Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Campus AP DUR - ClearPass Service Build

  • 1.  Campus AP DUR - ClearPass Service Build

    Posted 13 days ago

    Hello all, and forgive me if there is a related discussion already out there that I could not find.

    I am looking to use port-access on access point controller uplinks to dynamically assign VLANs using a DUR. We are currently using the LLDP system info to port-access locally on the switch, but there is some sort of bug causing LLDP to continuously age out, dropping the dynamic VLAN from the port, resulting in a degraded user experience and the AP rebooting. We have worked around this for now by statically assigning VLANs to some AP ports, but this is not secure.

    I do not want to use the OUI to authenticate the AP. Does anyone have something working that is effective across all Aruba APs?

    I am going to proceed with testing using some of the seemingly useful computed attributes that showed up in Access Tracker.

    I appreciate any recommendations!!



  • 2.  RE: Campus AP DUR - ClearPass Service Build

    Posted 13 days ago

    I would use the endpoint database as an authorization source and look for the category that it derived from the DHCP fingerprint. 




  • 3.  RE: Campus AP DUR - ClearPass Service Build

    Posted 12 days ago

    Thanks MT9! That is how I am proceeding for now to get immediate results.




  • 4.  RE: Campus AP DUR - ClearPass Service Build

    Posted 12 days ago

    All APs have a factory certificate in the TPM chip that can be used for 802.1X authentication against your access switch. You can use that in combo with fetching authorization data like the serial number of the AP.

    802.1x Supplicant Support on an AP (Arubanetworks)
    Provides an overview about how to provision an AP as an 802.1X supplicant in the Managed Network node hierarchy. The 802.1X supplicant support on an AP can be enabled only after an AP is configured with the credentials for 802.1X authentication.


    You can also issue unique certificates via EST and ClearPass Onboard to the APs, there is a tech note on that on the HPE Aruba Network support portal. 

    https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00132816en_us




  • 5.  RE: Campus AP DUR - ClearPass Service Build

    MVP EXPERT
    Posted 12 days ago

    Yup, that's the way we're heading, works a treat.

    A




  • 6.  RE: Campus AP DUR - ClearPass Service Build

    Posted 12 days ago

    Thank you for this documented recommendation! I am going to dig into this process and report back.




  • 7.  RE: Campus AP DUR - ClearPass Service Build

    Posted 11 days ago

    Hey @oden74

    So, I have the AP provisioned just fine; however, I am not sure how to configure the auth source given the cert is factory. I have enabled the Aruba CA root cert in the Trust store on ClearPass, but I am not sure if there is some built-in mechanism I am missing or what. Any thoughts or docs on how to proceed?

    Thanks in advance!




  • 8.  RE: Campus AP DUR - ClearPass Service Build

    EMPLOYEE
    Posted 11 days ago

    You can refer to these two tech notes that cover LUR and DUR with IAPs that are configured as dot1x supplicants.

    Check part 3 and part 6.

    https://solutiontechlab.com/?s=wired+enforcement



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 9.  RE: Campus AP DUR - ClearPass Service Build

    MVP EXPERT
    Posted 10 days ago
    Hi,

    See attached images.
    Assuming you have enabled cert-based auth for your AP on the controller with the default domain of Aruba.ap ...
    So, assuming you've set the Aruba cert up to be used for EAP in the trust list and you've got another check of whether the client device is an AP (do some role mapping and assign a role):
    The enforcement policy shown uses either the fact that the client is using the Aruba cert, or that I've checked that it's an AP and assigned a role.

    (I use fingerprinting (DHCP/LLDP) to identify Aruba APs.)

    Then set up your enforcement policy as appropriate.
    A
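Posts 4 and 9 above describe the same two-step check: the AP's factory certificate must chain to the vendor root you loaded into the ClearPass trust list (EAP-TLS), and only then is an identity attribute such as the serial number used to pick a role, with the endpoint database or an inventory acting as the authorization source. The Go program below is an added example that is not part of this thread and is not HPE Aruba or ClearPass code; it models that decision offline by fabricating a test "factory" CA and a rogue CA, issuing AP certificates from each, and running them through chain validation plus a serial lookup. Everything in it is an assumption for illustration: that the serial is carried in the certificate CN (confirm where the real factory certificate puts it before keying a policy on it), the `inventory` map standing in for the endpoint DB, and the role names and VLAN numbers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Decision is the enforcement result for the AP port: a role and the VLAN it maps to.
type Decision struct{ Role string; VLAN int }

// CA is a throwaway issuer standing in for the vendor factory CA whose root
// goes into the ClearPass trust list.
type CA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

var nextSerial int64 // serial counter; enough for a local test CA

// issue fills in serial and validity, signs tmpl with parentKey (self-signs when nil)
// and returns the parsed certificate together with its freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed CA certificate and key.
func NewCA(name string) (*CA, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, key, err := issue(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueAPCert issues a client-auth certificate carrying the AP serial in the CN.
// Assumption for this example only; confirm where the real factory cert puts the serial.
func (ca *CA) IssueAPCert(apSerial string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: apSerial, Organization: []string{"Example AP Vendor"}},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, _, err := issue(tmpl, ca.Cert, ca.Key)
	return cert, err
}

// AuthorizeAP models the ClearPass decision for one EAP-TLS session: the cert must
// chain to the trust list, then the serial is looked up in an authorization source
// (a map here, standing in for the endpoint DB or an asset inventory).
func AuthorizeAP(trustList *x509.CertPool, cert *x509.Certificate, inventory map[string]int) (Decision, error) {
	opts := x509.VerifyOptions{Roots: trustList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		// Unlike an OUI/MAC check this cannot be passed by spoofing an address:
		// the supplicant must also prove possession of the private key held in the TPM.
		return Decision{}, fmt.Errorf("EAP-TLS rejected: %w", err)
	}
	vlan, known := inventory[cert.Subject.CommonName]
	if !known { // genuine vendor cert, but not one of our APs: restricted role
		return Decision{Role: "ap-unknown", VLAN: 999}, nil
	}
	return Decision{Role: "ap-trusted", VLAN: vlan}, nil
}

func main() {
	factory, _ := NewCA("Example Factory AP CA")
	rogue, _ := NewCA("Rogue CA")
	trust := x509.NewCertPool()
	trust.AddCert(factory.Cert) // only the factory root is trusted for EAP
	inventory := map[string]int{"CNAP00000001": 210} // constructed: serial -> VLAN
	ours, _ := factory.IssueAPCert("CNAP00000001")  // our AP
	other, _ := factory.IssueAPCert("CNAP99999999") // genuine AP we do not own
	forged, _ := rogue.IssueAPCert("CNAP00000001")  // right serial, wrong issuer
	for _, cert := range []*x509.Certificate{ours, other, forged} {
		d, err := AuthorizeAP(trust, cert, inventory)
		fmt.Printf("%s signed by %q -> %+v err=%v\n", cert.Subject.CommonName, cert.Issuer.CommonName, d, err)
	}
}
```

Run it with `go run` and the three cases print in order: our own AP lands in the trusted role with its VLAN, a genuine but unlisted AP gets the restricted role, and the certificate with the right serial but the wrong issuer is rejected before any attribute is even read. That third case is the one an OUI- or LLDP-based check cannot distinguish, which is why the thread moves from fingerprinting to the factory certificate; keep the fingerprint-based role mapping from post 9 as a fallback, not as the primary gate.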




  • 10.  RE: Campus AP DUR - ClearPass Service Build

    Posted 7 days ago

    Thanks for the help and documentation @ariyap




  • 11.  RE: Campus AP DUR - ClearPass Service Build
    Best Answer

    Posted 10 days ago

    EAP-TLS with TPM Certificate on Aruba AP Uplink 802.1X (YouTube)
    This video shows how to configure your ArubaOS 8 MM/MD and Aruba ClearPass to use the factory certificate that is securely stored in each AP's Trusted Platform Module (TPM) to authenticate the Access Point to the wired network.






  • 12.  RE: Campus AP DUR - ClearPass Service Build

    Posted 7 days ago

    Not sure how I was unable to find this video in all my searches; apparently Google is lacking these days. Credit technically goes to @Herman Robers for making the video, but this is exactly what I needed. My struggle before watching this was in knowing how to build the new TLS auth method. It is tested and working, now for the deployment.

    Thanks again @oden74!!