Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Where to start with wired user authentication?

  • 1.  Where to start with wired user authentication?

    Posted Oct 11, 2013 12:05 PM

    So the next step on our deployment I'm working on is wired authentication.  Currently I have 2 SSIDs that broadcast our network and a guest network.  Both hit our ClearPass server for either 802.1x or the Captive Portal.

     

    Now we want to get things setup for the same features on the wired network.  Here is what I'm hoping to do:

    1. User plugs in device

    2. If the device is a gaming system they are put into a vlan for gaming systems

    3. Try to authenticate via 802.1X and put them into their respective VLAN

    4. If that doesn't work, show the captive portal and put them into the guest VLAN.

     

    We have a full Aruba hardware lineup (7210, S2500 stack, ClearPass), so I've heard this is all doable, but I just need some guidance on how to get things started on this.  I've set up the switch to do tunneled node to the controller, and I can get to a captive portal login, but that is all I've been able to get to.

     

    I'm guessing I need to define a MAC policy on ClearPass to handle the gaming systems, but maybe I'm barking up the wrong tree.

     

    Any advice would be great.

     

    Thanks!




  • 2.  RE: Where to start with wired user authentication?

    EMPLOYEE
    Posted Oct 11, 2013 12:14 PM
    There are two ways you can set this up.

    Tunnel mode
    standard .1x

    First question would be how many switches/users?


  • 3.  RE: Where to start with wired user authentication?

    Posted Oct 11, 2013 12:19 PM

    We have under 500 users, and 2 Aruba stack switches (total of 9 physical switches).  Is there a benefit to having the traffic tunneled to the controller?  I was picking that route so the switches have as little configuration on them as possible...

     

    Also, most of the users are wireless.  The wired user count is under 100 users.  Also, we do have IP phones, so I guess that needs to be included in the consideration too.

     

    Thanks for the help!



  • 4.  RE: Where to start with wired user authentication?

    EMPLOYEE
    Posted Oct 11, 2013 12:22 PM

    You will get a stateful firewall by using tunneled node, whereas if you use it as a traditional switch, it will use stateless ACLs. You can still configure the same access policies, but you'd be using a stateless ACL on the switch.

     

    We use stateless ACLs on our entire edge deployment that map back to user-roles returned from ClearPass.

     

    Here are some examples from a previous post:

     

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Wired-Access-Point/m-p/114721#M24547



  • 5.  RE: Where to start with wired user authentication?

    Posted Oct 11, 2013 12:28 PM

    Thanks Tim, sounds like passing it to the controller would be best for us. But not set in stone on that.



  • 6.  RE: Where to start with wired user authentication?

    EMPLOYEE
    Posted Oct 11, 2013 12:41 PM
    You are not limited to ACLs in .1x mode. I asked the switch SE to chime in.


  • 7.  RE: Where to start with wired user authentication?
    Best Answer

    Posted Oct 11, 2013 02:05 PM

    Check out the following solutions on Aruba Solution Exchange:

     

    Mobility Access Switch Tunnel Node

    Mobility Access Switch MAC/802.1X Authentication

     

    To me, it sounds like you could do this config without tunneled node.  Go through the MAC/802.1X solution and configure MAC auth + 802.1X auth + L2 auth fail-through.  This will allow the game consoles to get the MAC auth user role if they pass MAC auth but don't attempt 802.1X (which they won't, since they don't support it over wired).

     

    Also, check out the MACTrac section in the latest ClearPass Guest Deployment Guide.  MACTrac is a captive portal page where end users can log in and register the MAC address of their personal devices such as game consoles.  You could configure this captive portal on the wireless network.  Then, you would just need a MAC auth service on ClearPass to authenticate against the registered MAC addresses.
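The MAC auth + 802.1X + L2 auth fail-through ordering from the best answer, and the MACTrac-registered MAC lookup it relies on, as an added illustration that is not part of the original thread and not Aruba or ClearPass code. It is a simplified policy model: 802.1X success wins, a registered MAC gets its MAC-auth role when the device never attempts 802.1X, anything else falls through to the captive-portal role, and turning fail-through off makes a MAC-auth miss terminal. The role names, VLAN numbers, port names and endpoint table are constructed. Two practitioner details are built in: the switch may present a MAC in several formats (dashed, dotted, bare hex, mixed case), so the lookup canonicalises it first, which is a common reason a "registered" console still fails MAC auth; and because a MAC is trivially spoofable, `duplicate_mac_sessions` flags a registered MAC that is live on two ports at once, a signal worth alerting on since the MAC-auth role should be the most restricted one you hand out.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Set, Tuple


class Dot1x(Enum):
    NOT_ATTEMPTED = "not-attempted"  # no supplicant, e.g. a game console
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass(frozen=True)
class Decision:
    method: str  # which layer granted (or refused) access
    role: str    # user-role name returned to the switch (hypothetical names)
    vlan: int    # VLAN mapped to that role (hypothetical numbers)


DENY = Decision("deny", "denied", 0)
GUEST = Decision("captive-portal", "guest-logon", 900)   # initial/captive-portal role
EMPLOYEE = Decision("802.1x", "employee", 100)           # 802.1X default role

# Constructed endpoint table, standing in for what MACTrac self-registration
# would write into the ClearPass endpoint repository. Keys are canonical MACs.
REGISTERED_ENDPOINTS: Dict[str, Decision] = {
    "00:11:22:33:44:55": Decision("mac-auth", "gaming", 300),
    "aa:bb:cc:dd:ee:01": Decision("mac-auth", "ip-phone", 200),
}


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise 00-11-22-33-44-55, 0011.2233.4455, 001122334455 and
    mixed-case variants to lowercase colon-separated form. Returns None for
    anything that is not exactly 12 hex digits once separators are stripped."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def wired_auth(raw_mac: str, dot1x: Dot1x, l2_auth_fail_through: bool = True) -> Decision:
    """Hypothetical model of the MAC auth -> 802.1X -> captive portal ordering.
    MAC auth is evaluated first; without fail-through a MAC-auth miss blocks the
    port before 802.1X is ever considered."""
    mac = normalize_mac(raw_mac)
    mac_hit = REGISTERED_ENDPOINTS.get(mac) if mac else None

    if mac_hit is None and not l2_auth_fail_through:
        return DENY
    # A proven credential outranks a copied-off-a-sticker identifier.
    if dot1x is Dot1x.SUCCESS:
        return EMPLOYEE
    # Consoles never attempt 802.1X, so a registered MAC lands them here.
    if mac_hit is not None:
        return mac_hit
    # Unknown MAC and no usable 802.1X: initial role with the captive portal.
    return GUEST


def duplicate_mac_sessions(sessions: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (mac, port) pairs from live sessions, return MACs seen on more than
    one port at once: a spoofed MAC-auth identity or a misbehaving hub."""
    seen: Dict[str, Set[str]] = {}
    for raw_mac, port in sessions:
        mac = normalize_mac(raw_mac)
        if mac:
            seen.setdefault(mac, set()).add(port)
    return sorted(m for m, ports in seen.items() if len(ports) > 1)


if __name__ == "__main__":
    # Constructed sample: console in two MAC formats, an unknown laptop, a phone.
    print(wired_auth("00-11-22-33-44-55", Dot1x.NOT_ATTEMPTED))
    print(wired_auth("de:ad:be:ef:00:01", Dot1x.SUCCESS))
    print(wired_auth("de:ad:be:ef:00:01", Dot1x.NOT_ATTEMPTED))
    print(duplicate_mac_sessions([("0011.2233.4455", "ge1/0/1"),
                                  ("001122334455", "ge1/0/7"),
                                  ("AA:BB:CC:DD:EE:01", "ge1/0/2")]))
```

The model deliberately keeps the MAC-auth role separate from the 802.1X role so that a console's VLAN can be locked down with a stateless ACL (or PEF role, in tunneled-node mode) to the traffic a console actually needs, rather than inheriting employee access.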