Security

last person joined: 7 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Switch Configuration

Jump to Best Answer
  • 1.  ClearPass Switch Configuration

    Posted Dec 20, 2018 05:41 PM

    I haven't seen too many switch configurations for doing ClearPass Wired authentication outside of HPE and Cisco switches so thought I'd start some here. 

     



  • 2.  RE: ClearPass Switch Configuration

    Posted Dec 20, 2018 05:49 PM

    ClearPass Integration Switch Configuration for Extreme Networks 460-G2 but should work with most any of the G2 switches and likely the G3s:

     

    TACACS Admin Access

     

     

    configure tacacs primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default
    configure tacacs primary shared-secret <TACACS+ SECRET>
    enable tacacs
    enable tacacs-accounting
    enable tacacs-authorization

     

     

    Reference:

    https://community.extremenetworks.com/extreme/topics/tacacs-configuration

     

    Configure ClearPass RADIUS Server

     

    configure radius netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>
    configure radius-accounting netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>

     

    Setup 802.1x and MAC Auth

     

     

    create vlan nt_login
    configure netlogin vlan nt_login
    enable netlogin dot1x mac 
    configure netlogin mac authentication database-order radius
    configure netlogin authentication protocol-order mac dot1x 
    configure netlogin add mac-list default
    configure netlogin dot1x timers quiet-period 15
    configure netlogin dot1x timers supp-resp-timeout 15
     configure netlogin dot1x timers server-timeout 20

     

     

    Enable Port Authentication

     

     

    configure netlogin ports <access-ports> mode port-based-vlans
    enable netlogin ports <access-ports> dot1x mac
    configure netlogin ports <access-ports> allowed-users 3 
    configure netlogin ports <access-ports> restart

     

     

     

     

    Voice:

    Adding in Voice VLAN

     

    create vlan Voice tag <VOIP vlan ID> vr VR-Default description "Voice VLAN for Phones"
    configure vlan Voice add ports <access-ports> tagged
    
    enable lldp ports <access-ports>
    configure lldp port <access-ports> advertise vendor-specific dot1 vlan-name vlan <VOIP vlan>
    configure lldp port <access-ports> advertise vendor-specific med power-via-mdi
    configure lldp port<access-ports> advertise vendor-specific med policy application voice vlan <VOIP vlan> dscp 46
    Configure lldp port <access-ports> advertise system-capabilities
    Configure lldp port <access-ports> advertise vendor-specific dot1 port-protocol-vlan-id vlan <VOIP vlan>

     

     

    Auth Failure VLAN

     

     

    configure netlogin authentication failure vlan <Guest-VLAN>
    configure netlogin ports <access-ports> mode mac-based-vlans
    enable netlogin authentication failure vlan ports <Accesss-ports>

     

    Web Authentication / External Captive Portal

    Layering in External Captive Portal

     

    configure vlan nt_login ipaddress 10.x.x.1 255.255.255.0
    configure dns-client add name-server <CPPM VIP> vr VR-Default
    configure dns-client add domain-suffix <DNS Suffix>
    configure vlan nt_login dhcp-address-range 10.x.x.10 - 10.0.100.250
    configure vlan nt_login dhcp-options default-gateway 10.x.x.1
    disable netlogin logout-privilege
    
    configure netlogin base-url "<ClearPass URL>/guest/<GuestPageName>.php?mac=%{Connection:Client-Mac-Address}"
    
    configure netlogin web-based authentication database-order radius
    
    configure netlogin authentication protocol-order mac dot1x web-based
    enable netlogin dot1x mac web-based
    
    enable netlogin ports <access-ports> dot1x mac web-based
     

     

     

    References:
    https://community.extremenetworks.com/extreme/topics/web_based_authentication_problem-1kp2qk
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-netlogin-dot1x-via-policy-manager-in-exos
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-Radius

     



  • 3.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 07:44 AM

     

    For the Extreme, did you have to do anything special other than what you have here?  I can't get the webportal to show up on the re-direct.  



