Contributor II

ClearPass Switch Configuration

I haven't seen too many switch configurations for doing ClearPass Wired authentication outside of HPE and Cisco switches, so I thought I'd start some here.

Contributor II

Extreme Networks 460-G2

This is a ClearPass integration switch configuration for the Extreme Networks 460-G2, but it should work with most any of the G2 switches and likely the G3s:

TACACS Admin Access

configure tacacs primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default
configure tacacs primary shared-secret <TACACS+ SECRET>
enable tacacs
enable tacacs-accounting
enable tacacs-authorization

Reference:

https://community.extremenetworks.com/extreme/topics/tacacs-configuration

Configure ClearPass RADIUS Server

configure radius netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>
configure radius-accounting netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>

Setup 802.1x and MAC Auth

create vlan nt_login
configure netlogin vlan nt_login
enable netlogin dot1x mac 
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order mac dot1x 
configure netlogin add mac-list default
configure netlogin dot1x timers quiet-period 15
configure netlogin dot1x timers supp-resp-timeout 15
configure netlogin dot1x timers server-timeout 20

Enable Port Authentication

configure netlogin ports <access-ports> mode port-based-vlans
enable netlogin ports <access-ports> dot1x mac
configure netlogin ports <access-ports> allowed-users 3 
configure netlogin ports <access-ports> restart

Voice:

Adding in Voice VLAN

create vlan Voice tag <VOIP vlan ID> vr VR-Default description "Voice VLAN for Phones"
configure vlan Voice add ports <access-ports> tagged

enable lldp ports <access-ports>
configure lldp port <access-ports> advertise vendor-specific dot1 vlan-name vlan <VOIP vlan>
configure lldp port <access-ports> advertise vendor-specific med power-via-mdi
configure lldp port <access-ports> advertise vendor-specific med policy application voice vlan <VOIP vlan> dscp 46
configure lldp port <access-ports> advertise system-capabilities
configure lldp port <access-ports> advertise vendor-specific dot1 port-protocol-vlan-id vlan <VOIP vlan>

Auth Failure VLAN

configure netlogin authentication failure vlan <Guest-VLAN>
configure netlogin ports <access-ports> mode mac-based-vlans
enable netlogin authentication failure vlan ports <access-ports>

Web Authentication / External Captive Portal

Layering in External Captive Portal

configure vlan nt_login ipaddress 10.x.x.1 255.255.255.0
configure dns-client add name-server <CPPM VIP> vr VR-Default
configure dns-client add domain-suffix <DNS Suffix>
configure vlan nt_login dhcp-address-range 10.x.x.10 - 10.x.x.250
configure vlan nt_login dhcp-options default-gateway 10.x.x.1
disable netlogin logout-privilege

configure netlogin base-url "<ClearPass URL>/guest/<GuestPageName>.php?mac=%{Connection:Client-Mac-Address}"

configure netlogin web-based authentication database-order radius

configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin dot1x mac web-based

enable netlogin ports <access-ports> dot1x mac web-based

References:
https://community.extremenetworks.com/extreme/topics/web_based_authentication_problem-1kp2qk
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-netlogin-dot1x-via-policy-manager-in-exos
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-Radius

Contributor II

Juniper EX Switches

For Captive Portal to work you must be running at least 15.1R6S3; for Juniper Port Bounce (needed if you're going to do CoA with a different VLAN/subnet) to work you must be running at least 17.3R1.

Check the JTAC recommended release here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

Also check out the fine ASE solution here:

https://ase.arubanetworks.com/solutions/id/97

TACACS+ Admin Access

Create Login Class

set system login class su-with-timeout idle-timeout 30
set system login class su-with-timeout permissions all

Create Remote User

set system login user <TACACS Username> uid 1111
set system login user <TACACS Username> class su-with-timeout

Setup NTP

set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3

Set the Server

set system tacplus-server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret> 
set system tacplus-server <CPPM-VIP-IP-Address> source-address <IRB IP> 
set system tacplus-server <CPPM-VIP-IP-Address> timeout 30
set system authentication-order [ tacplus password ]

TACACS Accounting

set system accounting events [ change-log login ]
set system accounting destination tacplus server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret> timeout 30
set system accounting destination tacplus server <CPPM-VIP-IP-Address> source-address <IRB IP>

Reference:

https://www.juniper.net/documentation/en_US/junos/topics/concept/access-privileges-levels-overview.html

RADIUS Port Authentication

The ClearPass service assumes the default port configuration is configured for the authenticated user VLAN.

delete interfaces ge-0/0/x unit 0 family ethernet-switching vlan members 
set interfaces ge-0/0/x unit 0 family ethernet-switching vlan members <Default VLAN>

Enable HTTP and HTTPS services.

These services must be enabled for URL redirection. Please ensure that you have proper firewall filters to block management access.

set system services web-management http
set system services web-management https system-generated-certificate

Setup NTP

If you did not set up NTP with TACACS above, please ensure NTP is properly configured.

set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3

RADIUS Server Configuration

set access profile ClearPass_Auth radius authentication-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth accounting-order radius
set access profile ClearPass_Auth authentication-order radius
set access profile ClearPass_Auth radius accounting-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth radius options nas-identifier JuniperSwitch
set access radius-options interim-rate 60

DHCP Forwarding Options

set forwarding-options dhcp-relay group DHCP_Relay interface <L3 Interfaces>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM1-IP-Address>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM2-IP-Address>

Port Authentication (Dot1x/MAC)

set protocols dot1x authenticator no-mac-table-binding
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant multiple
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius authentication-protocol pap

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius flap-on-disconnect

ASE Recommended Timers

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all quiet-period 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all transmit-period 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all reauthentication 600
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant-timeout 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-timeout 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all maximum-requests 3
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-fail use-cache

Disable 802.1x (MAC Auth Only)

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius restrict

Firewall Filters

Port ACL/Firewall filters can be passed back from ClearPass as a Filter-ID.

GuestUserFilter

set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer then discard

set firewall family ethernet-switching filter GuestUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter GuestUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter GuestUserFilter term ra-guard then discard

set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from ip-destination-address <IP Address>
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from destination-port [ <Ports Used> ]
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> then accept


set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from destination-port domain
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS then accept

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 from ip-destination-address 10.0.0.0/8
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 then discard

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 from ip-destination-address 172.16.0.0/12
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 then discard

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 from ip-destination-address 192.168.0.0/16
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 then discard

set firewall family ethernet-switching filter GuestUserFilter term AllowInternet then accept

AuthorizedUserFilter

set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer then discard

set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard then discard

set firewall family ethernet-switching filter AuthorizedUserFilter term allowall then accept

References:

https://ase.arubanetworks.com/solutions/id/97
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-pnac-vsa-understanding.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-159-aruba-device-profiling.pdf
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-157-aruba-dot1x-mac-configuring.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/central-web-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/example/authentication-captive-portal-els.html
https://www.juniper.net/documentation/en_US/junos/topics/reference/general/authentication-process-flow-chart-ex-series-switches.html

VoIP LLDP-MED:

https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-voip-ex-series-configuring.html
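A Junos firewall filter is evaluated top to bottom and the first matching term decides, so in the GuestUserFilter above AllowDNS has to sit ahead of BlockRFC1918_10 whenever the resolver lives in 10/8, or the block term silently shadows it. The following is an added example, written for this page and not code from the poster, from Juniper or from ClearPass, that models that first-match evaluation in Python for the posted GuestUserFilter terms over constructed packets. The resolver address 10.10.10.53 and every sample packet are made-up values, and only the match conditions the posted filter actually uses are modelled.

```python
"""Added example (not from the thread, Juniper or ClearPass): a small model of
how a Junos family ethernet-switching filter such as the posted GuestUserFilter
is evaluated, so the effect of term order can be checked before the Filter-ID
is returned from ClearPass.  The DNS server address and all sample packets are
constructed placeholders, not values from the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields the posted filter matches on."""
    dst_ip: str
    ip_protocol: str = "tcp"          # "tcp", "udp" or "icmp6"
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Term:
    """One 'term <name> from ... then <action>' block."""
    name: str
    action: str                        # "accept" or "discard"
    dst_nets: Tuple[str, ...] = ()     # ip-destination-address
    ip_protocol: Optional[str] = None  # ip-protocol
    dst_ports: Tuple[int, ...] = ()    # destination-port
    icmp_type: Optional[str] = None    # icmp-type

    def matches(self, pkt: Packet) -> bool:
        # Junos semantics: every 'from' condition must match (logical AND);
        # a term with no 'from' clause matches every packet.
        if self.dst_nets and not any(
            ip_address(pkt.dst_ip) in ip_network(n) for n in self.dst_nets
        ):
            return False
        if self.ip_protocol and pkt.ip_protocol != self.ip_protocol:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.icmp_type and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[Optional[str], str]:
    """First matching term wins; an unmatched packet hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return None, "discard"


INTERNAL_DNS = "10.10.10.53"  # constructed placeholder for <Internal DNS / DNS Proxy>

# The GuestUserFilter terms from the post, in the order the set commands create them.
GUEST_USER_FILTER = [
    Term("BlockDHCPServer", "discard", ip_protocol="udp", dst_ports=(68,)),
    Term("ra-guard", "discard", ip_protocol="icmp6", icmp_type="router-advertisement"),
    Term("AllowDNS", "accept", dst_nets=(INTERNAL_DNS + "/32",), dst_ports=(53,)),
    Term("BlockRFC1918_10", "discard", dst_nets=("10.0.0.0/8",)),
    Term("BlockRFC1918_172", "discard", dst_nets=("172.16.0.0/12",)),
    Term("BlockRFC1918_192", "discard", dst_nets=("192.168.0.0/16",)),
    Term("AllowInternet", "accept"),
]


def shadowed_dns_result() -> Tuple[Optional[str], str]:
    """What happens if AllowDNS is entered after the RFC1918 blocks: the resolver
    lives in 10/8, so BlockRFC1918_10 now shadows AllowDNS and guests lose DNS."""
    allow_dns = next(t for t in GUEST_USER_FILTER if t.name == "AllowDNS")
    reordered = [t for t in GUEST_USER_FILTER if t.name != "AllowDNS"]
    reordered.insert(len(reordered) - 1, allow_dns)  # just ahead of AllowInternet
    return evaluate(reordered, Packet(INTERNAL_DNS, "udp", 53))


if __name__ == "__main__":
    samples = {  # constructed traffic a guest port might see
        "DNS query to internal resolver": Packet(INTERNAL_DNS, "udp", 53),
        "HTTPS to an internal 10/8 host": Packet("10.20.30.40", "tcp", 443),
        "HTTPS to the Internet": Packet("203.0.113.10", "tcp", 443),
        "Rogue DHCP offer from the guest": Packet("10.10.10.200", "udp", 68),
        "Guest's own DHCP discover": Packet("255.255.255.255", "udp", 67),
        "IPv6 router advertisement": Packet("ff02::1", "icmp6", icmp_type="router-advertisement"),
    }
    for label, pkt in samples.items():
        print(f"{label:34} -> {evaluate(GUEST_USER_FILTER, pkt)}")
    print("AllowDNS moved below RFC1918 blocks ->", shadowed_dns_result())
```

Run stand-alone it prints the term that decides each sample packet; the last line shows the same DNS query being discarded once AllowDNS is entered after the RFC1918 terms. That shadowing is the thing to check for before a Filter-ID is handed back from ClearPass, since the switch accepts the misordered filter without complaint.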