Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Auth and 802.1x on 205h/303h switch ports

  • 1.  MAC Auth and 802.1x on 205h/303h switch ports

    Posted Dec 18, 2018 01:52 PM

    We are a higher edu environment and have several hundred 205H and 303H Access points in our dorms. We are attempting to secure the switch ports in the bottom of these APs. We would like to manage this with Clearpass. There are a few types of devices and associated VLANs those devices get assigned to. This design is all implemented on wireless networks currently, but I cannot seem to get it functioning correctly for the wired ports.


    Device types are:

    -gaming/streaming (non 802.1x)

    -computers and other 802.1x devices.


    We have Windows environment with AD and NPS servers handling logins.


    When a device is plugged into the ports on the 205/303 AP, we need Clearpass to check if it is a registered device and then do MAC Auth assignment for the non-802.1x devices. If it is a laptop that is not registered for MAC auth, then Clearpass needs to request 802.1x credentials from the client for proper authentication and VLAN assignment.


    Does anyone have a how-to guide to walk us through the controller and Clearpass setup of this? We have already started to make some of the appropriate profiles and changes; for example, we have changed our controller ports so that connected clients now show up as users in the controller, and we have built out our VLAN assignment profiles. We are looking for a thorough guide to assist us with the remainder of this setup.


    Thank you in advance



  • 2.  RE: MAC Auth and 802.1x on 205h/303h switch ports

    EMPLOYEE
    Posted Dec 18, 2018 02:37 PM

    Take a look at the ClearPass Solution Guide for Wired Policy Enforcement. It does not specifically cover the AP wired ports, but the concepts for policy creation are similar to an Aruba switch.



  • 3.  RE: MAC Auth and 802.1x on 205h/303h switch ports

    Posted Dec 18, 2018 02:54 PM
    What version of AOS are you running?

    Do you want to support MAC auth and 802.1X on the same port?




  • 4.  RE: MAC Auth and 802.1x on 205h/303h switch ports

    Posted Dec 19, 2018 10:48 AM

    Hi Victor,


    Thank you for the response.


    We are running 6.5.4.5 and yes we want to be able to support both on the same port.


    We will actually be rolling this out to our standard wired ports on Juniper switches down the road as well. Any suggestions to make everything work the way needed, so that the rollout to Juniper switches goes smoothly?



  • 5.  RE: MAC Auth and 802.1x on 205h/303h switch ports

    Posted Dec 19, 2018 11:31 AM
    You should be able to implement this with Juniper switches as well.



  • 6.  RE: MAC Auth and 802.1x on 205h/303h switch ports

    Posted Dec 21, 2018 03:37 PM

    The following configuration on the controller seems to be correctly sending the traffic to Clearpass and allowing 802.1x. This also allows devices wired into the access points to be viewable in the controller.


    Wired AP Profile

    • Shut down: Unchecked
    • Remote AP Backup: Unchecked

    Wired AP:

    • Wired AP: Checked
    • Trusted: Unchecked
    • Forward Mode: Tunnel
    • Switchport Mode: Access
    • Access mode VLAN: Guest VLAN
    • Broadcast: checked

    AAA Profile:

    • L2 Authentication Fail Through: Checked
    • MAC Authentication: Standard MAC Auth profile
    • MAC Authentication Server Group: Clearpass-server-group
    • 802.1x Authentication:
      • Termination: Checked
      • Termination EAP Type: eap-peap
      • Termination Inner-eap type: eap-MSCHAPv2
      • Advanced > Reauthentication: Unchecked
    • 802.1x Authentication Server Group: Clearpass-Server-Group
    • RADIUS Server Group: Clearpass-Server-Group
    • User Role: ResidentialWired
      • Global-sacl, apprf-ResidentialWired-sacl, clearpass, logon-control


    Any suggestions on the clearpass side?

    I believe I have 802.1x devices authenticating properly. I am, however, having trouble with MAC auth: the delay in profiling requires me to physically unplug and reconnect to get the correct profiles after profiling. I tried creating a CoA to bounce the port, but it does not seem to be working. Also, any suggestions on combining the MAC auth and 802.1x into the same service, or should they be separated? Any examples or how-to guides would be greatly appreciated.
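Added example (not from the poster or from HPE Aruba): when a CoA or Disconnect-Request from the RADIUS server "does not seem to be working", the most common silent failure is a Request Authenticator mismatch, because RFC 5176 tells the NAS to drop such packets without any NAK. The code below builds a Disconnect-Request keyed on Calling-Station-Id exactly as RFC 5176 specifies and re-runs the NAS-side authenticator check, so a captured packet can be validated offline against the shared secret. The MAC string, NAS IP and secret are constructed values; the MAC format the controller matches on is assumed to be whatever it reported in the original Access-Request.

```python
import hashlib
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 packet codes
COA_REQUEST = 43
ATTR_NAS_IP_ADDRESS = 4          # standard RADIUS attribute types
ATTR_CALLING_STATION_ID = 31


def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs: 1-byte type, 1-byte length (header included), value."""
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def build_request(code, identifier, attrs, secret):
    """Build a CoA/Disconnect-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret); a NAS
    that computes a different value silently discards the packet."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """Re-run the NAS-side check on a received request. True only if the length is
    consistent and the shared secret (and every attribute byte) matches the sender's."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return expected == packet[4:20]


def disconnect_for_mac(mac, nas_ip, secret, identifier=1):
    """Disconnect-Request identifying the session by client MAC, as a RADIUS server sends it to the NAS."""
    attrs = [
        (ATTR_CALLING_STATION_ID, mac.encode()),
        (ATTR_NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split("."))),
    ]
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)
```

Feeding the bytes of a packet captured between the RADIUS server and the controller into `verify_request` with the secret configured on each side shows immediately whether a secret mismatch is what makes the bounce fail.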



  • 7.  RE: MAC Auth and 802.1x on 205h/303h switch ports

    Posted Dec 18, 2018 05:47 PM
    Can you even do both on the same port in ArubaOS?




  • 8.  RE: MAC Auth and 802.1x on 205h/303h switch ports

    Posted Dec 18, 2018 05:54 PM
    Yes, you just need to enable L2 fail-through under the AAA profile.



    Thank you

    Victor Fabian
