Security

last person joined: 4 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

Jump to Best Answer
  • 1.  Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

    Posted Aug 27, 2013 10:37 AM

    The second of my Clearpass howtos outlines the steps to authenticate an Aruba Controller via RADIUS with Clearpass. As before, I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.


    Here are the steps necessary for an Aruba Controller running 6.3.0.1 to authenticate to Clearpass 6.2 via RADIUS.

    Aruba Controller:

    I'm lifting the next 3 set of steps from the "Aruba Wireless and Clearpass 6 Integration Guide 1.3." That guide is awesome and I recommend checking it out.

     

    Configure Clearpass as a Radius server on the Aruba Controller

     

    1. Configuration > Security > Authentication > Servers > RADIUS Server
    2. Enter a name for the new server in the text box.
    3. Click "Add" to create the RADIUS server.
    4. Click on the newly created RADIUS server and enter the following information:
       i. Enter the IP address under "Host"
       ii. Enter and verify the RADIUS Shared Key in the "Key" fields
    5. Click "Apply" at the bottom of the page.

     

    Configure Clearpass as an RFC3576 server on the Aruba controller

     

    1. Configuration > Security > Authentication > Servers > RFC 3576 server
    2. Enter an IP address in the text box. This IP address should be the same as your Clearpass server.
    3. Click "Add" to create the RFC 3576 Server.
    4. Click on the newly created RFC 3576 Server and enter and verify the RADIUS Shared Key in the "Key" fields.
    5. Click "Apply" at the bottom of the page.

     

    Create a Clearpass Server group

     

    1. Configuration > Security > Authentication > Servers > Server Group
    2. Enter "Clearpass" for the new Server Group in the text box.
    3. Click "Add" to create the Clearpass RADIUS Server Group.
    4. Click on the newly created Clearpass RADIUS Server Group.
    5. Under Servers, click the "New" button
    6. Under Server name, select the Clearpass Server that you created above.
    7. Click the "Add Server" button.
    8. Click "Apply" at the bottom of the page.


    Configure the Controller Management in the GUI:

    1. Configuration > Management > Administration > Server Group > Select the Server Group that contains Clearpass.
    2. Configuration > Management > Administration > Management Authentication Servers:
       i. Select "no-access" for the Default Role.
       ii. Check "Enable"
       iii. Check "MSCHAPv2"
    3. Click "Apply"
    4. Click "Save Configuration"

     

    Optional - Remove the check from "Allow Local Authentication" to force all controller authentications to go through Clearpass. This will effectively cancel out the local "admin" account. This should only be checked once you're completely happy with the entire procedure.

     

    5. Click "Add"

    Here's what the CLI code looks like:

    aaa authentication mgmt
       default-role "no-access"
       server-group "Clearpass"
       enable
       mschapv2
    !

     

    Optional - to remove all local authentication enter the following in the CLI:

     

    mgmt-user localauth-disable

    ====

     

    Clearpass:

    Add the Aruba Controller as a network device to Clearpass:

    1. Configuration > Network > Device
    2. Add the Aruba Controller's IP in the "IP or Subnet Address"
    3. Enter the "RADIUS Shared Secret" that was defined above.
    4. Select "Vendor Name:" of "Aruba"
    5. Optional: Enter the following on the "SNMP Read Settings":
       i. Check "Enable..." under "Allow SNMP Read:"
       ii. Enter the appropriate "Community String"
       iii. Check "Always read info..." under "Force Read:"
       iv. Check "Read ARP table..." under "Read ARP Table Info"
    6. Click "Save"

    Add the Aruba Controller to a Device Group:

    I use device groups for everything in Clearpass. This step can be optional, it's just my personal preference.

    1. Configuration > Network > Device groups
    2. Select "Add Device Group"
    3. Fill in the "Name" as "Aruba Wireless"
    4. Select "List" under "Format"
    5. Under the "List", move the Aruba Controller IP from the "Available Devices" to "Selected Devices"
    6. Click "Save"

    Create an Aruba Controller Enforcement Profile:

    1. Configuration > Enforcement > Profiles
    2. Click "Add Enforcement Profile"
    3. Select "Aruba RADIUS Enforcement" as the Template
    4. Provide a name, "Aruba Controller"
    5. Make sure that "Accept" is set under "Action"
    6. Under Attributes:
       i. Type - "Radius:Aruba"
       ii. Name - "Aruba-Admin-Role (4)"
       iii. Value - "root"

    Optional - this next line in the policy can be used to allow a root user to SSH directly into enable mode on the controller. I just found out about this last week and I've been rocking it out ever since! (Thanks, Phil!)
     

       i. Type - "Radius:Aruba"
       ii. Name - "Aruba-Priv-Admin-User (3)"
       iii. Value - "1"

     

    7. Finally, click "Save"

    The returned role values correspond to the Aruba roles that are defined on page 939-942 in the 6.3 ArubaOS User Guide.

