Security

last person joined: 4 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

Jump to Best Answer
This thread has been viewed 12 times
  • 1.  Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Jan 02, 2020 07:44 PM

    Please, I have searched but unable to come across 802.1x wired configuration setup for both user and machine authentication via CPPM. What I see is for 802.1x wireless. 

    We have CPPM (version 6.8) in our environment, and I want to setup 802.1x wired where users would use both their AD credentials as well as their domain-joined PCs to gain access to the network. The domain-joined PCs are in an OU in the AD which I want to use.

     

    At the moment, only user authentication works. As soon as I add a role mapping to the conditions under the Enforcement Policy for [machine authenticated], wired 802.1x fails. I'm using an ArubaOS 2920 (version 16.09) switch as well but I do not think my issue is at the switch level. I think I am missing something on CPPM.

     

    Lest I forget, I'm new to Aruba.

     

    Thanks for your help.



  • 2.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication
    Best Answer

    Posted Jan 03, 2020 04:23 AM

    The endpoint must have executed a 802.1x Wired machine authentication sucessfully, It then receives the mark [machine authenticated]

     

    After that you can use the role [machine authenitcated] during your user authentication.

     

    Have you enabled cached roles in your 802.1x enforcement?

     



  • 3.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Jan 27, 2020 03:35 PM

    Thanks Fabian Klaring, 

    It worked successfully. I used both the roles [machine authenticated] and another user role which I created that is mapped to the group in the AD; all for user authentication.

     

    But please I just want to understand the essence of enabling cached roles. I actually did it but honestly, I cannot defend the reason why I did it.



  • 4.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Jan 28, 2020 03:05 AM

    You are performing 2 seperate 802.1X authentications (user and computer).

     

    When your machine authentication is successfull, the result is stored (cached) within clearpass for a default period of 24 hours, you can adjust this time in the service paramaters.

     

    Next, you will perform a user authentication, but you need the previous result of the machine auth which is stored in clearpass cache, and combine the 2 results of both machine and user authentication.

     

    This is basicly just some clearpass intelligence of combing 2 seperate auth's into 1 policy.



  • 5.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Feb 10, 2020 06:17 PM

    Thanks Fabian Klaring for the clarification.

     

    Another challenge: I tried testing BYOD and Guest wired. The objective is to allow employees connect with a BYOD laptop to an ArubaOS switch port and be presented with a captive portal to enter their AD username and password; and if successfully authenticated, they gain Internet access only.

     

    Also, a guest should be able to connect his/her laptop to a switch port and be redirected to a captive portal as well for guest user account authentication. Should a guest user account exists, only Internet access is granted; else, the guest can register via the captive portal to get sponsored by an employee.

     

    On the ArubaOS switch, I configured 2 local user roles - one that maps to a captive-portal profile for redirect to CPPM, and the other one that maps a policy for Internet access only.  See details below.

     

    class ipv4 "DNS"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    exit
    class ipv4 "DHCP"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    exit
    class ipv4 "INTERNAL"
    10 match ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
    exit
    class ipv4 "IP-ANY-ANY"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    class ipv4 "WEB-TRAFFIC"
    10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
    exit
    class ipv4 "CLEARPASS-WEB"
    10 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 80
    20 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 443
    exit

    policy user "BYOD_GUEST_WIRED"
    10 class ipv4 "DNS" action permit
    20 class ipv4 "DHCP" action permit
    30 class ipv4 "INTERNAL" action deny
    40 class ipv4 "IP-ANY-ANY" action permit
    exit
    policy user "CLEARPASS-REDIRECT"
    10 class ipv4 "DNS" action permit
    20 class ipv4 "DHCP" action permit
    30 class ipv4 "CLEARPASS-WEB" action permit
    40 class ipv4 "WEB-TRAFFIC" action redirect captive-portal

    aaa authorization user-role enable
    aaa authentication port-access eap-radius
    aaa authentication captive-portal enable
    aaa port-access authenticator 18-20
    aaa port-access authenticator 18 client-limit 2
    aaa port-access authenticator 19 client-limit 2
    aaa port-access authenticator 20 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 18-20
    aaa port-access mac-based 18 addr-limit 2
    aaa port-access mac-based 19 addr-limit 2
    aaa port-access mac-based 20 addr-limit 2

    aaa authorization user-role name "Wired_BYOD_Guest"
    policy "BYOD_GUEST_WIRED"
    reauth-period 21600
    vlan-id 247
    exit
    aaa authorization user-role name "Wired_BYOD_Guest_Profile"
    captive-portal-profile "use-radius-vsa"
    policy "CLEARPASS-REDIRECT"
    vlan-id 247
    exit
    radius-server host 10.100.1.44 encrypted-key "xxxxxxxxxx"
    radius-server host 10.100.1.44 dyn-authorization
    radius-server host 10.100.1.44 time-window plus-or-minus-time-window
    radius-server host 10.100.1.44 time-window 0


    ip source-interface radius vlan 144

    vlan 247
    name "BYOD_Guest_VLAN"
    untagged 18-20
    tagged 24
    ip address 192.168.10.2 255.255.255.0
    exit

     

    interface 18-20
    untagged vlan 247
    aaa port-access authenticator
    aaa port-access authenticator client-limit 2
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    exit

    -------------------------------------------------------------------------

    BYOD wired test worked fine. I have 3 services on CPPM - MAC Auth, 802.1x, and WEBAUTH. However, its successful test created an issue for domain-joined PCs/laptops undergoing machine authentication. Right now, a domain-join PC matches both MAC Auth and 802.1x service at the same time, and this makes the domain-PC and even the IP Phones to get stuck at the captive portal page under VLAN 247.

     

    Is there a way to force domain-join PCs out of MAC Auth to match the 802.1x service only. The PCs use Windows supplicant and the authentication method for the 802.1x service is EAP-PEAP and EAP-MSCHAPv2.

     

    I appreciate any advice for best practices in this kind of scenarios. 

     

     

     



  • 6.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Feb 11, 2020 10:02 AM

    Traditionally with Procurve switches they generated the 802.1X and MAC-Auth at a very similar time - where the 802.1X Accept takes precedence over a MAC-Auth Accept which takes precedence over a Reject.

    With 16.04 (?) we introduced the concept of order and priority - using the following commands:

    aaa port-access 1-5 auth-order authenticator mac-based

    aaa port-access 1-5 auth-priority authenticator mac-based

    This will preference 802.1X over MAC-Auth.



  • 7.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Feb 12, 2020 01:12 PM

    Thanks dmellor,

     

    Unfortunately, I'm using a 2920 switch and this command is not recognized on it. 



  • 8.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Feb 13, 2020 06:16 AM
      |   view attached

    DI, Some time ago I put this presentation together. Have a look at slides 115-124 - there might be something of interest.

    There's loads more in this presentation...

    This is not an official document so it might have mistakes - treat with care. Any suggestions/feedback welcome.

    Attachment(s)



  • 9.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Jan 03, 2020 04:37 AM

    Are you using right 802.11x wired sevices in CPPM, in service type NAS Port Type should be Ethernet (15)

     

    1.Radius:IETFNAS-Port-TypeEQUALSEthernet (15)
    2.Radius:IETFService-TypeBELONGS_TOLogin-User (1), Framed-User (2), Authenticate-Only (8)

    If request is coming but authentcation is failing then check access tracker >Alert section for more detials.

     

    If you are tyring to authenticate Windows clients using machine authentcaiton aswell then make sure set authentication mode to user or computer authentication.

    Capture.PNG

     

    Link provides CPPM technical doucments

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx