Security

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

Hi,

i am currently trying to get 802.1X (not MAC-Auth) on Siemens XC208G against ClearPass up and running.
So far the "Guide" provided is very helpfull. I am currently stuck at NOT receiving an "End-Host Identifier" in the Radius request. This is leading to ClearPass not beeing able to properly assign Roles based on the Endpoints repository. I Have checked all information i could get on thte Scalance XC208G Switches but it does not mention anything related.

ClearPass is on 6.10.7.187596
Siemens Scalance XC208G is on V04.03.01

Any help would be highly appreciated

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)

Hi,

i am currently trying to get 802.1X (not MAC-Auth) on Siemens XC208G against ClearPass up and running.
So far the "Guide" provided is very helpfull. I am currently stuck at NOT receiving an "End-Host Identifier" in the Radius request. This is leading to ClearPass not beeing able to properly assign Roles based on the Endpoints repository. I Have checked all information i could get on thte Scalance XC208G Switches but it does not mention anything related.

ClearPass is on 6.10.7.187596
Siemens Scalance XC208G is on V04.03.01

Any help would be highly appreciated

As a result of digitization, IT (Information Technology) and OT (Operational Technology) are growing closer and closer together, leading to an increasing number of IT-based systems in OT. These systems are potentially not under the control of IT operations and represent a possible security gap, so the use of network access control systems in OT is becoming increasingly important. Aruba and Siemens formed a strategic partnership to bridge the gap between IT and OT.

This post is about how the network access of a Siemens Switch (Scalance XC216-4C G, Version 04.01.00) can be controlled with Aruba ClearPass (6.8.0). For this purpose, MAC authentication is used. This means, based on the identity of the end systems maintained in ClearPass, these devices are authenticated on the Switch port. If the authentication is successful, the communication on the Switch port is allowed. If the device is not authorized, no communication is allowed.

How to use MAC Authentication:

Add ClearPass as RADIUS server on Switch Interface:

On Switch Interface go to Security -> AAA -> RADIUS Client -> Create

Add ClearPass with following information: Auth. Server Type, Server Address, Server Port, Shared Secret

Configure ports to be used by ClearPass:

On Switch Interface go to Security -> AAA -> 802.1X Authenticator

Select Ports, which should be used by ClearPass

Add Switch in ClearPass:

In ClearPass go to Configuration -> Network -> Devices -> Add Switch

With Name, IP Address and Shared Secret

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Enforcement Type = RADIUS

Default Profile = Drop Access Profile

Add 2 rules:

          Authorization failed -> Deny Access Profile

          Authorization successed -> Allow Access Profile

Create new Service:

Configuration -> Services -> Add

Add following parameters:

Type = MAC Authentication

Conditions = NAS-Port-Type belongs to Ethernet & Client-MAC-Address equals Radius Username

Authentication = Method Allow All MAC Auth, Source Endpoints Repository

Authorization = Endpoints Repository

Enforcement = Above created Enforcement Policy

See authorized and unauthorized devices:

Configuration -> Identity -> Endpoints

Set Status to Known if a device should be authorized or add new devices

MAC Authentication with Aruba ClearPass is the basis for various use cases. It is possible to further process the result of the authentication with another enforcement profile which is used in the enforcement policy. For example, the enforcement profile could trigger a lamp with different colors to give a visual representation of the authentication result.

Addition: MAC Authentication with VLAN assignment:

VLAN Configuration on Switch Interface:

On Switch Interface go to Layer 2 -> VLAN

Assign Uplink Port statically to a VLAN (VLAN10)

Create new Enforcement Policy:

Configuration -> Enforcement Policies -> Add

Add following parameters:

Name = VLAN Enforcement

Enforcement Type = RADIUS

Default Profile = Deny Access Profile

Add rules for VLAN assignment, for example:

          Authorization successed & Description = COTSPD -> VLAN 30 Enforcement

Exchange this Enforcement Policy with the old one in the Service:

Configuration -> Service -> Edit Service (Siemens MAC Auth) -> Enforcement Tab

Select VLAN Enforcement

Create Enforcement Profiles based on the Actions in the Rule of Enforcement Policy:

Configuration -> Enforcement -> Profiles -> Add

Add following parameters:

Name (VLAN 30 Enforcement)
Type = RADIUS

Action = Accept

Attributes:

          Important to add: Type Radius: Avenda, Name Avenda-Tag-Id, Value 0

Devices are associated to VLAN based on attributes:

See in Endpoints Repository (Configuration -> Identity -> Endpoints -> Edit)