Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Connecting Cisco WLC to CPPM

  • 1.  Connecting Cisco WLC to CPPM

    Posted Jun 18, 2019 10:54 AM

    Can anyone point me in the direction of a definitive guide on how to connect a Cisco Wireless Controller to CPPM so I can test a wireless SSID using CPPM for authentication?  I have the controller pointing to CPPM (aaa radius server ip, port, secret key) but don't see anything in the CPPM logs that indicates an attempt is being made.


    I've seen various docs showing how to do this for older 44xx models but nothing for the 5000 series, so that may have something to do with it.  Mainly I'm looking for evidence the two are communicating with one another and telling me why the setup isn't working.  Any help appreciated.  CPPM 6.7.10 and joined to AD domain. Cisco WLC 5508.  Routing enabled.



  • 2.  RE: Connecting Cisco WLC to CPPM

    Posted Jun 18, 2019 01:21 PM
    See here:
    https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Aruba-ClearPass-with-Cisco-WLC-802-1X-Role-Based-Access/gpm-p/455879

    Take a look at the event viewer in ClearPass to see if there are any errors.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Connecting Cisco WLC to CPPM

    Posted Jun 19, 2019 08:47 AM

    1. I see nothing in the event viewer, which I'm guessing means the controller isn't talking to CPPM.
    2. Is a layer 3 interface necessary on the controller? Can I not just use an SSID?
    3. I don't have the option for "Support for RFC 3576" in my RADIUS servers.



  • 4.  RE: Connecting Cisco WLC to CPPM

    Posted Jun 19, 2019 09:49 AM

    Hi,


    Essentially, CPPM needs to know of a "device" (WLC L3 interface IP address) you created on the controller, and you're telling CPPM to accept EAP and CHAP protocol requests from that WLC IP. This communication is secured with the Shared Secret.


    Use Case I

    If you have just 1 interface (management interface) and you assigned that in the WLAN, then you're using the management interface range for the users as well as the controller portal management (which isn't best practice). If this is true, then the management IP address of your WLC is the IP address of the device sending authentication requests to CPPM.


    Use Case II

    If you kept the management interface segmented and you have other L3 interfaces (dynamic interfaces with VLAN assignments) and you are assigning those interfaces to the WLAN for users, whatever is listed there is the interface that needs to talk to CPPM and be created in CPPM as a Device.


    Make sense?


    [Attached images: WLC Interfaces.PNG, WLAN Interface.PNG]



  • 5.  RE: Connecting Cisco WLC to CPPM

    Posted Jul 01, 2019 02:56 PM

    Yes, makes sense.  An interesting thing happened. Never saw this in the event viewer but came back the next day and guest self-registration started working.  Left for the day again and CPPM appears to be unable to keep a connection to the AD.  Also now I get an invalid usn/psw when I try searching Base DN under Authentication > Sources.



  • 6.  RE: Connecting Cisco WLC to CPPM

    Posted Jul 05, 2019 09:50 AM

    Thanks.  When I try joining the SSID I get an error "WARN RadiusServer.Radius - domainname.com: Password Attribute "userPassword" not available" and am not sure where to go from here.



  • 7.  RE: Connecting Cisco WLC to CPPM

    Posted Jul 16, 2019 10:15 AM

    Can you send a screenshot of the tracker and the service setup?



  • 8.  RE: Connecting Cisco WLC to CPPM

    Posted Jun 18, 2019 02:19 PM

    Hi s1nsp4wn,


    WLC Interfaces

    The Cisco controller has many interfaces depending on how many VLANs you segment users on (i.e. management and dynamic interfaces); those can be overridden depending on how you set up the WLANs and/or use AP groups. CPPM needs to know of those interfaces that users will be requesting authentication from. (The management interface shouldn't be one unless you're using CPPM to authenticate the management login user.)

    • WLAN - interface assignment (default interface for WLAN users)
    • AP Groups - interfaces assigned here override the WLAN interface assignment

    WLC - AAA

    Under the Security tab - AAA - RADIUS, add your CPPM as a RADIUS Authentication and Accounting server. NOTE: if you're not using CPPM to authenticate management login to the WLC, uncheck the "Management" option box. (NOTE: make sure you match the Shared Secret on both WLC and CPPM, or nothing will talk.)


    WLC - WLAN setup

    1. Under the WLAN setup you have the option "RADIUS Server Overwrite interface". If checked, you can pick which interface will be the authenticating interface: you can choose WLAN (the interface set in the WLAN default) or AP Group. (If you use AP Groups, those interfaces will be the authentication interfaces and need to be "devices" in CPPM.)

    Then, choose your CPPM from the pull-down under Authentication Servers and Accounting Servers. I use "AP Groups", so that is my choice here for the interfaces I want sending authentications.

    I like to remove Local and LDAP from the "Order Used for Auth" section as well.

    2. Under the WLAN Advanced tab, check Allow AAA Override.


    CPPM

    You need to add all interfaces listed on the WLC side from which user authentication requests will be generated. This will be under Configuration - Network - Devices.

    If the controller is sending requests from interfaces unknown to CPPM, check your CPPM Event Viewer and you'll see errors reporting that interface as an unknown device.

    [Attached image: Devices for Cisco WLC.PNG]

    I hope that helps.
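    Added example, not from any of the posts above and not Aruba or Cisco code: a small Python model of the RADIUS exchange that posts 4 and 8 describe, showing the NAS-IP-Address field ClearPass matches against its Device list and why a mismatched Shared Secret means "nothing will talk" (the client cannot verify the Response Authenticator). The user name, IP address and secrets are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4


def _attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: Type (1 byte), Length including header (1 byte), Value.
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: str, nas_ip: str, authenticator: bytes) -> bytes:
    # Minimal Access-Request like the one a WLC sends. NAS-IP-Address carries the
    # controller interface IP that ClearPass looks up in Configuration - Network - Devices.
    # (User-Password / EAP attributes are omitted; they are not needed to show the checks.)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def nas_ip_of(request: bytes) -> str:
    # Walk the attribute list and return the NAS-IP-Address the server would look up.
    pos = 20
    while pos + 2 <= len(request):
        atype, alen = request[pos], request[pos + 1]
        if alen < 2:
            break
        if atype == ATTR_NAS_IP_ADDRESS:
            return socket.inet_ntoa(request[pos + 2:pos + alen])
        pos += alen
    return ""


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Server side (RFC 2865 section 3): ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    # Client side: recompute the Response Authenticator with its own copy of the secret.
    # A mismatch means the reply was built with a different shared secret and is discarded.
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def accept_roundtrip(client_secret: bytes, server_secret: bytes) -> bool:
    # Simulate WLC -> ClearPass -> WLC with possibly different secrets configured on each side.
    req = build_access_request(7, "alice", "10.10.20.5", os.urandom(16))
    resp = build_response(ACCESS_ACCEPT, req, b"", server_secret)
    return verify_response(resp, req, client_secret)
```

In a real deployment the Access-Accept is also where the enforcement profile's returned attributes ride, which is what Access Tracker shows; this model leaves the attribute list empty.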



  • 9.  RE: Connecting Cisco WLC to CPPM

    Posted Jul 01, 2019 02:57 PM

    Thanks.  Will anything further be needed for testing?  I've seen mention of enforcement policies etc. but can't seem to join the SSID.



  • 10.  RE: Connecting Cisco WLC to CPPM

    Posted Jul 01, 2019 04:10 PM

    The enforcement profile determines what is returned by ClearPass to the WLC. Access Tracker (on CPPM) will show you whether ClearPass is responding Accept or Reject, and what attributes are included if an Accept is sent. The enforcement profile determines what gets sent.



  • 11.  RE: Connecting Cisco WLC to CPPM

    Posted Jul 05, 2019 09:48 AM

    When I attempt to join the domain after integrating with the controller, I get the message below and don't know how to fix:

    WARN RadiusServer.Radius - servername.com: Password Attribute "userPassword" not available.