08-27-2013 07:37 AM
The second of my Clearpass howtos outlines the steps to authenticate an Aruba Controller via RADIUS with Clearpass. As before, I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.
Here are the steps necessary for an Aruba Controller running 6.3.0.1 to authenticate to Clearpass 6.2 via RADIUS.
Aruba Controller:
I'm lifting the next three sets of steps from the "Aruba Wireless and Clearpass 6 Integration Guide 1.3." That guide is awesome and I recommend checking it out.
Configure Clearpass as a Radius server on the Aruba Controller
1. Configuration > Security > Authentication > Servers > RADIUS Server
2. Enter a name for the new server in the text box.
3. Click "Add" to create the RADIUS server.
4. Click on the newly created RADIUS server and enter the following information:
i. Enter the IP address under "Host"
ii. Enter and verify the RADIUS Shared Key in the "Key" fields
5. Click "Apply" at the bottom of the page.
Configure Clearpass as an RFC3576 server on the Aruba controller
1. Configuration > Security > Authentication > Servers > RFC 3576 server
2. Enter an IP address in the text box. This IP address should be the same as your Clearpass server.
3. Click "Add" to create the RFC 3576 Server.
4. Click on the newly created RFC 3576 Server and enter and verify the RADIUS Shared Key in the "Key" fields.
5. Click "Apply" at the bottom of the page.
Create a Clearpass Server group
1. Configuration > Security > Authentication > Servers > Server Group
2. Enter "Clearpass" for the new Server Group in the text box.
3. Click "Add" to create the Clearpass RADIUS Server Group.
4. Click on the newly created Clearpass RADIUS Server Group.
5. Under Servers, click the "New" button
6. Under Server name, select the Clearpass Server that you created above.
7. Click the "Add Server" button.
8. Click "Apply" at the bottom of the page.
Configure the Controller Management in the GUI:
1. Configuration > Management > Administration > Server Group > Select the Server Group that contains Clearpass.
2. Configuration > Management > Administration > Management Authentication Servers:
i. Select "no-access" for the Default Role.
ii. Check "Enable"
iii. Check "MSCHAPv2"
3. Click "Apply"
4. Click "Save Configuration"
Optional - Remove the check from "Allow Local Authentication" to force all controller authentications to go through Clearpass. This will effectively cancel out the local "admin" account. This should only be done once you're completely happy with the entire procedure.
5. Click "Add"
Here's what the CLI code looks like:
aaa authentication mgmt
default-role "no-access"
server-group "Clearpass"
enable
mschapv2
!
Optional - to remove all local authentication enter the following in the CLI:
mgmt-user localauth-disable
====
Clearpass:
Add the Aruba Controller as a network device to Clearpass:
1. Configuration > Network > Device
2. Add the Aruba Controller's IP in the "IP or Subnet Address"
3. Enter the "RADIUS Shared Secret" that was defined above.
4. Select "Vendor Name:" of "Aruba"
5. Optional: Enter the following on the "SNMP Read Settings":
i. Check "Enable..." under "Allow SNMP Read:"
ii. Enter the appropriate "Community String"
iii. Check "Always read info..." under "Force Read:"
iv. Check "Read ARP table..." under "Read ARP Table Info"
6. Click "Save"
Add the Aruba Controller to a Device Group:
I use device groups for everything in Clearpass. This step can be optional, it's just my personal preference.
1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" as "Aruba Wireless"
4. Select "List" under "Format"
5. Under the "List", move the Aruba Controller IP from the "Available Devices" to "Selected Devices"
6. Click "Save"
Create an Aruba Controller Enforcement Profile:
1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "Aruba RADIUS Enforcement" as the Template
4. Provide a name, "Aruba Controller"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
i. Type - "Radius:Aruba"
ii. Name - "Aruba-Admin-Role (4)"
iii. Value - "root"
Optional - this next line in the policy can be used to allow a root user to SSH directly into enable mode on the controller. I just found out about this last week and I've been rocking it out ever since! (Thanks, Phil!)
i. Type - "Radius:Aruba"
ii. Name - "Aruba-Priv-Admin-User (3)"
iii. Value - "1"
7. Finally, click "Save"
The returned role values correspond to the Aruba roles that are defined on page 939-942 in the 6.3 ArubaOS User Guide.
Create an Aruba Controller Enforcement Policy:
1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Aruba Controller Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
i. Type - Tips
ii. Name - Role
iii. Operator - EQUALS
iv. Value - Aruba-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Aruba Controller"
9. Click "Save"
Create an Aruba Controller Login Service:
1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Controller Logins"
5. Under "Service Rule" enter the following:
i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"
iv. Value - "Aruba Wireless"
6. Under Authentication:
i. Authentication Methods - MSCHAP, PAP
ii. Authentication Sources - <your AD>
7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
i. Type - Authorization:Windows-2012
ii. Name - memberOf
iii. Operator - EQUALS
iv. Value - CN=Aruba-Admins,CN=Users,DC=top,DC=local
v. Actions > "Role Name" > "Aruba Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Aruba Controller Login Enforcement Policy"
9. Click "Save"
You now should be able to log into the wireless controllers on the GUI and the CLI with your AD credentials via RADIUS. The above configuration will also allow you to perform AAA tests in the controller GUI under Diagnostics > AAA Test Server. You can verify that things are working by performing an AAA test, or by logging into the wireless controller and viewing the results in Clearpass' Access Tracker, found under Monitoring.
Let me know what you think and if it works out for you.
-Mike
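As an added example (not from Mike's post, nor ClearPass or Aruba code), the Python below builds the Access-Accept that the "Aruba Controller" enforcement profile above returns, with Aruba-Admin-Role (4) and Aruba-Priv-Admin-User (3) encoded as RADIUS Vendor-Specific attributes, computes and checks the RFC 2865 Response Authenticator that binds the reply to the RADIUS Shared Key, and parses the VSAs back out the way the controller would. Aruba's vendor ID 14823 is taken from the public Aruba RADIUS dictionary; the shared key and Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823      # Aruba's IANA enterprise number (public Aruba RADIUS dictionary)
ARUBA_PRIV_ADMIN_USER = 3    # Aruba-Priv-Admin-User (3), integer
ARUBA_ADMIN_ROLE = 4         # Aruba-Admin-Role (4), string

def aruba_vsa(vendor_type, value):
    # One Aruba sub-attribute wrapped in a RADIUS Vendor-Specific (type 26) attribute
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def build_access_accept(identifier, request_auth, secret, attrs):
    # RFC 2865 Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    # The controller's side of the shared key: a reply built with another secret is rejected
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_aruba_vsas(packet):
    # Return {vendor_type: raw value} for every Aruba VSA; reject malformed lengths
    found, pos = {}, 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        atype, data = packet[pos], packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(data) < 6 or struct.unpack("!I", data[:4])[0] != ARUBA_VENDOR_ID:
            continue
        sub = data[4:]
        while len(sub) >= 2:
            vlen = sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed Aruba VSA")
            found[sub[0]] = sub[2:vlen]
            sub = sub[vlen:]
    return found

def example_accept():
    # Constructed sample: the reply the "Aruba Controller" enforcement profile would return
    request_auth = bytes(range(16))        # fake Request Authenticator, not from a real packet
    secret = b"PLACEHOLDER-shared-key"     # stands in for the RADIUS Shared Key
    attrs = aruba_vsa(ARUBA_ADMIN_ROLE, b"root") + aruba_vsa(ARUBA_PRIV_ADMIN_USER, struct.pack("!I", 1))
    return build_access_accept(7, request_auth, secret, attrs), request_auth, secret
```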
Re: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS
08-27-2013 07:07 PM
Excellent work Sir!
May I recommend as a follow-on searching the Knowledge Base for 'For the Beginner - Configuring Clearpass for User Role assignments to the Aruba Controller' to exercise creating incoming user authentications to CPPM Roles and controller User Roles to build on your work.
Re: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS
03-11-2014 11:38 AM
I get a java error at this point
Create an Aruba Controller Login Service:
1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Controller Logins"
5. Under "Service Rule" enter the following:
i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"(this is where it throws an error)
iv. Value - "Aruba Wireless"
Tried on different browsers, computers, rebooted the server, etc. See attached for the error.
Re: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS
03-12-2014 01:06 PM
Make sure you are running the latest patch on 6.2 or 6.3. I also have seen that issue with cached info in the browser. Clear your cache and see if that helps.
Troy
Re: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS
03-20-2014 12:35 PM
@RR8 wrote: I get a java error at this point
Create an Aruba Controller Login Service:
1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Controller Logins"
5. Under "Service Rule" enter the following:
i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"(this is where it throws an error)
iv. Value - "Aruba Wireless"
Tried on different browsers, computers, rebooted the server, etc. See attached for the error.
I get the exact same error. Were you able to get past this? Thanks
Re: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS
03-20-2014 12:57 PM
yes, just export the service.. modify the XML manually and then reimport. works like a charm :)
04-02-2014 12:21 AM
Re: Howto: Authenticate to an Aruba Controller via Clearpass and RADIUS
01-23-2019 05:21 AM
That's an awesome explanation Boston, thanks a lot!
The only difference I made on your scenario is to disable mschapv2 under Mgmt Auth Servers on the controller. Because if I enable it, the client cannot be authenticated even if mschap is added as an authentication method on cppm. So I disable this option and could be authenticated with PAP successfully.