Security

Team Aruba,

We’re happy to announce an update to the ClearPass Solution Guide for Wired Policy Enforcement. Version 2018-01 adds OnConnect for Comware 7 (added in ClearPass 6.7.1), changes for ClearPass 6.7 and some overall tweaks and updates.

2018-01 Release Notes:

• Major Updates
• [CW7] Added ClearPass OnConnect section
• [CW7] Updated dynamic authorization references to use new H3C templates in 6.7

• Minor Updates
• [AOS-S] corrected ordering of some commands
• [AOS-S] added addr-limit config
• [AOS-S] added SNMP server trap source
• [AOS-S] updated DUR section to include standard mode added in 6.7
• [AOS-S] updated web auth service to use new page name attribute added in 6.7
• [Cisco] Added note about LAN base image
• [Cisco] updated web auth service to use new page name attribute added in 6.7
• [CW7] updated web auth service to use new page name attribute added in 6.7

Updated Document Summary:

• Wired enforcement options and technologies
• ArubaOS-Switch configurations:
• Colorless port: 802.1X, MAC Auth, Captive Portal with local and downloadable user roles
• OnConnect
• Per-Port Tunneled-Node (PPTN)
• Per-User Tunneled-Node (PUTN)
• Comware 7 configuration:
• Colorless port: 802.1X, MAC Auth, Captive Portal
• OnConnect
• Cisco IOS 12.x/15.x (IBNS 1.0) configuration:
• Colorless port: 802.1X, MAC Auth, Captive Portal
• OnConnect

Document Link (v2017-02): ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf

Future releases to include: 

• Cisco IOS-XE 'Denali' (16.x) with IBNS 2.0
• Juniper EX

Enjoy

- Aruba Security Team

Thank you very much for this guide.

So i can use this guide to use cisco switch and CPPM for wired guest captive portal services?

Cisco switch: Catalyst 3560-CX series (version: 15.2(4)E2)

CPPM: running on VM using trial license (90 days)

Cheers

Tariq

Thanks,

In document it says:

"Configuring a self-registration workflow in Guest is outside the scope of the document"

Can I get a link to above so that I can complete rest of configuration?

http://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Default.htm#Configuration/CustomizingSelfProvisionedAccess.htm%3FTocPath%3DConfiguration%7CPages%7CCustomizing%2520Guest%2520Self-Registration%7C_____0

Thanks Tim,

I followed this guide for CleasPass:Web Authentication section and configured my test CPPM as such. I configured guest page and Cisco switch.

I am getting below error:

===

Error Code:

Error Category:

Error Message:

 Alerts for this Request  

Did you configure the Guest side?

yes I did, not sure if I have missed something. 

I followed link you posted for guest configuration.

Hello Tim

Thanks for creating this document, It's helping a lot.  One thing I do not yet see is this.  I am configuring Aruba 2530 (J9773A) switches for Dot1x raduis based enforcement.  Is there a command on the switch that I can use to fail-open (allow connections) if the switch cannot communicate with the ClearPass server cluster?

Thanks

Ric

Hi,

What firmware do you are using ? with last 16.05, there is this option (don't remenber the name...)

Hi, Tim 

Great doccument.

Question you tested with the 5510_HI_7.10.R1308. 

Is the COA already supported here (5510 HI)?

I really need this.

Yes, as mentioned in the doc:

I have a question about profiling e.g. DHCP finger printing. Does the IP helper address needs to be set up on each and every single edge switch or just the core/distribution switch? For example if I want to set up a deadend VLAN for profiling, does this VLAN need to be L3 (I would assume so)? But does that also mean this VLAN need to be L3 on each (downstream) edge switch or L2 would work?

Generally it would be added to the client's gateway interface. In an L2 environment, that's commonly at the distribution layer. In an L3 environment, it's at the edge switch.

Team,

This document has been updated (v2017-02) to include the new ArubaOS-Switch 16.04 features: Downloadable User Roles and Per-User Tunneled-Node.

The original post at the top has been updated.

Enjoy!

On pg. 29 for Endpoint:Guest Role EQUALS AD-User what do I need setup already to get something like that to work?

I can't use my normal Authorization:Active Directory:memberof instead here, can I?

I don't think I'm using the Device Role ID's really anywhere in my setup.

I found this guide mere minutes before my call with my Aruba Sales Team to discuss expanding our use of CPPM into wired policy enforcement.

As usual your timing is excellent as is your advice.

Thanks!

.

(do you want me to PM you any errors/typos?)

