energylifeyi.blogg.se

Aruba setup peap connection for mac






Most organizations are moving to a network where all ports are authenticated. This could lead to problems when we try to connect an AP to a network port, as AP authentication is more than just an accept. There are two types of AP that might be considered. First, the Campus AP, which needs to connect to a controller. But this is the easy part, as all traffic is tunneled to the controller and we just see the AP on the port. The more interesting part is the IAP, as the IAP will connect to the switch port and we will see all the clients connected to that IAP on the same port but in different VLANs.

Let’s try to walk through the different scenarios, beginning with the Campus AP and afterward continuing with the IAP.

During the whole post, I assume that you do authentication on each port in your network and that a device only gets access after successful authentication. For the MAC-based part, I also assume that you have a complete list of all MAC addresses accessing the network. If not, you can go with ClearPass profiling.

The reason is that you tunnel all the traffic to the Controller and that the switch only sees the CAP on the port. But this creates the baseline for the more sophisticated authentication for IAPs.

Let’s start with MAC-based authentication. This is very simple and honestly not really an authentication. But it is really good to separate your devices from each other and to simplify the access switch configuration, as the port config (like VLANs) can be assigned dynamically.

Make sure the switch is running with the same time as the RADIUS server. This is essential for authentication to work.

Afterward, let’s start with the switch configuration. Below are the config items needed on the switch.

First, the RADIUS server:

    radius-server host 10.104.104.41 key "aruba123"
    radius-server host 10.104.104.41 dyn-authorization
    radius-server host 10.104.104.42 dyn-authorization

From those RADIUS servers, create a server group:

    aaa server-group radius "CPPM" host 10.104.104.41
    aaa server-group radius "CPPM" host 10.104.104.42

And finally configure a port, in my case port 5, to use MAC authentication:

    aaa port-access mac-based 5
    aaa port-access mac-based 5 server-group "CPPM"

That’s already everything we need on the switch.

On ClearPass, add the switch to “Devices”. Go to “Configuration -> Network -> Devices” and add a new device:

[Figure: Campus AP Authentication – Add Switch to ClearPass]

The Switch is an ArubaOS switch, running the latest OS, which is currently. The important part here is the “Vendor Name”. Please insert “Hewlett-Packard-Enterprise” here. The rest should be adapted to meet your requirements.

First, we need to create a profile to return the CAP VLAN back to the switch. To create the profile, go to “Configuration -> Enforcement -> Profiles” and create a new profile:

[Figure: Campus AP Authentication – Add VLAN Enforcement Profile]

The important part here is the “Template”. Select “VLAN Enforcement” as the “Template”. I also use the “Device Group List” to send the profile only to supported devices. Now click “Next” to get to the “Attributes” tab:

[Figure: Campus AP Authentication – Add VLAN Enforcement Profile Attributes]

Because of the “VLAN Enforcement” “Template”, there are already some attributes available. For the last attribute, in line 3, you can either use the VLAN ID, which would be 202 in my case, or the VLAN name, which is “LAB_CAP_Management” in my case. Using the VLAN name makes life easier when you support multiple sites or buildings with different VLANs but the same names. Save the new profile with a click on the “Save” button.

We also create a simple policy to assign the created profile. Go to “Configuration -> Enforcement -> Policies” and create a new policy:

[Figure: Campus AP Authentication – Add Enforcement Policy]

Just enter a “Name” and select the “Default Profile”. Click the “Rules” tab to get to the important part:

[Figure: Campus AP Authentication – Add Enforcement Policy Rules]

I created a very simple policy that assigns the AP VLAN to all devices (MAC addresses) which belong to the role “Aruba AP”. I derive the role from the endpoint database in ClearPass. In a real production environment, this should come from some kind of asset database. If you don’t have such a database, you can use the endpoint database as well, together with device profiling.

The final step in ClearPass is to create a service. Just go to “Configuration -> Services” and add a new service:

[Figure: Campus AP Authentication – Add MAC Auth Service]

The new service should be of “Type” “MAC Authentication”. “Authorization” is not needed at the moment. Make sure the “Service Rules” cover all possible request types belonging to this service. The last “Service Rule” is just for my lab, to make sure it will not interfere with other services I have.

On the “Authentication” tab select only “” as the “Authentication Method” and add your “Authentication Source”.
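A consistency check for the switch commands in this post, as an added example that is not part of the original post: it parses a config dump and reports RADIUS hosts in a server group that have no shared secret, and MAC-auth ports that are not bound to a defined server group. The sample input is constructed from the commands on this page; the function name and finding texts are assumptions of this example, and port lists are treated as opaque strings.

```python
import re

# Constructed input: the switch commands shown in this post, as one config dump.
SAMPLE_CONFIG = """\
radius-server host 10.104.104.41 key "aruba123"
radius-server host 10.104.104.41 dyn-authorization
radius-server host 10.104.104.42 dyn-authorization
aaa server-group radius "CPPM" host 10.104.104.41
aaa server-group radius "CPPM" host 10.104.104.42
aaa port-access mac-based 5
aaa port-access mac-based 5 server-group "CPPM"
"""

def audit_mac_auth(config):
    """Return findings (hypothetical wording) for the MAC-auth commands above."""
    find = lambda pattern: re.findall(r"^[ \t]*" + pattern, config, re.M | re.I)
    # Hosts with their own secret, and whether a global "radius-server key" exists.
    keyed = set(find(r"radius-server host (\S+) key \S"))
    global_key = bool(find(r"radius-server key \S"))
    # Server group name -> member hosts.
    groups = {}
    for name, host in find(r'aaa server-group radius "([^"]+)" host (\S+)'):
        groups.setdefault(name, []).append(host)
    # Ports with MAC auth enabled, and port -> bound server group.
    ports = set(find(r"aaa port-access mac-based (\S+)[ \t]*$"))
    bound = dict(find(r'aaa port-access mac-based (\S+) server-group "([^"]+)"'))

    findings = []
    for name, hosts in groups.items():
        for host in hosts:
            if host not in keyed and not global_key:
                findings.append(f"server-group {name}: host {host} has no shared secret")
    for port in sorted(ports | set(bound)):
        if port not in bound:
            findings.append(f"port {port}: MAC auth enabled without a server-group binding")
        elif bound[port] not in groups:
            findings.append(f"port {port}: server-group {bound[port]} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_mac_auth(SAMPLE_CONFIG)) or "no findings")
```

Run against the commands as listed on this page, it reports that 10.104.104.42 is a member of "CPPM" without a key of its own.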





