 08:43 AM

    Team,

     

    This document has been updated (v2017-02) to include the new ArubaOS-Switch 16.04 features: Downloadable User Roles and Per-User Tunneled-Node.

     

    The original post at the top has been updated.

     

    Enjoy!



  • 16.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Oct 05, 2017 04:03 PM

    On pg. 29 for Endpoint:Guest Role EQUALS AD-User what do I need setup already to get something like that to work?

     

    I can't use my normal Authorization:Active Directory:memberof instead here, can I?

     

    I don't think I'm using the Device Role ID's really anywhere in my setup.



  • 17.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Oct 05, 2017 08:24 PM

    I found this guide mere minutes before my call with my Aruba Sales Team to discuss expanding our use of CPPM into wired policy enforcement.

    As usual your timing is excellent as is your advice.

    Thanks!

    .

    (do you want me to PM you any errors/typos?)



  • 18.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Nov 19, 2017 11:58 PM

    Awesome document!  Im about to do this with a customer nearly exactly the same as the document (802.1x with MAC and Captive Portal as last resort)   The

     

    Is there anywhere we can get the clearpass configuration template (Service,roles,enforcment profiles) so i can modify that rather then send hours making something similar?  i had a look on the solutions exchange but no luck.



  • 19.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Nov 20, 2017 09:11 AM
    We're looking at enhancing the service templates in the future to more closely align with these type of solutions, but unfortunately nothing to share right now.


  • 20.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jan 25, 2018 06:07 AM

    Hi Tim,

     

    First of all, thanks for creating this document, very useful. Is this the latest version of the document, or are there any newer revisions? Thanks.

     

    NesaM



  • 21.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jan 25, 2018 10:30 AM

    Yes, it's the latest. The link in the thread is updated as new versions are released. Next one is due in the next month or so.



  • 22.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jan 25, 2018 10:43 AM

    Thanks Tim!

     

    Regards,

    NesaM



  • 23.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Feb 09, 2018 07:44 PM

    Version 2018-01 is now available! See original post for details and link.



  • 24.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Mar 15, 2018 02:23 AM

    Hi Tim, thanks for the update.

     

    We run a number of Aruba 2620 & 2530 switches in our environment and something that bit us when we first implemented ClearPass and 802.1x + MAC Auth through these switches about 1.5 years ago was lack of support for a number of features related to network authentication. For example today, based on the guide, on an Aruba 2530 "ArubaOS" running YB.16.05.0004 there is currently:

    • No downloadable user role support
    • No support for "ip client-tracker"
    • Unless it's changed in the last year and a bit there was also no support for RFC4675 for tagging VLANs on these switches - we had a ticket open with both Aruba & HPE (back in the day) and it was raised as a feature request and the typical response of use a higher model switch as the 2920 supported this at the time. Sorry if this has been added since.
    • i'm sure there's more.

    I can certainly appreciate this is an entry level switch and that's not an issue however do you know if there's any Aruba/HPE resource that tables these features that heavily relate to network authentication support specifically? Otherwise it makes reading these guides a little misleading at times unless you know what each switch can and cant do or a minimum model required, etc.

     

    Regards

    Jonathan



  • 25.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Mar 26, 2018 06:40 PM

    @cappalli

    Future releases to include: 

    • Cisco IOS-XE 'Denali' (16.x) with IBNS 2.0
    • Juniper EX

    Enjoy

     

    - Aruba Security Team




    Just curious if anyone is currently doing this with the Denali code, or if the document for it is close to publication? We are currently testing this out but before I went to TAC I wanted to see if anyone here had it working. We are seeing Clearpass approve devices, but the 3850s are saying the device isn't authenticated.

     

    Thanks! 

     



  • 26.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Mar 26, 2018 06:46 PM
    We’re hoping to publish the next release with IOS-XE in April.


  • 27.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Mar 29, 2018 02:21 AM

    Hello there.

     

    Any plan to support the Comware 5 for OnConnect ? Right now it's only comware 7 for H3C/HP Switches.

    Everything is working great here with comware 7 switches like 5130, but not so much with older 5120 under Comware 5 (the snmp command to change the vlan for exemple, is not recognize by the switch)

     

    Thx.

     

    (And sorry for my english)



  • 28.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Mar 29, 2018 10:41 AM
    Please work with your Aruba account team to raise a feature request for Comware 5.


  • 29.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 10, 2018 02:19 AM

     Hi Tim,

     

    Before I go into sticking this into lab, I assume the authentication is performed at a port level rather then a client level? My assumption is based on connecting APs to colourless ports and allowing all bridged-wireless authenticated clients access to the transport networks. If not, then I would like to know whether this is capable of working in that scenario?



