Please, I have searched but have been unable to come across an 802.1x wired configuration setup for both user and machine authentication via CPPM. What I see is for 802.1x wireless.
We have CPPM (version 6.8) in our environment, and I want to set up 802.1x wired where users would use both their AD credentials as well as their domain-joined PCs to gain access to the network. The domain-joined PCs are in an OU in the AD which I want to use.
At the moment, only user authentication works. As soon as I add a role mapping to the conditions under the Enforcement Policy for [machine authenticated], wired 802.1x fails. I'm using an ArubaOS 2920 (version 16.09) switch as well but I do not think my issue is at the switch level. I think I am missing something on CPPM.
Lest I forget, I'm new to Aruba.
Thanks for your help.
The endpoint must have executed an 802.1x wired machine authentication successfully; it then receives the mark [machine authenticated].
After that you can use the role [machine authenticated] during your user authentication.
Have you enabled cached roles in your 802.1x enforcement?
Thanks Fabian Klaring,
It worked successfully. I used both the roles [machine authenticated] and another user role which I created that is mapped to the group in the AD; all for user authentication.
But please I just want to understand the essence of enabling cached roles. I actually did it but honestly, I cannot defend the reason why I did it.
You are performing 2 separate 802.1X authentications (user and computer).
When your machine authentication is successful, the result is stored (cached) within ClearPass for a default period of 24 hours; you can adjust this time in the service parameters.
Next, you will perform a user authentication, but you need the previous result of the machine auth which is stored in the ClearPass cache, and combine the 2 results of both machine and user authentication.
This is basically just some ClearPass intelligence for combining 2 separate auths into 1 policy.
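To make the cached-role behaviour concrete, here is an added toy model (example code, not ClearPass's implementation) of the two-step flow described above: a machine authentication stores a [Machine Authenticated] result keyed by the endpoint's MAC with a 24-hour TTL, a later user authentication merges that cached result into its own roles, and an enforcement rule that requires both roles only matches while the cache entry is still valid. The class and function names (RoleCache, authenticate, enforce) and the sample identities, MACs and group names are all constructed for this illustration.

```python
"""Toy model of combining a cached machine-auth result with a user auth (added example)."""
from dataclasses import dataclass, field

# ClearPass caches the machine-auth result for 24 hours by default (adjustable in the service parameters).
MACHINE_AUTH_CACHE_TTL = 24 * 3600


@dataclass
class RoleCache:
    """Per-endpoint role cache: MAC address -> (roles, expiry timestamp)."""
    ttl_seconds: int = MACHINE_AUTH_CACHE_TTL
    _entries: dict = field(default_factory=dict)

    def store(self, mac: str, roles: set, now: float) -> None:
        self._entries[mac] = (set(roles), now + self.ttl_seconds)

    def lookup(self, mac: str, now: float) -> set:
        """Return cached roles for this MAC, or an empty set if absent or expired."""
        entry = self._entries.get(mac)
        if entry is None:
            return set()
        roles, expiry = entry
        if now >= expiry:
            del self._entries[mac]          # expired: behave as if machine auth never happened
            return set()
        return set(roles)


# Constructed sample directory data (hypothetical).
DOMAIN_COMPUTERS = {"PC01.corp.example"}       # computer objects in the chosen OU
EMPLOYEE_GROUP = {"alice"}                     # AD group mapped to the "Employee" role


def authenticate(cache: RoleCache, mac: str, identity: str, credential_ok: bool, now: float):
    """One 802.1X authentication. Returns (accepted, roles).

    A machine auth presents a host/ identity (e.g. host/PC01.corp.example); a user auth presents
    the AD username. Only the user auth consults the cache (that is what 'cached roles' enables).
    """
    if not credential_ok:
        return False, set()
    if identity.startswith("host/"):
        if identity[len("host/"):] not in DOMAIN_COMPUTERS:
            return False, set()
        roles = {"[Machine Authenticated]"}
        cache.store(mac, roles, now)          # remembered for later user auths from this MAC
        return True, roles
    roles = {"[User Authenticated]"}
    if identity in EMPLOYEE_GROUP:
        roles.add("Employee")
    roles |= cache.lookup(mac, now)           # merge the earlier machine-auth result, if still valid
    return True, roles


def enforce(roles: set) -> str:
    """Enforcement policy: full access only when BOTH machine and user roles are present."""
    if {"[Machine Authenticated]", "Employee"} <= roles:
        return "Corporate-VLAN"
    if "[User Authenticated]" in roles:
        return "Restricted"
    return "Deny"


def scenario():
    """Replay the three cases a practitioner will meet; returns the enforcement result of each."""
    cache = RoleCache()
    mac = "aa:bb:cc:dd:ee:01"
    # 1. User logs in on a PC that never did machine auth: user roles only.
    _, roles_no_machine = authenticate(cache, mac, "alice", True, now=0)
    # 2. Machine auth at boot, then user login 60 s later: roles are combined.
    authenticate(cache, mac, "host/PC01.corp.example", True, now=100)
    _, roles_combined = authenticate(cache, mac, "alice", True, now=160)
    # 3. Same PC, user login 25 h after the machine auth: cache entry has expired.
    _, roles_expired = authenticate(cache, mac, "alice", True, now=100 + 25 * 3600)
    return enforce(roles_no_machine), enforce(roles_combined), enforce(roles_expired)


if __name__ == "__main__":
    print(scenario())
```

The third case is worth noting: a PC that stays powered on and only reauthenticates the user after the machine-auth entry has aged out drops to the restricted result, which is why the cache lifetime is exposed as a service parameter.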
Thanks Fabian Klaring for the clarification.
Another challenge: I tried testing BYOD and Guest wired. The objective is to allow employees to connect with a BYOD laptop to an ArubaOS switch port and be presented with a captive portal to enter their AD username and password; and if successfully authenticated, they gain Internet access only.
Also, a guest should be able to connect his/her laptop to a switch port and be redirected to a captive portal as well for guest user account authentication. Should a guest user account exist, only Internet access is granted; else, the guest can register via the captive portal to get sponsored by an employee.
On the ArubaOS switch, I configured 2 local user roles - one that maps to a captive-portal profile for redirect to CPPM, and the other one that maps a policy for Internet access only. See details below.
class ipv4 "DNS"
  10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
  exit
class ipv4 "DHCP"
  10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
  exit
class ipv4 "INTERNAL"
  10 match ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
  exit
class ipv4 "IP-ANY-ANY"
  10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
  exit
class ipv4 "WEB-TRAFFIC"
  10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
  exit
class ipv4 "CLEARPASS-WEB"
  10 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 80
  20 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 443
  exit

policy user "BYOD_GUEST_WIRED"
  10 class ipv4 "DNS" action permit
  20 class ipv4 "DHCP" action permit
  30 class ipv4 "INTERNAL" action deny
  40 class ipv4 "IP-ANY-ANY" action permit
  exit
policy user "CLEARPASS-REDIRECT"
  10 class ipv4 "DNS" action permit
  20 class ipv4 "DHCP" action permit
  30 class ipv4 "CLEARPASS-WEB" action permit
  40 class ipv4 "WEB-TRAFFIC" action redirect captive-portal
  exit

aaa authorization user-role enable
aaa authentication port-access eap-radius
aaa authentication captive-portal enable
aaa port-access authenticator 18-20
aaa port-access authenticator 18 client-limit 2
aaa port-access authenticator 19 client-limit 2
aaa port-access authenticator 20 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 18-20
aaa port-access mac-based 18 addr-limit 2
aaa port-access mac-based 19 addr-limit 2
aaa port-access mac-based 20 addr-limit 2

aaa authorization user-role name "Wired_BYOD_Guest"
  policy "BYOD_GUEST_WIRED"
  reauth-period 21600
  vlan-id 247
  exit
aaa authorization user-role name "Wired_BYOD_Guest_Profile"
  captive-portal-profile "use-radius-vsa"
  policy "CLEARPASS-REDIRECT"
  vlan-id 247
  exit
radius-server host 10.100.1.44 encrypted-key "xxxxxxxxxx"
radius-server host 10.100.1.44 dyn-authorization
radius-server host 10.100.1.44 time-window plus-or-minus-time-window
radius-server host 10.100.1.44 time-window 0

ip source-interface radius vlan 144

vlan 247
  name "BYOD_Guest_VLAN"
  untagged 18-20
  tagged 24
  ip address 192.168.10.2 255.255.255.0
  exit

interface 18-20
  untagged vlan 247
  aaa port-access authenticator
  aaa port-access authenticator client-limit 2
  aaa port-access mac-based
  aaa port-access mac-based addr-limit 2
  exit
The BYOD wired test worked fine. I have 3 services on CPPM - MAC Auth, 802.1x, and WEBAUTH. However, its successful test created an issue for domain-joined PCs/laptops undergoing machine authentication. Right now, a domain-joined PC matches both the MAC Auth and 802.1x services at the same time, and this makes the domain PC and even the IP phones get stuck at the captive portal page under VLAN 247.
Is there a way to force domain-joined PCs out of MAC Auth to match the 802.1x service only? The PCs use the Windows supplicant and the authentication methods for the 802.1x service are EAP-PEAP and EAP-MSCHAPv2.
I appreciate any advice on best practices for this kind of scenario.
Traditionally, ProCurve switches generated the 802.1X and MAC-Auth requests at a very similar time, where an 802.1X Accept takes precedence over a MAC-Auth Accept, which takes precedence over a Reject.
With 16.04 (?) we introduced the concept of order and priority, using the following commands:
aaa port-access 1-5 auth-order authenticator mac-based
aaa port-access 1-5 auth-priority authenticator mac-based
This will prefer 802.1X over MAC-Auth.
Unfortunately, I'm using a 2920 switch and this command is not recognized on it.
DI, some time ago I put this presentation together. Have a look at slides 115-124 - there might be something of interest.
There's loads more in this presentation...
This is not an official document, so it might have mistakes - treat with care. Any suggestions/feedback welcome.
Are you using the right 802.1x wired services in CPPM? In the service type, NAS Port Type should be Ethernet (15).
If the request is coming in but authentication is failing, then check Access Tracker > Alert section for more details.
If you are trying to authenticate Windows clients using machine authentication as well, then make sure to set the authentication mode to user or computer authentication.
The link provides CPPM technical documents.