Authenticate ClearPass Admin Against AD

Tutorial on how to authenticate ClearPass admin logins against AD (Active Directory) using the TACACS+ protocol

Prepare an Aruba ClearPass VM by referring to How To Setup Aruba ClearPass VM Appliance before continuing with the lab below

Roles & Role Mappings

Create the following Roles in Configuration > Identity > Roles

  • LAB-Admin
  • LAB-HelpDesk

Create a new Role Mapping called LAB-RoleMap-Admin with the following conditions

  • (Authorization:AD-AventisLab.com:Groups EQUALS ArubaAdmin) – Role Name = LAB-Admin
  • (Authorization:AD-AventisLab.com:Groups EQUALS HelpDesk) – Role Name = LAB-HelpDesk

Authenticate Aruba ClearPass Admin Against AD

Enforcement Policy

Create a new Enforcement Policy called LAB-EnformentPolicy-Admin with

  • Enforcement Type : TACACS+
  • Default Profile : [TACACS Deny Profile]

Add rules that assign the built-in TACACS profiles based on the mapped role

  • Assign [TACACS Super Admin] to the LAB-Admin role
  • Assign [TACACS Help Desk] to the LAB-HelpDesk role

New Service for Admin Network Login

Create a new service from the default [Policy Manager Admin Network Login Service]

Rename it to LAB-Policy Manager Admin Network Login Service

Remove the existing Authentication Sources and add AD-AventisLab [Active Directory] so that admin logins are authenticated against the AD Domain Controller

Select LAB-RoleMap-Admin as the Role Mapping Policy

Select LAB-EnformentPolicy-Admin as the Enforcement Policy

Save, then reorder the new LAB-Policy Manager Admin Network Login Service to the top

Testing ClearPass Admin Authentication Against AD

Logging in as NetAdmin, a member of the ArubaAdmin group in AD, gives full access to Aruba Policy Manager

Logging in as Help, a member of the HelpDesk group in AD, gives only limited access to Aruba Policy Manager

Authenticate Aruba AP Admin Against AD

RADIUS Authentication

Create a new service in Aruba ClearPass Policy Manager

  • Type = RADIUS Enforcement (Generic)
  • Name = LAB-ArubaIAP-Admin
  • Service Rule

    Type         Name            Operator   Value
    Radius:IETF  NAS-Port-Type   EQUALS     Virtual (5)
    Radius:IETF  Service-Type    EQUALS     Administrative-User (6)

Select Authentication Methods = [PAP] & [CHAP] and Authentication Sources = AD-AventisLab.com [Active Directory]

Select the LAB-RoleMap-Admin Role Mapping Policy created previously

Create a new Enforcement Policy called LAB-IAP-Admin-Enforcement with

  • Default Profile = [Deny Access Profile]
  • Conditions = Tips:Role EQUALS LAB-Admin – [Allow Access Profile]

Save and move the LAB-ArubaIAP-Admin service to the top
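To make the service rule concrete, here is an added Python example (not part of this tutorial and not ClearPass code) that parses the attribute-value pairs of a RADIUS packet and checks the same condition the LAB-ArubaIAP-Admin service uses: NAS-Port-Type EQUALS Virtual (5) and Service-Type EQUALS Administrative-User (6). The two sample packets are constructed for the example, with a zero authenticator and no User-Password attribute.

```python
import struct

# RADIUS attribute type codes from RFC 2865
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_NAS_PORT_TYPE = 61

# Values referenced by the LAB-ArubaIAP-Admin service rule
NAS_PORT_TYPE_VIRTUAL = 5
SERVICE_TYPE_ADMINISTRATIVE_USER = 6


def parse_radius_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} from a RADIUS packet.

    Layout (RFC 2865): code(1) id(1) length(2) authenticator(16),
    followed by type(1) length(1) value(length-2) triples.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def matches_iap_admin_service(packet: bytes) -> bool:
    """True only if both service-rule conditions hold (both attributes present and equal)."""
    attrs = parse_radius_attributes(packet)
    npt, st = attrs.get(ATTR_NAS_PORT_TYPE), attrs.get(ATTR_SERVICE_TYPE)
    if npt is None or st is None or len(npt) != 4 or len(st) != 4:
        return False
    return (struct.unpack("!I", npt)[0] == NAS_PORT_TYPE_VIRTUAL
            and struct.unpack("!I", st)[0] == SERVICE_TYPE_ADMINISTRATIVE_USER)


def build_access_request(attributes) -> bytes:
    """Constructed Access-Request (code 1, id 0, zero authenticator) for testing only."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attributes)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body


# Constructed sample: an IAP admin login by NetAdmin (hits the admin service)
ADMIN_LOGIN = build_access_request([
    (ATTR_USER_NAME, b"NetAdmin"),
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER)),
    (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
])
# Constructed sample: a Wireless-802.11 (19) Login-User (1) request from the same account,
# which must not be categorised into the admin service
WIFI_LOGIN = build_access_request([
    (ATTR_USER_NAME, b"NetAdmin"),
    (ATTR_SERVICE_TYPE, struct.pack("!I", 1)),
    (ATTR_NAS_PORT_TYPE, struct.pack("!I", 19)),
])
```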

Log in to the Aruba AP and, under Configuration > System > Admin > Local, change Admin Authentication to "Authentication Server w/ fallback to Internal" with Auth Server 1 = ClearPass

Logging in to the Aruba AP as NetAdmin, a member of the ArubaAdmin group in AD, succeeds
