Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
ClearPass Switch Configuration

  • 1.  ClearPass Switch Configuration

    Posted Dec 20, 2018 05:41 PM

    I haven't seen too many switch configurations for doing ClearPass wired authentication outside of HPE and Cisco switches, so I thought I'd start some here.


  • 2.  RE: ClearPass Switch Configuration

    Posted Dec 20, 2018 05:49 PM

    ClearPass integration switch configuration for Extreme Networks 460-G2; it should work with most of the G2 switches and likely the G3s:

    TACACS Admin Access

    configure tacacs primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default
    configure tacacs primary shared-secret <TACACS+ SECRET>
    enable tacacs
    enable tacacs-accounting
    enable tacacs-authorization

    Reference:
    https://community.extremenetworks.com/extreme/topics/tacacs-configuration

    Configure ClearPass RADIUS Server


    configure radius netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>
    configure radius-accounting netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>

    Setup 802.1x and MAC Auth

    create vlan nt_login
    configure netlogin vlan nt_login
    enable netlogin dot1x mac
    configure netlogin mac authentication database-order radius
    configure netlogin authentication protocol-order mac dot1x
    configure netlogin add mac-list default
    configure netlogin dot1x timers quiet-period 15
    configure netlogin dot1x timers supp-resp-timeout 15
    configure netlogin dot1x timers server-timeout 20

    Enable Port Authentication

    configure netlogin ports <access-ports> mode port-based-vlans
    enable netlogin ports <access-ports> dot1x mac
    configure netlogin ports <access-ports> allowed-users 3
    configure netlogin ports <access-ports> restart

    Voice: adding in the Voice VLAN

    create vlan Voice tag <VOIP vlan ID> vr VR-Default description "Voice VLAN for Phones"
    configure vlan Voice add ports <access-ports> tagged

    enable lldp ports <access-ports>
    configure lldp port <access-ports> advertise vendor-specific dot1 vlan-name vlan <VOIP vlan>
    configure lldp port <access-ports> advertise vendor-specific med power-via-mdi
    configure lldp port <access-ports> advertise vendor-specific med policy application voice vlan <VOIP vlan> dscp 46
    configure lldp port <access-ports> advertise system-capabilities
    configure lldp port <access-ports> advertise vendor-specific dot1 port-protocol-vlan-id vlan <VOIP vlan>

    Auth Failure VLAN

    configure netlogin authentication failure vlan <Guest-VLAN>
    configure netlogin ports <access-ports> mode mac-based-vlans
    enable netlogin authentication failure vlan ports <access-ports>

    Web Authentication / External Captive Portal: layering in an external captive portal

    configure vlan nt_login ipaddress 10.x.x.1 255.255.255.0
    configure dns-client add name-server <CPPM VIP> vr VR-Default
    configure dns-client add domain-suffix <DNS Suffix>
    configure vlan nt_login dhcp-address-range 10.x.x.10 - 10.x.x.250
    configure vlan nt_login dhcp-options default-gateway 10.x.x.1
    disable netlogin logout-privilege

    configure netlogin base-url "<ClearPass URL>/guest/<GuestPageName>.php?mac=%{Connection:Client-Mac-Address}"

    configure netlogin web-based authentication database-order radius

    configure netlogin authentication protocol-order mac dot1x web-based
    enable netlogin dot1x mac web-based

    enable netlogin ports <access-ports> dot1x mac web-based

    References:
    https://community.extremenetworks.com/extreme/topics/web_based_authentication_problem-1kp2qk
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-netlogin-dot1x-via-policy-manager-in-exos
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-Radius
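    A pre-rollout check for a switch configuration like the one above. This is an added example, not part of the original post and not EXOS or ClearPass tooling: it reads the configuration as text and flags the gaps that most often bite a ClearPass wired deployment (TACACS+ without accounting, RADIUS without accounting or CoA, a placeholder secret left in, MAC auth ordered ahead of 802.1X, a redirect URL that is not https, a failure VLAN enabled on ports but never defined). The `lint_exos_netlogin` function, the check list and the two constructed sample configs are this example's own; the command syntax is the EXOS syntax used in the post.

```python
"""Pre-rollout lint for an EXOS netlogin / ClearPass configuration.

Added example (not from the original post). Each check returns a stable id
so the result can be asserted on or fed to a CI job before cutover.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

PLACEHOLDER_SECRET = re.compile(r'shared-secret\s+"?<[^>"]*>"?')

# Constructed sample modelled on the commands in the post, with weak settings
# left in on purpose: placeholder secret, no TACACS accounting, no CoA,
# MAC before dot1x, http redirect, failure VLAN enabled but not defined.
WEAK_CONFIG = """\
configure tacacs primary server 10.1.1.10 client-ip 10.1.1.2 vr VR-Default
configure tacacs primary shared-secret <TACACS+ SECRET>
enable tacacs
enable tacacs-authorization
configure radius netlogin primary server 10.1.1.10 client-ip 10.1.1.2 vr VR-Default shared-secret S3cr3t-Rad1us
configure radius-accounting netlogin primary server 10.1.1.10 client-ip 10.1.1.2 vr VR-Default shared-secret S3cr3t-Rad1us
enable radius netlogin
enable radius-accounting netlogin
enable netlogin dot1x mac web-based
configure netlogin authentication protocol-order mac dot1x web-based
configure netlogin base-url "http://clearpass.example.com/guest/wired.php"
enable netlogin authentication failure vlan ports 1-24
"""

# The same constructed switch with every finding addressed.
HARDENED_CONFIG = """\
configure tacacs primary server 10.1.1.10 client-ip 10.1.1.2 vr VR-Default
configure tacacs primary shared-secret Kx9-tacacs-example-secret
enable tacacs
enable tacacs-accounting
enable tacacs-authorization
configure radius netlogin primary server 10.1.1.10 client-ip 10.1.1.2 vr VR-Default shared-secret S3cr3t-Rad1us
configure radius-accounting netlogin primary server 10.1.1.10 client-ip 10.1.1.2 vr VR-Default shared-secret S3cr3t-Rad1us
configure radius dynamic-authorization 1 server 10.1.1.10 client-ip 10.1.1.2 vr VR-Default shared-secret S3cr3t-Rad1us
enable radius netlogin
enable radius-accounting netlogin
enable radius dynamic-authorization
enable netlogin dot1x mac web-based
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin base-url "https://clearpass.example.com/guest/wired.php"
configure netlogin authentication failure vlan Guest
enable netlogin authentication failure vlan ports 1-24
"""


def lint_exos_netlogin(config: str) -> List[Tuple[str, str]]:
    """Return (check-id, message) pairs; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[Tuple[str, str]] = []

    def has_prefix(prefix: str) -> bool:
        return any(ln.startswith(prefix) for ln in lines)

    # Admin AAA: authorization without accounting leaves no command audit trail.
    if "enable tacacs" in lines and "enable tacacs-accounting" not in lines:
        findings.append(("tacacs-accounting", "TACACS+ enabled without tacacs-accounting: admin commands are not logged"))

    # RADIUS: configured but never enabled, no accounting, or no CoA.
    if has_prefix("configure radius netlogin"):
        if "enable radius netlogin" not in lines:
            findings.append(("radius-enable", "RADIUS netlogin server configured but 'enable radius netlogin' is missing"))
        if not has_prefix("configure radius-accounting netlogin") or "enable radius-accounting netlogin" not in lines:
            findings.append(("radius-accounting", "no RADIUS accounting: ClearPass will not see session start/stop"))
        if "enable radius dynamic-authorization" not in lines:
            findings.append(("dynamic-authorization", "CoA not enabled: ClearPass cannot bounce or re-role a session"))

    # Secrets still in <PLACEHOLDER> form were never replaced.
    for ln in lines:
        if PLACEHOLDER_SECRET.search(ln):
            findings.append(("placeholder-secret", f"placeholder shared secret left in: {ln}"))

    # Authentication order: flag MAC auth ahead of 802.1X for review.
    for ln in lines:
        m = re.match(r"configure netlogin authentication protocol-order (.+)$", ln)
        if m:
            order = m.group(1).split()
            if "mac" in order and "dot1x" in order and order.index("mac") < order.index("dot1x"):
                findings.append(("protocol-order", "MAC auth is tried before 802.1X; confirm that is intended"))

    # Captive portal redirect: anything but https sends guest credentials in clear.
    for ln in lines:
        m = re.match(r'configure netlogin base-url "?([^"\s]+)"?', ln)
        if m and urlparse(m.group(1)).scheme != "https":
            findings.append(("base-url-scheme", f"captive portal redirect is not https: {m.group(1)}"))

    # Failure VLAN enabled on ports but never defined.
    if has_prefix("enable netlogin authentication failure vlan ports") and not has_prefix("configure netlogin authentication failure vlan"):
        findings.append(("failure-vlan", "failure VLAN enabled on ports but no failure VLAN is configured"))

    return findings


if __name__ == "__main__":
    for check, message in lint_exos_netlogin(WEAK_CONFIG):
        print(f"[{check}] {message}")
    print("hardened config findings:", lint_exos_netlogin(HARDENED_CONFIG))
```

    Run it against the saved `show configuration` output before a cutover. The base-url check flags any value that is not explicitly https, including scheme-less ones such as `cppm-vip/guest/wired_main.php`, since the redirect the switch sends the guest is whatever that string says.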

     



  • 3.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 07:44 AM

     

    For the Extreme, did you have to do anything special other than what you have here? I can't get the web portal to show up on the redirect.



  • 4.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 08:49 AM

    Victor actually came up with the solution for this:

    https://community.arubanetworks.com/t5/user/viewprofilepage/user-id/9462 

     

    SWITCH CONFIGURATION

    configure policy captive-portal web-redirect 1 server 1 url https://ClearPassVIP.fqdn.com/guest/YourGuestPageName.php enable    ----> Defines the URL
    configure policy profile 1 name "GUEST-LOGON-ROLE" pvid-status "enable" pvid 0 cos 4 web-redirect 1    ----> Captive Portal Role
    configure policy profile 2 name "GUEST-ROLE" pvid-status "enable" pvid 4095    ----> Final Guest Role
    configure policy rule 1 udpdestportIP 53 mask 16 forward    ----> Allows DNS
    configure policy rule 1 udpdestportIP 67 mask 16 forward    ----> Allows DHCP
    configure policy rule 1 tcpdestportIP 80 mask 16 forward    ----> Allows HTTP
    configure policy rule 1 tcpdestportIP 443 mask 16 forward    ----> Allows HTTPS
    configure policy rule 1 ether 0x0806 mask 16 forward    ----> Allows ARP
    configure policy captive-portal listening 80    ----> Forces redirect on port 80
    configure policy captive-portal listening 8080    ----> Forces redirect on port 8080
    configure policy captive-portal listening 443    ----> Forces redirect on port 443
    enable policy    ----> Enables policy on the switch



  • 5.  RE: ClearPass Switch Configuration
    Best Answer

    Posted Aug 26, 2020 09:36 AM

    Here you go:

    EXTREME SWITCH CONFIGURATION

    ********ENABLE GLOBAL RADIUS AUTH***********

    configure radius netlogin 1 server <CPPM-1_IP> 1812 client-ip <SWITCH-MGMT-IP> vr VR-Default
    configure radius netlogin 2 server <CPPM-2_IP> 1812 client-ip <SWITCH-MGMT-IP> vr VR-Default
    configure radius 1 shared-secret "<RADIUS-SHARED-KEY>"
    configure radius 2 shared-secret "<RADIUS-SHARED-KEY>"

    create vlan NETLOGIN-VLAN
    configure netlogin vlan NETLOGIN-VLAN

    enable radius netlogin
    configure radius timeout 5
    configure radius netlogin timeout 5

    enable netlogin dot1x mac
    configure netlogin mac authentication database-order radius
    configure netlogin authentication protocol-order dot1x mac
    disable netlogin logout-privilege
    disable netlogin session-refresh
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    configure netlogin mac timers reauth-period 86400

    configure policy vlanauthorization enable    ---> Allows dynamic VLAN creation from RADIUS attributes
    configure policy maptable response both    ---> Accept both Filter-Id and RADIUS attributes for policy mapping


    ***********ENABLE RADIUS ACCOUNTING*************

    configure radius-accounting netlogin primary server <CPPM-1_IP> 1813 client-ip <SWITCH-MGMT-IP> vr VR-Default
    configure radius-accounting netlogin primary shared-secret "<RADIUS-SHARED-KEY>"
    configure radius-accounting netlogin secondary server <CPPM-2_IP> 1813 client-ip <SWITCH-MGMT-IP> vr VR-Default
    configure radius-accounting netlogin secondary shared-secret "<RADIUS-SHARED-KEY>"
    enable radius-accounting netlogin


    ***********ENABLE RADIUS COA**************

    configure radius dynamic-authorization 1 server <CPPM-1_IP> client-ip <SWITCH-MGMT-IP> vr VR-Default shared-secret "<RADIUS-SHARED-KEY>"
    configure radius dynamic-authorization 2 server <CPPM-2_IP> client-ip <SWITCH-MGMT-IP> vr VR-Default shared-secret "<RADIUS-SHARED-KEY>"
    enable radius dynamic-authorization


    *****ENABLE RADIUS (802.1X/MAC) AUTH ON PORT********

    enable netlogin ports <PORT-LIST> dot1x mac
    configure netlogin mac ports <PORT-LIST> timers reauth-period 86400 reauthentication on
    configure netlogin dot1x ports <PORT-LIST> timers server-timeout 10 reauth-period 86400


    ****ENABLE POLICY FOR CAPTIVE PORTAL AUTH*********

    [Image: Enable Extreme Policy.png]

    CLEARPASS CONFIGURATION

    ***COA PROFILE*****

    [Image: ClearPass CoA.png]

    ****ENFORCEMENT PROFILE TO RETURN ROLE/POLICY*****

    Captive Portal Role

    Final / Full Access Role

    After the user performs captive portal authentication, assuming the authentication is successful, we need to send the REGISTERED-ROLE and the CoA, and add the MAC caching information/attribute to the endpoint DB. The CoA will force the device to re-authenticate, and we will use the endpoint DB MAC caching attributes to give the device access to the network.

    *****WEB-LOGIN CONFIGURATION (LOGIN PAGE)******

    To give time for the re-authentication to happen, we need to add 20 seconds.

    [Image: Web Login Page.png]

    [Image: Web Login Page 2.png]

    We also need to change the CoA from 2 to 5 seconds.

    **********WEB-AUTH SERVICE*********

    [Image: ClearPass Web Auth Service 2.png]

    **********FLOWCHART**********

    [Image: Workflow.png]
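    The CoA step in that flow, as an added example that is not part of the original post and not ClearPass or EXOS code: ClearPass sends a RADIUS Disconnect-Request (RFC 5176) naming the client by Calling-Station-Id, the switch checks the Request Authenticator against the shared secret before touching any session, and answers Disconnect-ACK, or Disconnect-NAK with Error-Cause 503 when it holds no such session. Both sides are implemented below. The shared secret, NAS address and MAC addresses are constructed test values, and the Message-Authenticator attribute (80) is deliberately left out for brevity; production peers usually require it.

```python
"""RADIUS Disconnect exchange (RFC 5176) between a ClearPass-style server and a switch.

Added example, not from the original post. Server side builds the request and
checks the reply; NAS side verifies the request and acts on its session table.
"""
import hashlib
import hmac
import socket
import struct
from typing import List, Optional, Set, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
NAS_IP_ADDRESS, CALLING_STATION_ID, ERROR_CAUSE = 4, 31, 101
SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 Error-Cause value


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _header(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def normalize_mac(text: str) -> str:
    """ClearPass and switches write Calling-Station-Id differently
    (00:11:22:33:44:55, 00-11-22-33-44-55, 001122334455); compare canonical hex."""
    digits = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def build_disconnect_request(identifier: int, secret: bytes, nas_ip: str, client_mac: str) -> bytes:
    """Server side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + _attr(CALLING_STATION_ID, client_mac.encode())
    digest = hashlib.md5(_header(DISCONNECT_REQUEST, identifier, bytes(16), attrs) + secret).digest()
    return _header(DISCONNECT_REQUEST, identifier, digest, attrs)


def nas_handle_disconnect(packet: bytes, secret: bytes, sessions: Set[str]) -> Optional[bytes]:
    """Switch side. Returns the reply, or None when the request must be silently discarded."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    req_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(_header(code, identifier, bytes(16), attrs) + secret).digest()
    if not hmac.compare_digest(expected, req_auth):
        return None  # wrong secret or spoofed sender: RFC 5176 says silently discard
    targets = set()
    for attr_type, value in parse_attrs(attrs):
        if attr_type == CALLING_STATION_ID:
            try:
                targets.add(normalize_mac(value.decode()))
            except (UnicodeDecodeError, ValueError):
                pass
    hit = targets & sessions
    if hit:
        sessions -= hit  # tear the session down; the client will re-authenticate
        reply_code, reply_attrs = DISCONNECT_ACK, b""
    else:
        reply_code = DISCONNECT_NAK
        reply_attrs = _attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    digest = hashlib.md5(_header(reply_code, identifier, req_auth, reply_attrs) + secret).digest()
    return _header(reply_code, identifier, digest, reply_attrs)


def verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(_header(code, identifier, request[4:20], reply[20:]) + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"S3cr3t-Rad1us"                          # constructed shared secret
    sessions = {normalize_mac("00-11-22-33-44-55")}   # what the switch has authenticated
    req = build_disconnect_request(7, secret, "10.1.1.2", "00:11:22:33:44:55")
    reply = nas_handle_disconnect(req, secret, sessions)
    print("reply code", reply[0], "valid", verify_reply(req, reply, secret), "sessions left", sessions)
```

    Two details carry the security weight here: the switch discards, rather than NAKs, a request whose authenticator does not verify, so a host that can spoof the ClearPass VIP's address still cannot bounce sessions without the shared secret; and the MAC normalisation step is what makes the lookup succeed when ClearPass and the switch format Calling-Station-Id differently.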



  • 6.  RE: ClearPass Switch Configuration

    Posted Feb 12, 2024 12:47 PM

    This has been great!

    We have the following issue, though: we want the dot1x authentication to go first. Our ClearPass gets an authentication request from the dot1x policy and from the MAC policy, and ClearPass accepts both.

    We also have the issue that the endpoints do not get DHCP.

    A virtual port does, though.

    We have the 5320 line of Extreme switches.




  • 7.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 09:57 AM
    Hi,

    Thanks very much for this. However, what I don't see (and it's more than likely me) is where do you specify the ClearPass URL?

    Here is a sample of the output from show config:

    configure netlogin vlan temp
    enable netlogin dot1x mac web-based
    configure netlogin agingtime 1
    configure netlogin web-based authentication database-order radius
    configure netlogin authentication protocol-order dot1x mac web-based
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    configure netlogin mac timers reauth-period 60
    enable netlogin ports 1 dot1x
    enable netlogin ports 1 web-based
    configure netlogin dot1x ports 1 timers quiet-period 15 supp-resp-timeout 2
    disable netlogin logout-privilege
    disable netlogin session-refresh
    configure netlogin base-url "cppm-vip/guest/wired_main.php"
    configure netlogin redirect-page "https://ukaea.uk"
    configure netlogin ports 1 mode mac-based-vlans


    Thanks



    Jody Green
    Computer Network Engineer
    United Kingdom Atomic Energy Authority


  • 8.  RE: ClearPass Switch Configuration

    Posted Aug 26, 2020 10:35 AM
    Forgot to add that part, just updated the post


  • 9.  RE: ClearPass Switch Configuration

    Posted Jan 08, 2019 04:01 PM

    For Captive Portal to work you must be running at least 15.1R6S3; for Juniper Port Bounce (needed if you're going to do CoA with a different VLAN/subnet) to work you must be running at least 17.3R1.

    Check the JTAC recommended release here:
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

    Also check out the fine ASE solution here:
    https://ase.arubanetworks.com/solutions/id/97

     

     

    TACACS+ Admin Access

    Create Login Class

    set system login class su-with-timeout idle-timeout 30
    set system login class su-with-timeout permissions all

    Create remote User

    set system login user <TACACS Username> uid 1111
    set system login user <TACACS Username> class su-with-timeout

    Setup NTP

    set system ntp boot-server <Your NTP1>
    set system ntp server <Your NTP1> version 3
    set system ntp server <Your NTP1> prefer
    set system ntp server <Your NTP2> version 3

    Set the Server

    set system tacplus-server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret>
    set system tacplus-server <CPPM-VIP-IP-Address> source-address <IRB IP>
    set system tacplus-server <CPPM-VIP-IP-Address> timeout 30
    set system authentication-order [ tacplus password ]

    TACACS accounting

    set system accounting events [ change-log login ]
    set system accounting destination tacplus server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret> timeout 30
    set system accounting destination tacplus server <CPPM-VIP-IP-Address> source-address <IRB IP>

    Reference:
    https://www.juniper.net/documentation/en_US/junos/topics/concept/access-privileges-levels-overview.html


    RADIUS Port Authentication

    HTTPS Redirect

    Send a Juniper-Switching-Filter rather than the CWA filter.

    Juniper:Juniper-CWA-Redirect-URL = https://<ClearPass FQDN>/guest/YourPage.php?mac=%{Radius:IETF:Calling-Station-Id}

    Do not send the built-in CWA filter; send a Juniper-Switching-Filter instead:

    Juniper-Switching-Filter = match destination-ip <ClearPass-VIP> ip-protocol 6 destination-port 443 action allow

    Ref: https://amzia.wordpress.com/2018/11/30/juniper-ex-cwa-cisco-ise/#jp-carousel-128
    Ref: https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-radius-authentication.html#id-juniper-switching-filter-vsa-match-conditions-and-actions

    The ClearPass service assumes the default port configuration is configured for the authenticated user VLAN.

    delete interfaces ge-0/0/x unit 0 family ethernet-switching vlan members
    set interfaces ge-0/0/x unit 0 family ethernet-switching vlan members <Default VLAN>


    Enable HTTP and HTTPS services.

    These services must be enabled for URL redirection. Please ensure that you have proper firewall filters to block management access. 

     

    set system services web-management http
    set system services web-management https system-generated-certificate

    Setup NTP

    If you did not set up NTP with TACACS above please ensure NTP is properly configured. 

    set system ntp boot-server <Your NTP1>
    set system ntp server <Your NTP1> version 3
    set system ntp server <Your NTP1> prefer
    set system ntp server <Your NTP2> version 3

    Radius Server Configuration

    set access profile ClearPass_Auth radius authentication-server <CPPM-VIP-IP-Address>
    set access profile ClearPass_Auth accounting-order radius
    set access profile ClearPass_Auth authentication-order radius
    set access profile ClearPass_Auth radius accounting-server <CPPM-VIP-IP-Address>
    set access profile ClearPass_Auth radius options nas-identifier JuniperSwitch
    set access radius-options interim-rate 60

    DHCP Forwarding Options

    set forwarding-options dhcp-relay group DHCP_Relay interface <L3 Interfaces>
    set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM1-IP-Address>
    set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM2-IP-Address>

    Port Authentication (Dot1x/MAC)

    set protocols dot1x authenticator no-mac-table-binding
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant multiple
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius authentication-protocol pap

    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius flap-on-disconnect

    ASE Recommended Timers

    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all quiet-period 10
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all transmit-period 5
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all reauthentication 600
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant-timeout 10
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-timeout 5
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all maximum-requests 3
    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-fail use-cache

    Disable 802.1x (MAC Auth Only)

    set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius restrict

    Firewall Filters

    Port ACL/Firewall filters can be passed back from ClearPass as a Filter-ID.

    GuestUserFilter


    set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from destination-port 68
    set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from ip-protocol udp
    set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer then discard

    set firewall family ethernet-switching filter GuestUserFilter term ra-guard from ip-protocol icmp6
    set firewall family ethernet-switching filter GuestUserFilter term ra-guard from icmp-type router-advertisement
    set firewall family ethernet-switching filter GuestUserFilter term ra-guard then discard

    set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from ip-destination-address <IP Address>
    set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from destination-port [ <Ports Used> ]
    set firewall family ethernet-switching filter GuestUserFilter term <YourResource> then accept

    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from destination-port domain
    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
    set firewall family ethernet-switching filter GuestUserFilter term AllowDNS then accept

    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 from ip-destination-address 10.0.0.0/8
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 then discard

    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 from ip-destination-address 172.16.0.0/12
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 then discard

    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 from ip-destination-address 192.168.0.0/16
    set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 then discard

    set firewall family ethernet-switching filter GuestUserFilter term AllowInternet then accept

    AuthorizedUserFilter

    set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from destination-port 68
    set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from ip-protocol udp
    set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer then discard

    set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from ip-protocol icmp6
    set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from icmp-type router-advertisement
    set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard then discard

    set firewall family ethernet-switching filter AuthorizedUserFilter term allowall then accept

    References:

    https://ase.arubanetworks.com/solutions/id/97
    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-authentication-configuring.html
    https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-pnac-vsa-understanding.html
    https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-159-aruba-device-profiling.pdf
    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html
    https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html
    https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-157-aruba-dot1x-mac-configuring.pdf
    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/central-web-authentication-configuring.html
    https://www.juniper.net/documentation/en_US/junos/topics/example/authentication-captive-portal-els.html
    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/authentication-process-flow-chart-ex-series-switches.html

    VoIP LLDP Med

    https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-voip-ex-series-configuring.html
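    How the GuestUserFilter terms above behave once the switch applies them on the authenticated port, as an added example that is not part of the original post and not Junos code. The terms are encoded as data and sample client frames are walked through them in Junos order: the first term whose `from` conditions all hold decides, and a frame matching no term is discarded. The printer and resolver addresses are constructed stand-ins for `<YourResource>` and `<Internal DNS>`, and `MISWRITTEN_DHCP_TERM` is included to show what matching source-port 68 instead of destination-port 68 does in an ingress filter.

```python
"""First-match walk-through of the posted GuestUserFilter terms.

Added example, not from the original post. Junos firewall filters evaluate
top to bottom; the first matching term's action applies; implicit discard at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

Term = Tuple[str, Dict[str, Any], str]  # (term name, from-conditions, action)


@dataclass(frozen=True)
class Frame:
    """Fields of a client frame entering the access port (ingress direction)."""
    dst_ip: str = ""
    proto: str = ""       # udp | tcp | icmp6 ...
    src_port: int = 0
    dst_port: int = 0
    icmp_type: str = ""


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _matches(conditions: Dict[str, Any], frame: Frame) -> bool:
    """All 'from' conditions of a term must hold (Junos ANDs them)."""
    for key, want in conditions.items():
        if key == "ip-destination-address":
            if not frame.dst_ip:
                return False
            addr = ipaddress.ip_address(frame.dst_ip)
            # an IPv6 address is never inside an IPv4 prefix (and vice versa)
            if not any(addr in ipaddress.ip_network(n) for n in _as_list(want)):
                return False
        elif key == "destination-port":
            if frame.dst_port not in _as_list(want):
                return False
        elif key == "source-port":
            if frame.src_port not in _as_list(want):
                return False
        elif key == "ip-protocol":
            if frame.proto != want:
                return False
        elif key == "icmp-type":
            if frame.icmp_type != want:
                return False
        else:
            raise ValueError(f"unsupported match condition {key}")
    return True


def evaluate(terms: List[Term], frame: Frame) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term; implicit discard otherwise."""
    for name, conditions, action in terms:
        if _matches(conditions, frame):
            return name, action
    return "implicit-discard", "discard"


GUEST_USER_FILTER: List[Term] = [
    ("BlockDHCPServer", {"ip-protocol": "udp", "destination-port": 68}, "discard"),
    ("ra-guard", {"ip-protocol": "icmp6", "icmp-type": "router-advertisement"}, "discard"),
    # <YourResource>: a constructed printer that must sit above the RFC1918 discards
    ("Printer", {"ip-destination-address": "10.20.0.15/32", "destination-port": [631, 9100]}, "accept"),
    ("AllowDNS", {"ip-destination-address": ["10.20.0.53/32"], "destination-port": 53}, "accept"),
    ("BlockRFC1918_10", {"ip-destination-address": "10.0.0.0/8"}, "discard"),
    ("BlockRFC1918_172", {"ip-destination-address": "172.16.0.0/12"}, "discard"),
    ("BlockRFC1918_192", {"ip-destination-address": "192.168.0.0/16"}, "discard"),
    ("AllowInternet", {}, "accept"),
]

# Same intent, wrong field: on an ingress filter this matches the client's own
# DHCP Discover/Request (src 68 -> dst 67), not a rogue server's Offer (src 67 -> dst 68).
MISWRITTEN_DHCP_TERM: Term = ("BlockDHCPServer", {"ip-protocol": "udp", "source-port": 68}, "discard")

# Constructed sample frames as seen on the client's port.
CLIENT_DHCP_DISCOVER = Frame(dst_ip="255.255.255.255", proto="udp", src_port=68, dst_port=67)
ROGUE_DHCP_OFFER = Frame(dst_ip="255.255.255.255", proto="udp", src_port=67, dst_port=68)
IPV6_RA = Frame(dst_ip="ff02::1", proto="icmp6", icmp_type="router-advertisement")


if __name__ == "__main__":
    samples = [("client DHCP", CLIENT_DHCP_DISCOVER), ("rogue DHCP", ROGUE_DHCP_OFFER), ("IPv6 RA", IPV6_RA),
               ("printer", Frame("10.20.0.15", "tcp", 50000, 9100)),
               ("file server", Frame("10.20.0.99", "tcp", 50001, 445)),
               ("external DNS", Frame("8.8.8.8", "udp", 50002, 53))]
    for label, frame in samples:
        print(f"{label:13} -> {evaluate(GUEST_USER_FILTER, frame)}")
    print("client DHCP under miswritten term ->",
          evaluate([MISWRITTEN_DHCP_TERM] + GUEST_USER_FILTER[1:], CLIENT_DHCP_DISCOVER))
```

    Two things the walk-through makes visible: the `<YourResource>` term has to sit above the RFC1918 discards or it never fires, and `AllowInternet` also accepts DNS to any public resolver, so the posted AllowDNS term permits the internal resolver rather than forcing its use; a discard for udp/53 ahead of AllowInternet is needed if guests must use it.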

     

     



  • 10.  RE: ClearPass Switch Configuration

    Posted May 10, 2021 10:40 AM

    All, can you help me find out which AP from Extreme Networks is equivalent to the IAP 345 (JZ 031A)? And which switch from Extreme Networks is equivalent to the switch 2930M 48P (JL 323A)? Thanks