Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

  • 1.  Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Jan 02, 2020 07:44 PM

    Please, I have searched but have been unable to come across an 802.1x wired configuration setup for both user and machine authentication via CPPM. What I see is for 802.1x wireless.

    We have CPPM (version 6.8) in our environment, and I want to set up 802.1x wired where users would use both their AD credentials as well as their domain-joined PCs to gain access to the network. The domain-joined PCs are in an OU in the AD which I want to use.

     

    At the moment, only user authentication works. As soon as I add a role mapping to the conditions under the Enforcement Policy for [machine authenticated], wired 802.1x fails. I'm using an ArubaOS 2920 (version 16.09) switch as well but I do not think my issue is at the switch level. I think I am missing something on CPPM.

     

    Lest I forget, I'm new to Aruba.

     

    Thanks for your help.



  • 2.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication
    Best Answer

    Posted Jan 03, 2020 04:23 AM

    The endpoint must have executed an 802.1x wired machine authentication successfully; it then receives the mark [machine authenticated].

     

    After that you can use the role [machine authenticated] during your user authentication.

     

    Have you enabled cached roles in your 802.1x enforcement?

     



  • 3.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Jan 27, 2020 03:35 PM

    Thanks Fabian Klaring, 

    It worked successfully. I used both the roles [machine authenticated] and another user role which I created that is mapped to the group in the AD; all for user authentication.

     

    But please, I just want to understand the essence of enabling cached roles. I actually did it but, honestly, I cannot defend the reason why I did it.



  • 4.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Jan 28, 2020 03:05 AM

    You are performing 2 separate 802.1X authentications (user and computer).

     

    When your machine authentication is successful, the result is stored (cached) within ClearPass for a default period of 24 hours; you can adjust this time in the service parameters.

     

    Next, you will perform a user authentication, but you need the previous result of the machine auth, which is stored in the ClearPass cache, and combine the 2 results of both machine and user authentication.

     

    This is basically just some ClearPass intelligence for combining 2 separate auths into 1 policy.
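    As an added illustration (not ClearPass code and not from anyone in this thread), here is a small Python model of the cached-role behaviour described above: a successful machine auth is stored per client MAC for 24 hours, and a later user auth merges that cached role with the user's AD-group role before the enforcement policy is evaluated. The MAC addresses, user names, group names and profile labels are constructed; the model also shows why the policy falls through to its default when caching is off, when the cache entry has expired, or when the machine never authenticated.

```python
from datetime import datetime, timedelta

# Constructed stand-ins for the AD lookups: hosts in the computer OU, users with groups.
DOMAIN_COMPUTERS_OU = {"aa:bb:cc:00:00:01"}
USER_GROUPS = {"alice": {"Domain Users", "Staff"}, "bob": {"Domain Users"}}

MACHINE_AUTH_TTL = timedelta(hours=24)  # default cache period stated in the thread
MACHINE_AUTHENTICATED = "[machine authenticated]"


class CachedRoleStore:
    """Successful machine-auth results keyed by client MAC, each with a timestamp."""

    def __init__(self, ttl=MACHINE_AUTH_TTL):
        self.ttl = ttl
        self._cache = {}

    def record_machine_auth(self, mac, now):
        self._cache[mac] = now

    def machine_roles(self, mac, now):
        """Return the cached machine role only while the entry is within its TTL."""
        stamped = self._cache.get(mac)
        if stamped is None or now - stamped > self.ttl:
            return set()
        return {MACHINE_AUTHENTICATED}


def machine_auth(store, mac, now):
    """802.1X computer authentication: succeeds only for hosts in the target OU."""
    if mac not in DOMAIN_COMPUTERS_OU:
        return False
    store.record_machine_auth(mac, now)
    return True


def user_auth(store, mac, username, now, use_cached_roles=True):
    """802.1X user authentication that merges cached machine roles with AD roles.

    Full access needs both the staff role and [machine authenticated]; anything
    else falls through to the policy default (the 'failure' the poster observed).
    """
    if username not in USER_GROUPS:
        return "REJECT"  # bad credentials: no role mapping happens at all
    roles = {"Staff-Role"} if "Staff" in USER_GROUPS[username] else set()
    if use_cached_roles:
        roles |= store.machine_roles(mac, now)
    if {"Staff-Role", MACHINE_AUTHENTICATED} <= roles:
        return "Corp-Full-Access"
    return "[Deny Access Profile]"
```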



  • 5.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Feb 10, 2020 06:17 PM

    Thanks Fabian Klaring for the clarification.

     

    Another challenge: I tried testing BYOD and Guest wired. The objective is to allow employees to connect with a BYOD laptop to an ArubaOS switch port and be presented with a captive portal to enter their AD username and password; if successfully authenticated, they gain Internet access only.

     

    Also, a guest should be able to connect his/her laptop to a switch port and be redirected to a captive portal as well for guest user account authentication. Should a guest user account exist, only Internet access is granted; else, the guest can register via the captive portal to get sponsored by an employee.

     

    On the ArubaOS switch, I configured 2 local user roles: one that maps to a captive-portal profile for redirect to CPPM, and the other one that maps to a policy for Internet access only. See details below.

     

    class ipv4 "DNS"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    exit
    class ipv4 "DHCP"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    exit
    class ipv4 "INTERNAL"
    10 match ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
    exit
    class ipv4 "IP-ANY-ANY"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    class ipv4 "WEB-TRAFFIC"
    10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
    exit
    class ipv4 "CLEARPASS-WEB"
    10 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 80
    20 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 443
    exit

    policy user "BYOD_GUEST_WIRED"
    10 class ipv4 "DNS" action permit
    20 class ipv4 "DHCP" action permit
    30 class ipv4 "INTERNAL" action deny
    40 class ipv4 "IP-ANY-ANY" action permit
    exit
    policy user "CLEARPASS-REDIRECT"
    10 class ipv4 "DNS" action permit
    20 class ipv4 "DHCP" action permit
    30 class ipv4 "CLEARPASS-WEB" action permit
    40 class ipv4 "WEB-TRAFFIC" action redirect captive-portal
    exit

    aaa authorization user-role enable
    aaa authentication port-access eap-radius
    aaa authentication captive-portal enable
    aaa port-access authenticator 18-20
    aaa port-access authenticator 18 client-limit 2
    aaa port-access authenticator 19 client-limit 2
    aaa port-access authenticator 20 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 18-20
    aaa port-access mac-based 18 addr-limit 2
    aaa port-access mac-based 19 addr-limit 2
    aaa port-access mac-based 20 addr-limit 2

    aaa authorization user-role name "Wired_BYOD_Guest"
    policy "BYOD_GUEST_WIRED"
    reauth-period 21600
    vlan-id 247
    exit
    aaa authorization user-role name "Wired_BYOD_Guest_Profile"
    captive-portal-profile "use-radius-vsa"
    policy "CLEARPASS-REDIRECT"
    vlan-id 247
    exit
    radius-server host 10.100.1.44 encrypted-key "xxxxxxxxxx"
    radius-server host 10.100.1.44 dyn-authorization
    radius-server host 10.100.1.44 time-window plus-or-minus-time-window
    radius-server host 10.100.1.44 time-window 0


    ip source-interface radius vlan 144

    vlan 247
    name "BYOD_Guest_VLAN"
    untagged 18-20
    tagged 24
    ip address 192.168.10.2 255.255.255.0
    exit

     

    interface 18-20
    untagged vlan 247
    aaa port-access authenticator
    aaa port-access authenticator client-limit 2
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    exit

    -------------------------------------------------------------------------

    BYOD wired test worked fine. I have 3 services on CPPM: MAC Auth, 802.1x, and WEBAUTH. However, this successful test created an issue for domain-joined PCs/laptops undergoing machine authentication. Right now, a domain-joined PC matches both the MAC Auth and the 802.1x service at the same time, and this makes the domain PCs and even the IP phones get stuck at the captive portal page under VLAN 247.

     

    Is there a way to force domain-joined PCs out of MAC Auth to match the 802.1x service only? The PCs use the Windows supplicant, and the authentication method for the 802.1x service is EAP-PEAP and EAP-MSCHAPv2.

     

    I appreciate any advice for best practices in this kind of scenario.




  • 6.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    EMPLOYEE
    Posted Feb 11, 2020 10:02 AM

    Traditionally with ProCurve switches, they generated the 802.1X and MAC-Auth at a very similar time, where the 802.1X Accept takes precedence over a MAC-Auth Accept, which takes precedence over a Reject.

    With 16.04 (?) we introduced the concept of order and priority, using the following commands:

    aaa port-access 1-5 auth-order authenticator mac-based

    aaa port-access 1-5 auth-priority authenticator mac-based

    This will prefer 802.1X over MAC-Auth.



  • 7.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    Posted Feb 12, 2020 01:12 PM

    Thanks dmellor,

     

    Unfortunately, I'm using a 2920 switch and this command is not recognized on it. 



  • 8.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    EMPLOYEE
    Posted Feb 13, 2020 06:16 AM

    DI, some time ago I put this presentation together. Have a look at slides 115-124; there might be something of interest.

    There's loads more in this presentation...

    This is not an official document, so it might have mistakes; treat with care. Any suggestions/feedback welcome.




  • 9.  RE: Configuring 802.1x Wired on CPPM for Both User and Machine Authentication

    EMPLOYEE
    Posted Jan 03, 2020 04:37 AM

    Are you using the right 802.1x wired services in CPPM? In the service type, NAS-Port-Type should be Ethernet (15):

     

    1. Radius:IETF NAS-Port-Type EQUALS Ethernet (15)
    2. Radius:IETF Service-Type BELONGS_TO Login-User (1), Framed-User (2), Authenticate-Only (8)

    If the request is coming in but authentication is failing, then check Access Tracker > Alerts section for more details.

     

    If you are trying to authenticate Windows clients using machine authentication as well, then make sure to set the authentication mode to "User or computer authentication".


     

    This link provides the CPPM technical documents:

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx