Network access control with Aruba ClearPass and Siemens Switch

  • 1.  Network access control with Aruba ClearPass and Siemens Switch

    Posted Jul 07, 2020 09:24 AM

    As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

    This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means that, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

    How to use MAC Authentication:

    Add ClearPass as RADIUS server on the Switch interface:
    On the Switch interface go to Security -> AAA -> RADIUS Client -> Create
    Add ClearPass with the following information: Auth. Server Type, Server Address, Server Port, Shared Secret

    Configure ports to be used by ClearPass:
    On the Switch interface go to Security -> AAA -> 802.1X Authenticator
    Select the ports which should be used by ClearPass

    Add Switch in ClearPass:
    In ClearPass go to Configuration -> Network -> Devices -> Add Switch
    with Name, IP Address and Shared Secret

    Create new Enforcement Policy:
    Configuration -> Enforcement Policies -> Add
    Add the following parameters:
    Enforcement Type = RADIUS
    Default Profile = Drop Access Profile
    Add 2 rules:
              Authorization failed -> Deny Access Profile
              Authorization succeeded -> Allow Access Profile

    Create new Service:
    Configuration -> Services -> Add
    Add the following parameters:
    Type = MAC Authentication
    Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username
    Authentication = Method Allow All MAC Auth, Source Endpoints Repository
    Authorization = Endpoints Repository
    Enforcement = Enforcement Policy created above

    See authorized and unauthorized devices:
    Configuration -> Identity -> Endpoints
    Set Status to Known if a device should be authorized, or add new devices

    MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

    Addition: MAC Authentication with VLAN assignment:

    VLAN Configuration on the Switch interface:
    On the Switch interface go to Layer 2 -> VLAN
    Assign the Uplink Port statically to a VLAN (VLAN10)

    Create new Enforcement Policy:
    Configuration -> Enforcement Policies -> Add
    Add the following parameters:
    Name = VLAN Enforcement
    Enforcement Type = RADIUS
    Default Profile = Deny Access Profile
    Add rules for VLAN assignment, for example:
              Authorization succeeded & Description = COTSPD -> VLAN 30 Enforcement

    Exchange this Enforcement Policy with the old one in the Service:
    Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab
    Select VLAN Enforcement

    Create Enforcement Profiles based on the Actions in the Rules of the Enforcement Policy:
    Configuration -> Enforcement -> Profiles -> Add
    Add the following parameters:
    Name = VLAN 30 Enforcement
    Type = RADIUS
    Action = Accept
              Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

    Devices are associated with the VLAN based on attributes:
    See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)
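The service conditions and the two enforcement policies from this post (the basic allow/deny policy and the VLAN policy keyed on the endpoint's Description attribute), modelled offline as an added example. This is not ClearPass code and not the poster's configuration; it assumes the Endpoints Repository is a dictionary keyed by normalised MAC, that a VLAN enforcement profile is sent as the IETF tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) plus the Avenda-Tag-Id = 0 attribute the post says is needed, and it uses constructed locally administered MAC addresses. It goes one step beyond the post by normalising the several MAC spellings switches put in User-Name and Calling-Station-Id before comparing them, which is where a "Client-MAC-Address equals Radius Username" condition usually fails in practice.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

NAS_PORT_TYPE_ETHERNET = 15   # RFC 2865 NAS-Port-Type value "Ethernet"
TUNNEL_TYPE_VLAN = 13         # RFC 3580 VLAN assignment attributes
TUNNEL_MEDIUM_IEEE_802 = 6

def normalize_mac(value: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if the string is not a MAC.
    Switches send aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff,
    so the "Client-MAC-Address equals User-Name" check cannot be plain string equality."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", value):
        return None
    digits = re.sub(r"[:.\-]", "", value)
    return digits.lower() if len(digits) == 12 else None

@dataclass
class Endpoint:
    """One row of Configuration -> Identity -> Endpoints (constructed data)."""
    status: str                                      # "Known" or "Unknown"
    attributes: dict = field(default_factory=dict)   # e.g. {"Description": "COTSPD"}

@dataclass
class Rule:
    """Enforcement-policy rule: authorization result plus optional endpoint
    attributes -> enforcement profile (vlan set for VLAN enforcement profiles)."""
    profile: str
    authorized: bool                                 # True = "Authorization succeeded"
    attributes: dict = field(default_factory=dict)
    vlan: Optional[int] = None

@dataclass
class Policy:
    default_profile: str   # applies when no rule matches
    rules: list            # evaluated in order, first match wins

def service_matches(request: dict) -> bool:
    """Service conditions from the post: NAS-Port-Type belongs to Ethernet and
    Client-MAC-Address (Calling-Station-Id) equals the RADIUS User-Name."""
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_ETHERNET:
        return False
    user = normalize_mac(str(request.get("User-Name", "")))
    client = normalize_mac(str(request.get("Calling-Station-Id", "")))
    return user is not None and user == client

def vlan_reply(vlan: int) -> dict:
    """Reply attributes of a VLAN enforcement profile: the IETF tunnel attributes
    plus the Avenda-Tag-Id = 0 attribute the post says the Siemens switch needs."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-Id": str(vlan), "Avenda-Tag-Id": 0}

def evaluate(request: dict, endpoints: dict, policy: Policy) -> tuple:
    """Return (profile, RADIUS result, reply attributes) for one Access-Request."""
    if not service_matches(request):
        return ("No matching service", "Access-Reject", {})
    endpoint = endpoints.get(normalize_mac(request["User-Name"]))
    authorized = endpoint is not None and endpoint.status == "Known"
    attrs = endpoint.attributes if endpoint else {}
    chosen, reply = policy.default_profile, {}
    for rule in policy.rules:
        if rule.authorized == authorized and all(attrs.get(k) == v for k, v in rule.attributes.items()):
            chosen = rule.profile
            reply = vlan_reply(rule.vlan) if rule.vlan is not None else {}
            break
    if chosen == "Deny Access Profile":
        return (chosen, "Access-Reject", {})
    if chosen == "Drop Access Profile":
        return (chosen, "No response", {})   # ClearPass drops the request silently
    return (chosen, "Access-Accept", reply)

# Policy from the "How to use MAC Authentication" section of the post
BASIC_POLICY = Policy("Drop Access Profile", [
    Rule("Deny Access Profile", authorized=False),
    Rule("Allow Access Profile", authorized=True)])

# Policy from the "MAC Authentication with VLAN assignment" section of the post
VLAN_POLICY = Policy("Deny Access Profile", [
    Rule("VLAN 30 Enforcement", authorized=True, attributes={"Description": "COTSPD"}, vlan=30)])

# Constructed endpoint repository (locally administered MACs, not real devices)
ENDPOINTS = {
    normalize_mac("02:00:00:00:00:01"): Endpoint("Known", {"Description": "COTSPD"}),
    normalize_mac("02-00-00-00-00-02"): Endpoint("Known"),
    normalize_mac("0200.0000.0003"): Endpoint("Unknown")}

def mac_auth_request(mac: str, user_name: Optional[str] = None,
                     port_type: int = NAS_PORT_TYPE_ETHERNET) -> dict:
    """Constructed Access-Request as a switch doing MAC authentication sends it."""
    return {"User-Name": mac if user_name is None else user_name, "Calling-Station-Id": mac,
            "NAS-Port-Type": port_type, "NAS-IP-Address": "192.0.2.10"}  # placeholder NAS

if __name__ == "__main__":
    for mac in ("02:00:00:00:00:01", "0200.0000.0002", "02:00:00:00:00:03", "02:00:00:00:00:04"):
        print(mac, evaluate(mac_auth_request(mac), ENDPOINTS, VLAN_POLICY),
              evaluate(mac_auth_request(mac), ENDPOINTS, BASIC_POLICY))
```

Running the script walks four constructed endpoints through both policies. The case worth checking before swapping the VLAN policy into the service is the Known endpoint without a matching Description: under the basic policy it gets Allow Access, under the VLAN policy it falls through to the default Deny Access Profile, so devices that were working before the change lose access until they carry the attribute the VLAN rule expects.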





  • 2.  RE: Network access control with Aruba ClearPass and Siemens Switch

    Posted Jul 07, 2020 07:35 PM

    Thank you Isabel,

    We're currently in the process {COVID did not help} of validating interoperability between a number of Siemens OT switching lines and ClearPass Policy Manager.

    We've completed our testing here for Scalance and had pretty much completed our testing with Ruggedcom for the 'basic' MAC-auth/profile use cases.

    What we had just started before the lock-down bit us was testing the interop with the Ruggedcom + APE with Nozomi and Fortinet. COVID has unfortunately stopped that validation in its tracks, but once we're back in the office we hope to restart that project.


  • 3.  RE: Network access control with Aruba ClearPass and Siemens Switch

    Posted 7 days ago

    Hi! Thank you so much for this helpful information.
    Do you have any idea how you can force the Siemens switch to fall back to a default VLAN once the device disconnects?

    Also, when the switch port starts with no VLAN config on an interface, as explained, it perfectly gets assigned a VLAN by ClearPass, but when I try shortly after that to change it back to another VLAN, it stays on the first assigned one?

    Cedric De Witte

  • 4.  RE: Network access control with Aruba ClearPass and Siemens Switch

    Posted 6 days ago

    Please identify the Siemens switching range in use + s/w version?

    Danny Jump
    "Passionate about CPPM"

  • 5.  RE: Network access control with Aruba ClearPass and Siemens Switch

    Posted 6 days ago

    Thanks for the reply!
    The s/w version is V04.01.00. Device type is SCALANCE XC216.
    Switch ranges are my VLANs, I guess?
    I have 4 VLANs uplinked on the switch: 2 is Management with ClearPass and the switch interface in it, and 3 & 4 are two separate VLANs.
    Ranges are 10.0.<vlanid>.0/24. 3 & 4 both have DHCP from the firewall. (This all works fine when I assign untagged manually.)

    The port fa0/2, on which I attached a client doing machine authentication, is configured for AAA; I also made this one, as 'start configuration', an access port with no untagged VLANs configured. On the first attempt ClearPass correctly assigned VLAN 3 untagged, but when I change this enforcement policy to assign VLAN 4, the port stays on 3 with authentication successful. So it doesn't change it anymore.

    On Aruba switches, the AAA ports always fall back to the default VLAN and the port is set every time ClearPass configures it after successful auth.

    Cedric De Witte