  • 4.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 08:49 AM

    Victor actually came up with the solution for this:

    https://community.arubanetworks.com/t5/user/viewprofilepage/user-id/9462 

     

    SWITCH CONFIGURATION

    configure policy captive-portal web-redirect 1 server 1 url https://ClearPassVIP.fqdn.com/guest/YourGuestPageName.php enable ----> Defines the URL

    configure policy profile 1 name "GUEST-LOGON-ROLE" pvid-status "enable" pvid 0 cos 4 web-redirect 1 ----> Captive Portal Role

    configure policy profile 2 name "GUEST-ROLE" pvid-status "enable" pvid 4095----> Final Guest Role

    configure policy rule 1 udpdestportIP 53 mask 16 forward ----> Allows DNS

    configure policy rule 1 udpdestportIP 67 mask 16 forward ----> Allows DHCP

    configure policy rule 1 tcpdestportIP 80 mask 16 forward ----> Allows HTTP

    configure policy rule 1 tcpdestportIP 443 mask 16 forward ----> Allows HTTPs

    configure policy rule 1 ether 0x0806 mask 16 forward----> Allows ARP

    configure policy captive-portal listening 80 ----> Forces Redirect on port 80

    configure policy captive-portal listening 8080 ----> Forces Redirect on port 8080

    configure policy captive-portal listening 443 ----> Forces Redirect on port 443

    enable policy ----> Enables the capability on the switch to do policy

     

     

     

     

     

     



  • 5.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 09:36 AM

    Here you go:

     
     
     

    EXTREME SWITCH CONFIGURATION 

    ********ENABLE GLOBAL RADIUS AUTH***********

    configure radius netlogin 1 server <CPPM-1_IP> 1812 client-ip <SWITCH-MGMT-IP> vr VR-Default

    configure radius netlogin 2 server <CPPM-2_IP> 1812 client-ip <SWITCH-MGMT-IP> vr VR-Default

    configure radius 1 shared-secret "<RADIUS-SHARED-KEY>"

    configure radius 2 shared-secret "<RADIUS-SHARED-KEY>"

    client-ip <SWITCH-MGMT-IP> vr VR-Default

    create vlan NETLOGIN-VLAN 
    configure netlogin vlan NETLOGIN-VLAN

    enable radius netlogin

    configure radius timeout 5

    configure radius netlogin timeout 5

    enable netlogin dot1x mac

    configure netlogin mac authentication database-order radius

    configure netlogin authentication protocol-order dot1x mac

    disable netlogin logout-privilege

    disable netlogin session-refresh

    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

    configure netlogin mac timers reauth-period 86400

    configure policy vlanauthorization enable ---> Allows dynamic VLAN creation from RADIUS attributes
    configure policy maptable response both ---> Accept both filter ID and RADIUS attributes for policy mapping

     

    ***********ENABLE RADIUS ACCOUNTING*************

    configure radius-accounting netlogin primary server <CPPM-1_IP> 1813 client-ip <SWITCH-MGMT-IP> vr VR-Default

    configure radius-accounting netlogin primary shared-secret "<RADIUS-SHARED-KEY>"

    configure radius-accounting netlogin primary server <CPPM-2_IP> 1813 client-ip <SWITCH-MGMT-IP> vr VR-Default

    configure radius-accounting netlogin primary shared-secret "<RADIUS-SHARED-KEY>"

    enable radius-accounting netlogin

     

    ***********ENABLE RADIUS COA**************

    configure radius dynamic-authorization 1 server <CPPM-1_IP> client-ip <SWITCH-MGMT-IP> vr VR-Default shared-secret "<RADIUS-SHARED-KEY>"

    configure radius dynamic-authorization 2 server <CPPM-2_IP> client-ip <SWITCH-MGMT-IP> vr VR-Default shared-secret "<RADIUS-SHARED-KEY>"

    enable radius dynamic-authorization

     

    *****ENABLE RADIUS (802.1X/MAC) AUTH ON PORT********

    enable netlogin ports <PORT-LIST> dot1x mac 

    configure netlogin mac ports <PORT-LIST> timers reauth-period 86400 reauthentication on

    configure netlogin dot1x ports <PORT-LIST> timers server-timeout 10 reauth-period 84600

     

    ****ENABLE POLICY FOR CAPTIVE PORTAL AUTH*********

    Enable Extreme Policy.png

     

    CLEARPASS CONFIGURATION 

    ***COA PROFILE*****

    ClearPass CoA.png

    ****ENFORCEMENT PROFILE TO RETURN ROLE/POLICY*****

    Captive Portal Role

    Final / Full Access Role

    After the user performs captive portal authentication, assuming the authentication is successful, we will need to send the REGISTERED-ROLE, COA and add the mac caching information/attribute to the endpoint db. The CoA will force the device to re-authenticate and we will use the endpoint db mac caching attributes to provide the device access to the network  

    *****WEB-LOGIN CONFIGURATION (LOGIN PAGE)******

    To give time for the re-authentication to happen , we need add 20 seconds 

    Web Login Page.png

    Web Login Page 2.png

    We also need to change the CoA from 2 to 5 seconds

     

    **********WEB-AUTH SERVICE*********

    ClearPass Web Auth Service 2.png

    **********FLOWCHART**********

     

    Workflow.png



  • 6.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 09:57 AM
    Hi,

    Thanks very much for this. However, what I don't see (and it's more than likley me) is where do you specify the clearpass url?

    Here is a sample of the output from a show config

    configure netlogin vlan temp
    enable netlogin dot1x mac web-based
    configure netlogin agingtime 1
    configure netlogin web-based authentication database-order radius
    configure netlogin authentication protocol-order dot1x mac web-based
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    configure netlogin mac timers reauth-period 60
    enable netlogin ports 1 dot1x
    enable netlogin ports 1 web-based
    configure netlogin dot1x ports 1 timers quiet-period 15 supp-resp-timeout 2



    disable netlogin logout-privilege
    disable netlogin session-refresh
    configure netlogin base-url "cppm-vip/guest/wired_main.php"
    configure netlogin redirect-page "https://ukaea.uk"
    configure netlogin ports 1 mode mac-based-vlans
    Press to continue or to quit:c


    Thanks



    [UKAEA Logo]



    Jody Green

    Computer Network Engineer

    United Kingdom Atomic Energy Authority

    Culham Science Centre, Abingdon, OX14 3DB, UK

    Tel. +44 (0)1235 464909

    Mob. +44 (0) 7966223052

    Email: jody.green@ukaea.uk

    [cid:08a46d67-6d37-4168-951c-518b3ee64b75][cid:b7d6dd8c-0fae-4a38-a2fd-b2b4e92e6201][cid:a554a472-4b3b-4425-8590-8b2e988313bf] [cid:c528af8d-2fc2-4340-bcef-5d5d282bb084] [cid:14fa7902-17a7-4380-9096-c90b075ea5ee]

    The content of this email is confidential and intended for the recipient specified in the message only. It is forbidden to share any part of this message with any third party, without the written consent of the sender. If you received this message by mistake, please reply to this message and then delete it, so that we can ensure it does not occur in the future.


  • 7.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 10:35 AM
    Forgot to add that part, just updated the post


  • 8.  RE: ClearPass Switch Configuration

    Posted Jan 08, 2019 04:01 PM

    For Captive Portal to work you must be running at least 15.1R6S3, for Juniper Port Bounce (Needed if you're going to do CoA with a different VLAN/Subnet) to work you must be running at least 17.3R1 

     

    Check the JTAC recommended release here

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476 

     

    Also Check Out the fine ASE solution here: 

    https://ase.arubanetworks.com/solutions/id/97 

     

     

     TACACS+ Admin Access

     

    Create Login Class

     

    set system login class su-with-timeout idle-timeout 30
    set system login class su-with-timeout permissions all
    
    
    

     Create remote User

     

     

    set system login user <TACACS Username> uid 1111
    set system login user <TACACS Username> class su-with-timeout

     

    Setup NTP

     

    set system ntp boot-server <Your NTP1>
    set system ntp server <Your NTP1> version 3
    set system ntp server <Your NTP1> prefer
    set system ntp server <Your NTP2> version 3

     

     

    Set the Server

     

    set system tacplus-server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret> 
    set system tacplus-server <CPPM-VIP-IP-Address> source-address <IRB IP> 
    set system tacplus-server <CPPM-VIP-IP-Address> timeout 30
    set system authentication-order [ tacplus password ]

     TACACS accounting

     

     

    set system accounting events [ change-log  login ]
    set system accounting destination tacplus server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret>  timeout 30 
    set system accounting destination tacplus server <CPPM-VIP-IP-Address>  source-address <IRB IP> 

     

     

    Reference: 

    https://www.juniper.net/documentation/en_US/junos/topics/concept/access-privileges-levels-overview.html

     

     

    RADIUS Port Authentication

     

    ClearPass service assumes the default port configuration is configured for the authenticated user VLAN

     

    delete interfaces ge-0/0/x unit 0 family ethernet-switching vlan members 
    set interfaces ge-0/0/x unit 0 family ethernet-switching vlan members <Default VLAN>

     

     

    Enable HTTP and HTTPS services.

