Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Switch authentication

  • 1.  Switch authentication

    Posted Dec 02, 2013 10:23 AM

    I am needing to configure Clearpass to authenticate users for switch access (logging on the switch) using RADIUS. Can someone point me to a document showing how to configure Clearpass to accomplish this?

    Thank you!



  • 2.  RE: Switch authentication

    Posted Dec 02, 2013 10:30 AM

    Which switch?



  • 3.  RE: Switch authentication

    Posted Dec 02, 2013 10:39 AM

    The switches will be Brocade and Avaya.

    Thank you,



  • 4.  RE: Switch authentication

    Posted Dec 02, 2013 11:11 AM

    You can create a generic RADIUS service and look for authentications coming from those NAS IPs.  I would place this service towards the end of your services list so it won't step on any other services you have enabled.  

     

    In terms of then running through the service, select the auth methods used by Avaya and Brocade (most likely PAP and MSCHAP) and then the auth source (AD or admin user repository) and test with the default enforcement policy named "Sample Allow Access Policy"

     

    Once you have that working, you can layer in more restrictive access based on AD memberof or other parameters.



  • 5.  RE: Switch authentication

    Posted Dec 02, 2013 11:24 AM

    Do you have a document showing how to configure this? I don’t have much experience with Clearpass…

    Thank you!



  • 6.  RE: Switch authentication

    Posted Dec 02, 2013 12:33 PM

    Please find below link for step by step doc to explain you about clear pass and controller integration. let us know if you have any queries or questions on the same.

     

    http://community.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/220/2/Aruba%20Wireless%20and%20ClearPass%206%20Integration%20Guide%20v1.3.pdf

     

    Thank you



  • 7.  RE: Switch authentication

    Posted Dec 02, 2013 12:58 PM

    I am needing a configuration doc show how to configure Clearpass to do RADIUS authentication to allow access to a network switch. I am going to be using Brocade and Avaya, but a document using Cisco (or any other vendor) would be great.
    Thank you,

     



  • 8.  RE: Switch authentication

    Posted Dec 02, 2013 01:38 PM

    The documents for those vendors should be found at their respective support or documentation sites.  



  • 9.  RE: Switch authentication

    Posted Dec 02, 2013 01:45 PM

    I am just looking for the Clearpass relevant configuration to accomplish what I need to do. Which is to authenticate a user who is trying to logon to a network switch using RADIUS.

     

    I have the individual switch configurations already.

    Thank you,



  • 10.  RE: Switch authentication

    Posted Dec 02, 2013 01:49 PM

    Got it...so...in the Configuration --> Start here screen, click RADIUS Enforcement Generic towards the bottom of the list.

     

    For the services tab, here is my output:

     

    Screen Shot 2013-12-02 at 1.46.05 PM.png

     

    Then, on the Authentication Tab, here is a screen shot:

     

    Screen Shot 2013-12-02 at 1.46.12 PM.png

     

    You can add AD as the auth source here.

     

    Finally, on the Enforcement Tab (skip Roles), choose the one called Sample Allow Access Policy.



  • 11.  RE: Switch authentication

    Posted Dec 03, 2013 09:22 AM

    Chris -- Did a web search and I guess below link may help you with regads to Cisco configuration explains you the best practices of aaa.

     

    http://www.routerfreak.com/aaa-best-practices/

     

    Thank you



  • 12.  RE: Switch authentication

    Posted Dec 03, 2013 03:46 PM

    Seth,

    Thank you for the great information!!! Can you tell me where in CPPM I would add the network switches I want to have authenticate using CPPM?



  • 13.  RE: Switch authentication

    Posted Dec 03, 2013 04:30 PM
    Configuration > Network > Devices


  • 14.  RE: Switch authentication

    Posted Dec 03, 2013 04:36 PM

    Right!  Forgot that step.  Make sure the shared secret matches on both ends.  You can also define an entire subnet as well...this will cut down on the entries here as you can define a management subnet for all switches.



  • 15.  RE: Switch authentication

    Posted Dec 03, 2013 04:39 PM

    Ok... I have this working now. Last two questions, how would I configure CPPM to allow certain user accounts to only have Read Only access?

    And, how would I limit only users in a certain AD group to have access to logon to the switches?

