Security

The second of my Clearpass howtos outlines the steps to authenticate an Aruba Controller via RADIUS with Clearpass. As before, I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

Here are the steps necessary for an Aruba Controller running 6.3.0.1 to authenticate to Clearpass 6.2 via RADIUS.

Aruba Controller:

I'm lifting the next 3 set of steps from the "Aruba Wireless and Clearpass 6 Integration Guide 1.3." That guide is awesome and I recommend checking it out.

 

Configure Clearpass as a Radius server on the Aruba Controller

 

1. Configuration > Security > Authentication > Servers > RADIUS Server
2. Enter a name for the new server in the text box.
3. Click "Add" to create the RADIUS server.
4. Click on the newly created RADIUS server and enter the following information:
   i. Enter the IP address under "Host"
   ii. Enter and verify the RADIUS Shared Key in the "Key" fields
5. Click "Apply" at the bottom of the page.

 

Configure Clearpass as an RFC3576 server on the Aruba controller

 

1. Configuration > Security > Authentication > Servers > RFC 3576 server
2. Enter an IP address in the text box. This IP address should be the same as your Clearpass server.
3. Click "Add" to create the RFC 3576 Server.
4. Click on the newly created RFC 3576 Server and enter and verify the RADIUS Shared Key in the "Key" fields.
5. Click "Apply" at the bottom of the page.

 

Create a Clearpass Server group

 

1. Configuration > Security > Authentication > Servers > Server Group
2. Enter "Clearpass" for the new Server Group in the text box.
3. Click "Add" to create the Clearpass RADIUS Server Group.
4. Click on the newly created Clearpass RADIUS Server Group.
5. Under Servers, click the "New" button
6. Under Server name, select the Clearpass Server that you created above.
7. Click the "Add Server" button.
8. Click "Apply" at the bottom of the page.

Configure the Controller Management in the GUI:

1. Configuration > Management > Administration > Server Group > Select the Server Group that contains Clearpass.
2. Configuration > Management > Administration > Management Authentication Servers:
   i. Select "no-access" for the Default Role.
   ii. Check "Enable"
   iii. Check "MSCHAPv2"
3. Click "Apply"
4. Click "Save Configuration"

 

Optional - Remove the check from "Allow Local Authentication" to force all controller authentications to go through Clearpass. This will effectively cancel out the local "admin" account. This should only be checked once you're completely happy with the entire procedure.

 

5. Click "Add"

Here's what the CLI code looks like:

aaa authentication mgmt
   default-role "no-access"
   server-group "Clearpass"
   enable
   mschapv2
!

 

Optional - to remove all local authentication enter the following in the CLI:

 

mgmt-user localauth-disable

====

 

Clearpass:

Add the Aruba Controller as a network device to Clearpass:

1. Configuration > Network > Device
2. Add the Aruba Controller's IP in the "IP or Subnet Address"
3. Enter the "RADIUS Shared Secret" that was defined above.
4. Select "Vendor Name:" of "Aruba"
5. Optional: Enter the following on the "SNMP Read Settings":
   i. Check "Enable..." under "Allow SNMP Read:"
   ii. Enter the appropriate "Community String"
   iii. Check "Always read info..." under "Force Read:"
   iv. Check "Read ARP table..." under "Read ARP Table Info"
6. Click "Save"

Add the Aruba Controller to a Device Group:

I use device groups for everything in Clearpass. This step can be optional, it's just my personal preference.

1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" as "Aruba Wireless"
4. Select "List" under "Format"
5. Under the "List", move the Aruba Controller IP from the "Available Devices" to "Selected Devices"
6. Click "Save"

Create an Aruba Controller Enforcement Profile:

1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "Aruba RADIUS Enforcement" as the Template
4. Provide a name, "Aruba Controller"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
   i. Type - "Radius:Aruba"
   ii. Name - "Aruba-Admin-Role (4)"
   iii. Value - "root"

Optional - this next line in the policy can be used to allow a root user to SSH directly into enable mode on the controller. I just found out about this last week and I've been rocking it out ever since! (Thanks, Phil!)
 

   i. Type - "Radius:Aruba"
   ii. Name - "Aruba-Priv-Admin-User (3)"
   iii. Value - "1"

 

7. Finally, click "Save"

The returned role values correspond to the Aruba roles that are defined on page 939-942 in the 6.3 ArubaOS User Guide.

Create an Aruba Controller Enforcement Policy:

1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Aruba Controller Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile] for the "Default Profile
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
   i. Type - Tips
   ii. Name - Role
   iii. Operator - EQUALS
   iv. Aruba-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Aruba Controller"
9. Click "Save"

Create an Aruba Controller Login Service:

1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Controller Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"
   iv. Value - "Aruba Wireless"
6. Under Authentication:
   i. Authentication Methods - MSCHAP, PAP
   ii. Authentication Sources - <your AD>
7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
   i. Type - Authorization:Windows-2012
   ii. Name - memberOf
   iii. Operator - EQUALS
   iv. Value - CN=Aruba-Admins,CN=Users,DC=top,DC=local
   v. Actions > "Role Name" > "Aruba Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Aruba Controller Login Enforcement Policy"
9. Click "Save"

You now should be able to log into the wireless controllers on the GUI and the CLI with your AD credentials via RADIUS. The above configuration will also allow you to perform AAA tests in the controller GUI under Diagnostics > AAA Test Server. You can verify that things are working by attempting by performing a AAA test or by logging into the wireless controller and viewing the results in Clearpass' Access Tracker found under Monitoring.

Let me know what you think and if it works out for you.

-Mike

Excellent work Sir!

May I recommend as a follow-on searching the Knowledge Base for 'For the Beginner - Configuring Clearpass for User Role assignments to the Aruba Controller' to exercise creating incoming user authentications to CPPM Roles and controller User Roles to build on your work.

I get a java error at this point

 

Create an Aruba Controller Login Service:

1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Controller Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"(this is where it throws an error)
   iv. Value - "Aruba Wireless"

 

tried on diff browsers, computers, rebooted server, etc.. see attached for error

make sure you are running the latest patch on 6.2 or 6.3. I also have seen that issue with cached info in the browers. Clear your cache and see if that helps

---

@RR8 wrote:

I get a java error at this point

 

Create an Aruba Controller Login Service:

1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Controller Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"(this is where it throws an error)
   iv. Value - "Aruba Wireless"

 

tried on diff browsers, computers, rebooted server, etc.. see attached for error

---

 

I get the exact same error.  Were you able to get past this?  Thanks

 

yes, just export the service.. modify the XML manually and then reimport.  works like a charm :)

That worked. Thanks.
------------------------------------------------------------
The information transmitted is intended only for the person
or entity to which it is addressed and may contain
proprietary, business-confidential and/or privileged material.
If you are not the intended recipient of this message you are
hereby notified that any use, review, retransmission, dissemination,
distribution, reproduction or any action taken in reliance upon
this message is prohibited. If you received this in error, please
contact the sender and delete the material from any computer.

Any views expressed in this message are those of the individual
sender and may not necessarily reflect the views of the company.
------------------------------------------------------------

That's an awesome explaination Boston, thanks a lot!

The only difference I made on your scenerio is to disable mschapv2 under Mgmt Auth Servers on controller. Because if I enable it, client cannot be authenticated even if mschap is added as authentication method on cppm. So I disable this option and could be authenticated with PAP sucsessfully.