    These services must be enabled for URL redirection. Please ensure that you have proper firewall filters to block management access. 

     

    set system services web-management http
    set system services web-management https system-generated-certificate

    Setup NTP

    If you did not set up NTP with TACACS above please ensure NTP is properly configured. 

    set system ntp boot-server <Your NTP1>
    set system ntp server <Your NTP1> version 3
    set system ntp server <Your NTP1> prefer
    set system ntp server <Your NTP2> version 3

    Radius Server Configuration

    set access profile ClearPass_Auth radius authentication-server <CPPM-VIP-IP-Address>
    set access profile ClearPass_Auth accounting-order radius
    set access profile ClearPass_Auth authentication-order radius
    set access profile ClearPass_Auth radius accounting-server <CPPM-VIP-IP-Address>
    set access profile ClearPass_Auth radius options nas-identifier JuniperSwitch
    set access radius-options interim-rate 60

    DHCP Forwarding Options

    set forwarding-options dhcp-relay group DHCP_Relay interface <L3 Interfaces>
    set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM1-IP-Address>
    set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM2-IP-Address>

    Port Authentication (Dot1x/MAC)

    set protocols dot1x authenticator no-mac-table-binding
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant multiple
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius authentication-protocol pap

    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius flap-on-disconnect

    ASE Recommended Timers

     

    	set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all quiet-period 10
    	set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all transmit-period 5
    	set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all reauthentication 600
    	set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant-timeout 10
    	set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-timeout 5
    	set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all maximum-requests 3
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-fail use-cache

    Disable 802.1x (MAC Auth Only)

    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius restrict

     

    Firewall Filters

     

    Port ACL/Firewall filters can be passed back from ClearPass as a Filter-ID. 

     

    GuestUserFilter

     

    set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from destination-port 68
    set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from ip-protocol udp
    set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer then discard
    
    set firewall family ethernet-switching filter GuestUserFilter term ra-guard from icmp-type router-advertisement
    set firewall family ethernet-switching filter GuestUserFilter term ra-guard from icmp-type ip-protocol icmp6;
    set firewall family ethernet-switching filter GuestUserFilter term ra-guard then discard
    
    set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from ip-destination-address <IP Address>
    set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from destination-port [ <Ports Used> ]
    set firewall family ethernet-switching filter GuestUserFilter term <YourResource> then accept
    
    
    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from destination-port domain
    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS then accept
    
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 from ip-destination-address 10.0.0.0/8
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 then discard
    
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 from ip-destination-address 172.16.0.0/12
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 then discard
    
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 from ip-destination-address 192.168.0.0/16
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 then discard
    
    set firewall family ethernet-switching filter GuestUserFilter term AllowInternet then accept

     

    AuthorizedUserFilter

    set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from source-port 68
    set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from ip-protocol udp
    set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer then discard
    
    set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from icmp-type router-advertisement
    set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from icmp-type ip-protocol icmp6;
    set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard then discard
    
    set firewall family ethernet-switching filter AuthorizedUserFilter term term allowall then accept

    References:

     

    https://ase.arubanetworks.com/solutions/id/97 

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-authentication-configuring.html 

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-pnac-vsa-understanding.html 

     

    https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-159-aruba-device-profiling.pdf

     

    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html

     

    https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-157-aruba-dot1x-mac-configuring.pdf

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/central-web-authentication-configuring.html

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/authentication-captive-portal-els.html

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/authentication-process-flow-chart-ex-series-switches.html

     

    VoIP LLDP Med

    https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-voip-ex-series-configuring.html

     

     



  • 9.  RE: ClearPass Switch Configuration
    Best Answer

    Posted Jun 26, 2020 10:43 AM

    All, can you help me finding out with AP from Extreme Networks is equivalent to IAP 345  ( JZ 031A)  ? And wich switch from EXTREME NETWORKS is Equivalent to : SWITCH 2930M 48P.  (JL 323A).  Thanks