Awesome document!  Im about to do this with a customer nearly exactly the same as the document (802.1x with MAC and Captive Portal as last resort)   The

Is there anywhere we can get the clearpass configuration template (Service,roles,enforcment profiles) so i can modify that rather then send hours making something similar?  i had a look on the solutions exchange but no luck.

Hi Tim,

First of all, thanks for creating this document, very useful. Is this the latest version of the document, or are there any newer revisions? Thanks.

NesaM

Yes, it's the latest. The link in the thread is updated as new versions are released. Next one is due in the next month or so.

Thanks Tim!

Regards,

NesaM

Version 2018-01 is now available! See original post for details and link.

Hi Tim, thanks for the update.

We run a number of Aruba 2620 & 2530 switches in our environment and something that bit us when we first implemented ClearPass and 802.1x + MAC Auth through these switches about 1.5 years ago was lack of support for a number of features related to network authentication. For example today, based on the guide, on an Aruba 2530 "ArubaOS" running YB.16.05.0004 there is currently:

• No downloadable user role support
• No support for "ip client-tracker"
• Unless it's changed in the last year and a bit there was also no support for RFC4675 for tagging VLANs on these switches - we had a ticket open with both Aruba & HPE (back in the day) and it was raised as a feature request and the typical response of use a higher model switch as the 2920 supported this at the time. Sorry if this has been added since.
• i'm sure there's more.

I can certainly appreciate this is an entry level switch and that's not an issue however do you know if there's any Aruba/HPE resource that tables these features that heavily relate to network authentication support specifically? Otherwise it makes reading these guides a little misleading at times unless you know what each switch can and cant do or a minimum model required, etc.

Regards

Jonathan

---

@cappalli

Future releases to include: 

• Cisco IOS-XE 'Denali' (16.x) with IBNS 2.0
• Juniper EX

Enjoy

 

- Aruba Security Team

---

Just curious if anyone is currently doing this with the Denali code, or if the document for it is close to publication? We are currently testing this out but before I went to TAC I wanted to see if anyone here had it working. We are seeing Clearpass approve devices, but the 3850s are saying the device isn't authenticated.

 

Thanks! 

Hello there.

Any plan to support the Comware 5 for OnConnect ? Right now it's only comware 7 for H3C/HP Switches.

Everything is working great here with comware 7 switches like 5130, but not so much with older 5120 under Comware 5 (the snmp command to change the vlan for exemple, is not recognize by the switch)

Thx.

(And sorry for my english)

 Hi Tim,

Before I go into sticking this into lab, I assume the authentication is performed at a port level rather then a client level? My assumption is based on connecting APs to colourless ports and allowing all bridged-wireless authenticated clients access to the transport networks. If not, then I would like to know whether this is capable of working in that scenario?

Authentication is per-MAC.

Colorless ports with User Roles with bridged APs (Instant) is not currently supported.

Hi!

Would be nice to have a list of switches that fully support this setup within the Aruba family. I´ve tested with 2920, but is also 2530 supported ? 2540 ?

---

@Gonzwrote:

Hi!

 

Would be nice to have a list of switches that fully support this setup within the Aruba family. I´ve tested with 2920, but is also 2530 supported ? 2540 ?

---

Yes good idea..

No support of DUR on PPTN/PPUN for 2530 :(

Probably should be a separate thread. Was curious how much of a difference is there between IBNS 1.0 and IBNS 2.0 for Cisco (new area for both the wireless and wired team)? We're looking into moving to Clearpass for wired device registration (Mac Auth) for the Residence Halls with the use of dACLs. Majority of the cisco access switches running a IOS-XE 3.06.06. Wasn't sure if it's best to configure with what the current tech note has (thank you for this document) IBNS 1.0 - or if should try to configure with IBNS 2.0?

I should also phrase that my question is assuming that IBNS 1.0 and IBNS 2.0 are separate "module versions"/deployment methods where one can be deployed over the other on IOS-XE (legacy support) - or is it more IBNS 2.0 replaces IBNS 1.0 fully on newer versions?

Any update on Cisco IBNS 2.0/IOS-XE/Denali+?

Hi Tim,

I am trying Cisco Catalyst (IOS) Enforcement RADIUS-based Enforcement. My WIN10 wired client gets the redirect (ClearPass Guest URL + client MAC) in its browser but with certificate trust errors. The certificate that client is not trusting is the Cisco switch self signed cert. What do I need to do?

Problem solved.

The first ACL statement on the Cisco switch must block the wired client from accessing to the ClearPass captive portal (Guest). If you do not have that then the wired Client is able to talk directly to ClearPass. With the Cisco switch in the middle proxying the traffic you just end up in a weird HTTP redirect loop (HTTP 302).

