Contributor II

ClearPass Switch Configuration

I haven't seen too many switch configurations for doing ClearPass wired authentication outside of HPE and Cisco switches, so I thought I'd start some here.

Contributor II

Extreme Networks 460-G2

ClearPass integration switch configuration for Extreme Networks 460-G2, but it should work with most any of the G2 switches and likely the G3s:

TACACS Admin Access

configure tacacs primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default
configure tacacs primary shared-secret <TACACS+ SECRET>
enable tacacs
enable tacacs-accounting
enable tacacs-authorization

Reference:

https://community.extremenetworks.com/extreme/topics/tacacs-configuration

Configure ClearPass RADIUS Server

configure radius netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>
configure radius-accounting netlogin primary server <CPPM VIP> client-ip <SWITCHES-IP-ADDRESS> vr VR-Default shared-secret <RADIUS SECRET>

Setup 802.1x and MAC Auth

create vlan nt_login
configure netlogin vlan nt_login
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order mac dot1x
configure netlogin add mac-list default
configure netlogin dot1x timers quiet-period 15
configure netlogin dot1x timers supp-resp-timeout 15
configure netlogin dot1x timers server-timeout 20

Enable Port Authentication

configure netlogin ports <access-ports> mode port-based-vlans
enable netlogin ports <access-ports> dot1x mac
configure netlogin ports <access-ports> allowed-users 3
configure netlogin ports <access-ports> restart

Voice:

Adding in Voice VLAN

create vlan Voice tag <VOIP vlan ID> vr VR-Default description "Voice VLAN for Phones"
configure vlan Voice add ports <access-ports> tagged

enable lldp ports <access-ports>
configure lldp ports <access-ports> advertise vendor-specific dot1 vlan-name vlan <VOIP vlan>
configure lldp ports <access-ports> advertise vendor-specific med power-via-mdi
configure lldp ports <access-ports> advertise vendor-specific med policy application voice vlan <VOIP vlan> dscp 46
configure lldp ports <access-ports> advertise system-capabilities
configure lldp ports <access-ports> advertise vendor-specific dot1 port-protocol-vlan-id vlan <VOIP vlan>

Auth Failure VLAN

configure netlogin authentication failure vlan <Guest-VLAN>
configure netlogin ports <access-ports> mode mac-based-vlans
enable netlogin authentication failure vlan ports <access-ports>

Web Authentication / External Captive Portal

Layering in External Captive Portal

configure vlan nt_login ipaddress 10.x.x.1 255.255.255.0
configure dns-client add name-server <CPPM VIP> vr VR-Default
configure dns-client add domain-suffix <DNS Suffix>
configure vlan nt_login dhcp-address-range 10.x.x.10 - 10.x.x.250
configure vlan nt_login dhcp-options default-gateway 10.x.x.1
disable netlogin logout-privilege

configure netlogin base-url "<ClearPass URL>/guest/<GuestPageName>.php?mac=%{Connection:Client-Mac-Address}"

configure netlogin web-based authentication database-order radius

configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin dot1x mac web-based

enable netlogin ports <access-ports> dot1x mac web-based

References:
https://community.extremenetworks.com/extreme/topics/web_based_authentication_problem-1kp2qk
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-with-Radius-on-EXOS
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-netlogin-dot1x-via-policy-manager-in-exos
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-Radius

Contributor II

Juniper EX Switches

For Captive Portal to work you must be running at least 15.1R6S3; for Juniper Port Bounce (needed if you're going to do CoA with a different VLAN/subnet) to work you must be running at least 17.3R1.

Check the JTAC recommended release here

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476 

Also check out the fine ASE solution here:

https://ase.arubanetworks.com/solutions/id/97 

TACACS+ Admin Access

Create Login Class

set system login class su-with-timeout idle-timeout 30
set system login class su-with-timeout permissions all

Create Remote User

set system login user <TACACS Username> uid 1111
set system login user <TACACS Username> class su-with-timeout

Setup NTP

set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3

Set the Server

set system tacplus-server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret>
set system tacplus-server <CPPM-VIP-IP-Address> source-address <IRB IP>
set system tacplus-server <CPPM-VIP-IP-Address> timeout 30
set system authentication-order [ tacplus password ]

TACACS+ Accounting

set system accounting events [ change-log login ]
set system accounting destination tacplus server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret> timeout 30
set system accounting destination tacplus server <CPPM-VIP-IP-Address> source-address <IRB IP>

Reference:

https://www.juniper.net/documentation/en_US/junos/topics/concept/access-privileges-levels-overview.html

RADIUS Port Authentication

The ClearPass service assumes the default port configuration is configured for the authenticated user VLAN.

delete interfaces ge-0/0/x unit 0 family ethernet-switching vlan members
set interfaces ge-0/0/x unit 0 family ethernet-switching vlan members <Default VLAN>

Enable HTTP and HTTPS services.

These services must be enabled for URL redirection. Please ensure that you have proper firewall filters to block management access. 

set system services web-management http
set system services web-management https system-generated-certificate

Setup NTP

If you did not set up NTP with TACACS above please ensure NTP is properly configured. 

set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3

Radius Server Configuration

set access profile ClearPass_Auth radius authentication-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth accounting-order radius
set access profile ClearPass_Auth authentication-order radius
set access profile ClearPass_Auth radius accounting-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth radius options nas-identifier JuniperSwitch
set access radius-options interim-rate 60

DHCP Forwarding Options

set forwarding-options dhcp-relay group DHCP_Relay interface <L3 Interfaces>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM1-IP-Address>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM2-IP-Address>

Port Authentication (Dot1x/MAC)

set protocols dot1x authenticator no-mac-table-binding
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant multiple
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius authentication-protocol pap

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius flap-on-disconnect

ASE Recommended Timers

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all quiet-period 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all transmit-period 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all reauthentication 600
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant-timeout 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-timeout 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all maximum-requests 3
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-fail use-cache

Disable 802.1x (MAC Auth Only)

set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius restrict

Firewall Filters

Port ACLs/firewall filters can be passed back from ClearPass as a Filter-Id.

GuestUserFilter

set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer then discard

set firewall family ethernet-switching filter GuestUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter GuestUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter GuestUserFilter term ra-guard then discard

set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from ip-destination-address <IP Address>
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from destination-port [ <Ports Used> ]
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> then accept


set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from destination-port domain
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS then accept

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 from ip-destination-address 10.0.0.0/8
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 then discard

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 from ip-destination-address 172.16.0.0/12
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 then discard

set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 from ip-destination-address 192.168.0.0/16
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 then discard

set firewall family ethernet-switching filter GuestUserFilter term AllowInternet then accept

AuthorizedUserFilter

set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer then discard

set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard then discard

set firewall family ethernet-switching filter AuthorizedUserFilter term allowall then accept

References:

https://ase.arubanetworks.com/solutions/id/97
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-pnac-vsa-understanding.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-159-aruba-device-profiling.pdf
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-157-aruba-dot1x-mac-configuring.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/central-web-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/example/authentication-captive-portal-els.html
https://www.juniper.net/documentation/en_US/junos/topics/reference/general/authentication-process-flow-chart-ex-series-switches.html

VoIP LLDP-MED:
https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-voip-ex-series-configuring.html
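The GuestUserFilter and AuthorizedUserFilter in the post above are evaluated first-match, which is why term order matters: the DHCP-server and RA-guard discards sit ahead of the broad accept, and the RFC1918 discards sit ahead of AllowInternet. The Python below is an added example, not code from the post or from Juniper. It models that first-match evaluation over constructed sample packets, selects a filter by the name ClearPass would return in RADIUS Filter-Id, and shows why BlockDHCPServer matches destination-port 68 (a rogue DHCP server's replies toward clients) without touching a client's own requests to port 67. The <YourResource> and <Internal DNS> addresses, the sample packets and the 203.0.113.10 "internet" host are constructed placeholders.

```python
# Added example: first-match simulation of the Junos ethernet-switching filters
# from the post. Addresses and packets below are constructed, not captured.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """One frame as seen ingress on the access port (constructed sample)."""
    dst_ip: str
    ip_protocol: str                    # "udp", "tcp" or "icmp6"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None     # e.g. "router-advertisement"


@dataclass
class Term:
    """One 'term' of a family ethernet-switching filter."""
    name: str
    action: str                         # "accept" or "discard"
    ip_protocol: Optional[str] = None
    icmp_type: Optional[str] = None
    dst_ports: List[int] = field(default_factory=list)
    dst_nets: List[str] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        # Junos ANDs the distinct 'from' conditions of a term and ORs the values
        # listed under one condition; a term with no 'from' clause matches everything.
        if self.ip_protocol and p.ip_protocol != self.ip_protocol:
            return False
        if self.icmp_type and p.icmp_type != self.icmp_type:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        if self.dst_nets and not any(
            ip_address(p.dst_ip) in ip_network(n) for n in self.dst_nets
        ):
            return False
        return True


def evaluate(terms: List[Term], p: Packet) -> Tuple[str, str]:
    """First matching term wins; a filter that matches nothing discards implicitly."""
    for t in terms:
        if t.matches(p):
            return t.name, t.action
    return "implicit", "discard"


# Constructed stand-ins for the <YourResource> and <Internal DNS> placeholders.
RESOURCE_IP = "10.10.10.10"
DNS_SERVER = "10.10.0.53"

GUEST_USER_FILTER = [
    Term("BlockDHCPServer", "discard", ip_protocol="udp", dst_ports=[68]),
    Term("ra-guard", "discard", ip_protocol="icmp6", icmp_type="router-advertisement"),
    Term("YourResource", "accept", dst_nets=[RESOURCE_IP + "/32"], dst_ports=[443]),
    Term("AllowDNS", "accept", dst_ports=[53], dst_nets=[DNS_SERVER + "/32"]),  # 'domain' is 53
    Term("BlockRFC1918_10", "discard", dst_nets=["10.0.0.0/8"]),
    Term("BlockRFC1918_172", "discard", dst_nets=["172.16.0.0/12"]),
    Term("BlockRFC1918_192", "discard", dst_nets=["192.168.0.0/16"]),
    Term("AllowInternet", "accept"),
]

AUTHORIZED_USER_FILTER = [
    Term("BlockDHCPServer", "discard", ip_protocol="udp", dst_ports=[68]),
    Term("ra-guard", "discard", ip_protocol="icmp6", icmp_type="router-advertisement"),
    Term("allowall", "accept"),
]

# The switch selects the filter by the name ClearPass returns in RADIUS Filter-Id.
FILTERS = {"GuestUserFilter": GUEST_USER_FILTER,
           "AuthorizedUserFilter": AUTHORIZED_USER_FILTER}


def apply_filter_id(filter_id: str, p: Packet) -> Tuple[str, str]:
    """Evaluate a packet against the filter named in Filter-Id (KeyError if unknown)."""
    if filter_id not in FILTERS:
        raise KeyError(f"no firewall filter named {filter_id!r} on the switch")
    return evaluate(FILTERS[filter_id], p)


# Constructed sample traffic as it would arrive on the access port.
DHCP_DISCOVER = Packet("255.255.255.255", "udp", src_port=68, dst_port=67)  # client request
DHCP_OFFER = Packet("255.255.255.255", "udp", src_port=67, dst_port=68)     # rogue server reply
ROUTER_ADVERT = Packet("ff02::1", "icmp6", icmp_type="router-advertisement")
DNS_QUERY = Packet(DNS_SERVER, "udp", src_port=40000, dst_port=53)
INTERNAL_SMB = Packet("10.20.30.40", "tcp", src_port=40001, dst_port=445)
INTERNET_HTTPS = Packet("203.0.113.10", "tcp", src_port=40002, dst_port=443)

if __name__ == "__main__":
    samples = [("DHCP discover", DHCP_DISCOVER), ("DHCP offer", DHCP_OFFER),
               ("router advertisement", ROUTER_ADVERT), ("DNS query", DNS_QUERY),
               ("internal SMB", INTERNAL_SMB), ("internet HTTPS", INTERNET_HTTPS)]
    for filter_id in FILTERS:
        for label, pkt in samples:
            print(f"{filter_id:21} {label:21} -> {apply_filter_id(filter_id, pkt)}")
```

Running it as a script prints each verdict. Two things worth noticing: a DHCP discover from the guest (source port 68, destination port 67) falls through to AllowInternet and is permitted, while a DHCP offer sent out of the same port (destination port 68) is discarded by the first term, so the client still gets an address but cannot act as a server; and because both filters end in an explicit accept, the implicit discard only fires for an empty or mis-pasted filter, which the evaluate() fallback makes visible.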
