Education – Australia / New Zealand

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
Highlighted
Frequent Contributor I

Aruba ClearPass with Cisco WLC 802.1X Role Based Access

Overview:

The following post will detail how to configure and integrate Aruba ClearPass with a Cisco wireless LAN controller, for role based access.  The example will use both a staff and student type account.

 

Lab Setup:

ClearPass 6.6.10.x

Cisco vWLC 8.0.x

 

Cisco WLC Configuration:

 

I have created two interfaces on the Cisco WLC, one for students, and one for staff. (note: i have not assigned IP addresses but this would be required for production).21.PNG

 

 

 

Next i am going to create an access list that will be used by both account types (student and staff).  I could use any number of ACL's to restrict traffic based on use case, but for this example i am keeping it simple.
7.PNG

 

 

You will need to ensure that "Support for RFC 3576" is enabled, otherwise role based policy from ClearPass won't work.
1.PNG

 

Finally i am going to configure "Allow AAA Override" on the "Secure" SSID.  Without this configuration i wont be able to provide role based access to this SSID.5.PNG

 

 

ClearPass Configuration:

First up i am going to add the Cisco WLC as a network device on ClearPass, making sure to set the "Vendor Name" as "Cisco".10.PNG

 

 

To make policy creation a little easier i am going to use device groups to determine what is a Cisco device and what is an Aruba device.
11.PNG

 

 

 

Don't forget to enable the "Airespace" RADIUS attributes on ClearPass, as we will be using these later.01.PNG

 

 

 

 

Now i am going to create a couple of roles to be used for applying policy to the Cisco WLC.8.PNG

 

 

Next up i am going to create a role mapping policy to determine who is a staff user and who is a student user; and from what type of network device they are connecting.  (i.e. if the user authenticating is a member of the "StaffGroup" in Active Directory and the network device they are authenticating from is a Cisco device, then i will assign the role "staff-role-cisco".
12.PNG

 

 

The next step is to create the enforcement profiles that will be sent to the Cisco WLC.  These profiles will set the ACL and VLAN that the user will be put on.13.PNG

 14.PNG

 

 

 

Now that we have created the profiles, it's time to create the policy.  The policy will map the roles created earlier to the enforcement profiles.15.PNG

 

 

Finally we can create the servive for the secure SSID.  This service will match on the "secure" SSID for wireless authentications.16.PNG

 

Testing:17.PNG

 

18.PNG

 

19.PNG

 

20.PNG

 

 

 

 

 

ACCX#1050 ACMP CWDP CWSP
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: