Howto: Airwave authentication via Clearpass

The one thing that I really dig about Clearpass is the flexibility - the one thing that drives me up the wall is the lack of something akin to the VRDs. I figure, if I can't find it in the docs, I might as well create it and share it. I have a couple of solutions that I've put together that I will be sharing in the upcoming weeks.

The first one is how to authenticate Airwave via Clearpass. My lab is running Clearpass 6.2 and Airwave 7.7.3. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

Here are the steps necessary for Airwave to authenticate to Clearpass via RADIUS.

Airwave:

Set up the RADIUS configuration in Airwave:

1. AMP Setup > Authentication > Enable RADIUS Authentication and Authorization > "Yes"
2. Add the Clearpass information to "Primary Server Hostname/IP Address"
3. Add the Clearpass shared secret to "Primary Server Secret" and confirm that secret
4. Click "Save"

Add a new Airwave user role:

1. AMP Setup > Roles > Add
2. Create a role called AMP-Administrator
3. Select a type of "AMP Administrator"
4. Check "Enabled" as Yes
5. Click "Add"

Clearpass:

Add the Airwave network device to Clearpass:

1. Configuration > Network > Devices
2. Add the Airwave "IP or Subnet Address"
3. Enter the "RADIUS Shared Secret" that was defined above.
4. Select "Vendor Name:" of "Aruba"
5. Click "Save"

Add the Airwave network device to a Device Group:

I use device groups for everything in Clearpass. This step is optional; it's just my personal preference.

1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" field
4. Select "List" under "Format"
5. Under the "List", move the Airwave Server IP from the "Available Devices" to "Selected Devices"
6. Click "Save"

Create an Airwave Enforcement Profile:

1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "Aruba RADIUS Enforcement" as the Template
4. Provide a name, "Aruba Airwave"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
   i. Type - "Radius:Aruba"
   ii. Name - "Aruba-Admin-Role (4)"
   iii. Value - "AMP-Administrator"
7. Finally, click "Save"

Create an Airwave Enforcement Policy:

1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Aruba Airwave Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
   i. Type - Tips
   ii. Name - Role
   iii. Operator - EQUALS
   iv. Value - Airwave-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Aruba Airwave"
9. Click "Save"

Create an Airwave Login Service:

1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Aruba Airwave Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"
   iv. Value - "Aruba Airwave"
6. Under Authentication:
   i. Authentication Methods - PAP
   ii. Authentication Sources - <your AD>
7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like after clicking "Modify":
   i. Type - Authorization:Windows-2012
   ii. Name - memberOf
   iii. Operator - EQUALS
   iv. Value - CN=Airwave-Admins,CN=Users,DC=top,DC=local
   v. Actions > "Role Name" > "Airwave Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Aruba Airwave Login Enforcement Policy"
9. Click "Save"

That should be it. You should now be able to log into Airwave with your AD credentials via RADIUS. You can verify that things are working by attempting to log in to Airwave and viewing the results in Clearpass in the Access Tracker, found under Monitoring.
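As an added example (my own code, not from this post or from Aruba), here is a small Python decoder for checking a RADIUS reply the way you would when debugging this setup: it verifies the Response Authenticator against the shared secret and pulls the Aruba-Admin-Role (4) VSA out of the Access-Accept, so you can confirm that the value ClearPass returns is exactly the role name defined in Airwave (AMP-Administrator). The shared secret, Request Authenticator and packet below are constructed sample values; 14823 is Aruba's IANA enterprise number.

```python
import hashlib
import hmac
import struct
ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number, carried in Vendor-Specific (26)
ARUBA_ADMIN_ROLE = 4      # Aruba-Admin-Role (4), the VSA the enforcement profile sets

def parse_tlvs(blob):
    """Split a RADIUS attribute blob (RFC 2865 type/length/value) into (type, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out

def aruba_admin_roles(packet):
    """Return every Aruba-Admin-Role string carried in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    roles = []
    for atype, value in parse_tlvs(packet[20:length]):
        if atype == 26 and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            roles += [v.decode() for t, v in parse_tlvs(value[4:]) if t == ARUBA_ADMIN_ROLE]
    return roles

def response_authenticator_ok(packet, request_auth, secret):
    """Check the Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def airwave_role_ok(packet, request_auth, secret, airwave_role="AMP-Administrator"):
    """True only if the reply is authentic, is an Access-Accept (code 2) and names the Airwave role."""
    return (packet[0] == 2
            and response_authenticator_ok(packet, request_auth, secret)
            and airwave_role in aruba_admin_roles(packet))

def build_accept(ident, request_auth, secret, role):
    """Build a sample Access-Accept shaped like the one ClearPass sends (constructed test data)."""
    inner = bytes([ARUBA_ADMIN_ROLE, 2 + len(role)]) + role.encode()
    vsa = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    attrs = bytes([26, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))   # code 2 = Access-Accept
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

SECRET = b"example-shared-secret"   # constructed; use the secret entered in AMP Setup and ClearPass
REQUEST_AUTH = bytes(range(16))     # constructed; the real one is random per Access-Request
SAMPLE_ACCEPT = build_accept(7, REQUEST_AUTH, SECRET, "AMP-Administrator")
```

To check a real reply, capture the Access-Accept on the AMP server and pass its bytes, the matching Request Authenticator and your secret to airwave_role_ok in place of the sample values.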

The above steps can also be extended to map AD users to other Airwave roles, such as a Help Desk account.

Let me know what you think and if it works out for you.

-Mike