
Re: Switch authentication

Got it...so...in the Configuration --> Start here screen, click RADIUS Enforcement Generic towards the bottom of the list.

For the services tab, here is my output:

Screen Shot 2013-12-02 at 1.46.05 PM.png

Then, on the Authentication Tab, here is a screen shot:

Screen Shot 2013-12-02 at 1.46.12 PM.png

You can add AD as the auth source here.

Finally, on the Enforcement Tab (skip Roles), choose the one called Sample Allow Access Policy.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Re: Switch authentication

Chris -- I did a web search and I guess the link below may help you with regard to Cisco configuration; it explains the best practices of AAA.

http://www.routerfreak.com/aaa-best-practices/

Thank you

Occasional Contributor II

Re: Switch authentication

Seth,

Thank you for the great information!!! Can you tell me where in CPPM I would add the network switches I want to have authenticate using CPPM?

Moderator

Re: Switch authentication

Configuration > Network > Devices

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Switch authentication

Right!  Forgot that step.  Make sure the shared secret matches on both ends.  You can also define an entire subnet as well...this will cut down on the entries here as you can define a management subnet for all switches.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Occasional Contributor II

Re: Switch authentication

Ok... I have this working now. Last two questions, how would I configure CPPM to allow certain user accounts to only have Read Only access?

And, how would I limit only users in a certain AD group to have access to logon to the switches?

Thank you!!!!


Re: Switch authentication

For that, you need to configure a role map.  See this example.  Using a role map, you can use memberof as an attribute and say if it CONTAINS a certain value like "IT administrator" then assign a role.  This role is INTERNAL TO CLEARPASS!!!  That is important to remember.  It has nothing to do with what is sent back to the NAS device.  Using these internally derived roles, you can then assign appropriate enforcement profiles to the NAS switches.  In order to tell you what to send back as an enforcement profile (action), we would need to know what format they need the reply to be sent as.

Now...here is a screen shot of a sample role map.  These are for TACACS but you can easily see the logic and use RADIUS enforcement instead.

Screen Shot 2013-12-03 at 4.45.56 PM.png

Then in your enforcement policy, you use the roles here and assign the profiles needed.

For example:

Screen Shot 2013-12-03 at 4.49.16 PM.png

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Occasional Contributor II

Re: Switch authentication

In my Enforcement Policy, if I use Default Profile of Deny Access Profile, my authentication fails. If I use Allow Access Profile, my authentication is successful but my Role Mappings never seem to be used.

It is using the Default Profile in the Enforcement Policy and stopping there...

Moderator

Re: Switch authentication

Remember that the role mapping is only "tagging" accounts with internal ClearPass roles. Are you mapping the ClearPass roles to an action in the enforcement policy?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

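As an added illustration (not ClearPass code, and not from any poster above), here is a small Python model of the two stages Seth and Tim describe: role mapping tags the request with internal roles derived from the AD memberOf attribute, and the enforcement policy then turns those roles into the profile returned to the switch, falling back to the policy's default profile when no rule matches. The user names, AD groups, role names and profile names are constructed placeholders.

```python
"""Toy model of ClearPass-style authorization: role mapping first, then
enforcement.  Added illustration only; not ClearPass's own logic."""

# Constructed sample of what an AD authentication source might return.
USERS = {
    "alice": {"memberOf": ["CN=IT administrator,OU=Groups,DC=corp,DC=example"]},
    "bob":   {"memberOf": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example"]},
    "carol": {"memberOf": ["CN=Sales,OU=Groups,DC=corp,DC=example"]},
}

# Role-mapping rules: (attribute, operator, value) -> internal ClearPass role.
# These roles are internal; nothing here is sent to the NAS.
ROLE_MAP = [
    ("memberOf", "CONTAINS", "IT administrator", "Switch-Admin"),
    ("memberOf", "CONTAINS", "Helpdesk", "Switch-ReadOnly"),
]

# Enforcement rules: internal role -> enforcement profile (hypothetical names).
# The actual RADIUS/TACACS+ attributes inside each profile depend on the
# switch vendor, which is why the thread asks for the required reply format.
ENFORCEMENT_RULES = [
    ("Switch-Admin", "Switch Admin Profile"),
    ("Switch-ReadOnly", "Switch ReadOnly Profile"),
]


def map_roles(attrs):
    """Stage 1: tag the request with every role whose rule matches."""
    roles = set()
    for attribute, op, value, role in ROLE_MAP:
        if op != "CONTAINS":
            raise ValueError(f"unsupported operator {op}")  # only CONTAINS modelled
        if any(value in actual for actual in attrs.get(attribute, [])):
            roles.add(role)
    return roles


def enforce(roles, rules, default_profile):
    """Stage 2: first enforcement rule naming a held role wins; else default."""
    for role, profile in rules:
        if role in roles:
            return profile
    return default_profile


def authorize(user, rules=ENFORCEMENT_RULES, default_profile="Deny Access Profile"):
    """Full decision for one user; returns the profile the NAS would receive."""
    return enforce(map_roles(USERS[user]), rules, default_profile)
```

Calling `authorize("alice", rules=[])` reproduces the symptom in the question above: the role is tagged but no enforcement rule uses it, so the default profile decides and a Deny default fails the login.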
Occasional Contributor II

Re: Switch authentication

Here's a screen shot...
