Overview
Configuring switch ports can be a real hassle, and with more and more devices moving to WiFi, why do we need to spend time manually configuring the edge? A network should be smart enough to see what is connecting and apply the required policy. In this post we will see how to configure and test the OnConnect feature of Aruba ClearPass.
OnConnect is a way to secure your wired network edge by profiling devices (i.e. is it a Windows device or an Apple device?) and then programming the port with the correct VLAN ID through SNMP.
Note: OnConnect is not a replacement for wired 802.1X; however, it does provide an elevated level of network security, as you are enforcing policy based on device type.
Lab Setup
ClearPass 6.7
Aruba 2930F WC.16.05.0007
Windows 10 client
Apple Time Capsule
Switch Configuration
First I am going to configure the VLANs required. I am using VLAN 99 as a null VLAN that my interfaces will initially be configured with. VLAN 100 will be used for profiled Windows devices, and VLAN 200 will be used for profiled Apple devices.
2930F(config)# conf t
2930F(config)# vlan 99
2930F(vlan-99)# name null
2930F(vlan-99)# vlan 100
2930F(vlan-100)# name WINDOWS-PC
2930F(vlan-100)# vlan 200
2930F(vlan-200)# name APPLE-DEVICE
Now I need to configure the global SNMP configuration for the switch.
Note: While I am doing all of this through the CLI, it could be templated and done as part of ZTP through Aruba AirWave.
2930F(config)# snmp-server community ClearPassRO operator
2930F(config)# snmp-server community ClearPassRW operator unrestricted
2930F(config)# snmp-server host <IP-OF-CLEARPASS> community ClearPass trap-level all
2930F(config)# snmp-server trap-source <MGMT-IP-OF-SWITCH>
2930F(config)# snmp-server enable traps mac-notify
Next comes the interface-specific configuration.
Note: I am only using ports 3 and 4 for this lab.
2930F(config)# snmp-server enable traps link-change 3-4
2930F(config)# interface 3-4 mac-notify traps learned
2930F(config)# interface 3-4 mac-notify traps removed
2930F(config)# interface 3-4 untagged vlan 99
That's it, I don't need to configure anything else on the switch at this time.
Note: You could tie ACLs to the VLANs as well if you wanted to restrict traffic, i.e. Apple devices can only access public IP addresses, etc.
Let's check ports 3 and 4 to see what VLAN they now have, to ensure that it is set to VLAN 99.
2930F(config)# sh vlan port 3 detail

 Status and Counters - VLAN Information - for ports 3

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  99      null                 | Port-based No    No    Untagged

2930F(config)# sh vlan port 4 detail

 Status and Counters - VLAN Information - for ports 4

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  99      null                 | Port-based No    No    Untagged
ClearPass Configuration
1. Configure the SNMP v2c trap community; for my configuration this is "ClearPass".
2. Make sure to stop and then start the ClearPass server's "System Auxiliary Services".
3. Update the NAD's SNMP Read settings with the community string "ClearPassRO".
4. Update the NAD's SNMP Write settings with the community string "ClearPassRW". Also, make sure to set the default VLAN for the port so that once a session expires the port is returned to the null VLAN.
5. If SNMP has been configured correctly we should now be able to query the switch ports. From the ports available, select the ports that you want to use for OnConnect. (We may not want all ports, i.e. uplinks.)
6. (Optional) If you would like to integrate with Windows AD for WMI, make sure to configure the WMI settings for the allowed subnets and the username for the query.
7. Next up we are going to create the two enforcement profiles that will configure the required VLANs.
8. To bring it all together we are going to create a new service for OnConnect. (Note: for this lab I am using the NAD IP address to select the service; you could use a NAD-Group or other means.)
9. (Optional) If you are going to be using WMI, then you will most likely need to configure a strip username rule.
10. In order to provide authorisation on the connecting endpoints we will configure the endpoints repository as a source. (Note: if using WMI you can add Active Directory as a source as well.)
11. For role mapping I have created two roles, one for the Windows devices and one for the Apple devices. The role mapping is being done based on the OS Family of the endpoint.
12. Finally we tie the enforcement profiles created earlier, which assign the VLAN, to the role mapping policy.
Testing
Now that we have both the switch and ClearPass configured, we can test the endpoints. (You can't see it, but I'm connecting the two device types to the switch now.)
2930F# sh vlan ports 3 det

 Status and Counters - VLAN Information - for ports 3

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  200     APPLE-DEVICE         | Port-based No    No    Untagged

2930F# sh vlan ports 4 det

 Status and Counters - VLAN Information - for ports 4

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  100     WINDOWS-PC           | Port-based No    No    Untagged
And there we have it: ClearPass has profiled the two device types and assigned the correct VLAN IDs through SNMP.
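The two "sh vlan ports ... detail" checks above (the pre-check for VLAN 99 and the post-connection test) are done by eye in this post. The script below is an added example, not code from the post or from Aruba, that automates the same check: it parses the ArubaOS-Switch "show vlan ports <n> detail" output, derives the VLAN each port should carry from the OS Family ClearPass profiled (Windows to 100, Apple to 200, no session to the null VLAN 99, exactly the mapping used in this lab), and reports any port whose untagged VLAN disagrees. The sample output and the session table are constructed for the example; the port-5 row is made up to show a port left in the Windows VLAN with no active session, which is the drift the "default VLAN" setting in step 4 is meant to prevent.

```python
import re

# Policy from the post: profiled OS family -> VLAN. VLAN 99 is the null VLAN
# a port must sit in when no OnConnect session exists for it.
NULL_VLAN = 99
OS_FAMILY_TO_VLAN = {"Windows": 100, "Apple": 200}


def expected_vlan(os_family):
    """VLAN a port should carry for the given profiled OS family (None = no session)."""
    return OS_FAMILY_TO_VLAN.get(os_family, NULL_VLAN)


# 'Status and Counters - VLAN Information - for ports 3' introduces one port's table.
_HEADER_RE = re.compile(r"VLAN Information - for ports (\d+)")
# One membership row, e.g. '  200     APPLE-DEVICE  | Port-based No  No  Untagged'.
_ROW_RE = re.compile(
    r"^\s*(\d+)\s+(.*?)\s*\|\s*Port-based\s+\S+\s+\S+\s+(Untagged|Tagged)\s*$"
)


def parse_vlan_port_detail(text):
    """Parse one or more concatenated 'show vlan ports <n> detail' outputs.

    Returns {port_number: [(vlan_id, vlan_name, mode), ...]}.
    """
    ports = {}
    current = None
    for line in text.splitlines():
        m = _HEADER_RE.search(line)
        if m:
            current = int(m.group(1))
            ports.setdefault(current, [])
            continue
        m = _ROW_RE.match(line)
        if m and current is not None:
            ports[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return ports


def untagged_vlan(memberships):
    """The single untagged VLAN of a port, or None if there is not exactly one."""
    untagged = [vid for vid, _name, mode in memberships if mode == "Untagged"]
    return untagged[0] if len(untagged) == 1 else None


def audit_ports(switch_output, sessions):
    """Compare switch state against OnConnect policy.

    sessions maps port -> profiled OS family, or None when ClearPass holds no
    session for that port. Returns [(port, expected_vlan, actual_vlan), ...];
    an empty list means every port is where the policy says it should be.
    """
    parsed = parse_vlan_port_detail(switch_output)
    mismatches = []
    for port, os_family in sessions.items():
        exp = expected_vlan(os_family)
        act = untagged_vlan(parsed.get(port, []))
        if act != exp:
            mismatches.append((port, exp, act))
    return mismatches


# Constructed sample: ports 3 and 4 match the post's test output; port 5 is a
# made-up port that has no session yet still sits in the Windows VLAN.
SAMPLE_OUTPUT = """\
 Status and Counters - VLAN Information - for ports 3

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  200     APPLE-DEVICE         | Port-based No    No    Untagged

 Status and Counters - VLAN Information - for ports 4

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  100     WINDOWS-PC           | Port-based No    No    Untagged

 Status and Counters - VLAN Information - for ports 5

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  100     WINDOWS-PC           | Port-based No    No    Untagged
"""

# Constructed session table as ClearPass would show it for this lab.
SAMPLE_SESSIONS = {3: "Apple", 4: "Windows", 5: None}

if __name__ == "__main__":
    for port, exp, act in audit_ports(SAMPLE_OUTPUT, SAMPLE_SESSIONS):
        print(f"port {port}: expected VLAN {exp}, switch reports {act}")
```

Run it periodically against the saved output of "show vlan ports <range> detail" and a dump of the OnConnect sessions, and any port that is still in a profiled VLAN after its session expired, or that was moved by something other than ClearPass, shows up as a mismatch. Since the RW community string configured above is what lets ClearPass change port VLANs over SNMPv2c, the same audit is also a cheap way to notice VLAN changes that did not come from a ClearPass enforcement.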
Things to Note
While this was demonstrated with an Aruba switch, Aruba ClearPass is multi-vendor, i.e. we could achieve the same function on a Cisco switch.
Prior to ClearPass 6.7, you will need to enable the OnConnect service from Administration > Server Manager > Server Configuration > ClearPass-Server.