This solution guide has the reuqired config. Please dont miss the details like I did :)

Yes, atleast to be able to redirect the traffic on a ArubaOS Switch. Doesn't need to be default gw of the client though so we've just setup a quarantine network were the switches have a ip and then the client gets an temporary ip, works pretty well.

The 2540 does seem to have trouble with login in the guest / changing to guest vlan after webregistration in my labs. Anyone got the 2540 working ? (Same config works fine for 2920 for me)

"Doesn't need to be default gw of the client though so we've just setup a quarantine network were the switches have a ip "

So did you use the switch "vlan 1" or management IP to acomplish this?

Hi!

We added a quarantine vlan. The vlan is the one you assign a unautharized client on first connecting to the switch. Add a ip on the switch on that vlan (we used dhcp to avoid to much work :) ). And then the switch will redirect the client upon connecting to the switch.

So if you want to use vlan5 for anauthorized clients before they login to guestnetwork, then set a ip adress on the switch on vlan5.

The Wired Policy Enforcement Guide was helpful. Is there are Wireless Policy Enforcement Guide available for download?

Hi,

You can download all cppm technotes guides from below location

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

Hello all,

I've ran into a limitation on 2930F switches with local user-roles. When I try to define a new user-role I get the following error:

"The maximum number of local user roles allowed is 32".

This is a big problem since our customer is using more then 32 vlan's on their access layer. I personally don't want to go back to the days of having to manually configure a port so I'm working with support to get this resolved. Also posting here since I didn't find this particular limit anywhere in docs or community posts.

I'm considering to try downloadable user roles if it allows me to add more then 32 user-roles to the switches, but I don't know if that'll let me pass the limitation. More testing required ;-)

---

@Udimonk wrote:

Hello all,

 

I've ran into a limitation on 2930F switches with local user-roles. When I try to define a new user-role I get the following error:

 

"The maximum number of local user roles allowed is 32".

 

This is a big problem since our customer is using more then 32 vlan's on their access layer. I personally don't want to go back to the days of having to manually configure a port so I'm working with support to get this resolved. Also posting here since I didn't find this particular limit anywhere in docs or community posts.

 

I'm considering to try downloadable user roles if it allows me to add more then 32 user-roles to the switches, but I don't know if that'll let me pass the limitation. More testing requried ;-)

---

What your configuration ?

a user-role = a vlan ?

(May be better to open a new topic..)

Exactly. Our ClearPass cluster is returning generic role names that are tied to local user-roles on the switches. We have a few special roles that have wired captive portal ACL's active, mostly for guest users.

I've included one of the switch configs. I have opened a new topic, for those interested link is below. I'll update it once we find a working solution with support. So far it's been verified in their labs.

https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/2930F-max-local-user-roles/td-p/487076

Attachment(s)

SERO_AS_VSF_01.txt   99 KB 1 version

I look it is the same POLICY actually...

i think, we need to look for return vlan(-id or name) by ClearPass...

Hi Tim,

First, thanks for your availability and continued support on these forums.

In the comware section of the solution guide, you recommend disbaling the multicast-trigger feature, because it can cause issues with IP phones.

I actualy experienced the opposite, with Aastra phones. The phones would not reauthenticate unless multicast-trigger was enable. Finaly we enabled both multicast and unicast trigger on the ports.

First question, could you ellaborate on why multicast-trigger could cause issues with phones in particular ?

Second question, do think enabling both multi/unicast-trigger could cause undesired side effects ?

Thanks a lot for your insights.

Regards,

Is it possible to configure the authentication of guests with captive portal, without the need for Switch 5130 EI to be layer 3?

No, you wouldn't be able to redirect clients to a different IP.

Best you can achieve in my opinion is to permit https port 443 and have users browse to the portal themselves. After that you can register the user, appoint VLANs/ACLs and let the user reconnect by either sending a Change of Authorization (CoA) or asking the user to unplug and replug themselves

Hi!

Will the guide be updated after the new firmware release ?

Also this new feature isn't available in 2920-switches in the latest release, any idea if it will be available in the future ?

Yes, there is also new feature of 16.08 (like download root certificate for ClearPass...)

Hi TIM ,

In that document mentioned as by selecting a HEWLET PACKET ENTERPRISE in nas vendor setting , user request will be craft to web authentication service .

Can you  please clarify how the request is caterigorized as Web auth and enforcing a endpoint attribute and Bouce the host port  ???

Hi Tim.

¿Is it planned to make an update for this document soon?

Regards

Have you managed to update the document by including IBNS 2.0?

Hello,

Any update on including Juniper EX switches in the document.

Thanks,

Yugandhar.