    Create an Aruba Controller Enforcement Policy:

    1. Configuration > Enforcement > Policies
    2. Click "Add Enforcement Policy"
    3. Under "Enforcement", provide a name, "Aruba Controller Login Enforcement Policy"
    4. Verify that RADIUS is the "Enforcement Type"
    5. Select "[Deny Access Profile] for the "Default Profile
    6. Select "Rules" and click "Add Rule"
    7. Mine looks like this:
       i. Type - Tips
       ii. Name - Role
       iii. Operator - EQUALS
       iv. Aruba-Admins
    8. Enforcement Profiles > "Profile Names" > "[RADIUS] Aruba Controller"
    9. Click "Save"

    Create an Aruba Controller Login Service:

    1. Configuration > Services
    2. Click "Add Service"
    3. Select "Type" of "RADIUS Enforcement ( Generic )"
    4. Provide a name for the service, "Aruba Controller Logins"
    5. Under "Service Rule" enter the following:
       i. Type - Connection
       ii. Name - "NAD-IP-Address"
       iii. Operator - "BELONGS_TO_GROUP"
       iv. Value - "Aruba Wireless"
    6. Under Authentication:
       i. Authentication Methods - MSCHAP, PAP
       ii. Authentication Sources - <your AD>
    7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
       i. Type - Authorization:Windows-2012
       ii. Name - memberOf
       iii. Operator - EQUALS
       iv. Value - CN=Aruba-Admins,CN=Users,DC=top,DC=local
       v. Actions > "Role Name" > "Aruba Admins"
    8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Aruba Controller Login Enforcement Policy"
    9. Click "Save"

    You now should be able to log into the wireless controllers on the GUI and the CLI with your AD credentials via RADIUS. The above configuration will also allow you to perform AAA tests in the controller GUI under Diagnostics > AAA Test Server. You can verify that things are working by attempting by performing a AAA test or by logging into the wireless controller and viewing the results in Clearpass' Access Tracker found under Monitoring.

    Let me know what you think and if it works out for you.

    -Mike



  • 2.  RE: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

    Posted Aug 27, 2013 10:08 PM

    Excellent work Sir!

    May I recommend as a follow-on searching the Knowledge Base for 'For the Beginner - Configuring Clearpass for User Role assignments to the Aruba Controller' to exercise creating incoming user authentications to CPPM Roles and controller User Roles to build on your work.



  • 3.  RE: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

    Posted Mar 11, 2014 02:38 PM
      |   view attached

    I get a java error at this point

     

    Create an Aruba Controller Login Service:

    1. Configuration > Services
    2. Click "Add Service"
    3. Select "Type" of "RADIUS Enforcement ( Generic )"
    4. Provide a name for the service, "Aruba Controller Logins"
    5. Under "Service Rule" enter the following:
       i. Type - Connection
       ii. Name - "NAD-IP-Address"
       iii. Operator - "BELONGS_TO_GROUP"(this is where it throws an error)
       iv. Value - "Aruba Wireless"

     

    tried on diff browsers, computers, rebooted server, etc.. see attached for error



  • 4.  RE: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

    Posted Mar 12, 2014 04:06 PM

    make sure you are running the latest patch on 6.2 or 6.3. I also have seen that issue with cached info in the browers. Clear your cache and see if that helps



  • 5.  RE: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

    Posted Mar 20, 2014 03:35 PM

    @RR8 wrote:

    I get a java error at this point

     

    Create an Aruba Controller Login Service:

    1. Configuration > Services
    2. Click "Add Service"
    3. Select "Type" of "RADIUS Enforcement ( Generic )"
    4. Provide a name for the service, "Aruba Controller Logins"
    5. Under "Service Rule" enter the following:
       i. Type - Connection
       ii. Name - "NAD-IP-Address"
       iii. Operator - "BELONGS_TO_GROUP"(this is where it throws an error)
       iv. Value - "Aruba Wireless"

     

    tried on diff browsers, computers, rebooted server, etc.. see attached for error


     

    I get the exact same error.  Were you able to get past this?  Thanks

     



  • 6.  RE: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

    Posted Mar 20, 2014 03:58 PM

    yes, just export the service.. modify the XML manually and then reimport.  works like a charm :)



  • 7.  RE: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS
    Best Answer

    Posted Apr 02, 2014 03:22 AM
    That worked. Thanks.
    ------------------------------------------------------------
    The information transmitted is intended only for the person
    or entity to which it is addressed and may contain
    proprietary, business-confidential and/or privileged material.
    If you are not the intended recipient of this message you are
    hereby notified that any use, review, retransmission, dissemination,
    distribution, reproduction or any action taken in reliance upon
    this message is prohibited. If you received this in error, please
    contact the sender and delete the material from any computer.

    Any views expressed in this message are those of the individual
    sender and may not necessarily reflect the views of the company.
    ------------------------------------------------------------


  • 8.  RE: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS

    Posted Jan 23, 2019 08:21 AM

    That's an awesome explaination Boston, thanks a lot!

    The only difference I made on your scenerio is to disable mschapv2 under Mgmt Auth Servers on controller. Because if I enable it, client cannot be authenticated even if mschap is added as authentication method on cppm. So I disable this option and could be authenticated with PAP sucsessfully.