Technical Note ClearPass Policy manager Cisco Switch Setup with CPPM
Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved.
Contents
Audience 9
Typographic Conventions 9
Contacting Support 10
1. Introduction
Figures
Figure 1 CPPM Enforcement Profiles 16
Figure 2 Adding a new 802.1x Enforcement Profile 17
Figure 3 802.1x Enforcement Profile Attributes tab 17
Figure 4 Configuring the VLAN as Value 999
Tables
Table 1 VLAN numbers
Preface
Audience
This ClearPass Policy Manager Cisco Switch Setup with CPPM technical note is intended for system administrators and people who are integrating Aruba Networks wireless hardware with ClearPass 6.0.1.
Typographic Conventions
The following conventions are used throughout this manual to emphasize important concepts.
Type Style: Description
Italics: Used to emphasize important items and for the titles of books.
Contacting Support
Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephones: http://www.arubanetworks.com/support-services/arubasupport-program/contact-support/
Software Licensing Site: https://licensing.arubanetworks.com/
End of Support information: www.arubanetworks.
1. Introduction
The purpose of this document is to provide setup instructions for the Cisco 3750 12.2 (58) switch with the ClearPass Policy Manager (CPPM). This covers 802.1x authentication, MAC authentication, and Downloadable Access Control Lists (DACLs). Voice services are not covered in this document.
Assumptions
Verify that a basic configuration of CPPM has been completed (setup and a generic catch-all RADIUS service). This document uses an Aruba 3200 controller (192.168.99.5) as the DHCP server.
2. Switch Configuration
The first step is to perform the switch configuration. It is assumed that VLAN 1 has been created on the switch with a network-reachable IP address. This IP address must be able to reach the CPPM Data IP address (unless a single IP address is configured in CPPM, in which case it is the Management IP address). Verify the switch can ping CPPM:
    CPPM-Demo-3750# ping 192.168.99.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.99.
Table 1 VLAN numbers
VLAN Number: Purpose
999: Users and Access Points
333: Untrusted Devices
200: VoIP Phones
60: Printers
50: Security Network

Use best practices to create standardized naming conventions that describe VLAN purposes and locations, as displayed below:
    CPPM-Demo-3750(config)# vlan
    CPPM-Demo-3750(config-vlan)#
    CPPM-Demo-3750(config-vlan)#
    CPPM-Demo-3750(config)# vlan
    CPPM-Demo-3750(config-vlan)#
    CPPM-Demo-3750(config-vlan)#
    CPPM-Demo-3750(config)# vlan
    CPPM-Demo-3750(config-vlan)#
    CPPM-
    CPPM-Demo-3750(config-if)# exit
    CPPM-Demo-3750(config)# interface vlan 50
    CPPM-Demo-3750(config-if)# ip address 192.168.50.1 255.255.255.0
    CPPM-Demo-3750(config-if)# ip helper-address 192.168.99.10
    CPPM-Demo-3750(config-if)# ip helper-address 192.168.99.5
    CPPM-Demo-3750(config-if)# exit
Notes: 192.168.99.5 is the DHCP server and will vary based on the local configuration. 192.168.99.10 refers to CPPM, which receives a copy of the DHCP request so that the device can be profiled.
Note: If CPPM goes offline, all users will gain access to VLAN Number 333. In some circumstances, it may be necessary to set the default VLAN to 999.
3. 802.1x Service Setup
The CPPM profiles are applied globally, but to be evaluated they must be referenced in an enforcement policy that is associated with a Service. Each Enforcement Profile can have an associated group of Network Access Devices (NADs). Service setup requires a set of rules known as Enforcement Profiles. One profile will return VLAN 999 and one will return a Cisco DACL.
Adding Enforcement Profiles: VLAN 999
Navigate to Configuration->Enforcement->Profiles.
Figure 2 Adding a new 802.1x Enforcement Profile
Click Next to display the Attributes tab.
Figure 3 802.1x Enforcement Profile Attributes tab
Click the value field shown in red, select it, and enter the VLAN number 999.
Figure 4 Configuring the VLAN as Value 999
Click the save (disk) icon at the end of the line. Click Next to review the settings and display the Profile Summary.
Note: Verify that the Tunnel-Private-Group-Id value is set to 999.
Figure 5 Tunnel-Private-Group-Id value is set to 999.
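The VLAN 999 profile above is returned to the switch as three RADIUS tunnel attributes, and the switch applies the VLAN only when all three are present and consistent. The following is an added example (not ClearPass or Cisco code) that encodes and decodes those attributes so the check in the note can be reproduced offline; attribute numbers come from RFC 2868 and the VLAN/IEEE-802 values from RFC 3580, and the VLAN id 999 is the one this document uses.

```python
"""Encode and decode the RADIUS tunnel attributes a VLAN enforcement profile returns.

Added example, not ClearPass or Cisco code. Attribute numbers come from
RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81)
and the VLAN / IEEE-802 values from RFC 3580.
"""
import struct
from typing import List, Optional, Tuple

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"


def _avp(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """Tagged integer: a 1-byte tag followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_assignment_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three attributes that tell the switch to place the port in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..0x1F")
    group_id = str(vlan_id).encode("ascii")
    if tag:
        group_id = bytes([tag]) + group_id   # the tag is optional on the string attribute
    return (_avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group_id))


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute blob into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((code, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(data: bytes) -> Optional[int]:
    """VLAN id the switch would apply, or None when the trio is incomplete or is not
    a VLAN/IEEE-802 assignment (in that case the switch does not move the port)."""
    ttype = tmed = gid = None
    for code, value in parse_attrs(data):
        if code == TUNNEL_TYPE and len(value) == 4:
            ttype = int.from_bytes(value[1:], "big")
        elif code == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tmed = int.from_bytes(value[1:], "big")
        elif code == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x00..0x1F is a tag; anything larger is part of the string
            text = value[1:] if value[0] <= 0x1F else value
            gid = text.decode("ascii", errors="replace")
    if ttype != TUNNEL_TYPE_VLAN or tmed != TUNNEL_MEDIUM_IEEE_802 or gid is None:
        return None
    return int(gid) if gid.isdigit() else None
```

Call `assigned_vlan(vlan_assignment_attrs(999))` to confirm the round trip yields 999; dropping any one of the three attributes makes `assigned_vlan` return None, which is the condition to look for when a profile shows the right Tunnel-Private-Group-Id but the port still lands in the wrong VLAN.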
4. Cisco Downloadable ACL (DACL)
Navigate to Configuration->Enforcement->Profiles. Click Add Enforcement Profile in the top right corner of the page. Enter the profile properties shown in the figure below.
Figure 6 Adding a Cisco ACL (DACL) Enforcement Profile
Click Next. Note that the displayed screen has been auto-populated. Click Next to accept the default attributes. Select Click to add. Add additional profiles as applicable.
Figure 8 Adding Enforcement Policy profile properties
Click Save. Click Next. Click Save.
Creating the Service
Navigate to Configuration->Services. Click 802.1X Wired. Enter the profile properties to reflect the options as displayed below:
Figure 9 Creating the 802.1x Wired Service
Click Next.
Figure 10 Selecting the Authentication Sources: [Local User Repository]
Click Next.
Note: Role Mapping will not be set up at this time.
Click Next. Enter the profile properties to reflect the options as displayed below:
Figure 11 802.1x Wired Service Enforcement properties
Click Next. Click Save.
Reorder Services
Reordering is important because CPPM evaluates each request against the service rules of the configured services in the order in which those services are defined.
Figure 12 Reorder Services list
5. MAC Authentication Service Setup
Previously, MAC Authentication Bypass was enabled on the switch. This configuration permits non-802.1x devices to authenticate via their MAC address.
Note: MAC addresses are easily falsified, and it is recommended that a profiler service is used to verify the MAC address. Profilers inspect the DHCP request for an added level of security.
Navigate to Configuration->Services. Click Add Service.
At the Configuration->Services tab, navigate to the newly created service and click Reorder, then arrange the services as displayed below:
Note: When working with multiple 802.1x services, it is important to order them from most specific to least specific, with the generic RADIUS catch-all service last.
Figure 15 Reordering a non-802.1x MAC authentication Service
Click Save.
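To make the ordering rule concrete, the following added example (not ClearPass code) models first-match service selection over an ordered list, with the generic catch-all service placed first to show why that order is wrong. The condition values are assumptions modelled on the default wired services (NAS-Port-Type Ethernet = 15, Service-Type Framed-User = 2 for 802.1x and Call-Check = 10 for MAC authentication); the sample requests are constructed.

```python
"""First-match service selection over an ordered service list.

Added example, not ClearPass code. Service rules are assumptions modelled on
the default wired services; check the rules of your own services.
"""
from typing import Dict, List, Optional, Tuple

# A service is a name plus attribute=value conditions that must ALL match the request.
Service = Tuple[str, Dict[str, int]]

SERVICES_WRONG_ORDER: List[Service] = [
    ("Generic RADIUS catch-all", {}),                                   # no conditions: matches everything
    ("802.1X Wired", {"NAS-Port-Type": 15, "Service-Type": 2}),         # assumed rule
    ("MAC Authentication Wired", {"NAS-Port-Type": 15, "Service-Type": 10}),  # assumed rule
]


def select_service(services: List[Service], request: Dict[str, object]) -> Optional[str]:
    """Return the first service whose conditions all hold for the request, as CPPM does."""
    for name, conditions in services:
        if all(request.get(attr) == val for attr, val in conditions.items()):
            return name
    return None


def order_specific_first(services: List[Service]) -> List[Service]:
    """Most specific (most conditions) first; the catch-all, having none, ends up last.
    sorted() is stable, so services with equal specificity keep their relative order."""
    return sorted(services, key=lambda s: -len(s[1]))


# Constructed sample requests (not captured traffic)
DOT1X_REQUEST = {"NAS-Port-Type": 15, "Service-Type": 2, "User-Name": "testuser"}
MAB_REQUEST = {"NAS-Port-Type": 15, "Service-Type": 10, "User-Name": "d8c7c7cdb35c"}
```

With the catch-all first, both requests are swallowed by it and never reach the 802.1x or MAC authentication service; after `order_specific_first` each request lands on the intended service and only unmatched traffic falls through to the catch-all.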
6. Adding a Network Device (Switch) To connect with CPPM using the supported protocols, a Network Access Device (NAD) must belong to the global list of devices in the Policy Manager database. The switch to be used must be set up as a Network Device in CPPM prior to testing the services. Navigate to Configuration->Network->Devices. Click Add Device.
7. Adding a Test User Account
CPPM requires a local user account to test the 802.1x service. All local accounts in CPPM must have a Role. Navigate to Configuration->Identity->Roles. Click Add Roles. Enter the profile properties to reflect the options as displayed below:
Figure 16 Adding a TestRole user
Click Save. To create a user account, navigate to Configuration->Identity->Local Users. Click Add User.
Figure 17 Adding Local User properties Click Add. Setup is now complete.
8. Testing the 802.1x Service with Access Tracker
Access Tracker provides a real-time display of system activity. It logs authentication attempts received from a list of network devices. Navigate to Monitoring & Reporting->Access Tracker.
Figure 18 Testing an 802.1x Service in Access Tracker
Verify that Auto Refresh is enabled (green) and filters are cleared. Click the AutoRefresh icon/text to change the status as applicable.
9. Testing the MAC Authentication Service with Access Tracker
Note: Use a network device that does not support 802.1x.
Navigate to Monitoring & Reporting->Access Tracker.
Figure 20 Access Tracker window
Verify that Auto Refresh is enabled (green) and filters are cleared. Click the AutoRefresh icon/text to change the status as applicable. Plug the non-802.1x network device into port 24.
Note: The MAC Authentication service request failed.
Figure 21 A non-802.
Figure 22 Configuring the Endpoints of a non-802.1x network device
Select the device by checking its box (e.g. 'd8c7c7cdb35c' in the screenshot below) to display the Edit Endpoint dialog box. Change the 'Status' to 'Known client' as displayed below:
Figure 23 Editing the Endpoint properties of a non-802.1x network device
Click Save. Plug the non-802.1x network device into port 24. Navigate to Monitoring & Reporting->Access Tracker.
10. Troubleshooting
Problem: I see the Downloadable ACL request is successful, but when I check the ACL for the device on the Cisco switch, it is empty.
Solution: Verify the syntax of the DACL list in CPPM. If there is one ACL in the list that does not match the proper Cisco ACL syntax, then the entire list will be ignored.
Problem: I do not see any incoming requests in Access Tracker.
Solution: Navigate to Monitoring & Reporting->Event Viewer. Look for a Yellow entry.
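Because a single malformed entry causes the switch to discard the whole downloadable ACL (the first troubleshooting item above, and the DACL profile of section 4), it helps to check every line before it goes into the enforcement profile. The following is an added example (not ClearPass or Cisco code) that validates each entry against a simplified subset of Cisco extended ACE syntax and only emits the `ip:inacl#N=` AV-pair values when all entries pass. The grammar is an assumption: it accepts `permit`/`deny`, the protocols `ip`, `tcp`, `udp`, `icmp` or a protocol number, `any` / `host A.B.C.D` / `A.B.C.D WILDCARD` addresses, numeric `eq`/`neq`/`gt`/`lt`/`range` ports for TCP and UDP, and trailing `log` or (TCP only) `established`; named ports and ICMP type keywords are not modelled, so such lines are reported for manual review rather than accepted. The sample entries are constructed.

```python
"""Validate DACL entries before building Cisco-AVPair values.

Added example, not ClearPass or Cisco code. The accepted grammar is a
simplified subset of Cisco extended ACE syntax (an assumption, see lead-in).
"""
import ipaddress
from typing import List, Optional

_ACTIONS = {"permit", "deny"}
_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
_PORT_OPS = {"eq", "neq", "gt", "lt"}


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _is_port(token: str) -> bool:
    return token.isdigit() and 0 <= int(token) <= 65535


def _parse_addr(tokens: List[str], i: int) -> Optional[int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return the next index."""
    if i >= len(tokens):
        return None
    if tokens[i] == "any":
        return i + 1
    if tokens[i] == "host":
        return i + 2 if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]) else None
    if i + 1 < len(tokens) and _is_ipv4(tokens[i]) and _is_ipv4(tokens[i + 1]):
        return i + 2
    return None


def _parse_port(tokens: List[str], i: int, proto: str) -> Optional[int]:
    """Optional port clause for tcp/udp: op N | range N M. Absent clause is fine."""
    if proto not in ("tcp", "udp") or i >= len(tokens):
        return i
    if tokens[i] in _PORT_OPS:
        return i + 2 if i + 1 < len(tokens) and _is_port(tokens[i + 1]) else None
    if tokens[i] == "range":
        ok = (i + 2 < len(tokens) and _is_port(tokens[i + 1]) and _is_port(tokens[i + 2])
              and int(tokens[i + 1]) <= int(tokens[i + 2]))
        return i + 3 if ok else None
    return i


def validate_ace(line: str) -> Optional[str]:
    """Return None when the entry matches the accepted grammar, else the reason it does not."""
    tokens = line.strip().lower().split()
    if len(tokens) < 4:
        return "too few tokens"
    if tokens[0] not in _ACTIONS:
        return f"bad action '{tokens[0]}'"
    proto = tokens[1]
    if proto not in _PROTOCOLS and not proto.isdigit():
        return f"bad protocol '{proto}'"
    i = _parse_addr(tokens, 2)
    if i is None:
        return "bad source address"
    i = _parse_port(tokens, i, proto)
    if i is None:
        return "bad source port clause"
    i = _parse_addr(tokens, i)
    if i is None:
        return "bad destination address"
    i = _parse_port(tokens, i, proto)
    if i is None:
        return "bad destination port clause"
    for extra in tokens[i:]:
        if extra == "log" or (extra == "established" and proto == "tcp"):
            continue
        return f"unexpected token '{extra}'"
    return None


def build_dacl_avpairs(aces: List[str]) -> List[str]:
    """Return 'ip:inacl#N=<ace>' values for the list, or raise listing every bad entry.
    Nothing is emitted when any entry fails, mirroring the switch discarding the whole list."""
    errors = []
    for n, ace in enumerate(aces, 1):
        reason = validate_ace(ace)
        if reason:
            errors.append(f"entry {n} '{ace.strip()}': {reason}")
    if errors:
        raise ValueError("; ".join(errors))
    return [f"ip:inacl#{n}={ace.strip()}" for n, ace in enumerate(aces, 1)]


# Constructed sample list: the last entry has a typo in the action keyword
SAMPLE_DACL = [
    "permit udp any any eq 53",
    "permit tcp any host 192.168.50.10 eq 443",
    "deny ip any 192.168.50.0 0.0.0.255",
    "permt ip any any",
]
```

Running `build_dacl_avpairs(SAMPLE_DACL)` raises with the offending entry number, which is the information the troubleshooting step asks you to find by eye; fixing that entry and re-running yields the four AV-pair values to paste into the enforcement profile.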