
Howto: Airwave authentication via Clearpass

The one thing that I really dig about Clearpass is the flexibility - the one thing that drives me up the wall is the lack of something akin to the VRDs. I figure, if I can't find it in the docs, I might as well create it and share it. I have a couple of solutions that I've put together that I will be sharing in the upcoming weeks.


The first one is how to authenticate Airwave via Clearpass. My lab is running Clearpass 6.2 and Airwave 7.7.3. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.


Here are the steps necessary for Airwave to authenticate to Clearpass via RADIUS.

Set up the RADIUS configuration in Airwave:


1. AMP Setup > Authentication > Enable RADIUS Authentication and Authorization > "Yes"
2. Add the Clearpass information to "Primary Server Hostname/IP Address"
3. Add the Clearpass shared secret to "Primary Server Secret" and confirm that secret
4. Click "Save"


Add a new Airwave user role:


1. AMP Setup > Roles > Add
2. Create a role called AMP-Administrator
3. Select a type of "AMP Administrator"
4. Check "Enabled" as Yes
5. Click "Add"




Add the Airwave network device to Clearpass:


1. Configuration > Network > Devices
2. Add the Airwave "IP or Subnet Address"
3. Enter the "RADIUS Shared Secret" that was defined above.
4. Select "Vendor Name:" of "Aruba"
5. Click "Save"


Add the Airwave network device to a Device Group:


I use device groups for everything in Clearpass. This step can be optional, it's just my personal preference.

1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" field
4. Select "List" under "Format"
5. Under the "List", move the Airwave Server IP from the "Available Devices" to "Selected Devices"
6. Click "Save"


Create an Airwave Enforcement Profile:


1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "Aruba RADIUS Enforcement" as the Template
4. Provide a name, "Aruba Airwave"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
   i. Type - "Radius:Aruba"
   ii. Name - "Aruba-Admin-Role (4)"
   iii. Value - "AMP-Administrator"
7. Finally, click "Save"


Create an Airwave Enforcement Policy:


1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Aruba Airwave Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
   i. Type - Tips
   ii. Name - Role
   iii. Operator - EQUALS
   iv. Value - Airwave-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Aruba Airwave"
9. Click "Save"


Create an Airwave Login Service:


1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Airwave Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"
   iv. Value - "Aruba Airwave"
6. Under Authentication:
   i. Authentication Methods - PAP
   ii. Authentication Sources - <your AD>
7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
   i. Type - Authorization:Windows-2012
   ii. Name - memberOf
   iii. Operator - EQUALS
   iv. Value - CN=Airwave-Admins,CN=Users,DC=top,DC=local
   v. Actions > "Role Name" > "Airwave Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Aruba Airwave Login Enforcement Policy"
9. Click "Save"


That should be it. You now should be able to log into Airwave with your AD credentials via RADIUS. You can verify that things are working by attempting to log in to Airwave and viewing the results in Clearpass at the Access Tracker found under Monitoring.


The above steps can also be extended to map AD users to other Airwave roles, such as a Help Desk account.


Let me know what you think and if it works out for you.
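
To check on the wire what the enforcement profile above returns, this added example (not part of the original post, and not Aruba code) verifies an Access-Accept's Response Authenticator per RFC 2865 and extracts the Aruba-Admin-Role VSA. The shared secret, request authenticator and packet are constructed, and the vendor ID 14823 and the function names are assumptions not found on the page.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number (not stated on the page)
ARUBA_ADMIN_ROLE = 4      # "Aruba-Admin-Role (4)" from the enforcement profile
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26

# Constructed sample values, not taken from any real deployment.
SAMPLE_SECRET = b"constructed-lab-secret"
SAMPLE_REQ_AUTH = bytes(range(16))

def build_accept(ident, request_auth, secret, role):
    """Build a sample Access-Accept (RFC 2865) carrying Aruba-Admin-Role."""
    vsa = struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_ADMIN_ROLE, 2 + len(role)) + role
    attrs = struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def admin_role_from_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return the Aruba-Admin-Role."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (shared secret differs?)")
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (ARUBA_VENDOR_ID, ARUBA_ADMIN_ROLE) and 2 <= vlen <= len(value) - 4:
                return value[6:4 + vlen].decode()
        pos += alen
    raise ValueError("Access-Accept carries no Aruba-Admin-Role")

if __name__ == "__main__":
    pkt = build_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET, b"AMP-Administrator")
    print(admin_role_from_accept(pkt, SAMPLE_REQ_AUTH, SAMPLE_SECRET))
```

An authenticator mismatch points at differing shared secrets between the Airwave and Clearpass entries; a missing VSA points at the enforcement profile not being applied.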



Re: Howto: Airwave authentication via Clearpass

Thanks for the guide.

There also is an arubapedia guide but I will check to see what the class level is. It might be set for partners only.

Thank you,
Troy Arnold

Please excuse any typos
Sent from my mobile device
Thank You,

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: Howto: Airwave authentication via Clearpass

How did you know I was just about to embark on that step!!?!




if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: Howto: Airwave authentication via Clearpass



I had a feeling there might be a couple of people out there in a similar boat. 




Re: Howto: Airwave authentication via Clearpass

Excellent work boston1630, thanks for your contribution.


To follow up on your work, I've created an enhancement request for CPPM to add a "Service Template" that does something along these lines.  This should simplify the task of integrating AirWave logins with ClearPass in a future software release - not sure which one at this point, but the ticket is in the system (it's #17427 FYI).


Thanks again and I look forward to seeing more great solutions!


Re: Howto: Airwave authentication via Clearpass

Hi Dave,


Thanks - that's an awesome idea! I'll be looking forward to this in future releases.




Re: Howto: Airwave authentication via Clearpass

This is something I'm trying to do, but I don't have the liberty of creating the groups in AD. However, I WOULD like to use AD for authentication. My thinking was that AD could be used for authN while the clearpass local DB could be used for authZ.


So, "holland" could exist in AD with my password.

Then, "holland" would exist in the CPPM Local DB with associated attributes which the CPPM enforcement policy leverages to return the appropriate Airwave role.

Has anyone made this work?

Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: Howto: Airwave authentication via Clearpass

Hey Ryan,

Try using AD as your authentication source and the Local Users SQL Db as your authorization source and then in the enforcement profile reference the TIPS role that is assigned in the local user database.





| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Howto: Airwave authentication via Clearpass

Did that, except I used custom attributes instead of tips role since I will need more granularity. No dice. I have a TAC case opened but was thinking somebody may have already done this in the community...
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: Howto: Airwave authentication via Clearpass



You can do what you are trying to accomplish. I just tested in my lab. The only thing is in your AD/LDAP source make sure you uncheck "Enable to use this authentication source to also fetch role mapping attributes"




I just made a copy of my AD Auth source and used it only for airwave.



Thank You,

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.