Contributor II
ClearPass Switch Configuration

I haven't seen too many switch configurations for doing ClearPass Wired authentication outside of HPE and Cisco switches so thought I'd start some here.

Contributor II

Extreme Networks 460-G2

ClearPass Integration Switch Configuration for Extreme Networks 460-G2 but should work with most any of the G2 switches and likely the G3s:

TACACS Admin Access

configure tacacs primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default
configure tacacs primary shared-secret <TACACS+ SECRET>
enable tacacs
enable tacacs-accounting
enable tacacs-authorization

Reference:

https://community.extremenetworks.com/extreme/topics/tacacs-configuration

Configure ClearPass RADIUS Server

configure radius netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>
configure radius-accounting netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>

Setup 802.1x and MAC Auth

create vlan nt_login
configure netlogin vlan nt_login
enable netlogin dot1x mac 
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order mac dot1x 
configure netlogin add mac-list default
configure netlogin dot1x timers quiet-period 15
configure netlogin dot1x timers supp-resp-timeout 15
configure netlogin dot1x timers server-timeout 20

Enable Port Authentication

configure netlogin ports <access-ports> mode port-based-vlans
enable netlogin ports <access-ports> dot1x mac
configure netlogin ports <access-ports> allowed-users 3 
configure netlogin ports <access-ports> restart

Voice:

Adding in Voice VLAN

create vlan Voice tag <VOIP vlan ID> vr VR-Default description "Voice VLAN for Phones"
configure vlan Voice add ports <access-ports> tagged

enable lldp ports <access-ports>
configure lldp port <access-ports> advertise vendor-specific dot1 vlan-name vlan <VOIP vlan>
configure lldp port <access-ports> advertise vendor-specific med power-via-mdi
configure lldp port <access-ports> advertise vendor-specific med policy application voice vlan <VOIP vlan> dscp 46
configure lldp port <access-ports> advertise system-capabilities
configure lldp port <access-ports> advertise vendor-specific dot1 port-protocol-vlan-id vlan <VOIP vlan>

Auth Failure VLAN

configure netlogin authentication failure vlan <Guest-VLAN>
configure netlogin ports <access-ports> mode mac-based-vlans
enable netlogin authentication failure vlan ports <access-ports>

Web Authentication / External Captive Portal

Layering in External Captive Portal

configure vlan nt_login ipaddress 10.x.x.1 255.255.255.0
configure dns-client add name-server <CPPM VIP> vr VR-Default
configure dns-client add domain-suffix <DNS Suffix>
configure vlan nt_login dhcp-address-range 10.x.x.10 - 10.x.x.250
configure vlan nt_login dhcp-options default-gateway 10.x.x.1
disable netlogin logout-privilege

configure netlogin base-url "<ClearPass URL>/guest/<GuestPageName>.php?mac=%{Connection:Client-Mac-Address}"

configure netlogin web-based authentication database-order radius

configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin dot1x mac web-based

enable netlogin ports <access-ports> dot1x mac web-based

References:
https://community.extremenetworks.com/extreme/topics/web_based_authentication_problem-1kp2qk
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-netlogin-dot1x-via-policy-manager-in-exos
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-Radius

Contributor II

Juniper EX Switches

For Captive Portal to work you must be running at least 15.1R6S3; for Juniper Port Bounce (needed if you're going to do CoA with a different VLAN/subnet) to work you must be running at least 17.3R1.

Check the JTAC recommended release here

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

Also Check Out the fine ASE solution here: 

https://ase.arubanetworks.com/solutions/id/97

TACACS+ Admin Access

Create Login Class

set system login class su-with-timeout idle-timeout 30
set system login class su-with-timeout permissions all

Create remote User

set system login user <TACACS Username> uid 1111
set system login user <TACACS Username> class su-with-timeout

Setup NTP

set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3

Set the Server

set system tacplus-server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret> 
set system tacplus-server <CPPM-VIP-IP-Address> source-address <IRB IP> 
set system tacplus-server <CPPM-VIP-IP-Address> timeout 30
set system authentication-order [ tacplus password ]

TACACS accounting

set system accounting events [ change-log  login ]
set system accounting destination tacplus server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret>  timeout 30 
set system accounting destination tacplus server <CPPM-VIP-IP-Address> source-address <IRB IP>

Reference:

https://www.juniper.net/documentation/en_US/junos/topics/concept/access-privileges-levels-overview.html

RADIUS Port Authentication

ClearPass service assumes the default port configuration is configured for the authenticated user VLAN

delete interfaces ge-0/0/x unit 0 family ethernet-switching vlan members 
set interfaces ge-0/0/x unit 0 family ethernet-switching vlan members <Default VLAN>

Enable HTTP and HTTPS services.

These services must be enabled for URL redirection. Please ensure that you have proper firewall filters to block management access.

set system services web-management http
set system services web-management https system-generated-certificate

Setup NTP

If you did not set up NTP with TACACS above please ensure NTP is properly configured. 

set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3

Radius Server Configuration

set access profile ClearPass_Auth radius authentication-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth accounting-order radius
set access profile ClearPass_Auth authentication-order radius
set access profile ClearPass_Auth radius accounting-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth radius options nas-identifier JuniperSwitch
set access radius-options interim-rate 60

DHCP Forwarding Options

set forwarding-options dhcp-relay group DHCP_Relay interface <L3 Interfaces>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM1-IP-Address>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM2-IP-Address>

Port Authentication (Dot1x/MAC)

set protocols dot1x authenticator no-mac-table-binding
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant multiple
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius authentication-protocol pap

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius flap-on-disconnect

ASE Recommended Timers

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all quiet-period 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all transmit-period 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all reauthentication 600
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant-timeout 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-timeout 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all maximum-requests 3
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-fail use-cache

Disable 802.1x (MAC Auth Only)

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius restrict

Firewall Filters

Port ACL/Firewall filters can be passed back from ClearPass as a Filter-ID. 
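
As an added example (not code from this thread, nor from Juniper or Aruba), the block below shows what the switch has to do with that Access-Accept before it trusts the Filter-Id inside it: recompute the Response Authenticator from RFC 2865 (MD5 over Code, ID, Length, the Request Authenticator it sent, the attributes, and the shared secret) and only then read the attribute. It uses only the Python standard library; the shared secret, Request Authenticator, MAC and filter name are constructed placeholders.

```python
# Added example (not from the thread): how a RADIUS client such as the switch
# validates a ClearPass Access-Accept and pulls out the Filter-Id it carries.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11


def encode_attr(attr_type: int, value) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (RFC 2865 section 5)."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code, ident, request_authenticator, attrs, secret):
    """Build a RADIUS response. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(body):
    """Walk the attribute list, refusing any length that runs past the packet."""
    attrs = []
    offset = 0
    while offset < len(body):
        if len(body) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", body, offset)
        if length < 2 or offset + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[offset + 2:offset + length]))
        offset += length
    return attrs


def verify_response(packet, request_authenticator, secret):
    """True only if the response was built with our secret for our request."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def filter_id_from_accept(packet, request_authenticator, secret):
    """Return the Filter-Id the switch should apply, or None when the packet is
    not an authentic Access-Accept for this request (wrong secret, tampered,
    truncated, or a Reject)."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in parse_attrs(packet[20:]):
        if attr_type == ATTR_FILTER_ID:
            return value.decode("utf-8", "replace")
    return None


# Constructed sample values: placeholders, not a real secret or a real host.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # the switch would pick this at random per request
SAMPLE_ACCEPT = build_response(
    ACCESS_ACCEPT, 7, REQUEST_AUTH,
    [(ATTR_USER_NAME, "aabbccddeeff"), (ATTR_FILTER_ID, "GuestUserFilter")],
    SECRET,
)

if __name__ == "__main__":
    print("Filter-Id:", filter_id_from_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("wrong secret:", filter_id_from_accept(SAMPLE_ACCEPT, REQUEST_AUTH, b"other"))
```

The MD5 construction is the protocol's own, not a design choice here; it is exactly why the `secret` on the `tacplus-server`/`radius` lines and the `source-address` binding matter, because a response that was not built with that secret, or whose attributes were altered in flight, fails this check and the Filter-Id in it is never applied. A stronger per-packet check, the Message-Authenticator attribute (HMAC-MD5), is not modelled above.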

 

GuestUserFilter

set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer then discard

set firewall family ethernet-switching filter GuestUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter GuestUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter GuestUserFilter term ra-guard then discard

set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from ip-destination-address <IP Address>
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from destination-port [ <Ports Used> ]
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> then accept


set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from destination-port domain
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS then accept

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 from ip-destination-address 10.0.0.0/8
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 then discard

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 from ip-destination-address 172.16.0.0/12
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 then discard

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 from ip-destination-address 192.168.0.0/16
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 then discard

set firewall family ethernet-switching filter GuestUserFilter term AllowInternet then accept

AuthorizedUserFilter

set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer then discard

set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard then discard

set firewall family ethernet-switching filter AuthorizedUserFilter term allowall then accept
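
To see what those terms actually do to traffic entering a guest port, here is an added example (not code from this thread or from Juniper) that models the GuestUserFilter as an ordered term list with Junos first-match semantics and an implicit discard, then runs constructed sample flows through it. The internal DNS address and the sample flows are made up; the evaluator is a simplified model (it ignores egress direction, fragments and the finer points of port matching without a protocol). It also shows why the BlockDHCPServer term must key on destination-port 68: a DHCP server's OFFER/ACK goes to port 68, whereas the client's own DISCOVER is sent from port 68, so a term written with `source-port 68` drops the client's own DHCP instead of the rogue server's.

```python
# Added example (not from the thread): a first-match evaluator for the
# GuestUserFilter terms, run over constructed sample flows.
import ipaddress

INTERNAL_DNS = "10.1.1.53"  # constructed stand-in for <Internal DNS / DNS Proxy>


def term(name, action, **match):
    """One filter term: name, action ('accept' / 'discard') and match conditions."""
    return {"name": name, "action": action, "match": match}


def _ip_in(address, prefix):
    """Prefix membership; different address families simply do not match."""
    try:
        return ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def matches(match, flow):
    """All conditions of a term must hold (they AND together, as in Junos)."""
    for key, want in match.items():
        have = flow.get(key)
        if key == "dst_ip":
            if have is None or not _ip_in(have, want):
                return False
        elif have != want:
            return False
    return True


def evaluate(terms, flow):
    """Junos semantics: the first matching term decides; no match -> discard."""
    for t in terms:
        if matches(t["match"], flow):
            return t["name"], t["action"]
    return "implicit-default", "discard"


# The GuestUserFilter terms as configured, in order.
GUEST_USER_FILTER = [
    term("BlockDHCPServer", "discard", proto="udp", dst_port=68),
    term("ra-guard", "discard", proto="icmp6", icmp_type="router-advertisement"),
    term("AllowDNS", "accept", dst_port=53, dst_ip=INTERNAL_DNS + "/32"),
    term("BlockRFC1918_10", "discard", dst_ip="10.0.0.0/8"),
    term("BlockRFC1918_172", "discard", dst_ip="172.16.0.0/12"),
    term("BlockRFC1918_192", "discard", dst_ip="192.168.0.0/16"),
    term("AllowInternet", "accept"),
]

# Same filter, but with the DHCP term keyed on source-port 68 instead.
SOURCE_PORT_VARIANT = [term("BlockDHCPServer", "discard", proto="udp", src_port=68)] + GUEST_USER_FILTER[1:]

# Constructed sample flows, as they would arrive on the guest's access port.
FLOWS = {
    "rogue_dhcp_offer": {"proto": "udp", "src_port": 67, "dst_port": 68, "dst_ip": "10.1.1.20"},
    "client_dhcp_discover": {"proto": "udp", "src_port": 68, "dst_port": 67, "dst_ip": "255.255.255.255"},
    "dns_to_internal": {"proto": "udp", "src_port": 51000, "dst_port": 53, "dst_ip": INTERNAL_DNS},
    "smb_to_fileserver": {"proto": "tcp", "src_port": 51001, "dst_port": 445, "dst_ip": "10.1.1.5"},
    "https_to_internet": {"proto": "tcp", "src_port": 51002, "dst_port": 443, "dst_ip": "93.184.216.34"},
    "rogue_ipv6_ra": {"proto": "icmp6", "icmp_type": "router-advertisement", "dst_ip": "ff02::1"},
}


def run_all(terms=GUEST_USER_FILTER):
    """Evaluate every sample flow; returns {flow name: (term name, action)}."""
    return {name: evaluate(terms, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, (term_name, action) in run_all().items():
        print(f"{name:22} -> {action:7} ({term_name})")
    print("source-port variant, client DISCOVER:", evaluate(SOURCE_PORT_VARIANT, FLOWS["client_dhcp_discover"]))
```

Running it shows the intended split: the rogue OFFER and the rogue IPv6 Router Advertisement are discarded, DNS to the permitted resolver and HTTPS to the internet are accepted, SMB to an internal host is caught by the RFC 1918 term, and the client's own DISCOVER reaches AllowInternet. The same DISCOVER is discarded by the source-port variant, which is the failure mode to test for before handing a filter name back from ClearPass.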

References:

https://ase.arubanetworks.com/solutions/id/97
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-pnac-vsa-understanding.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-159-aruba-device-profiling.pdf
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-157-aruba-dot1x-mac-configuring.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/central-web-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/example/authentication-captive-portal-els.html
https://www.juniper.net/documentation/en_US/junos/topics/reference/general/authentication-process-flow-chart-ex-series-switches.html

VoIP LLDP Med

https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-voip-ex-series-configuring.html

New Contributor

EXTREME NETWORKS

All, can you help me find out which AP from Extreme Networks is equivalent to IAP 345 (JZ 031A)? And which switch from EXTREME NETWORKS is equivalent to SWITCH 2930M 48P (JL 323A)? Thanks

New Contributor

Re: Extreme Networks 460-G2

For the Extreme, did you have to do anything special other than what you have here? I can't get the web portal to show up on the redirect.

Contributor II

Re: Extreme Networks 460-G2

Victor actually came up with the solution for this:

https://community.arubanetworks.com/t5/user/viewprofilepage/user-id/9462

SWITCH CONFIGURATION

configure policy captive-portal web-redirect 1 server 1 url https://ClearPassVIP.fqdn.com/guest/YourGuestPageName.php enable ----> Defines the URL
configure policy profile 1 name "GUEST-LOGON-ROLE" pvid-status "enable" pvid 0 cos 4 web-redirect 1 ----> Captive Portal Role
configure policy profile 2 name "GUEST-ROLE" pvid-status "enable" pvid 4095 ----> Final Guest Role
configure policy rule 1 udpdestportIP 53 mask 16 forward ----> Allows DNS
configure policy rule 1 udpdestportIP 67 mask 16 forward ----> Allows DHCP
configure policy rule 1 tcpdestportIP 80 mask 16 forward ----> Allows HTTP
configure policy rule 1 tcpdestportIP 443 mask 16 forward ----> Allows HTTPs
configure policy rule 1 ether 0x0806 mask 16 forward ----> Allows ARP
configure policy captive-portal listening 80 ----> Forces Redirect on port 80
configure policy captive-portal listening 8080 ----> Forces Redirect on port 8080
configure policy captive-portal listening 443 ----> Forces Redirect on port 443
enable policy ----> Enables the capability on the switch to do policy

MVP Expert

Re: Extreme Networks 460-G2

Here you go:

EXTREME SWITCH CONFIGURATION

********ENABLE GLOBAL RADIUS AUTH***********

configure radius netlogin 1 server <CPPM-1_IP> 1812 client-ip <SWITCH-MGMT-IP> vr VR-Default
configure radius netlogin 2 server <CPPM-2_IP> 1812 client-ip <SWITCH-MGMT-IP> vr VR-Default
configure radius 1 shared-secret "<RADIUS-SHARED-KEY>"
configure radius 2 shared-secret "<RADIUS-SHARED-KEY>"

create vlan NETLOGIN-VLAN
configure netlogin vlan NETLOGIN-VLAN
enable radius netlogin
configure radius timeout 5
configure radius netlogin timeout 5
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order dot1x mac
disable netlogin logout-privilege
disable netlogin session-refresh
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac timers reauth-period 86400
configure policy vlanauthorization enable ---> Allows dynamic VLAN creation from RADIUS attributes
configure policy maptable response both ---> Accept both filter ID and RADIUS attributes for policy mapping

***********ENABLE RADIUS ACCOUNTING*************

configure radius-accounting netlogin primary server <CPPM-1_IP> 1813 client-ip <SWITCH-MGMT-IP> vr VR-Default
configure radius-accounting netlogin primary shared-secret "<RADIUS-SHARED-KEY>"
configure radius-accounting netlogin secondary server <CPPM-2_IP> 1813 client-ip <SWITCH-MGMT-IP> vr VR-Default
configure radius-accounting netlogin secondary shared-secret "<RADIUS-SHARED-KEY>"
enable radius-accounting netlogin

***********ENABLE RADIUS COA**************

configure radius dynamic-authorization 1 server <CPPM-1_IP> client-ip <SWITCH-MGMT-IP> vr VR-Default shared-secret "<RADIUS-SHARED-KEY>"
configure radius dynamic-authorization 2 server <CPPM-2_IP> client-ip <SWITCH-MGMT-IP> vr VR-Default shared-secret "<RADIUS-SHARED-KEY>"
enable radius dynamic-authorization

*****ENABLE RADIUS (802.1X/MAC) AUTH ON PORT********

enable netlogin ports <PORT-LIST> dot1x mac
configure netlogin mac ports <PORT-LIST> timers reauth-period 86400 reauthentication on
configure netlogin dot1x ports <PORT-LIST> timers server-timeout 10 reauth-period 86400

****ENABLE POLICY FOR CAPTIVE PORTAL AUTH*********

[Image: Enable Extreme Policy.png]

CLEARPASS CONFIGURATION

***COA PROFILE*****

[Image: ClearPass CoA.png]

****ENFORCEMENT PROFILE TO RETURN ROLE/POLICY*****

Captive Portal Role

Final / Full Access Role

After the user performs captive portal authentication, assuming the authentication is successful, we will need to send the REGISTERED-ROLE and CoA and add the MAC caching information/attribute to the endpoint DB. The CoA will force the device to re-authenticate, and we will use the endpoint DB MAC caching attributes to provide the device access to the network.

*****WEB-LOGIN CONFIGURATION (LOGIN PAGE)******

To give time for the re-authentication to happen, we need to add 20 seconds.

[Image: Web Login Page.png]
[Image: Web Login Page 2.png]

We also need to change the CoA from 2 to 5 seconds.

**********WEB-AUTH SERVICE*********

[Image: ClearPass Web Auth Service 2.png]

**********FLOWCHART**********

[Image: Workflow.png]

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

New Contributor

Re: Extreme Networks 460-G2

Hi,

Thanks very much for this. However, what I don't see (and it's more than likely me) is where do you specify the ClearPass URL?

Here is a sample of the output from a show config

configure netlogin vlan temp
enable netlogin dot1x mac web-based
configure netlogin agingtime 1
configure netlogin web-based authentication database-order radius
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac timers reauth-period 60
enable netlogin ports 1 dot1x
enable netlogin ports 1 web-based
configure netlogin dot1x ports 1 timers quiet-period 15 supp-resp-timeout 2

disable netlogin logout-privilege
disable netlogin session-refresh
configure netlogin base-url "cppm-vip/guest/wired_main.php"
configure netlogin redirect-page "https://ukaea.uk"
configure netlogin ports 1 mode mac-based-vlans

Thanks

Jody Green
Computer Network Engineer
United Kingdom Atomic Energy Authority

MVP Expert

Re: Extreme Networks 460-G2

Forgot to add that part, just updated the post
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA