Authenticate Aruba Devices Against ClearPass with RADIUS

Tutorial on how to Authenticate Aruba Devices Against ClearPass with RADIUS

Aruba Instant AP

Enable Dynamic RADIUS Proxy (DRP) so that RADIUS packets originate from the Aruba Virtual Controller IP address instead of each AP's own IP address

dynamic-radius-proxy

Create a RADIUS Auth-Server called ClearPass with the following

  • IP Address of ClearPass Server
  • Pre-shared key must be the same on the Aruba AP & ClearPass
  • RFC 5997 & RFC 3576 enabled
  • DRP-IP to be used as source IP for RADIUS packets

wlan auth-server ClearPass
 ip 192.168.1.236
 port 1812
 acctport 1813
 key xxxxxxxxxxxxxxxxxxxxxxxx
 rfc5997
 rfc3576
 cppm-rfc3576-port 5999
 drp-ip 192.168.1.228 255.255.255.0 vlan 1 gateway 192.168.1.1
 service-type-framed-user 1x
 service-type-framed-user cp
 service-type-framed-user mac

Configure the Aruba AP to use RADIUS as the primary authentication server, and fall back to the local internal user database if RADIUS is NOT available

mgmt-auth-server ClearPass
mgmt-auth-server-local-backup

The dynamic RADIUS proxy (DRP) feature of Aruba Instant provides an alternative to adding all APs as NAS clients. When DRP is enabled, the master AP becomes a single anchor for RADIUS requests for all users on an Aruba Instant cluster, regardless of the AP to which a user connects. The master AP acts as the RADIUS proxy for all RADIUS transactions in an Aruba Instant cluster. When DRP is enabled, all RADIUS packets that originate from an Aruba Instant cluster are sourced with the virtual controller (VC) IP address that is assigned to the cluster. The advantage of this model is that you only need to add the VC IP address to the RADIUS client list on the authentication server.

Select Enabled to allow the Instant APs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.

Every time there is an authentication or accounting request timeout, the Instant AP will send a status request enquiry to get the actual status of the RADIUS server before confirming the status of the server to be DOWN.

You can choose to select either the Authentication or Accounting check-boxes or select both check-boxes to support RFC5997.

Aruba AOS Switch

Please refer to the following notes for Aruba AOS with RADIUS authentication:

  1. There is no configuration which allows the local user database to be used while the RADIUS server is available
  2. TACACS authentication only supports SSH, Telnet & Console but NOT Web

Set a password for the manager account, as a BLANK password is assigned to manager by default

password manager

Define the RADIUS server with its pre-shared key and timeout (default is 3 seconds)

radius-server host 192.168.1.236 key "xxxxxxxx"
radius-server timeout 15

When enabled, the switch reads the Service-Type field in the client authentication response received from a RADIUS server (Service-Type = Administrative-User, value = 6).

aaa authentication login privilege-mode

Configure RADIUS authentication for SSH & Web with privileged (manager) access:

aaa authentication web enable radius local
aaa authentication ssh enable radius local

Configure RADIUS authentication for SSH & Web with READ ONLY access:

aaa authentication web login radius local
aaa authentication ssh login radius local

Verify SSH & Web are configured for RADIUS Authentication

HP-2530-24(config)# show authentication

 Status and Counters - Authentication Information

  Login Attempts : 3
  Lockout Delay : 0
  Respect Privilege : Enabled
  Bypass Username For Operator and Manager Access : Disabled

                 | Login       Login        Login
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Port-Access    | Local                    None
  Webui          | Radius      radius       Local
  SSH            | Radius      radius       Local
  Web-Auth       | ChapRadius  radius       None
  MAC-Auth       | ChapRadius  radius       None
  SNMP           | Local                    None
  Local-MAC-Auth | Local       radius       None

                 | Enable      Enable       Enable
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Webui          | Radius      radius       Local
  SSH            | Radius      radius       Local

Show Radius Authentication

HP-2530-24(config)# sh radius authentication

 Status and Counters - RADIUS Authentication Information

  NAS Identifier           : HP-2530-24
  Invalid Server Addresses : 0
                  UDP
  Server IP Addr  Port  Timeouts   Requests   Challenges Accepts    Rejects
  --------------- ----- ---------- ---------- ---------- ---------- ----------
  192.168.1.236   1812  2          18         0          16         2

ClearPass Services For RADIUS Authentication

Enforcement Profile

Create two Enforcement Profiles called LAB-ArubaAdmin-Profile & LAB-ArubaROAdmin-Profile with

  • Type = RADIUS
  • Action = Accept
  • Attributes – Deny-List (1) for LAB-ArubaAdmin-Profile & Permit-List (0) for LAB-ArubaROAdmin-Profile

  Type                               Name                   Value
  ---------------------------------- ---------------------- -----------------------
  Radius:IETF                        Service-Type           Administrative-User (6)
  Radius:Hewlett-Packard-Enterprise  HPE-Command-Exception  Deny-List (1)

Attributes for LAB-ArubaAdmin-Profile

  Type                               Name                   Value
  ---------------------------------- ---------------------- -----------------------
  Radius:IETF                        Service-Type           NAS-Prompt-User (7)
  Radius:Hewlett-Packard-Enterprise  HPE-Command-Exception  Permit-List (0)

Attributes for LAB-ArubaROAdmin-Profile

HPE-Command-Exception is a flag that specifies whether the commands listed in the HPE-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others. By sending a value of 1 with no corresponding HPE-Command-String VSA, the user can run all commands.
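As an added example (not code from the page, Aruba or HPE), the following Python script builds an Access-Accept of the kind ClearPass returns for these two profiles, verifies its Response Authenticator against the shared secret before trusting it, and maps Service-Type and HPE-Command-Exception to the access the switch would grant. It assumes the HPE VSAs use IANA enterprise number 11 with HP-Command-String = 2 and HP-Command-Exception = 3; SECRET and REQ_AUTH are constructed sample values.

```python
import hashlib
import struct

SECRET = b"xxxxxxxx"          # constructed sample shared secret (not from the page)
REQ_AUTH = bytes(range(16))   # constructed Request Authenticator from the switch's Access-Request
# Assumption: HPE VSAs use IANA enterprise 11, HP-Command-String = 2, HP-Command-Exception = 3.
VENDOR_HP, HP_CMD_STRING, HP_CMD_EXCEPTION = 11, 2, 3

def build_accept(ident, service_type, cmd_exception, cmd_strings=()):
    # Build an RFC 2865 Access-Accept carrying Service-Type plus the HPE VSAs.
    attrs = struct.pack("!BBI", 6, 6, service_type)                  # Service-Type (type 6)
    vsa = struct.pack("!BBI", HP_CMD_EXCEPTION, 6, cmd_exception)
    for cmd in cmd_strings:
        vsa += struct.pack("!BB", HP_CMD_STRING, 2 + len(cmd)) + cmd.encode()
    attrs += struct.pack("!BBI", 26, 6 + len(vsa), VENDOR_HP) + vsa  # Vendor-Specific (26)
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))          # Code 2 = Access-Accept
    resp_auth = hashlib.md5(header + REQ_AUTH + attrs + SECRET).digest()
    return header + resp_auth + attrs

def parse_accept(pkt):
    # Verify the Response Authenticator first, then extract the attributes the switch acts on.
    attrs = pkt[20:struct.unpack("!H", pkt[2:4])[0]]
    if pkt[4:20] != hashlib.md5(pkt[:4] + REQ_AUTH + attrs + SECRET).digest():
        raise ValueError("Response Authenticator mismatch: wrong secret or altered reply")
    info, i = {"commands": []}, 0
    while i < len(attrs):
        t, l, val = attrs[i], attrs[i + 1], attrs[i + 2:i + attrs[i + 1]]
        if t == 6:
            info["service_type"] = struct.unpack("!I", val)[0]
        elif t == 26 and struct.unpack("!I", val[:4])[0] == VENDOR_HP:
            j = 4
            while j < len(val):                                      # vendor sub-attributes
                st, sl, sv = val[j], val[j + 1], val[j + 2:j + val[j + 1]]
                if st == HP_CMD_EXCEPTION:
                    info["cmd_exception"] = struct.unpack("!I", sv)[0]
                elif st == HP_CMD_STRING:
                    info["commands"].append(sv.decode())
                j += sl
        i += l
    return info

def effective_access(info):
    # Map the attributes to the privilege level and command set the page describes.
    level = {6: "manager", 7: "operator"}.get(info.get("service_type"), "none")
    listed = ", ".join(info["commands"])
    if info.get("cmd_exception") == 1:       # Deny-List: listed commands denied, rest permitted
        return level, ("all except " + listed) if listed else "all commands"
    # Permit-List (0): only the listed commands are permitted
    return level, ("only " + listed) if listed else "no commands"
```

A reply that fails the authenticator check is dropped before any attribute is read, which is the same reason the shared secret must match on both the NAS and ClearPass.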


Enforcement Policy

Reuse the Roles & Role Mappings created in my previous post to create a new enforcement policy called LAB-RADIUS-Policy

  • Enforcement Type = RADIUS
  • Default Profile = [Deny Access Profile]
  • Rules
      1. Role = LAB-Admin, then assign LAB-ArubaAdmin-Profile
      2. Role = LAB-HelpDesk, then assign LAB-ArubaROAdmin-Profile

Device

Create a new Device entry called LAB-RADIUS-192.168.1.0 to include all the Aruba devices in the Management VLAN (192.168.1.0/24), with the RADIUS Shared Secret

RADIUS Enforcement Service

Create a new Service called LAB-Aruba-Devices-RADIUS

  • Type = RADIUS Enforcement (Generic)
  • Conditions

  Type         Name           Operator  Value
  ------------ -------------- --------- -----------------------
  Radius:IETF  NAS-Port-Type  EQUALS    Virtual (5)
  Radius:IETF  Service-Type   EQUALS    Administrative-User (6)
  Radius:IETF  Service-Type   EQUALS    NAS-Prompt-User (7)

  • Authentication = [PAP] and Authentication Source = AD-AventisLab.com [Active Directory]
  • Role Mapping Policy = LAB-RoleMap-Admin
  • Enforcement = LAB-RADIUS-Policy

Verify Authenticate Aruba Devices Against ClearPass

Login to the Aruba 2540 switch with username = help to verify that read-only rights are assigned

HP-2530-24> en
Please Enter Login Name:

Login to the Aruba 2540 switch with username = netadmin to verify that full access rights are assigned

HP-2530-24# 

RADIUS Accounting for Aruba Switch

RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot.

Login to Aruba Solution Exchange to search for the configuration template

Login to Aruba Switch to enable RADIUS Accounting

aaa accounting commands stop-only radius
aaa accounting exec start-stop radius
aaa accounting system stop-only radius

  • Exec: Use exec if you want to collect accounting information on login sessions on the switch via the console, Telnet, or SSH
  • System: Use system if you want to collect accounting data when the system boots or reloads, or when system accounting is turned on or off
  • Commands: When commands accounting is enabled, an accounting notice record is sent after the execution of each command.
  • Network: Use network if you want to collect accounting information on 802.1X port-based access to the network by users connected to the physical ports on the switch

Start-Stop: Applies to the exec, network, and system accounting service types:

Stop-Only: Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (network, exec, or system service types).

Verify RADIUS Accounting is configured successfully

HP-2530-24# show accounting

 Status and Counters - Accounting Information

  Interval(min) : 0
  Suppress Empty User : No
  Sessions Identification : Unique
  Session ID includes switch-identity : Disabled

  Type     | Method Mode           Server Group
  -------- + ------ -------------- ------------
  Network  | None
  Exec     | Radius Start-Stop     radius
  System   | Radius Stop-Only      radius
  Commands | Radius Stop-Only      radius

Login to ClearPass and go to Monitoring > Live Monitoring > Accounting to view all the RADIUS Accounting records sent from the Aruba switch
