Aruba Employee

Network access control with Aruba ClearPass and Siemens Switch

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.




This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.


How to use MAC Authentication:


Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with the following information: Auth. Server Type, Server Address, Server Port, Shared Secret



Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select the ports that should be used by ClearPass



Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret



Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add the following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

    Authorization failed -> Deny Access Profile

    Authorization succeeded -> Allow Access Profile



Create new Service:

Configuration -> Services -> Add

Add the following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = the Enforcement Policy created above



See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized, or add new devices



MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.


Addition: MAC Authentication with VLAN assignment:


VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)



Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add the following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

    Authorization succeeded & Description = COTSPD -> VLAN 30 Enforcement



Replace the old Enforcement Policy in the Service with this one:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement


Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add the following parameters:

Name (VLAN 30 Enforcement)

Action = Accept

    Important to add: Type = Radius: Avenda, Name = Avenda-Tag-Id, Value = 0



Devices are associated with a VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)
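To make the decision logic of the two enforcement policies above concrete, here is an added example (written for this page, not ClearPass or Siemens code) that models one MAC-authentication request passing through service classification, the Endpoints Repository authorization and the ordered enforcement rules, for both the basic policy and the VLAN Enforcement policy. The MAC addresses, endpoint entries and the switch's request format are constructed; MACs are normalized to lowercase hex without separators on the assumption that this is how the repository keys them; the VLAN profile is assumed to carry the standard RFC 3580 Tunnel attributes in addition to the Avenda-Tag-Id the post requires; and the Drop Access Profile (no RADIUS response) is represented as a result code "Drop".

```python
"""Model of the ClearPass MAC-authentication flow from the post above.

Constructed example, not ClearPass or Siemens code: requests, endpoint
repository and policy rules are built inline; all sample data is made up.
"""
import re
from dataclasses import dataclass, field

# Standard RADIUS values (RFC 2865 / RFC 3580): NAS-Port-Type 15 = Ethernet,
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
NAS_PORT_TYPE_ETHERNET = 15
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def normalize_mac(value: str) -> str:
    """Reduce any MAC notation (00:11:22:AA:BB:CC, 0011.22AA.BBCC, ...) to
    lowercase hex without separators (assumed endpoint-repository key form)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


@dataclass
class Endpoint:
    mac: str
    status: str                     # "Known" or "Unknown" (Identity -> Endpoints)
    attributes: dict = field(default_factory=dict)


# Constructed endpoint repository entries.
ENDPOINTS = {
    "001122aabbcc": Endpoint("001122aabbcc", "Known", {"Description": "COTSPD"}),
    "001122aabbdd": Endpoint("001122aabbdd", "Known"),
    "001122aabbee": Endpoint("001122aabbee", "Unknown"),
}

# Enforcement profiles: what the switch receives. The Drop profile sends no
# RADIUS response at all; it is modeled here as the result code "Drop".
ALLOW_ACCESS = {"code": "Access-Accept", "attrs": {}}
DENY_ACCESS = {"code": "Access-Reject", "attrs": {}}
DROP_ACCESS = {"code": "Drop", "attrs": {}}
VLAN30_ENFORCEMENT = {
    "code": "Access-Accept",
    "attrs": {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,          # assumed standard VLAN assignment
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": "30",
        "Avenda-Tag-Id": 0,                       # vendor attribute the post requires
    },
}

# Enforcement policies: ordered (condition, profile) rules plus a default profile.
BASE_POLICY = {  # policy from the first part of the post
    "default": DROP_ACCESS,
    "rules": [
        (lambda authorized, attrs: not authorized, DENY_ACCESS),
        (lambda authorized, attrs: authorized, ALLOW_ACCESS),
    ],
}
VLAN_POLICY = {  # "VLAN Enforcement" from the addition
    "default": DENY_ACCESS,
    "rules": [
        (lambda authorized, attrs: authorized and attrs.get("Description") == "COTSPD",
         VLAN30_ENFORCEMENT),
    ],
}


def matches_service(request: dict) -> bool:
    """Service conditions: NAS-Port-Type belongs to Ethernet and the client MAC
    (Calling-Station-Id) equals the RADIUS User-Name."""
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_ETHERNET:
        return False
    try:
        return normalize_mac(request["Calling-Station-Id"]) == normalize_mac(request["User-Name"])
    except (KeyError, ValueError):
        return False


def authorize(mac: str, repo: dict):
    """Authorization source = Endpoints Repository: only Known endpoints succeed.
    Returns (succeeded, endpoint attributes) for the enforcement rules."""
    endpoint = repo.get(normalize_mac(mac))
    if endpoint is None or endpoint.status != "Known":
        return False, {}
    return True, endpoint.attributes


def handle_request(request: dict, policy: dict, repo: dict = ENDPOINTS) -> dict:
    """One Access-Request through service match, [Allow All MAC AUTH] (the
    method itself accepts every request), authorization and enforcement."""
    if not matches_service(request):
        return {"code": "Access-Reject", "attrs": {}, "reason": "no service matched"}
    authorized, attrs = authorize(request["User-Name"], repo)
    for condition, profile in policy["rules"]:  # first matching rule wins
        if condition(authorized, attrs):
            return profile
    return policy["default"]


def mac_auth_request(mac: str) -> dict:
    """Constructed Access-Request as a MAC-authenticating switch port sends it."""
    return {"User-Name": mac, "User-Password": mac, "Calling-Station-Id": mac,
            "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET}


if __name__ == "__main__":
    for mac in ("00-11-22-AA-BB-CC", "00:11:22:aa:bb:dd", "0011.22aa.bbee", "00-11-22-aa-bb-ff"):
        print(mac, "->", handle_request(mac_auth_request(mac), VLAN_POLICY)["code"])
```

Running it shows the difference between the two policies: a Known endpoint without the COTSPD description is accepted by the basic policy but falls through to the Deny default of the VLAN policy, which is the behaviour to expect after the swap described in the post unless a further rule is added.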






Re: Network access control with Aruba ClearPass and Siemens Switch

Thank you Isabel,



We're currently in the process {COVID did not help} of validating interoperability between a number of Siemens OT switching lines and ClearPass Policy Manager.


We've completed our testing here for Scalance and pretty much had completed our testing with Ruggedcom for the 'basic' mac-auth/profile use-cases.


What we had just started before the lock-down bit us was testing the interop with the Ruggedcom + APE with Nozomi and Fortinet. COVID unfortunately stopped that validation in its tracks, but once we're back in the office we hope to re-start that project.



Best Regards

ClearPass Product Manager
