Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Colorless ports with Clearpass and Juniper

  • 1.  Colorless ports with Clearpass and Juniper

    Posted Oct 27, 2022 03:26 PM
    Has anyone gotten the colorless port configuration between Juniper and ClearPass working with Juniper's following guide? If you have, could you share some tips or a configuration sample with me?
    Configuring Colorless Ports on EX Series Switches with Aruba ClearPass Policy Manager and Cisco ISE
    Starting from Junos OS Release 20.4R1, EX switches support Colorless ports. Colorless ports are used in conjunction with device profiling with any standards-based RADIUS server, and convert an access port to a trunk port and allow the necessary VLANs with necessary tagging.


  • 2.  RE: Colorless ports with Clearpass and Juniper

    Posted Oct 28, 2022 04:24 PM
    Hello?


  • 3.  RE: Colorless ports with Clearpass and Juniper

    EMPLOYEE
    Posted Oct 31, 2022 09:55 AM
    What is the issue you have? I don't know EX switches, but the guide looks good to me. On the previous page, there is the EX switch config needed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Colorless ports with Clearpass and Juniper

    Posted Oct 31, 2022 02:05 PM
    I've been using that configuration, but it's only been working without the firewall portion. I've been trying to get the colorless port configuration working:
    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce-209-configuring-colorless-ports-ex-aruba-clearpass-policy.html

    The ClearPass approval/authentication is working, but it's not pushing back the VLAN option. I'm only getting the VoIP VLAN working, or the switch will just default to VLAN 1.


  • 5.  RE: Colorless ports with Clearpass and Juniper

    EMPLOYEE
    Posted 30 days ago
    What are the attributes that ClearPass returns to the switch (Access Tracker, Output tab, expand the RADIUS Response)?

    Do you see something in the switch logs?
    What does the dot1x detail show on the interface (show dot1x interface ge-0/0/6 detail)?

    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: Colorless ports with Clearpass and Juniper

    EMPLOYEE
    Posted 30 days ago
    This discussion seems to have a duplicate here. Let's continue there for follow-up.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: Colorless ports with Clearpass and Juniper

    Posted 30 days ago
    Not quite the same. That post is discussing the approval/enforcement. It doesn't send the VLAN tag back to the switch.


  • 8.  RE: Colorless ports with Clearpass and Juniper

    Posted 30 days ago
    Added snippet of enforcement profile, dot1x command, and switch VLANs.


  • 9.  RE: Colorless ports with Clearpass and Juniper

    Posted 30 days ago
    Redacted config (the login stanza was stripped of its user accounts when posting, which also dropped its closing brace; it is closed here so the hierarchy balances):
    system {
        host-name Mark-Test;
        root-authentication {
            encrypted-password "123123123123123"; ## SECRET-DATA
        }
        login {
            /* user accounts redacted from the posted config */
        }
        services {
            ssh {
                root-login allow;
                protocol-version v2;
                max-sessions-per-connection 64;
            }
            netconf {
                ssh;
            }
        }
        auto-snapshot;
        domain-name state.sd.us;
        time-zone cst6cdt;
        no-redirects;
        arp {
            aging-timer 5;
        }
        name-server {
            x.x.x.x;
        }
        syslog {
            user * {
                any emergency;
            }
            host x.x.x.x {
                any any;
            }
            file cli-commands {
                interactive-commands any;
                archive size 5m files 20;
            }
            file config-changes {
                change-log info;
                archive size 5m files 20;
            }
            file default-log-messages {
                any any;
                match "(FRU Offline)|(FRU Online)|(FRU insertion)|(FRU power)|(FRU removal)|(commit complete)|(copying configuration to juniper.save)|(license add)|(license delete)|(link UP)|(package -X delete)|(package -X update)|(plugged in)|(requested 'commit synchronize' operation)|(requested 'commit' operation)|(unplugged)|Transferred|ifAdminStatus|transfer-file|transitioned| LFMD_3AH | RPD_MPLS_PATH_BFD|(Backup changed)|(Backup detected)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(Master Unchanged, Members Changed)|(Master changed)|(Master detected)|(interface vcp-)|(vc add)|(vc delete)|CFMD_CCM_DEFECT|(AIS_DATA_AVAILABLE)|BR_INFRA_DEVICE";
                structured-data;
            }
            file errors {
                any error;
                explicit-priority;
            }
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any notice;
                authorization info;
                archive size 5m files 20;
            }
            file router-firewall {
                firewall any;
            }
        }
        ntp {
            server x.x.x.x prefer;
        }
    }
    chassis {
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }
    interfaces {
        interface-range Trunks {
            member ge-0/0/11;
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 ];
                    }
                    storm-control default;
                }
            }
        }
        interface-range Switch {
            member-range ge-0/0/0 to ge-0/0/10;
            description "State Network";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    storm-control default;
                }
            }
        }
        irb {
            unit 10 {
                description "State Network";
                family inet {
                    address x.x.x.x/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet;
            }
        }
    }
    snmp {
        contact "xxxx";
        client-list sdn-snmp {
            x.x.x.x;
        }
        community sdbit {
            client-list-name sdn-snmp;
        }
        trap-options;
        trap-group sdn-traps {
            version v2;
            categories {
                authentication;
                chassis;
                link;
                routing;
                startup;
                rmon-alarm;
                vrrp-events;
            }
            targets {
                x.x.x.x;
            }
        }
    }
    forwarding-options {
        storm-control-profiles default {
            all;
        }
        dhcp-relay {
            forward-snooped-clients all-interfaces;
            overrides {
                trust-option-82;
                delete-binding-on-renegotiation;
            }
            server-group {
                dhcp-dot1x {
                    x.x.x.x;
                }
            }
            active-server-group dhcp-dot1x;
            group all {
                interface ge-0/0/11.0;
                interface irb.0;
            }
        }
    }
    access {
        radius-server {
            x.x.x.x {
                dynamic-request-port 3799;
                secret "123123123123"; ## SECRET-DATA
                source-address x.x.x.x;
            }
        }
        profile CP-BITs-Profile {
            accounting-order radius;
            authentication-order radius;
            radius {
                authentication-server x.x.x.x;
                accounting-server x.x.x.x;
            }
        }
    }
    routing-options {
        graceful-restart;
        static {
            route 0.0.0.0/0 next-hop x.x.x.x;
        }
    }
    protocols {
        dot1x {
            authenticator {
                authentication-profile-name CP-BITs-Profile;
                interface {
                    Switch {
                        supplicant multiple;
                        mac-radius {
                            authentication-protocol {
                                pap;
                            }
                        }
                    }
                }
            }
        }
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
        igmp-snooping {
            vlan default;
        }
        vstp {
            interface all;
            vlan all;
        }
    }
    switch-options {
        voip {
            interface access-ports {
                vlan vlan11;
                forwarding-class assured-forwarding;
            }
        }
    }
    poe {
        interface all;
        interface Trunks {
            disable;
        }
    }
    vlans {
        vlan10 {
            description "Network";
            vlan-id 10;
            l3-interface irb.10;
        }
        vlan11 {
            description VoIP;
            vlan-id 11;
        }
        vlan12 {
            description "Non-Domain State Device Without Internet Access";
            vlan-id 12;
        }
        vlan13 {
            description "Non-Domain State Device With Internet Access";
            vlan-id 13;
        }
        vlan14 {
            description "Non-State Users Without Internet Access";
            vlan-id 14;
        }
        vlan15 {
            description "Non-State Users With Internet Access";
            vlan-id 15;
        }
    }


  • 10.  RE: Colorless ports with Clearpass and Juniper

    MVP GURU
    Posted 30 days ago
    Send back the following for a VLAN:



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 11.  RE: Colorless ports with Clearpass and Juniper

    Posted 30 days ago
    But that's not what I'm trying to accomplish:
    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce-209-configuring-colorless-ports-ex-aruba-clearpass-policy.html



  • 12.  RE: Colorless ports with Clearpass and Juniper

    MVP GURU
    Posted 30 days ago
    This will work as well. You must make sure to convert the VLAN ID to HEX.

    Tagged VLANID = 102 (66 in HEX)
    HEX = 3100066 (31 FOR TAGGED, 32 FOR UNTAGGED)
    Decimal = 51380326 (3100066 in Decimal)

    ------------------------------
    Dustin Burns
    ------------------------------



  • 13.  RE: Colorless ports with Clearpass and Juniper

    Posted 30 days ago
    I'm going to work with your idea tomorrow because it makes more sense to me. I'll post some feedback by the end of the week.


  • 14.  RE: Colorless ports with Clearpass and Juniper

    Posted 27 days ago
    For your profile, how do you pass the untagged option?


  • 15.  RE: Colorless ports with Clearpass and Juniper

    MVP GURU
    Posted 27 days ago
    You can control tagged and untagged by doing the following:

    You must make sure to convert the VLAN ID assignment to HEX, and then to decimal.

    Tagged VLANID = 102
    HEX = 3100066 (31 FOR TAGGED, 32 FOR UNTAGGED)
    Decimal = 51380326




    ------------------------------
    Dustin Burns
    ------------------------------
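The two posts above (12 and 15) build the Egress-VLANID integer by hand: a tag indicator byte (0x31 tagged, 0x32 untagged) in front of the VLAN ID in hex, then converted to decimal for the ClearPass enforcement profile. The helper below is an added example, not code from this thread, from Juniper or from Aruba ClearPass. It follows the attribute layout in RFC 4675 (8-bit tag indicator, 12 zero pad bits, 12-bit VLAN ID), under which a tagged VLAN 102 encodes as 0x31000066 = 822083686; that carries one more hex digit than the string quoted in the posts, so whichever value you configure, compare it against the RADIUS Response shown in Access Tracker (as suggested in post 5) and against what the switch reports before rolling it out. The decoder rejects values whose indicator byte or pad bits do not match that layout, and the last function assembles the attribute list for a port using the thread's own VLAN numbering (vlan10 data, vlan11 VoIP) as a constructed sample; it also covers Egress-VLAN-Name, which RFC 4675 defines alongside Egress-VLANID.

```python
"""Egress-VLANID / Egress-VLAN-Name encoding as defined in RFC 4675.

Added example; not code from this thread, Juniper, or Aruba ClearPass.
Assumed Egress-VLANID layout (RFC 4675):
    bits 31..24  tag indicator   0x31 = tagged, 0x32 = untagged
    bits 23..12  pad             zero
    bits 11..0   VLAN ID         1..4094
"""

TAG_TAGGED = 0x31
TAG_UNTAGGED = 0x32
VLAN_MIN, VLAN_MAX = 1, 4094


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Return the 32-bit Egress-VLANID value (send it to ClearPass as decimal)."""
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    indicator = TAG_TAGGED if tagged else TAG_UNTAGGED
    # vlan_id <= 4094 fits in the low 12 bits, so the pad bits stay zero.
    return (indicator << 24) | vlan_id


def decode_egress_vlanid(value: int) -> tuple[bool, int]:
    """Split a received Egress-VLANID into (tagged, vlan_id); raise if malformed."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    indicator = value >> 24
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if indicator not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError(f"unknown tag indicator 0x{indicator:02X} in 0x{value:08X}")
    if pad != 0:
        # A canonical value has zero pad bits; this validator treats anything else as a typo.
        raise ValueError(f"non-zero pad bits in 0x{value:08X}")
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return indicator == TAG_TAGGED, vlan_id


def is_valid_egress_vlanid(value: int) -> bool:
    """True when decode_egress_vlanid accepts the value."""
    try:
        decode_egress_vlanid(value)
    except ValueError:
        return False
    return True


def to_hex(value: int) -> str:
    """Render the value the way it is usually quoted in vendor guides (8 hex digits)."""
    return f"0x{value:08X}"


def encode_egress_vlan_name(vlan_name: str, tagged: bool) -> str:
    """Egress-VLAN-Name (RFC 4675): '1' (tagged) or '2' (untagged) followed by the switch's VLAN name."""
    if not vlan_name or any(ch.isspace() for ch in vlan_name):
        raise ValueError(f"invalid VLAN name: {vlan_name!r}")
    return ("1" if tagged else "2") + vlan_name


def egress_attributes_for_port(vlans: dict, untagged: str, tagged: list) -> list:
    """Attribute/value pairs for one port: the untagged (native) VLAN first, then each tagged VLAN.

    `vlans` maps the switch's VLAN names to IDs; names are resolved so a typo fails here
    rather than in the enforcement profile.
    """
    attrs = [("Egress-VLANID", encode_egress_vlanid(vlans[untagged], tagged=False))]
    for name in tagged:
        attrs.append(("Egress-VLANID", encode_egress_vlanid(vlans[name], tagged=True)))
    return attrs


if __name__ == "__main__":
    # Constructed sample using the VLAN numbering from the posted switch config.
    switch_vlans = {"vlan10": 10, "vlan11": 11}
    for attr, val in egress_attributes_for_port(switch_vlans, untagged="vlan10", tagged=["vlan11"]):
        print(f"{attr} = {val}  ({to_hex(val)})  -> {decode_egress_vlanid(val)}")
```

Run it as a script to print the decimal and hex forms side by side; the decimal column is what goes into the ClearPass enforcement profile, and feeding a value from Access Tracker into decode_egress_vlanid tells you at a glance which VLAN and tagging the switch was actually told to apply.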