  • 30.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 10, 2018 10:10 AM

    Authentication is per-MAC.

     

    Colorless ports with User Roles with bridged APs (Instant) is not currently supported.



  • 31.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 24, 2018 10:27 AM

    Hi!

     

    Would be nice to have a list of switches that fully support this setup within the Aruba family. I´ve tested with 2920, but is also 2530 supported ? 2540 ?



  • 32.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 24, 2018 12:02 PM

    @Gonzwrote:

    Hi!

     

    Would be nice to have a list of switches that fully support this setup within the Aruba family. I´ve tested with 2920, but is also 2530 supported ? 2540 ?


    Yes good idea..

    No support of DUR on PPTN/PPUN for 2530 :(



  • 33.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 30, 2018 02:17 PM

    Probably should be a separate thread. Was curious how much of a difference is there between IBNS 1.0 and IBNS 2.0 for Cisco (new area for both the wireless and wired team)? We're looking into moving to Clearpass for wired device registration (Mac Auth) for the Residence Halls with the use of dACLs. Majority of the cisco access switches running a IOS-XE 3.06.06. Wasn't sure if it's best to configure with what the current tech note has (thank you for this document) IBNS 1.0 - or if should try to configure with IBNS 2.0?

    I should also phrase that my question is assuming that IBNS 1.0 and IBNS 2.0 are separate "module versions"/deployment methods where one can be deployed over the other on IOS-XE (legacy support) - or is it more IBNS 2.0 replaces IBNS 1.0 fully on newer versions?



  • 34.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted May 30, 2018 02:26 PM
    IBNS 2.0 is a new configuration model that provides if/then like functionality for port control.


  • 35.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Nov 08, 2018 08:07 PM

    Any update on Cisco IBNS 2.0/IOS-XE/Denali+?



  • 36.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 08, 2018 08:26 PM
    Hi Tim, I am trying Cisco Catalyst (IOS) Enforcement RADIUS-based Enforcement. My WIN10 wired client gets the redirect (ClearPass Guest URL + client MAC) in its browser but with certificate trust errors. The certificate that client is not trusting is the Cisco switch self signed cert. What do I need to do?


  • 37.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 11, 2018 07:36 PM

    Hi Tim,

    I am trying Cisco Catalyst (IOS) Enforcement RADIUS-based Enforcement. My WIN10 wired client gets the redirect (ClearPass Guest URL + client MAC) in its browser but with certificate trust errors. The certificate that client is not trusting is the Cisco switch self signed cert. What do I need to do?



  • 38.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 15, 2018 06:12 PM

    Problem solved.

    The first ACL statement on the Cisco switch must block the wired client from accessing to the ClearPass captive portal (Guest). If you do not have that then the wired Client is able to talk directly to ClearPass. With the Cisco switch in the middle proxying the traffic you just end up in a weird HTTP redirect loop (HTTP 302).

     

    This solution guide has the reuqired config. Please dont miss the details like I did :)



  • 39.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 26, 2018 10:30 PM
    Do you guys know if layer 3 for the user vlan needs to live in the access switch for url-redirect to work? 2 years ago this was required on Cisco 2960X switches, which is not scalable in larger deployments as usually layer 3 is on the upstream core switches.
    Thanks!


  • 40.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 27, 2018 04:12 AM

    Yes, atleast to be able to redirect the traffic on a ArubaOS Switch. Doesn't need to be default gw of the client though so we've just setup a quarantine network were the switches have a ip and then the client gets an temporary ip, works pretty well.



  • 41.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 27, 2018 05:12 AM

    The 2540 does seem to have trouble with login in the guest / changing to guest vlan after webregistration in my labs. Anyone got the 2540 working ? (Same config works fine for 2920 for me)



  • 42.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jun 28, 2018 01:02 PM

    "Doesn't need to be default gw of the client though so we've just setup a quarantine network were the switches have a ip "

     

    So did you use the switch "vlan 1" or management IP to acomplish this?



  • 43.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jul 02, 2018 05:40 AM

    Hi!

    We added a quarantine vlan. The vlan is the one you assign a unautharized client on first connecting to the switch. Add a ip on the switch on that vlan (we used dhcp to avoid to much work :) ). And then the switch will redirect the client upon connecting to the switch.

     

    So if you want to use vlan5 for anauthorized clients before they login to guestnetwork, then set a ip adress on the switch on vlan5.



  • 44.  RE: ClearPass Solution Guide: Wired Policy Enforcement

    Posted Jul 25, 2018 02:34 PM