    Thank you!!!!



  • 16.  RE: Switch authentication

    Posted Dec 03, 2013 04:50 PM

    For that, you need to configure a role map.  See this example.  Using a role map, you can use memberof as an attribute and say if it CONTAINS a certain value like "IT administrator" then assign a role.  This role is INTERNAL TO CLEARPASS!!!  That is important to remember.  It has nothing to do with what is sent back to the NAS device.  Using these internally derived roles, you can then assign appropriate enforcement profiles to the NAS switches.  In order to tell you what to send back as an enforcement profile (action), we would need to know what format they need the reply to be sent as.  

     

    Now...here is a screen shot of a sample role map.  These are for TACACS but you can easily see the logic and use RADIUS enforcement instead.

     

    Screen Shot 2013-12-03 at 4.45.56 PM.png

     

    Then in your enforcement policy, you use the roles here and assign the profiles needed.  

     

    For example:

     

    Screen Shot 2013-12-03 at 4.49.16 PM.png



  • 17.  RE: Switch authentication

    Posted Dec 03, 2013 05:57 PM

    In my Enforcement Policy, if I use Default Profile of Deny Access Profile, my authentication fails. If I use Allow Access Profile, my authentication is successful but my Roll Mappings never seem to be used.

    It is using the Default Profile in the Enforcement Policy and stopping there...



  • 18.  RE: Switch authentication

    Posted Dec 03, 2013 07:25 PM
    Remember that the roll mapping is only "tagging" accounts with internal
    ClearPass roles. Are you mapping the ClearPass roles to an action in the
    enforcement policy?


  • 19.  RE: Switch authentication

    Posted Dec 03, 2013 07:28 PM
      |   view attached

    Here's a screen shot...



  • 20.  RE: Switch authentication

    Posted Dec 03, 2013 07:33 PM

    Can you check in access tracker and on the first Summary tab of the request, does it show that you have the [TACACS Super Admin] role?

     

     



  • 21.  RE: Switch authentication

    Posted Dec 03, 2013 07:35 PM
      |   view attached

    No. It shows Employee and User Authenticated.



  • 22.  RE: Switch authentication

    Posted Dec 03, 2013 07:40 PM

    OK, so it sounds like it may be an issue with your authorization source.

     

    On the input tab of the request under Authorization, do you see the AD groups listed for that user account?

     

    input-authorization.PNG



  • 23.  RE: Switch authentication

    Posted Dec 03, 2013 07:43 PM
      |   view attached

    I have attached a screen shot of what it shows..



  • 24.  RE: Switch authentication

    Posted Dec 03, 2013 07:51 PM

    Hm. OK. Just to be sure, is the roll mapping policy selected in the drop down in the service?



  • 25.  RE: Switch authentication

    Posted Dec 03, 2013 07:54 PM
    You can select roles from the services tab in the service. You can add new roles as well once you make the roles tab visible. Keep in mind that these roles are internal to clear pass.

    Sent from my iPhone


  • 26.  RE: Switch authentication

    Posted Dec 03, 2013 07:57 PM
      |   view attached

    Yes it is. Attached a screen shot as well..



  • 27.  RE: Switch authentication

    Posted Dec 03, 2013 07:59 PM

    Last screenshot! Can you post the roll mapping policy?



  • 28.  RE: Switch authentication

    Posted Dec 03, 2013 08:01 PM
      |   view attached

    Here you go..



  • 29.  RE: Switch authentication

    Posted Dec 03, 2013 08:04 PM

    It looks like you are referencing "Users" which the account isn't a member of. Are you referring to the account's OU? In that case use AD:UserDN CONTAINS Users instead of MemberOf.



  • 30.  RE: Switch authentication

    Posted Dec 03, 2013 08:26 PM

    That worked like a charm!!!!! Thank you very much!!!!



  • 31.  RE: Switch authentication

    Posted Dec 03, 2013 08:29 PM

    Awesome!

     

    So UserDN is useful if you organize your AD domain with high-level OU's such as Staff, Vendors, Students, etc where MemberOf can get much more granular based on multiple group memberships.



  • 32.  RE: Switch authentication

    Posted Dec 02, 2013 10:31 AM

    Does the switch support TACACS?