Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearPass beginner

  • 1.  clearPass beginner

    Posted Jul 19, 2013 07:49 AM

    Hi Guys,

     

    We are going to deploy a ClearPass environment involved in a project that has a 7210 controller and 100 APs.

     

    We are going to deploy ClearPass Policy Manager and guest access.

     

     

    Is there any way for you guys to guide me to get familiar with ClearPass?

     

    I already have the ClearPass trial for VMware and I'm going to install it soon.

     

    Is there any configuration guide for starters on ClearPass? Configuration of the controller is not an issue, but ClearPass is so big! ;)

     

    Thanks

     

    Regards


    #7210


  • 2.  RE: clearPass beginner

    Posted Jul 19, 2013 07:59 AM

     

    You can find all the deployment guides on the Aruba support site:

    http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=6867


    Hope this helps



  • 3.  RE: clearPass beginner

    Posted Jul 19, 2013 11:50 AM

    Hi,

     

    I would recommend getting a handle on how services work and how they are identified. This can be done by setting up simple tests and then viewing the results in the Access Tracker.

    The Access Tracker is really your best friend and will help you solve a lot of the issues you may run into in the beginning.

     

    Once you get a good handle on how services work, everything else just sort of falls into place, more or less.

     

    Read through the forums as well, as there are a ton of really smart people on here who give really detailed responses.



  • 4.  RE: clearPass beginner

    Posted Jul 19, 2013 12:08 PM

    Thanks guys for your help



  • 5.  RE: clearPass beginner

    EMPLOYEE
    Posted Jul 19, 2013 12:15 PM
    I would recommend using a few of the service templates and then looking at how they were built. It will give you some good starting points to work from. Guest MAC authentication is a good one to start with.


  • 6.  RE: clearPass beginner

    Posted Jul 19, 2013 01:26 PM

    Adding to what tarnold suggested, an easy way to play with the services is to purposely fudge your login credentials to CPPM. Then log in with the correct credentials and check the Access Tracker. You will see the failed attempt and it will help you get a feeling for how the service works and what the different failure messages look like.



  • 7.  RE: clearPass beginner

    Posted Aug 13, 2013 01:08 PM

    Guys, need some help here :(

     

    I will need to configure a 7200 controller plus APs and then configure ClearPass manager and ClearPass guest.

     

    I have a huge doubt... when I have the controller basic setup done, I also need to configure the controller to see the ClearPass, correct? Like configure a RADIUS "clearpass" server?

     

    I have never configured ClearPass before, so I am a little worried...

     

    Thanks

     

    Regards



  • 8.  RE: clearPass beginner

    Posted Aug 16, 2013 01:46 PM

    Could you be a little more specific as to what you are worried about?

     

    Are you looking for how to make the controller and the CPPM talk to one another?

     

    Cheers



  • 9.  RE: clearPass beginner

    Posted Aug 19, 2013 07:40 AM

    Hi,

     

    Let me see if I can explain it clearly to you, since I have never installed ClearPass:

     

    1. After the initial controller config we will, in phase 2, implement ClearPass for guest mgmt.

     

    2. How will ClearPass connect to the controller?

     

    3. Should the guest network be configured beforehand on the controller or directly on ClearPass?

     

    4. After this we need to integrate ClearPass with AD. How can this be done?

     

    Thanks for your help

     

    Regards



  • 10.  RE: clearPass beginner

    Posted Aug 19, 2013 10:12 AM

    Hi, 

     

    Just want to start off by saying that I am definitely not an expert when it comes to the Controller or CPPM. This is all based on my experience and what I have done to get things going. There could be mistakes and other errors, so please test your configuration and read up on anything that isn't clear! Most of what I know I have learned from these forums and through a ton of trial and error.

     

    1. after initial controller config we will on phase 2 implement Clearpass for guest mgmt.

    2. How will ClearPass connect to the controller?

     

    I am assuming you already have the controller configured and running, and that you are familiar with the general settings for the SSIDs.

    On your Controller you need to configure a Server Group, RADIUS Server, and RFC 3576 Server.

     

    1)
    This can be done under Security > Authentication > Servers

    Create your RADIUS Server and RFC 3576 Server first, then follow it up by creating your Server Group.


     

     

    2)

    Once you create your Server Group you will need to add the RADIUS Server you created to the Servers list.

    In the new settings for the server you created, hit New and select the RADIUS Server from the drop-down list.


     

    Please note: When you configure your RADIUS Server you need to provide the values for 'Host', 'NAS ID', and 'NAS IP':

    • Host - The IP of your CPPM
    • NAS ID - The ID of your Controller
    • NAS IP - The IP of your Controller
    • You are asked to create passwords for the RADIUS Server. Make sure you write this down; you will need it later.

    3)

    Next, create your secure SSID.

    On the AAA Profile there is the option for 802.1X Authentication Server Group and RFC 3576 server. Make sure that for these two options you select the appropriate information created in the part above.

     

    That pretty much covers getting your Controller to talk to the CPPM. You have to make sure that your Controller can talk to the CPPM (ping) before proceeding. Now you need to set up the CPPM to receive the information.

     

    4)

    Once you have your Controller set up, head over to your CPPM.

    CPPM > Configuration > Network > Devices 

    Once there, select Add Device.

    Fill in the relevant information from the steps above and hit Add.


     

    Your CPPM should now be all set up to receive information from your Controller.

    When you attempt to connect to your new SSID all the requests received on the Controller should be forwarded to the CPPM for evaluation.

     

    The SSIDs can be either unencrypted (for guests) or encrypted (production). I found it easier to test with a secure SSID first, then work my way back to setting up the Guest SSID.

     

    3. Should the guest network be configured beforehand on the controller or directly on ClearPass?

     

    A pretty common way of setting up the Guest network is to leave it unencrypted and put a Captive Portal on it. This forces users connecting to the Guest SSID to a default page where you can provide them with more details as to what to do next.

     

    Your Guest SSID could have its own VLAN so that it is separate from your production network.

     

    When you configure the AAA Profile for your Guest SSID, under the option Initial role set this to a User Role that has restricted access. I believe there should be an example of this called guest-logon. Take a look at this User Role to get an idea of what the Initial Role for your Guest SSID could look like. It basically gives the users DHCP and DNS access, HTTP access to the CPPM and a few other things.


     

    What this will do is put anyone connecting to the Guest SSID immediately into the User Role guest-logon.

    This is how we get users connecting to the Guest SSID to hit our Captive Portal.

     

    To configure your Captive Portal you must first create a Captive Portal on the CPPM. I won't go into a lot of detail with this because this post will be bigger than it already is.

    1. Go to ClearPass Guest > Configuration > Guest Self-Registration
    2. Create your registration page and test it.
    3. Copy the URL for the Guest Self-Registration page
    4. Back on your Controller create a new Captive Portal Profile. Controller > Configuration > All Profiles > Wireless LAN > Captive Portal Authentication Profile.

    Configure the Captive Portal profile; you will see a parameter for Login Page and this is where you paste the URL copied in Step 3. This will be the Captive Portal page that users see once they connect to the Guest SSID and attempt to browse the web.


     

    Now that you have configured your Captive Portal profile you need to have your User Role guest-logon use it.

    1. Log into your controller
    2. Configuration > SECURITY > Access Control
    3. Edit guest-logon (or whatever User Role you are using for the Initial Role)
    4. Scroll down to the option Captive Portal Profile
    5. Select your Captive Portal Profile from the drop-down list and hit Change
    6. Then scroll down and hit Apply


     


    This will get you set up so that your Guest SSID will redirect users to your Captive Portal page as soon as they attempt to browse to any website after connecting to your Guest SSID.

     

    4. After this we need to integrate ClearPass with AD. How can this be done?


    We are not using AD so I cannot comment too much on this. I did just do a test with an AD by adding it as an Authentication Source.

    That is about the extent of my experience with AD.

     

    1. Log into the CPPM
    2. Configuration > Authentication > Sources
    3. Hit Add Authentication Source
    4. Select Type: Active Directory
    5. Fill out the necessary information
    6. Hit Save

    More than likely your setup to use your AD would look something like this...

    • You have a secure SSID set up to use WPA2-Enterprise
    • It will send its requests back to the CPPM
    • You will have a Service that will be set up to use your AD as an Authentication Source
    • Your Service will evaluate your users and apply rules based on your requirements.

    As mentioned previously, be sure to get a handle on the Services and how the other components (Authentication Methods and Sources, Endpoints, Enforcement Policies and Profiles) come together to form your Service. If you can get a good handle on this then the CPPM becomes easier to understand.

     

    If you can get through the initial configuration, start by just doing small tests to see how your services react.
    If you look in your Event Viewer and see the Service Name column empty, it means that there are no Services that have been configured that meet the criteria of the user request.

     

    Hope this helps. I tried to address your questions as directly as possible. If anything isn't clear I'll try my best to clarify.

     

    Cheers
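
The 'Host', 'NAS ID', 'NAS IP' and password values from step 2, and the matching device entry added on the CPPM in step 4, as they end up in a RADIUS Access-Request. This is an added example, not part of the original post and not Aruba's code; the IPs, names and secret are constructed, and the server side is a generic RADIUS model that looks up the shared secret by the sender's IP.

```python
import hashlib, hmac, os, socket, struct

USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 4, 32, 80
# Constructed sample values (not from the thread): controller IP -> shared secret
DEVICES = {"10.0.0.5": b"constructed-secret"}

def attr(attr_type, value):
    # type (1 byte), length including the 2-byte header, value
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, user, nas_ip, nas_id, ident=1):
    """Controller side: NAS IP and NAS ID travel as attributes; the shared
    secret never does, it only keys the Message-Authenticator."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed, placed last
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    packet = header + os.urandom(16) + attrs  # 16-byte Request Authenticator
    # RFC 3579: HMAC-MD5 (protocol-mandated) over the packet with the field zeroed
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_attrs(packet):
    """Return {type: (value_offset, value)} for attributes after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, i = {}, 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        found[packet[i]] = (i + 2, packet[i + 2:i + packet[i + 1]])
        i += packet[i + 1]
    return found

def server_check(packet, source_ip, devices=DEVICES):
    """Server side (generic RADIUS model): the sender's IP selects the device
    entry and its secret, which must reproduce the Message-Authenticator."""
    secret = devices.get(source_ip)
    if secret is None:
        return "unknown device"
    attrs = parse_attrs(packet)
    if MESSAGE_AUTHENTICATOR not in attrs:
        return "no Message-Authenticator"
    offset, received = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "shared secret mismatch"
```

A request from an address with no device entry, or one keyed with a mistyped secret, fails before any user credential is evaluated, which is why both sides must be configured with the same values.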

     



  • 11.  RE: clearPass beginner

    Posted Aug 19, 2013 01:18 PM

    Bourne,

     

    Thanks for your kind explanations.

     

    I have already deployed several Controllers, but not ClearPass.

     

    I am also not an expert. I am with you: experience is the thing :))

     

    I will try to explore all your info and then get back to you

     

    Thanks so much for your help.

     

    Regards



  • 12.  RE: clearPass beginner

    Posted Aug 19, 2013 01:33 PM

    Bourne,

     

    Another simple question.

     

    Is it OK to have APs and clients on the same VLAN?

    I have read in the VRD that APs should not have a dedicated VLAN.

     

    I am a little confused since I will connect the 7210 to a core switch and will allow several VLANs to the internal network.

     

    I was assuming that I will connect the APs to the client DHCP scopes and also create a large scope for the devices that are wirelessly connected

     

    Something like this:

     

    100 APs DHCP

    Controller IP MGMT

    VLANs for users (aggregated in a VLAN pool)

     

    Then second phase ClearPass... same VLAN as the Controller.

     

    Is this a good startup config?


    Regards


    #7210


  • 13.  RE: clearPass beginner

    Posted Aug 19, 2013 01:43 PM

    Someone with a little more expertise might be able to answer you with a more definite answer.

     

    Our subnet is a rather large one (a /20) and a small chunk of it has DHCP for our users. So we selected another range inside our existing subnet and statically set the IPs on the APs. We have a very small number of APs so it isn't too tough for us to do this.

     

    So having said that, our setup is similar to what you have going on, so I don't think it will be a big deal.

    The APs will establish their GRE tunnels with the Controller and then you can add even more VLANs (assuming you are using GRE, I don't think you have to).

     

    I don't think there will be any major issues. I think it will really come down to what your requirements are in terms of security. 

    Maybe someone else could offer you some better advice though. Sorry I can't give you more of a definite answer.

     

    Cheers