Security

  • 1.  Port Config for Aruba Access Point into Clearpass

    Posted 11 days ago

    Hello All,

    I'm hoping you can point me to a guide. I'm striking out in my search. I'm new to Clearpass and, though we had help setting our solution up, nothing was done to secure access point ports. I am hoping to configure our switch ports to send authentication attempts through Clearpass on our access points like I have with all other devices plugged into the switch. Our standard config is:

     switchport access vlan 500
     switchport mode access
     switchport voice vlan 20
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 7

    This works well for any non-trunk port. I saw some other posts saying trunk ports will not properly work with this type of RADIUS authentication, which is generally fine for switches, but some of our access points are accessible (difficult but possible). I'm hoping to set the port to try to authenticate the Aruba AP port into Clearpass and, if it's no longer an AP, sinkhole / shut the port.

    Is that possible? We have AOS 10 running in Aruba cloud and CPPM is already running our wireless authentication for users / devices, but I cannot find any traction for this setup.

    Thanks!



  • 2.  RE: Port Config for Aruba Access Point into Clearpass
    Best Answer

    Posted 11 days ago

    Hi.

    Yes, it is possible, just as with any universal port. Port mode needs to be set to port or device mode instead of user mode. APs support dot1x authentication. Authenticate APs via dot1x and send the appropriate untagged and tagged VLANs to the port via RADIUS attributes appropriate to your switches. If your switch supports setting port mode to port/device via a RADIUS attribute, you just add this attribute to the response. If not, then you need to dedicate ports to APs.

    Best, Gorazd




    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------
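    As an added example (not code from this thread, from HPE/Aruba or from ClearPass), here is how the untagged and tagged VLAN assignment Gorazd describes can be expressed as standard RADIUS attributes: the untagged VLAN via the RFC 2868 Tunnel-* attributes and every VLAN as an RFC 4675 Egress-VLANID, encoded and decoded in Python. The VLAN numbers 500 (data) and 20 (voice) are taken from the original port config; which of these attributes a particular switch honours is switch-specific, as the reply says.

```python
# Added example: build the RADIUS VLAN attributes a RADIUS server could return
# for an authenticated AP port. Egress-VLANID (RFC 4675) is a 32-bit value:
# one tag-indication byte (0x31 = tagged, 0x32 = untagged), 12 zero bits,
# then the 12-bit VLAN ID.
TAGGED, UNTAGGED = 0x31, 0x32

# Standard RADIUS attribute numbers (RFC 2868, RFC 4675).
ATTR_EGRESS_VLANID = 56
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81


def egress_vlanid(vlan: int, tagged: bool) -> int:
    """Return the 32-bit RFC 4675 Egress-VLANID value for one VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Inverse of egress_vlanid; rejects a bad tag byte, non-zero padding or VLAN 0."""
    tag, pad, vlan = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED) or pad != 0 or vlan == 0:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    return vlan, tag == TAGGED


def ap_port_attributes(untagged_vlan: int, tagged_vlans: list[int]) -> list[tuple[int, object]]:
    """Attribute list for an AP port: the untagged VLAN via Tunnel-* (what most
    switches read for the native/access VLAN), plus every VLAN as an
    Egress-VLANID so the tagged VLANs can reach the port as well."""
    attrs: list[tuple[int, object]] = [
        (ATTR_TUNNEL_TYPE, 13),                      # 13 = VLAN
        (ATTR_TUNNEL_MEDIUM_TYPE, 6),                # 6 = IEEE-802
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, str(untagged_vlan)),
        (ATTR_EGRESS_VLANID, egress_vlanid(untagged_vlan, tagged=False)),
    ]
    attrs += [(ATTR_EGRESS_VLANID, egress_vlanid(v, tagged=True)) for v in tagged_vlans]
    return attrs


if __name__ == "__main__":
    # Untagged data VLAN 500 and tagged voice VLAN 20, as in the original config.
    for attr, val in ap_port_attributes(500, [20]):
        shown = f"0x{val:08x}" if attr == ATTR_EGRESS_VLANID else val
        print(attr, shown)
```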



  • 3.  RE: Port Config for Aruba Access Point into Clearpass

    Posted 9 days ago

    Check this reference for the auth mode options; it describes client-mode, device-mode and multi-domain:

    https://arubanetworking.hpe.com/techdocs/AOS-CX/AOSCX-CLI-Bank/cli_6200/Content/Chp_Port_acc/Port_acc_rol_cmds/aut-mod-fl-10.htm



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 4.  RE: Port Config for Aruba Access Point into Clearpass

    Posted 7 days ago

    I've noticed a few posts without follow up, so I wanted to update this in case anyone struggles to find the solution like I did. Gorazd and ariyap provided information that is correct and pointed me in the right direction. My 'authentication host-mode multi-domain' was in place to allow 1 data and 1 voice VLAN, which was the main issue. When I changed this setting to multi-auth mode (Cisco) / client-mode (Aruba) the AP and all clients attempted to authenticate through Aruba, which was perfect. 

    I unfortunately have run into another wall. The Aruba APs get client certificates using an Enrollment over Secure Transport (EST) server. I do not have access to a server with this protocol currently. From what I can see, the Windows CA does not support this method, but Azure IoT Edge does support this, for anyone looking. I'm still researching to see if my Clearpass licensing will allow me to do EST.




  • 5.  RE: Port Config for Aruba Access Point into Clearpass

    Posted 7 days ago

    ClearPass can provide EST enrollment by using ClearPass Onboard. You can search for that and you'll see a technote for it.

    I'll see if I can find it for you.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------