The third of my Clearpass howtos outlines the steps to authenticate an Aruba Switch via RADIUS with Clearpass. This post is going to build directly on the work that was completed in the second post. That post, on how to authenticate an Aruba Wireless Controller, can be found here:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Howto-Authenticate-to-an-Aruba-Controller-via-Clearpass-and/m-p/94828
The first thing to note is that we're going to set this up in the Aruba Switch CLI. Please let me know if you can figure out how to do this in the GUI, because I don't think it's possible with the most recent release.
Here are the steps necessary for an Aruba Switch running 7.2.3.0 to authenticate to Clearpass 6.2.1 via RADIUS.
Aruba Switch:
Configure Clearpass as a RADIUS server on the Aruba Switch:
1. SSH into the Aruba switch, enter enable mode, and enter the configuration mode.
2. Enter the following commands:
i. aaa authentication-server radius "<Clearpass server name>"
ii. host "<Clearpass IP address>"
iii. key <RADIUS shared secret key>
Create a Clearpass Server group on the Aruba Switch:
1. Enter the following commands:
i. aaa server-group "Clearpass"
ii. auth-server <Name of the server referenced above>
Configure Switch Management access via Clearpass:
1. Enter the following commands:
i. aaa authentication mgmt
ii. default-role "no-access"
iii. server-group "Clearpass"
iv. enable
v. mschapv2
Optional - to remove all local authentication add the following in the CLI:
mgmt-user localauth-disable
Clearpass:
There are only two changes that you'll need to make in order for the Aruba Switch to authenticate via Clearpass.
First, add the Aruba Switch as a network device to Clearpass:
1. Configuration > Network > Device
2. Add the Aruba Switch's IP in the "IP or Subnet Address" field
3. Enter the "RADIUS Shared Secret" that was defined above.
4. Select "Vendor Name:" of "Aruba"
5. Optional: Enter the following on the "SNMP Read Settings":
i. Check "Enable..." under "Allow SNMP Read:"
ii. Enter the appropriate "Community String"
iii. Check "Always read info..." under "Force Read:"
iv. Check "Read ARP table..." under "Read ARP Table Info"
6. Click "Save"
Second, add the Aruba Switch to the "Aruba Wireless" Device Group that was defined in the previous post.
1. Configuration > Network > Device groups > "Aruba Wireless"
2. Under the "List", move the Aruba Switch IP from the "Available Devices" to "Selected Devices"
3. Click "Save"
You now should be able to log into the Aruba Switch via the CLI or GUI with your AD credentials. The Aruba Switch uses the same management format and roles as an Aruba Controller. This means that the same RADIUS attributes that were defined in the previous post for the Aruba Controller will work with the Aruba Switch.
-Mike
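Added example, not part of the original post: a Python check that walks the reference chain built in the switch steps above (aaa authentication mgmt -> server-group -> auth-server -> host and key) over a saved copy of the configuration, and flags mgmt-user localauth-disable when that chain is broken. The sample config is constructed; the server name cppm01, the address, the secret and the indented layout are assumptions.

```python
# Constructed sample of the switch-side config from the steps above. Server name,
# address and secret are placeholders; the indented layout is an assumption.
SAMPLE_CONFIG = '''\
aaa authentication-server radius "cppm01"
   host "192.0.2.10"
   key EXAMPLE-SECRET
aaa server-group "Clearpass"
   auth-server cppm01
aaa authentication mgmt
   default-role "no-access"
   server-group "Clearpass"
   enable
   mschapv2
mgmt-user localauth-disable
'''

def parse_stanzas(text):  # top-level command -> list of indented sub-commands
    stanzas, current = {}, None
    for line in text.splitlines():
        cmd = line.strip().replace('"', "")
        if not cmd or cmd == "!":
            continue
        if not line[0].isspace():
            current = cmd
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(cmd)
    return stanzas

def audit_mgmt_auth(text):
    """Return findings; an empty list means the reference chain is intact."""
    st, findings = parse_stanzas(text), []
    mgmt = st.get("aaa authentication mgmt")
    if mgmt is None or "enable" not in mgmt:
        return ["RADIUS management authentication is not enabled"]
    if "default-role no-access" not in mgmt:
        findings.append("default-role is not no-access")
    group = next((c[13:] for c in mgmt if c.startswith("server-group ")), None)
    servers = [m[12:] for m in st.get(f"aaa server-group {group}", [])
               if m.startswith("auth-server ")]
    if not servers:
        findings.append(f"server-group {group} is missing or has no auth-server")
    for name in servers:
        sub = st.get(f"aaa authentication-server radius {name}", [])
        if not all(any(c.startswith(k) for c in sub) for k in ("host ", "key ")):
            findings.append(f"auth-server {name} lacks host or key")
    if findings and "mgmt-user localauth-disable" in st:
        findings.append("local auth is disabled while the RADIUS chain is broken")
    return findings
```

Running audit_mgmt_auth on a saved config before applying the optional localauth-disable step shows whether management logins still have a working path.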