AP Whitelist with CPPM
This feature lets the AP (RAP, CAP and IAP) whitelist be maintained externally on a ClearPass Policy Manager (CPPM) server instead of on the controller.
When configured to use an external server, the controller sends a RADIUS Access-Request to the CPPM server.
The MAC address of the AP is used as both the username and the password in the Access-Request. CPPM validates the request and returns the relevant parameters for the authorized AP.
CPPM sends the following attributes in the RADIUS Access-Accept to the requesting controller:
- ap-group: <Aruba-AP-Group>
- ap-name: <Aruba-Location-ID>
These attributes are returned by an enforcement profile configured in CPPM.
The controller uses the following defaults when a supported parameter is not present in the Access-Accept returned by CPPM:
- ap-group: The default ap-group is assigned to the AP.
- ap-name: The MAC address of the AP is used as the AP name.
Note: Any user role returned by CPPM is ignored; the controller always maps the AP to the Default-RAP role.
1. Create a server group that contains the CPPM server.
2. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-rap > Server Group.
3. Select the server group created in step 1 from the Server Group drop-down list.
4. Click Apply.
Note: When converting an IAP (e.g. RAP-3, RAP-155) to a RAP or CAP, configure the server group under default-iap instead of default-rap, because the AP still authenticates against the IAP profile at that point.
CPPM configuration:
Configure a service (e.g. based on the Aruba 802.1X Wireless template) with the following components and enforcement enabled:
- Authentication type: EAP-PEAP, EAP-MSCHAPv2 and MAC Auth (the AP whitelist request, with the MAC as username and password, is handled by the MAC Auth method)
- Authentication source: a local or external database in which the RAP MAC addresses are configured
- Enforcement policy: a policy that returns the Aruba-AP-Group and Aruba-Location-ID attributes on successful authentication
How it works:
- When an AP contacts the controller with its MAC address, the controller sends that MAC address for authentication (the whitelist check) to the CPPM server configured in the server group mapped to the AP's default profile (Default-AP/Default-IAP/Default-RAP).
- CPPM converts the received MAC address to upper-case hex with no delimiters (e.g. aa:bb:cc:dd:ee:ff becomes AABBCCDDEEFF) and looks it up in the user database selected as the authentication source of the service.
- When the MAC address is found in the user database, CPPM sends a RADIUS Access-Accept, carrying the Aruba-AP-Group and Aruba-Location-ID attributes if the enforcement policy is configured to return them. If the MAC address is not found, the AP is rejected.
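The exchange above, worked through end to end as an added example (this is not Aruba's or CPPM's code): the controller side builds the Access-Request with the AP MAC as User-Name and User-Password, the CPPM side normalizes the MAC, looks it up in a constructed whitelist and answers with Aruba VSAs taken from an enforcement-profile-style entry, and the controller side checks the Response Authenticator and applies the defaults described earlier (default ap-group, MAC as ap-name) when a VSA is absent. Assumptions: the request uses standard RFC 2865 User-Password hiding, the Aruba VSA sub-types are Aruba-Location-Id = 6 and Aruba-AP-Group = 10 under enterprise 14823 (check them against your CPPM dictionary), the default AP group is named "default", and the shared secret, MAC addresses and whitelist entries are constructed sample data.

```python
import hashlib
import os
import re
import struct
from typing import Optional

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
# Aruba VSAs (enterprise 14823). Sub-type numbers are assumed from the Aruba
# RADIUS dictionary: Aruba-Location-Id = 6, Aruba-AP-Group = 10.
ARUBA_VENDOR, ARUBA_LOCATION_ID, ARUBA_AP_GROUP = 14823, 6, 10


def normalize_mac(mac: str) -> str:
    """CPPM lookup key: upper-case hex with no delimiters ('aa:bb:cc:dd:ee:ff' -> 'AABBCCDDEEFF')."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def _xor_chain(data: bytes, secret: bytes, auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res  # chain on the ciphertext block in both directions
    return out


def hide_password(pw: bytes, secret: bytes, auth: bytes) -> bytes:
    return _xor_chain(pw + b"\x00" * (-len(pw) % 16), secret, auth, decrypt=False)


def reveal_password(enc: bytes, secret: bytes, auth: bytes) -> bytes:
    # Trailing NUL padding is stripped; fine for MAC strings, which never contain NUL.
    return _xor_chain(enc, secret, auth, decrypt=True).rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def aruba_vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute carrying one Aruba sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR) + attr(sub_type, value))


def parse_attrs(data: bytes):
    i = 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        yield t, data[i + 2:i + length]
        i += length


def respond(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


# --- controller side ---------------------------------------------------------

def build_access_request(mac: str, secret: bytes, ident: int = 1, auth: Optional[bytes] = None) -> bytes:
    """Access-Request with the AP MAC as both User-Name and User-Password."""
    auth = auth or os.urandom(16)
    mac_b = mac.encode()
    attrs = attr(USER_NAME, mac_b) + attr(USER_PASSWORD, hide_password(mac_b, secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def apply_accept(response: bytes, request: bytes, secret: bytes, mac: str) -> Optional[dict]:
    """Verify the Response Authenticator, then take ap-group/ap-name from the Aruba VSAs,
    falling back to the documented defaults (default ap-group, MAC as ap-name)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if response[4:20] != expected or ident != request[1]:
        raise ValueError("Response Authenticator check failed")
    if code != ACCESS_ACCEPT:
        return None
    params = {"ap-group": "default", "ap-name": mac}  # assumed default group name and name format
    for t, v in parse_attrs(body):
        if t != VENDOR_SPECIFIC or len(v) < 6 or struct.unpack("!I", v[:4])[0] != ARUBA_VENDOR:
            continue
        for sub_t, sub_v in parse_attrs(v[4:]):
            if sub_t == ARUBA_AP_GROUP:
                params["ap-group"] = sub_v.decode()
            elif sub_t == ARUBA_LOCATION_ID:
                params["ap-name"] = sub_v.decode()
    return params


# --- CPPM side ---------------------------------------------------------------

def cppm_handle(request: bytes, whitelist: dict, secret: bytes) -> bytes:
    """Normalize the MAC, look it up in the whitelist (the authentication source) and
    answer with Accept plus the VSAs configured for that entry, or with Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    username, password = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    try:
        ok = (code == ACCESS_REQUEST and username is not None and password is not None
              and reveal_password(password, secret, auth) == username)
        entry = whitelist.get(normalize_mac(username.decode())) if ok else None
    except (ValueError, UnicodeDecodeError):
        entry = None
    if entry is None:
        return respond(ACCESS_REJECT, ident, auth, b"", secret)
    vsas = b""
    if "ap-group" in entry:
        vsas += aruba_vsa(ARUBA_AP_GROUP, entry["ap-group"].encode())
    if "ap-name" in entry:
        vsas += aruba_vsa(ARUBA_LOCATION_ID, entry["ap-name"].encode())
    return respond(ACCESS_ACCEPT, ident, auth, vsas, secret)


SECRET = b"example-shared-secret"  # constructed
WHITELIST = {                      # constructed sample of the CPPM user database
    "001122334455": {"ap-group": "branch-raps", "ap-name": "rap-home-01"},
    "AABBCCDDEEFF": {},            # whitelisted, but no VSAs configured -> controller defaults
}


def whitelist_ap(mac: str) -> Optional[dict]:
    """Full exchange for one AP; returns the parameters the controller would apply, or None."""
    req = build_access_request(mac, SECRET)
    return apply_accept(cppm_handle(req, WHITELIST, SECRET), req, SECRET, mac)


if __name__ == "__main__":
    for m in ("00:11:22:33:44:55", "aa-bb-cc-dd-ee-ff", "00:00:00:00:00:01"):
        print(m, "->", whitelist_ap(m))
```

Because the "password" is only the AP's MAC address, the Access-Request carries no secret of its own; the shared secret and the authenticator checks are what bind the Accept to the request, so the RADIUS shared secret between controller and CPPM is the only thing protecting the whitelist decision on the wire and should be treated accordingly.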