The second of my Clearpass howtos outlines the steps to authenticate an Aruba Controller via RADIUS with Clearpass. As before, I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.
Here are the steps necessary for an Aruba Controller running 6.3.0.1 to authenticate to Clearpass 6.2 via RADIUS.
Aruba Controller:
I'm lifting the next three sets of steps from the "Aruba Wireless and Clearpass 6 Integration Guide 1.3." That guide is awesome and I recommend checking it out.
Configure Clearpass as a Radius server on the Aruba Controller
1. Configuration > Security > Authentication > Servers > RADIUS Server
2. Enter a name for the new server in the text box.
3. Click "Add" to create the RADIUS server.
4. Click on the newly created RADIUS server and enter the following information:
i. Enter the IP address under "Host"
ii. Enter and verify the RADIUS Shared Key in the "Key" fields
5. Click "Apply" at the bottom of the page.
Configure Clearpass as an RFC3576 server on the Aruba controller
1. Configuration > Security > Authentication > Servers > RFC 3576 server
2. Enter an IP address in the text box. This IP address should be the same as your Clearpass server.
3. Click "Add" to create the RFC 3576 Server.
4. Click on the newly created RFC 3576 Server and enter and verify the RADIUS Shared Key in the "Key" fields.
5. Click "Apply" at the bottom of the page.
Create a Clearpass Server group
1. Configuration > Security > Authentication > Servers > Server Group
2. Enter "Clearpass" for the new Server Group in the text box.
3. Click "Add" to create the Clearpass RADIUS Server Group.
4. Click on the newly created Clearpass RADIUS Server Group.
5. Under Servers, click the "New" button
6. Under Server name, select the Clearpass Server that you created above.
7. Click the "Add Server" button.
8. Click "Apply" at the bottom of the page.
Configure the Controller Management in the GUI:
1. Configuration > Management > Administration > Server Group > Select the Server Group that contains Clearpass.
2. Configuration > Management > Administration > Management Authentication Servers:
i. Select "no-access" for the Default Role.
ii. Check "Enable"
iii. Check "MSCHAPv2"
3. Click "Apply"
4. Click "Save Configuration"
Optional - Remove the check from "Allow Local Authentication" to force all controller authentications to go through Clearpass. This will effectively disable the local "admin" account, so only do this once you're completely happy with the entire procedure.
5. Click "Add"
Here's what the CLI code looks like:
aaa authentication mgmt
   default-role "no-access"
   server-group "Clearpass"
   enable
   mschapv2
!
Optional - to remove all local authentication enter the following in the CLI:
mgmt-user localauth-disable
====
Clearpass:
Add the Aruba Controller as a network device to Clearpass:
1. Configuration > Network > Device
2. Add the Aruba Controller's IP in the "IP or Subnet Address"
3. Enter the "RADIUS Shared Secret" that was defined above.
4. Select "Vendor Name:" of "Aruba"
5. Optional: Enter the following on the "SNMP Read Settings":
i. Check "Enable..." under "Allow SNMP Read:"
ii. Enter the appropriate "Community String"
iii. Check "Always read info..." under "Force Read:"
iv. Check "Read ARP table..." under "Read ARP Table Info"
6. Click "Save"
Add the Aruba Controller to a Device Group:
I use device groups for everything in Clearpass. This step is optional; it's just my personal preference.
1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" as "Aruba Wireless"
4. Select "List" under "Format"
5. Under the "List", move the Aruba Controller IP from the "Available Devices" to "Selected Devices"
6. Click "Save"
Create an Aruba Controller Enforcement Profile:
1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "Aruba RADIUS Enforcement" as the Template
4. Provide a name, "Aruba Controller"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
i. Type - "Radius:Aruba"
ii. Name - "Aruba-Admin-Role (4)"
iii. Value - "root"
Optional - this next line in the policy can be used to allow a root user to SSH directly into enable mode on the controller. I just found out about this last week and I've been rocking it out ever since! (Thanks, Phil!)
i. Type - "Radius:Aruba"
ii. Name - "Aruba-Priv-Admin-User (3)"
iii. Value - "1"
7. Finally, click "Save"
The returned role values correspond to the Aruba roles that are defined on pages 939-942 of the 6.3 ArubaOS User Guide.
Create an Aruba Controller Enforcement Policy:
1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Aruba Controller Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
i. Type - Tips
ii. Name - Role
iii. Operator - EQUALS
iv. Value - Aruba-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Aruba Controller"
9. Click "Save"
Create an Aruba Controller Login Service:
1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Controller Logins"
5. Under "Service Rule" enter the following:
i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"
iv. Value - "Aruba Wireless"
6. Under Authentication:
i. Authentication Methods - MSCHAP, PAP
ii. Authentication Sources - <your AD>
7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
i. Type - Authorization:Windows-2012
ii. Name - memberOf
iii. Operator - EQUALS
iv. Value - CN=Aruba-Admins,CN=Users,DC=top,DC=local
v. Actions > "Role Name" > "Aruba Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Aruba Controller Login Enforcement Policy"
9. Click "Save"
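To make it concrete what the service rule, role mapping, enforcement policy and enforcement profile above actually produce on the wire, here is an added Python example that is not part of the original post and not Clearpass or Aruba code. It walks the same decision chain (NAD-IP-Address BELONGS_TO_GROUP "Aruba Wireless", memberOf EQUALS the Aruba-Admins DN, Tips role EQUALS Aruba-Admins, otherwise [Deny Access Profile]) and then builds the RADIUS Access-Accept carrying the Aruba-Admin-Role (4) and Aruba-Priv-Admin-User (3) vendor-specific attributes, signed with the shared key the way RFC 2865 describes. The controller IP, the shared key and the hashing of the Response Authenticator are constructed sample values and standard RFC 2865 behaviour; the Aruba enterprise number 14823 is the real IANA assignment. The group names and DN are taken from the post.

```python
import hashlib
import struct
from ipaddress import ip_address

ARUBA_VENDOR_ID = 14823          # Aruba Networks IANA enterprise number (real value)
ARUBA_PRIV_ADMIN_USER = 3        # Aruba-Priv-Admin-User (3), integer, as named in the post
ARUBA_ADMIN_ROLE = 4             # Aruba-Admin-Role (4), string, as named in the post
VENDOR_SPECIFIC = 26             # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# Constructed stand-ins for the Clearpass configuration described in the post.
DEVICE_GROUPS = {"Aruba Wireless": {"192.0.2.10"}}   # controller IP is a sample value
ROLE_MAPPING = {"CN=Aruba-Admins,CN=Users,DC=top,DC=local": "Aruba-Admins"}
# Enforcement policy: Tips role -> (Aruba-Admin-Role, Aruba-Priv-Admin-User); no match -> deny
ENFORCEMENT = {"Aruba-Admins": ("root", 1)}


def aruba_vsa(subtype, value):
    """Encode one Aruba VSA inside a RADIUS Vendor-Specific attribute (RFC 2865 s5.26)."""
    inner = struct.pack("!BB", subtype, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), ARUBA_VENDOR_ID) + inner


def decide(nad_ip, member_of):
    """Apply the service rule, role mapping and enforcement policy; return (code, attrs)."""
    # Service rule: Connection:NAD-IP-Address BELONGS_TO_GROUP "Aruba Wireless"
    if str(ip_address(nad_ip)) not in DEVICE_GROUPS["Aruba Wireless"]:
        return ACCESS_REJECT, []          # no service matched this request
    # Role mapping: Authorization:Windows-2012 memberOf EQUALS <DN> -> Tips role
    tips_roles = {ROLE_MAPPING[dn] for dn in member_of if dn in ROLE_MAPPING}
    # Enforcement policy: Tips:Role EQUALS Aruba-Admins -> [RADIUS] Aruba Controller profile
    for role in sorted(tips_roles):
        if role in ENFORCEMENT:
            admin_role, priv = ENFORCEMENT[role]
            attrs = [aruba_vsa(ARUBA_ADMIN_ROLE, admin_role.encode())]
            if priv:
                attrs.append(aruba_vsa(ARUBA_PRIV_ADMIN_USER, struct.pack("!I", priv)))
            return ACCESS_ACCEPT, attrs
    return ACCESS_REJECT, []              # Default Profile: [Deny Access Profile]


def build_response(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """What the controller does with the shared key: recompute the authenticator and compare."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + body + secret).digest() == auth


def parse_aruba_vsas(packet):
    """Pull the Aruba VSAs back out of a response so the returned role can be inspected."""
    out = {}
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", packet[pos + 2:pos + 6])[0] == ARUBA_VENDOR_ID:
            sub, sublen = packet[pos + 6], packet[pos + 7]
            out[sub] = packet[pos + 8:pos + 6 + sublen]
        pos += alen
    return out


if __name__ == "__main__":
    # Constructed request authenticator and shared key (never reuse sample keys in production).
    request_auth = bytes(range(16))
    secret = b"constructed-shared-key"
    code, attrs = decide("192.0.2.10", ["CN=Aruba-Admins,CN=Users,DC=top,DC=local"])
    pkt = build_response(code, 7, request_auth, attrs, secret)
    print("code", code, "valid", verify_response(pkt, request_auth, secret), parse_aruba_vsas(pkt))
```

The useful thing to notice when troubleshooting with Access Tracker is that a reject from an unmatched service rule (wrong NAD IP or a controller missing from the device group) and a reject from the default [Deny Access Profile] (user not in the AD group) look the same to the controller; only Clearpass can tell them apart. A wrong shared key fails the authenticator check before any of that, which is what the controller's AAA Test Server page surfaces.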
You should now be able to log into the wireless controllers on the GUI and the CLI with your AD credentials via RADIUS. The above configuration will also allow you to perform AAA tests in the controller GUI under Diagnostics > AAA Test Server. You can verify that things are working by performing an AAA test or by logging into the wireless controller and viewing the results in Clearpass' Access Tracker, found under Monitoring.
Let me know what you think and if it works out for you.
-Mike