ClearPass Policy Manager


ClearPass Policy Manager Tech Note: ClearPass Integration with HP's Provision Access Switches

Version  Date      Modified By  Comments
0.1      May 2015  Danny Jump   Initial Integration Guide V1
1.0      May 2015  Danny Jump   Modifications from Bob/Seth/Austin

TABLE OF CONTENTS

Overview ... 4
HP Switching Overview ... 5
Aruba ClearPass Overview ... 5
LAB Software/Hardware Revisions ... 5
Captured Configuration ... 6
RADIUS/Accounting Setup and Monitoring ... 6
Enable DHCP Snooping ... 9
Configuring & Monitoring 802.1x
Limiting access for unauthenticated clients
Monitoring 802.1x
RFC 3576 Change of Authorization & Disconnect Message
RFC 3576 Change of Authorization Nuances discovered in testing
Other CoA Recommendations/Thoughts
Working Config for Internal Web Auth Capabilities on top of 802.1x + MAB
Configuring & Monitoring MAC Authentication
Configuring and Using dACL
Dissolvable Agent (DA) OnGuard Interaction
Appendix: Other Random Items (WIP)

TABLE OF FIGURES

Figure 1 - Adding a new CPPM RADIUS server ... 6
Figure 2 - 'show radius' ... 6
Figure 3 - Configuring RADIUS Accounting ... 7
Figure 4 - Adding the NAS/NAD to ClearPass ... 7
Figure 5 - Monitoring activity between NAS and CPPM ... 8
Figure 6 - Monitoring detailed level activity between the NAS and CPPM ... 8
Figure 7 - Enable DHCP snooping globally within the switch ... 9
Figure 8 - Enter the IP address of a trusted DHCP server ... 9
Figure 9 - Disable dhcp-snooping for Option 82
Figure 10 - Enabling dhcp-snooping on VLANs
Figure 11 - Showing status of dhcp-snooping on the switch
Figure 12 - Showing status of dhcp-snooping statistics on the switch
Figure 13 - Creating your VLANs
Figure 14 - Configuring an Enforcement Profile to send VLAN=100
Figure 15 - IETF and HP VSAs supported on Provision switches
Figure 16 - CPPM Generic Service match with NAS=IP@ of the 2920
Figure 17 - Matching Auth methods and Auth sources
Figure 18 - Assigning a ROLE to the user authentication
Figure 19 - Setting Enforcement Profile
Figure 20 - Enable EAP globally on the switch
Figure 21 - Enable 1x globally on the switch
Figure 22 - Enabling ports for basic 802.1x
Figure 23 - Viewing 802.1x default port configuration
Figure 24 - Viewing 802.1x advanced port configuration
Figure 25 - Enabling un-authenticated VLAN-ID
Figure 26 - Fine tuning the un-authenticated VLAN timers
Figure 27 - Showing active 802.1x users on the switch
Figure 28 - Enable CoA at the global level for each RADIUS server defined
Figure 29 - Setting the switch time-window to accept CoA any-time
Figure 30 - Checking CoA/DM is enabled on the NAS
Figure 31 - Monitoring the CoA commands from the switch
Figure 32 - Monitoring the CoA commands from the switch at a detailed level
Figure 33 - Building a CoA from a template
Figure 34 - Change of VLAN CoA template
Figure 35 - HP Generic CoA template
Figure 36 - Configuring a single port for dot1x / MAB / WebAuth
Figure 37 - Enabling ports for basic MAC-Auth
Figure 38 - Viewing MAC-Auth basic port configuration
Figure 39 - Viewing MAC-Auth port advanced configuration
Figure 40 - Showing active MAC-Auth users on the switch
Figure 41 - Filter-ID based enforcement
Figure 42 - Creating a dACL on CPPM to be sent to the HP switch
Figure 43 - Monitoring the dACL on the switch

Page 2 of 33

Overview

This document is intended to help field engineering, customers, and channel partners integrate Aruba Networks ClearPass 6.x with HP's range of Provision switches. Initially this document is focused on the L2/L3 access switches. Customers can combine the feature-rich enterprise functionality of ClearPass with the industry-leading, open-standard Ethernet access switches from HP.

This document is focused on and references ONLY Provision switches, sometimes referred to as HP ProCurve. A separate document will be released for Comware switches, sometimes referred to as H3C switches, at a later date. We do not intend at this stage to cover HP's data-center switches or HP's wireless products.

Below, starting on page 6, we have captured the ClearPass Policy Manager and HP switch configuration covering 802.1x, MAC authentication, dACL and other integration solutions. At this time we have NOT captured the Web Authentication functionality, as at the time of publication we are still working through some of the nuances of this feature and its interoperability with ClearPass Policy Manager. Check back regularly for updates.

Note: Where you see a red chili, this signifies a hot, important point and highlights that the point is to be taken as a best-practice recommendation.

This document is expected to go through multiple revisions, so check back frequently to ensure you have the latest published version.

This document will, I suspect, be read and digested by Aruba engineers not familiar with HP switching solutions and by HP engineers not that familiar with the workings and nuances of Aruba's ClearPass Policy Manager. Therefore, initially there is a 20,000 ft overview of both product lines. Throughout the document I have, where I feel it appropriate, simplified the technology and where possible provided an explanation in easy-to-understand, day-to-day terms.

Any comments, queries or suggestions regarding the content within this document can be sent directly to danny@arubanetworks.com.

HP Switching Overview

HP provides the industry's most versatile and flexible range of Ethernet switches, covering access through to data center. The HP FlexNetwork architecture brings consistent, open-standards-based networking to enterprise networks in the data center, campus and branches. HP networking switches offer high performance, scalability, and a wide range of features for core-to-edge connectivity that reduces network complexity and lowers cost of ownership.

Campus and Branch - Extending SDN simplicity with Campus Networking and FlexBranch.
Data Center - Virtualized with the power of FlexFabric and SDN.
Small Business - Your own affordable, scalable SMB solutions.

Aruba ClearPass Overview

The Aruba ClearPass Policy Manager platform makes it easy to secure next-generation mobility services, enhance network access security and compliance, and streamline network operations for wired, wireless and VPN. A comprehensive policy management solution, the ClearPass Policy Manager platform includes the ClearPass Guest, ClearPass Onboard and ClearPass OnGuard applications. It also provides role-based policy management, detailed endpoint profiling, enterprise-grade RADIUS/TACACS+, BYOD, SSO via an integrated SAML framework, mobile device management (MDM) and administrative web access. Integration with many 3rd-party systems such as Palo Alto Networks firewalls, Fortinet, Check Point, iboss and many others is provided through an integration ecosystem called ClearPass Exchange.

Whether local or remote, ClearPass makes it effortless to centrally manage and enforce user- and device-based access policies across multivendor campus and distributed network infrastructures, regardless of device ownership or connection method. The result is consistent, automated and secure network access that meets today's evolving BYOD and IT-managed mobile device requirements, delivered from a single, extensible platform with capabilities that grow and adapt to changing business needs.

LAB Software/Hardware Revisions

The configuration below has been produced using the latest GA versions of ClearPass Policy Manager 6.5 patch 1 and an HP 2920 (J9727A) running a software image of WB

Captured Configuration

RADIUS/Accounting Setup and Monitoring

Before any feature-specific configuration can be completed, a few basic interoperability settings must be in place.

Configure a RADIUS server (CPPM) on the switch. After signing into the switch, follow the below.

CPPM-2920# conf t
CPPM-2920(config)# radius-server host key my_shared_secret
CPPM-2920(config)# radius-server host dyn-authorization

Figure 1 - Adding a new CPPM RADIUS server

The above two commands add a CPPM node. Note the optional key parameter: this is the RADIUS shared secret and must match the secret you set within CPPM for this NAS. The second command enables CoA (dynamic authorization) support, which we discuss later in the document.

Figure 2 - 'show radius'

Above you can see we have defined TWO CPPM nodes on this NAS. Authentication and accounting are running on their default UDP ports, 1812 and 1813, and the NAS is listening for inbound CoA commands on the default UDP port of 3799.

Setting up RADIUS accounting is fairly simple. You can enable it for multiple features within the 2920 accounting configuration. In the first command below we enable start-stop accounting for network sessions. Additionally you can configure start-stop accounting for the other components shown in the option list. Finally we configure the interim update interval, in our case to 2 minutes.

CPPM-2920(config)# aaa accounting network start-stop radius server-group radius
CPPM-2920(config)# aaa accounting
  commands    Configure 'commands' type of accounting.
  exec        Configure 'exec' type of accounting.
  network     Configure 'network' type of accounting.
  session-id  Configure accounting sessions identification scheme.
  suppress    Do not generate accounting records for a specific type of user.
  system      Configure 'system' type of accounting.
  update      Configure update accounting records mechanism.
CPPM-2920(config)# aaa accounting update periodic 2
CPPM-2920(config)# show accounting

 Status and Counters - Accounting Information

  Interval(min) : 2
  Suppress Empty User : No
  Sessions Identification : Unique

  Type      Method  Mode        Server Group
  --------  ------  ----------  ------------
  Network   Radius  Start-Stop  radius
  Exec      None
  System    None
  Commands  None

Figure 3 - Configuring RADIUS Accounting

Configure a NAS/NAD endpoint on CPPM. Go to Configuration -> Network -> Devices -> [Add].

Figure 4 - Adding the NAS/NAD to ClearPass

Pay special attention to the RADIUS Shared Secret; this must match the key configured on the HP switch. Notice that we have set Vendor Name = HP and that we have enabled CoA over the default port 3799.

To monitor the RADIUS messages between the switch and CPPM, we have found the following command most useful.

CPPM-2920# show radius authentication

 Status and Counters - RADIUS Authentication Information

  NAS Identifier : CPPM-2920
  Invalid Server Addresses : 0

                  UDP
  Server IP Addr  Port  Timeouts  Requests  Challenges  Accepts  Rejects
  --------------  ----  --------  --------  ----------  -------  -------

Figure 5 - Monitoring activity between NAS and CPPM

For a more detailed view of the interaction between the NAS and ClearPass, the following command provides low-level insight into the activity at the RADIUS level. I specifically like the breakout of 1812/1813 message information for authentication and accounting.

CPPM-2920# show radius host

 Status and Counters - RADIUS Server Information

  Server IP Addr :
  Authentication UDP Port : 1812      Accounting UDP Port : 1813
  Round Trip Time : 4                 Round Trip Time : 0
  Pending Requests : 0                Pending Requests : 0
  Retransmissions : 4                 Retransmissions : 1
  Timeouts : 4                        Timeouts : 1
  Malformed Responses : 0             Malformed Responses : 0
  Bad Authenticators : 0              Bad Authenticators : 0
  Unknown Types : 0                   Unknown Types : 0
  Packets Dropped : 0                 Packets Dropped : 0
  Access Requests : 2024              Accounting Requests : 3058
  Access Challenges : 1475            Accounting Responses : 3058
  Access Accepts : 548
  Access Rejects : 1

Figure 6 - Monitoring detailed level activity between the NAS and CPPM
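The counters above are the quickest way to tell a shared-secret problem from a reachability problem. The script below is an added example (not from the tech note or from HP) that parses the two-column 'show radius host' output and maps the counter patterns to their usual cause. Both sample outputs are constructed in the layout of Figure 6 with made-up numbers and RFC 5737 test addresses, and the "more rejects than accepts" threshold is a judgment call, not a switch setting.

```python
"""Interpret the counters from 'show radius host' on an HP Provision switch."""
import re

# Constructed sample in the layout of Figure 6; the numbers and address are made up.
SAMPLE = """\
Status and Counters - RADIUS Server Information

 Server IP Addr : 192.0.2.10
 Authentication UDP Port : 1812      Accounting UDP Port : 1813
 Round Trip Time : 4                 Round Trip Time : 0
 Pending Requests : 0                Pending Requests : 0
 Retransmissions : 4                 Retransmissions : 1
 Timeouts : 4                        Timeouts : 1
 Malformed Responses : 0             Malformed Responses : 0
 Bad Authenticators : 3              Bad Authenticators : 0
 Unknown Types : 0                   Unknown Types : 0
 Packets Dropped : 0                 Packets Dropped : 0
 Access Requests : 2024              Accounting Requests : 3058
 Access Challenges : 1475            Accounting Responses : 3058
 Access Accepts : 548
 Access Rejects : 1
"""

# Same layout for a server that never answers (CPPM down, port filtered, or the
# switch not defined as a Network Device in CPPM).  Also constructed.
SAMPLE_SILENT = """\
 Server IP Addr : 192.0.2.11
 Authentication UDP Port : 1812      Accounting UDP Port : 1813
 Pending Requests : 3                Pending Requests : 1
 Retransmissions : 36                Retransmissions : 12
 Timeouts : 12                       Timeouts : 4
 Malformed Responses : 0             Malformed Responses : 0
 Bad Authenticators : 0              Bad Authenticators : 0
 Access Requests : 12                Accounting Requests : 4
 Access Challenges : 0               Accounting Responses : 0
 Access Accepts : 0
 Access Rejects : 0
"""

# One "Name : value" pair; a line may carry two of them side by side.
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_radius_host(text):
    """Split the two side-by-side columns: the first 'name : value' on a line is
    the authentication (1812) counter, the second the accounting (1813) one."""
    out = {"server": None, "auth": {}, "acct": {}}
    for line in text.splitlines():
        pairs = PAIR.findall(line)
        if pairs and pairs[0][0] == "Server IP Addr":
            out["server"] = pairs[0][1]
            continue
        for col, (name, value) in zip(("auth", "acct"), pairs):
            out[col][name] = int(value) if value.isdigit() else value
    return out


def diagnose(c):
    """Map counter patterns to their usual cause; returns [(code, advice), ...]."""
    a, k = c["auth"], c["acct"]

    def g(d, name):
        return d.get(name, 0)

    findings = []
    if g(a, "Bad Authenticators") or g(k, "Bad Authenticators"):
        findings.append(("secret_mismatch",
            "Bad Authenticators > 0: CPPM's responses do not verify, so the radius-server "
            "host key on the switch differs from the RADIUS Shared Secret of this NAS in CPPM"))
    if g(a, "Timeouts") and not (g(a, "Access Accepts") + g(a, "Access Rejects") + g(a, "Access Challenges")):
        findings.append(("auth_unreachable",
            "requests time out and nothing comes back: CPPM down or UDP/1812 filtered, the switch "
            "IP not defined as a Network Device in CPPM (unknown NADs are ignored), or a secret "
            "mismatch (CPPM silently discards EAP requests whose Message-Authenticator fails)"))
    if g(k, "Timeouts") and not g(k, "Accounting Responses"):
        findings.append(("acct_unreachable",
            "accounting is never acknowledged: UDP/1813 filtered or accounting not reaching CPPM, "
            "so Access Tracker will not see session start/stop/interim updates"))
    decided = g(a, "Access Accepts") + g(a, "Access Rejects")
    if decided and g(a, "Access Rejects") > decided / 2:
        findings.append(("high_reject_rate",
            "more rejects than accepts: check the service match, authentication source and "
            "enforcement policy in Access Tracker before suspecting the switch"))
    if g(a, "Malformed Responses") or g(a, "Unknown Types") or g(a, "Packets Dropped"):
        findings.append(("protocol_errors",
            "malformed, unknown or dropped packets: something between switch and CPPM is "
            "rewriting RADIUS, or a response carries an attribute the switch cannot parse"))
    return findings
```

Paste the real 'show radius host' output into parse_radius_host() and read the codes off diagnose(); a Bad Authenticators count that keeps climbing is almost always the shared secret, while a silent server with rising retransmissions usually means CPPM never accepted the switch as a known NAD.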

Enable DHCP Snooping

Enabling DHCP snooping on the switch is not a requirement for the ClearPass integration, but we found it most helpful when debugging on the switch. DHCP snooping helps prevent unauthorized users from adding a DHCP server to the network that then hands out invalid configuration data to other DHCP clients. It does this by letting you distinguish between trusted ports (connected to a DHCP server or another switch) and untrusted ports (connected to end users). DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded, and packets from untrusted sources are dropped.

CPPM-2920(config)# dhcp-snooping

Figure 7 - Enable DHCP snooping globally within the switch

If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all servers seen on trusted ports are considered valid. You can configure a maximum of 20 authorized servers.

CPPM-2920(config)# dhcp-snooping authorized-server x.x.x.x
CPPM-2920(config)# dhcp-snooping authorized-server y.y.y.y

Figure 8 - Enter the IP address of a trusted DHCP server

By default, DHCP snooping adds Option 82 (the relay agent information option) to DHCP request packets received on untrusted ports. When DHCP snooping is enabled globally and on a VLAN, and the switch is also acting as a DHCP relay, the settings of the DHCP relay Option 82 command are ignored, because snooping controls Option 82 insertion. Option 82 inserted in this manner allows the client's lease to be associated with the correct port, even when another device is acting as the DHCP relay or when the server is on the same subnet as the client. The command below turns Option 82 insertion off (useful when a lab DHCP server does not handle relay-agent information).

This is an advanced topic of discussion with a customer and is beyond the role and responsibility of a CPPM deployment. It has been added here to assist you when debugging PoC/home labs.

CPPM-2920(config)# no dhcp-snooping option 82

Figure 9 - Disable dhcp-snooping for Option 82

To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range] command at the global configuration level, or the dhcp-snooping command at the VLAN configuration level. DHCP snooping on VLANs is disabled by default. Below we enable it for our VLANs.

CPPM-2920(config)# dhcp-snooping vlan

Figure 10 - Enabling dhcp-snooping on VLANs

By default, all ports are untrusted. To configure a port or range of ports as trusted, enter one of the following commands. You can also use the command in the interface context, in which case you cannot enter a list of ports. Both options are shown below.

CPPM-2920(config)# dhcp-snooping trust <port-list>
CPPM-2920(config)# interface 15      <--- e.g. the interface facing the internal network
CPPM-2920(eth-15)# dhcp-snooping trust

To display the DHCP snooping configuration, enter this command:

CPPM-2920# show dhcp-snooping

 DHCP Snooping Information

  DHCP Snooping : Yes
  Enabled VLANs :
  Verify MAC address : Yes
  Option 82 untrusted policy : drop
  Option 82 insertion : No
  Store lease database : Not configured

  Authorized Servers
  ------------------
  x.x.x.x
  y.y.y.y

                    Max       Current Bindings
  Port  Trust       Bindings  Static  Dynamic
  ----  ----------  --------  ------  -------
        No
        No
        Yes
  Ports 2-12,14-25,27-28 are untrusted

Figure 11 - Showing status of dhcp-snooping on the switch

CPPM-2920# show dhcp-snooping stats

 Packet type  Action   Reason                         Count
 -----------  -------  -----------------------------  -----
 server       forward  from trusted port              81
 client       forward  to trusted port
 server       drop     received on untrusted port     0
 server       drop     unauthorized server            14
 client       drop     destination on untrusted port  0
 client       drop     untrusted option 82 field      0
 client       drop     bad DHCP release request       0
 client       drop     failed verify MAC check        0
 client       drop     failed on max-binding limit    0

Figure 12 - Showing status of dhcp-snooping statistics on the switch

Note the 14 drops with reason "unauthorized server": a DHCP server answered through a trusted port but is not in the authorized-server list. In a lab that is usually a forgotten second server; in production it is worth finding out what it is.
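To make the forwarding rules described in this section concrete, here is an added example (not code from the tech note, nor HP's firmware logic) that models the snooping decision for each DHCP message and tallies the results in the shape of Figure 12, using the reason strings the switch prints. It assumes the configuration shown in Figure 11 (MAC verification on, Option 82 untrusted policy drop). The sample traffic, MAC/IP values, the order of the checks and the meaning given to "bad DHCP release request" (a release for a lease learned on a different port) are my assumptions, not the switch's documented implementation.

```python
"""Model of the DHCP snooping forwarding decision on an HP Provision switch."""
from collections import Counter
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                          # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class SnoopConfig:
    trusted_ports: set = field(default_factory=set)        # dhcp-snooping trust <port-list>
    authorized_servers: set = field(default_factory=set)   # dhcp-snooping authorized-server; empty = any
    verify_mac: bool = True                                # "Verify MAC address : Yes" in Figure 11
    option82_untrusted_policy: str = "drop"                # "Option 82 untrusted policy : drop"
    bindings: dict = field(default_factory=dict)           # (client MAC, leased IP) -> port (assumption)


@dataclass
class Dhcp:
    port: int
    msg: str
    src_ip: str
    src_mac: str                 # Ethernet source address
    chaddr: str                  # client hardware address carried in the DHCP payload
    ciaddr: str = "0.0.0.0"      # client IP (set in RELEASE)
    has_option82: bool = False


def decide(cfg, p):
    """Return ('forward'|'drop', reason), using the reason strings the switch
    reports in 'show dhcp-snooping stats'; the check order is an assumption."""
    trusted = p.port in cfg.trusted_ports
    if p.msg in SERVER_MSGS:
        if not trusted:
            return "drop", "received on untrusted port"       # rogue server on an access port
        if cfg.authorized_servers and p.src_ip not in cfg.authorized_servers:
            return "drop", "unauthorized server"              # reachable via uplink, not on the list
        return "forward", "from trusted port"
    if p.msg not in CLIENT_MSGS:
        return "drop", "unknown message type"                 # not one of the switch's reasons
    if trusted:
        return "forward", "from trusted port"                 # no inspection between trusted ports
    if cfg.verify_mac and p.src_mac.lower() != p.chaddr.lower():
        return "drop", "failed verify MAC check"              # chaddr spoofing
    if p.has_option82 and cfg.option82_untrusted_policy == "drop":
        return "drop", "untrusted option 82 field"            # clients must not inject relay info
    if p.msg == "RELEASE" and cfg.bindings.get((p.chaddr.lower(), p.ciaddr)) != p.port:
        return "drop", "bad DHCP release request"             # releasing a lease this port never got
    return "forward", "to trusted port"


def tally(cfg, packets):
    """Counts in the shape of Figure 12: (packet type, action, reason) -> count."""
    return Counter(("server" if p.msg in SERVER_MSGS else "client",) + decide(cfg, p)
                   for p in packets)


def rogue_servers(cfg, packets):
    """(port, source IP) of every dropped server message: the rogue-DHCP signal."""
    return {(p.port, p.src_ip) for p in packets
            if p.msg in SERVER_MSGS and decide(cfg, p)[0] == "drop"}


# Constructed traffic (not from the tech note). Port 15 is the uplink, 192.0.2.5
# the authorized server; the client MAC reuses the one shown in Figure 27.
MAC = "3c:97:0e:13:3b:f5"
SRV = "00:50:56:aa:bb:cc"
CFG = SnoopConfig(trusted_ports={15}, authorized_servers={"192.0.2.5"},
                  bindings={(MAC, "10.1.100.23"): 7})
PACKETS = [
    Dhcp(7, "DISCOVER", "0.0.0.0", MAC, MAC),
    Dhcp(15, "OFFER", "192.0.2.5", SRV, MAC),
    Dhcp(7, "REQUEST", "0.0.0.0", MAC, MAC),
    Dhcp(15, "ACK", "192.0.2.5", SRV, MAC),
    Dhcp(7, "RELEASE", "10.1.100.23", MAC, MAC, ciaddr="10.1.100.23"),      # legitimate release
    Dhcp(9, "OFFER", "192.168.1.1", "00:11:22:33:44:55", MAC),             # rogue on an access port
    Dhcp(15, "OFFER", "10.9.9.9", "00:11:22:33:44:66", MAC),               # via uplink, not authorized
    Dhcp(8, "DISCOVER", "0.0.0.0", "de:ad:be:ef:00:01", MAC),              # spoofed chaddr
    Dhcp(8, "REQUEST", "0.0.0.0", "de:ad:be:ef:00:02", "de:ad:be:ef:00:02", has_option82=True),
    Dhcp(9, "RELEASE", "10.1.100.23", MAC, MAC, ciaddr="10.1.100.23"),      # release of another port's lease
]
```

The two dropped OFFERs are the interesting ones: the first is the classic rogue server on an access port, which trusted/untrusted alone catches; the second only gets caught because an authorized-server list is configured, which is why that list is worth filling in even though the switch accepts any server on a trusted port without it.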

Configuring & Monitoring 802.1x

This section is focused on the configuration required to enable standards-based 802.1X between CPPM and the switch. Specifically in this section we will cover dynamic VLAN assignment.

The switch port acts as an 802.1X authenticator, encapsulating/de-encapsulating EAP messages as required and forwarding them between the supplicant and the RADIUS server. When a supplicant connects, the switch sends an EAP-Request/Identity packet to the supplicant to prompt an authentication attempt. Alternatively the supplicant can initiate authentication by sending an EAPOL-Start packet to the switch.

Create the VLANs required within your switches. In our example we've created VLAN 100, added an L3 IP address [you might want an L2-only VLAN] and added two IP helper addresses to forward DHCP requests. Add the VLANs you require for your network deployment and, if required, the L3 IP details and IP helpers.

CPPM-2920(config)# vlan 100
CPPM-2920(vlan-100)# ip address
CPPM-2920(vlan-100)# ip helper-address
CPPM-2920(vlan-100)# ip helper-address
CPPM-2920(vlan-100)# show vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID  Name          Status      Voice  Jumbo
  -------  ------------  ----------  -----  -----
  1        DEFAULT_VLAN  Port-based  No     No
  100      VLAN100       Port-based  No     No
  200      VLAN200       Port-based  No     No
  300      VLAN300       Port-based  No     No
  400      VLAN400       Port-based  No     No
  500      VLAN500       Port-based  No     No
  600      VLAN600       Port-based  No     No
  700      eap           Port-based  No     No
  710      mac-auth      Port-based  No     No
  900      quarantine    Port-based  No     No

Figure 13 - Creating your VLANs

Note: The "Port-based" status shown above is the VLAN type (as opposed to a protocol-based VLAN) and is unrelated to the 802.1X authenticator mode discussed next. The 802.1X authenticator runs in port-based mode when the 'client-limit' parameter is not set. In port-based mode, if a single authentication attempt on the port is successful, the port is fully opened and all packets are allowed to ingress.

Client-based mode is an HP proprietary extension to the 802.1X standard and is used when a 'client-limit' of 1 or more is configured for the 802.1X authenticator. In client-based mode a filtering table is maintained for each authenticated port. Only devices that have successfully completed 802.1X authentication have their MAC addresses added to the filtering table, so only packets from authenticated devices are allowed to ingress into the network. Multiple authentication sessions for different devices may run concurrently, and accounting information is provided for each individual session.

Once the VLANs have been created on the switch, you need to provide the orchestration within CPPM to dynamically allocate users/devices to the correct VLAN. VLAN assignment is orchestrated by ClearPass Policy Manager Enforcement Profiles. An Enforcement Profile is where multiple connection attributes can be configured, such as the VLAN ID, better known in the RADIUS world as Tunnel-Private-Group-Id. Below is an example of such a profile setting VLAN=100.

Figure 14 - Configuring an Enforcement Profile to send VLAN=100

Above you see several other RADIUS:IETF attributes. Attributes 1 through 3 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id=100) are mandatory in this profile when enforcing a VLAN on an Ethernet switch; the switch expects all three, not just the group ID. Enforcement Profiles within CPPM are a very powerful method of controlling the activity of users/devices at authentication time; they can also be used post-authentication. Other examples of the use of an Enforcement Profile are controlling the number of devices a user can have on the network, sending a role or a role change with a downloadable ACL (dACL) to the switch port, or setting the Session-Timeout for the user's active duration.

In addition to the profile examples in this tech note, HP Provision switches support other IETF and HP-specific VSAs, as shown below. These attributes can be used in ClearPass Enforcement Profiles in addition to sending back a VLAN ID.

Figure 15 - IETF and HP VSAs supported on Provision switches

Now, the COMPLETE configuration of a CPPM service, with enforcement, role mapping etc., is well beyond the scope of this document. As a quick example, below are some screenshots and simple verbiage. The workflow below should provide a brief view of how to set a port's VLAN to 100.

Below is the overview of the Service profile, where we match global attributes present in the RADIUS Access-Request we receive from the NAS (switch). Look specifically at line 4, where we match this request on the IP address of the HP 2920 switch, so that the service applies only to that source NAS.

Figure 16 - CPPM Generic Service match with NAS=IP@ of the 2920

Below we again look at the incoming RADIUS Access-Request, this time matching on the authentication method presented by the 802.1X supplicant. Following this, we tell CPPM to look in the Active Directory (AD) repository (Aberlour) configured below to check the user's credentials.

Figure 17 - Matching Auth methods and Auth sources

The screenshot below provides a deeper insight into the service processing of the RADIUS request. Here we extract and match the username against the AD memberOf attribute and then assign an internal label called a TIPS:Role to this user authentication.

Figure 18 - Assigning a ROLE to the user authentication

The final step in the workflow is to apply the Enforcement Profile from above to this session. This sends a RADIUS Access-Accept carrying the Enforcement Profile's attributes to the switch, and the switch dynamically sets VLAN=100 on the port for this user.

Figure 19 - Setting Enforcement Profile

Remember that we have already configured the HP Provision switch to talk to ClearPass. Now we continue that configuration by enabling 802.1X and configuring it on the ports you wish to authenticate.

First, configure the switch to use EAP over RADIUS for 802.1X authentication:

CPPM-2920(config)# aaa authentication port-access eap-radius

Figure 20 - Enable EAP globally on the switch

Next, enable 802.1X globally:

CPPM-2920(config)# aaa port-access authenticator active

Figure 21 - Enable 1x globally on the switch

Lastly, enable the 802.1X authentication process at the port level. This can be performed for a single port or multiple ports. In our example below we enable ports 6 to 12 and set a maximum of 1 authenticated client per port.

CPPM-2920(config)# aaa port-access authenticator 6-12 client-limit 1

Figure 22 - Enabling ports for basic 802.1x

Note: Port-based control is used when the 'client-limit' parameter of the 802.1X authenticator is not set. Port-based control applies a single authentication session: if a single authentication attempt on the port is successful, the port is fully opened and all packets are allowed to ingress, including packets from any other device sharing that port (behind an unmanaged switch or hub, for example). User-based control (as configured above) is an HP proprietary extension to the 802.1X standard and is used when a 'client-limit' of 1 or more is configured. User-based control creates a separate authentication session for each connected device. A filtering table is maintained for each authenticated port; only devices that have successfully completed 802.1X authentication have their MAC addresses added to the filtering table, so only packets from authenticated devices are allowed to ingress into the network. Multiple authentication sessions for different devices may run concurrently, and accounting information is provided for each individual session.

Generally, user-based/MAC-based control is recommended for scenarios in which you want the switch port itself to authenticate and control multiple clients. In particular, it is recommended for cases in which ClearPass might apply different enforcement profiles to different clients.

Below are the default settings for an authenticator port. These settings do not show up in the running configuration unless they have been changed.

CPPM-2920# show port-access authenticator 6-12 config

 Port Access Authenticator Configuration

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

        Re-auth  Access   Max   Quiet   TX      Supplicant  Server   Cntrl
  Port  Period   Control  Reqs  Period  Period  Timeout     Timeout  Dir
  ----  -------  -------  ----  ------  ------  ----------  -------  -----
  6     No       Auto                                                both
  7     No       Auto                                                both
  8     No       Auto                                                both
  9     No       Auto                                                both
  10    No       Auto                                                both
  11    No       Auto                                                both
  12    No       Auto                                                both

Figure 23 - Viewing 802.1x default port configuration

Beyond the basics above, many additional parameters can be configured per port; the complete list is shown below. Specifically you may want to adjust auth-vid, unauth-vid, quiet-period, reauth-period, and the supplicant and server timeouts. However, initially we suggest you work with the supplied defaults before making any changes.

CPPM-2920(config)# aaa port-access authenticator 6-12
  auth-vid              Configures VLAN where to move port after successful authentication
                        (not configured by default).
  cached-reauth-period  Time in seconds, during which cached reauthentication is allowed on
                        the port. The minimum reauthentication period should be greater
                        than 30 seconds.
  clear-statistics      Clear the authenticator statistics.
  client-limit          Set the maximum number of clients to allow on the port. With no
                        client limit, authentication happens in port-based mode, otherwise
                        in client-based mode.
  control               Set the authenticator to Force Authorized, Force Unauthorized or
                        Auto state (default Auto).
  initialize            Reinitialize the authenticator state machine.
  logoff-period         Set period of time after which a client will be considered removed
                        from the port for a lack of activity.
  max-requests          Set maximum number of times the switch retransmits authentication
                        requests (default 2).
  quiet-period          Set the period of time the switch does not try to acquire a
                        supplicant (default 60 sec.).
  reauth-period         Set the re-authentication timeout (in seconds, default 0); set to
                        '0' to disable re-authentication.
  reauthenticate        Force re-authentication to happen.
  server-timeout        Set the authentication server response timeout (default 300 sec.).
  supplicant-timeout    Set the supplicant response timeout on an EAP request (default 30 sec.).
  tx-period             Set the period of time the switch waits until retransmission of
                        EAPOL PDU (default 30 sec.).
  unauth-period         Set period of time the switch waits for authentication before moving
                        the port to the VLAN for unauthenticated clients.
  unauth-vid            Configures VLAN where to keep port while there is an unauthenticated
                        client connected (not configured by default).

Figure 24 - Viewing 802.1x advanced port configuration

Note that with reauth-period left at its default of 0 the switch never re-authenticates a session on its own, so a policy change made after a client has logged in reaches that port only through a CoA/Disconnect from CPPM (next section) or a link down/up.

Limiting access for unauthenticated clients

One of the additional parameters mentioned above is the unauth-vid option. On the HP switches, a switch port with a static VLAN ID and an unauthenticated-client VLAN ID is automatically made part of the unauthenticated-client VLAN as soon as a device connects. If the device passes authentication, the port becomes an untagged member of the static VLAN (or of the RADIUS-assigned VLAN). This behaviour helps guests and other devices without 802.1X supplicants connect more quickly. Remember that anything reachable from the unauthenticated-client VLAN is reachable by any device that plugs in, so keep that VLAN isolated and give it only the access an unauthenticated host needs (DHCP and a captive portal, for example).

To set an unauthenticated-client VLAN for one or more interfaces, use this command:

CPPM-2920(config)# aaa port-access authenticator <port-list> unauth-vid <VLAN ID>

Figure 25 - Enabling un-authenticated VLAN-ID

This setting might cause issues for users who do use 802.1X to log in. If the user's device allows non-EAP traffic before authentication, it might receive a DHCP address in the unauthenticated-client VLAN, causing it to lose connectivity after the port moves to the VLAN for the authenticated user. You can use unauth-period to prevent these connectivity delays for 802.1X devices.

CPPM-2920(config)# aaa port-access authenticator <port-list> unauth-period <seconds>

Figure 26 - Fine tuning the un-authenticated VLAN timers

When you set this period, the switch port delays placing a connected device in the unauthenticated-client VLAN until the client has failed to authenticate during that period. During this time all traffic except EAP messages is blocked, giving the 802.1X device time to log in.

Monitoring 802.1x

To examine any active 802.1X sessions, the command below is very useful and informative, capturing the user's DOMAIN\userid and the MAC address of the endpoint.

CPPM-2920# show port-access authenticator clients

 Port Access Authenticator Client Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

  Port  Client Name            MAC Address    IP Address  Client Status
  ----  ---------------------  -------------  ----------  -------------
        SOCIALWIFILOGIN\danny  3c970e-133bf5  n/a         Authenticated

Figure 27 - Showing active 802.1x users on the switch

RFC 3576 Change of Authorization & Disconnect Message

Change of Authorization (CoA), defined in RFC 3576 (Dynamic Authorization Extensions to RADIUS; since superseded by RFC 5176, which keeps the same message codes and port), is a mechanism that allows CPPM to dynamically send Disconnect Messages (DM) or change the authorization parameters (such as the VLAN assignment) of an active client session on the switch. The switch (NAS) does not have to initiate the exchange. For example, for security reasons you may want to move an authenticated user to a different VLAN because the health/posture of their endpoint has changed [e.g. the firewall has been disabled]. In this case CPPM, as the RADIUS server, sends an instruction [CoA] to the switch and the new authorization settings take effect immediately in the active client session.

A RADIUS request with a Code of either 40 (Disconnect-Request) or 43 (CoA-Request) is sent to UDP port 3799 (the default) on the switch. This request must include attributes that identify the NAS, attributes that identify the session and, in the case of CoA, attributes that form the new authorization profile. RFC 3576 also recommends that an Event-Timestamp attribute be present for replay protection, and that there be a maximum (default) delta of 300 seconds between the NAS time and the Event-Timestamp included in the request.

Enabling CoA support on the HP switch is very easy and was covered in the initial RADIUS setup section where we configured dyn-authorization, but we've added it again below.

First, enable the CoA functionality, called dynamic authorization on Provision switches:

CPPM-2920(config)# radius-server host dyn-authorization

Figure 28 - Enable CoA at the global level for each RADIUS server defined

Next, set the time window to 0, which lets the switch accept CoA messages at any time.

CPPM-2920(config)# radius-server host time-window 0

Figure 29 - Setting the switch time-window to accept CoA any-time

Be aware that a time window of 0 switches off the Event-Timestamp replay check altogether: a captured, valid Disconnect or CoA request could then be replayed later by anyone able to reach UDP 3799 on the switch, without knowing the shared secret. For a lab this is convenient; in production, leave the default of 300 seconds and keep the switch and CPPM on the same NTP source, as recommended at the end of this section.

You can verify that support for CoA is enabled at the global RADIUS level. Look specifically for the Dynamic Authorization UDP Port being set to 3799, and then at the individual servers defined to see if they have DM/CoA enabled.

CPPM-2920# show radius

 Status and Counters - General RADIUS Information

  Deadtime (minutes) : 0
  Timeout (seconds) : 5
  Retransmit Attempts : 3
  Global Encryption Key :
  Dynamic Authorization UDP Port : 3799
  Source IP Selection : Outgoing Interface

                  Auth  Acct  DM/   Time
  Server IP Addr  Port  Port  CoA   Window  Encryption Key    OOBM
  --------------  ----  ----  ----  ------  ----------------  ----
                              Yes   300     my_shared_secret  No
                              Yes   300     my_shared_secret  No

Figure 30 - Checking CoA/DM is enabled on the NAS

To monitor the CoA commands/messages, use the following commands.

CPPM-2920# show radius dyn-authorization

 Status and Counters - RADIUS Dynamic Authorization Information

  NAS Identifier : CPPM-2920
  Invalid Client Addresses (CoA-Reqs) : 0
  Invalid Client Addresses (Disc-Reqs) : 0

              Disc  Disc  Disc  CoA   CoA   CoA
  IP Address  Reqs  ACKs  NAKs  Reqs  ACKs  NAKs
  ----------  ----  ----  ----  ----  ----  ----

Figure 31 - Monitoring the CoA commands from the switch

To monitor the RADIUS CoA/DM messages at a detailed level, use the following command.

CPPM-2920# show radius host dyn-authorization

 Status and Counters - RADIUS Dynamic Authorization Information

  Authorization Client IP Address :
  Unknown PKT Types Received : 0

  Disc-Reqs : 0                     CoA-Reqs : 0
  Disc-Reqs Authorize Only : 0      CoA-Reqs Authorize Only : 0
  Disc-ACKs : 0                     CoA-ACKs : 0
  Disc-NAKs : 0                     CoA-NAKs : 0
  Disc-NAKs Authorize Only : 0      CoA-NAKs Authorize Only : 0
  Disc-NAKs No Ses. Found : 0       CoA-NAKs No Ses. Found : 0
  Disc-Reqs Ses. Removed : 0        CoA-Reqs Ses. Changed : 0
  Disc-Reqs Malformed : 0           CoA-Reqs Malformed : 0
  Disc-Reqs Bad Authentic. : 0      CoA-Reqs Bad Authentic. : 0
  Disc-Reqs Dropped : 0             CoA-Reqs Dropped : 0

Figure 32 - Monitoring the CoA commands from the switch at a detailed level

Configuration for CoA within ClearPass already includes a CoA template that can be used. The Procurve switches support the ability to send a new VLAN along with the CoA message. Sending a VLAN along with the CoA is likely to cause other problems, such as: how does the client know to go and get a new IP address? The normal approach we would use is to send a terminate-session with the CoA, forcing the client to re-authenticate. This needs additional investigation. At this time we will likely use a Generic IETF CoA.

Create a new Enforcement Profile: Configuration -> Enforcement -> Profile {ADD}, then from the template choose "RADIUS Change of Authorization (CoA)".

Figure 33 - Building a CoA from a Template

Then click on the Attributes tab and select the HP CoA template; both are shown below.

Figure 34 - Change of VLAN CoA Template

Figure 35 - HP Generic CoA Template

We need to investigate more use-cases with the above templates.

RFC 3576 Change of Authorization Nuances discovered in testing

We want to make you aware of some nuances that we discovered in our testing; this integration is an in-progress development as we learn the best way to interoperate with the Provision switches.

First, we sometimes lose the capability to send a CoA: CPPM no longer believes the NAD is capable, so the CoA option is not available in the Access Tracker entry. We narrowed this down to the fact that HP sends an 802.1x request and a MAB request at the same time, and it appears that this confuses CPPM if we send an ACCEPT to both. It should be noted that on initial auth there is no issue, but if we send a CoA, we see an 802.1x and a MAB request come in and that is where the problem occurs. To fix this, we need to ensure we send a RADIUS REJECT for the MAB request when the device should be doing 802.1x, i.e. if the policy is that computers must do 802.1x, then set the MAB policy to send a REJECT for Category=Computer. This does not sound so bad, but it does limit what we can do in these instances where we MUST send a REJECT to the MAC Auth, i.e. we cannot signal the device into a VLAN for a BYOD Portal redirect on MAC Auth.

Second, OnGuard is not capable of sending a properly formatted CoA to the HP switch. The HP Terminate-Session has an attribute called "event-timestamp" that must be included or the HP switch will drop the request. We noticed in testing that an OnGuard DA triggered CoA would send the CoA with every other attribute but this one. To get around this, we changed the value for event-timestamp in the CoA to be %{Authorization:[Time Source]:Now} instead of the default %{Radius:IETF:Event-Timestamp}. This worked like a charm.

Other CoA Recommendations/Thoughts

For timing purposes it is very important in a CPPM managed network that a common clock source is used. Please ensure all CPPM and NAS/NAD devices reference the same NTP source.
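The CoA-Request format described in the CoA section (Code 43 to UDP 3799, Request Authenticator, Event-Timestamp replay window, the switch time-window setting) and the dropped-request symptom from the nuances section, as an added example that is not from the tech note or from the ClearPass/HP products: a Python builder for a VLAN-change CoA-Request and a model of the checks a NAS performs before acting on it. The shared secret, switch address, session id and MAC below are constructed sample values; attribute numbers are the IETF ones from RFC 2865/2868/2869.

```python
import hashlib
import struct
import time

COA_REQUEST = 43          # RFC 3576 packet codes the NAS listens for on UDP 3799
DISCONNECT_REQUEST = 40
# IETF attribute type numbers (RFC 2865 / RFC 2869 / RFC 2868)
NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 4, 31, 44
EVENT_TIMESTAMP = 55
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_dynauth_request(code, identifier, attrs, secret):
    """Build a CoA-Request or Disconnect-Request. Per RFC 3576 the Request
    Authenticator is MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Return [(type, value), ...]; raise on a malformed attribute length."""
    out = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        out.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return out


def nas_validate(packet, secret, time_window=300, now=None):
    """Checks modelled on what the switch does before honouring a request:
    verify the Request Authenticator, then enforce the Event-Timestamp delta.
    time_window=0 mirrors 'radius-server host ... time-window 0' (accept any time)."""
    now = time.time() if now is None else now
    if len(packet) < 20:
        return "drop: malformed"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return "drop: malformed"
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if expected != packet[4:20]:
        return "drop: bad authenticator"      # the 'Bad Authentic.' counter case
    try:
        attrs = dict(parse_attrs(body))
    except ValueError:
        return "drop: malformed"
    if time_window:
        if EVENT_TIMESTAMP not in attrs:      # the OnGuard DA symptom from the text
            return "drop: missing Event-Timestamp"
        if len(attrs[EVENT_TIMESTAMP]) != 4:
            return "drop: malformed"
        ts = struct.unpack("!I", attrs[EVENT_TIMESTAMP])[0]
        if abs(now - ts) > time_window:
            return "drop: Event-Timestamp outside window"
    return "ack"


def vlan_change_coa(secret, session_id, mac, new_vlan, now=None):
    """CoA-Request that moves an active session to new_vlan using the tagged
    Tunnel-* attributes (tag byte 0 = untagged). Session identified by
    Acct-Session-Id and Calling-Station-Id; NAS identified by NAS-IP-Address."""
    now = int(time.time() if now is None else now)
    attrs = [
        avp(NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),                  # constructed switch address
        avp(ACCT_SESSION_ID, session_id),
        avp(CALLING_STATION_ID, mac),
        avp(EVENT_TIMESTAMP, struct.pack("!I", now)),
        avp(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),        # 13 = VLAN
        avp(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big")),  # 6 = IEEE-802
        avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(new_vlan).encode()),
    ]
    return build_dynauth_request(COA_REQUEST, 1, attrs, secret)
```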

Working Config for Internal Web Auth Capabilities on top of 802.1x + MAB

The internal Web Auth capabilities of the switch worked with no issues, using CPPM as the external RADIUS server with accounts in the Guest DB. So, here is a configuration for 802.1x + MAB + WebAuth that works.

    radius-server host key "my-key"
    radius-server host dyn-authorization
    aaa server-group radius "CPPM" host
    aaa accounting update periodic 1
    aaa accounting network start-stop radius server-group "CPPM"
    aaa authentication port-access eap-radius server-group "CPPM"
    aaa authentication web-based chap-radius server-group "CPPM"
    aaa authentication mac-based chap-radius server-group "CPPM"
    aaa port-access authenticator 1
    aaa port-access authenticator 1 quiet-period 30
    aaa port-access authenticator 1 auth-vid 30
    aaa port-access authenticator 1 logoff-period
    aaa port-access authenticator 1 client-limit 1
    aaa port-access authenticator active
    aaa port-access mac-based 1
    aaa port-access mac-based 1 logoff-period
    aaa port-access mac-based 1 quiet-period 30
    aaa port-access mac-based 1 auth-vid 20
    aaa port-access web-based 1
    aaa port-access web-based 1 auth-vid 400
    aaa port-access 1 controlled-direction in

Figure 36 - Configuring a single port for dot.1x / MAB / WebAuth

Configuring & Monitoring MAC Authentication

When the switch receives an Ethernet frame from a client that has not yet been authenticated, it copies the value of the Ethernet SRC address field into the User-Name attribute of an Access-Request packet. The RADIUS server can then check the User-Name against a list of authorized MAC addresses.

To configure MAC Auth on a 2920 or a similar HP switch you need to enable the MAC-Auth process on the switch at the port level. This can be performed for a single port or multiple ports. In our example below we enable ports 6 to 12, and then set a quiet-period and an authorized VLAN.

    CPPM-2920(config)# aaa port-access mac-based 6-12
    CPPM-2920(config)# aaa port-access mac-based 6-12 quiet-period 30
    CPPM-2920(config)# aaa port-access mac-based 6-12 auth-vid 710

Figure 37 - Enabling ports for basic MAC-Auth

Below are the default settings for mac-auth ports. These settings do not show up in the running configuration unless they are changed from the defaults shown below.

    CPPM-2920# show port-access mac-based 6-12 config

     Port Access MAC-Based Configuration

      MAC Address Format                             : no-delimiter
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
      Mac password                                   :
      Unauth Redirect Configuration URL              :
      Unauth Redirect Client Timeout (sec)           : 1800
      Unauth Redirect Restrictive Filter             : Disabled
      Total Unauth Redirect Client Count             : 0

                     Client  Client  Logoff  Re-Auth  Unauth   Auth     Cntrl
      Port  Enabled  Limit   Moves   Period  Period   VLAN ID  VLAN ID  Dir
      6     Yes      1       No                                         both
      7     Yes      1       No                                         both
      8     Yes      1       No                                         both
      9     Yes      1       No                                         both
      10    Yes      1       No                                         both
      11    Yes      1       No                                         both
      12    Yes      1       No                                         both

Figure 38 - Viewing MAC-Auth basic port configuration

Beyond the basics above, many additional parameters can be configured; a complete list is shown below. The ones you may specifically want to adjust are auth-vid, unauth-vid, quiet-period, reauth-period, and the supplicant and server timeouts. However, initially we suggest you work with the supplied port defaults.

    CPPM-2920(config)# aaa port-access mac-based 6-12
     addr-limit            Set the port's maximum number of authenticated MAC addresses (default 1).
     addr-moves            Set whether the MAC can move between ports (default disabled - no moves).
     auth-vid              Configures VLAN where to move port after successful authentication (not configured by default).
     cached-reauth-period  Time in seconds, during which cached reauthentication is allowed on the port. The minimum reauthentication period should be greater than 30 seconds.
     logoff-period         Set the period of time of inactivity that the switch considers an implicit logoff (default 300 seconds).
     max-requests          Set maximum number of times the switch retransmits authentication requests (default 3).
     quiet-period          Set the period of time the switch does not try to authenticate (default 60 seconds).
     reauth-period         Set the re-authentication timeout in seconds; set to '0' to disable re-authentication (default 0).
     reauthenticate        Force re-authentication to happen.
     server-timeout        Set the authentication server response timeout (default 300 seconds).
     unauth-period         Set period of time the switch waits before moving the port to the VLAN for unauthenticated clients.
     unauth-vid            Configures VLAN where to keep port while there is an unauthorized client connected (not configured by default).

Figure 39 - Viewing MAC-Auth port advanced configuration

To examine any active MAC-Auth sessions, the command below is very useful and informative, capturing the MAC address of the endpoint.
    CPPM-2920# show port-access mac-based clients

     Port Access MAC-Based Client Status

      Port  MAC Address    IP Address  Client Status
            f2-1ef68a      n/a         authenticated
      12    1c1ac0-b19ffe  n/a         authenticated

Figure 40 - Showing active MAC-Auth users on the switch

Configuring and Using dacl

A RADIUS-assigned ACL is configured on CPPM and dynamically assigned to filter traffic entering the switch through a specific port, after the client is authenticated by CPPM. RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface. This could include preventing clients from using TCP or UDP applications such as Telnet, SSH or a web browser.

This feature is designed for use on the network edge to accept RADIUS-assigned, per-port ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique username/password pair or client MAC address and applies only to IP traffic entering the switch from authenticated clients with those credentials. The switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of authenticated clients allowed on the port.

Below we assign a PERMIT IN TCP FROM ANY TO ANY rule to demonstrate the process. On ClearPass, create an Enforcement Profile using the template "Filter ID Based Enforcement".

Figure 41 - Filter ID Based Enforcement

Ensure you use Radius:IETF, Name=NAS-Filter-Rule (92) and set the Value as required. In our use-case we set the value to "permit in tcp from any to any", which is fairly self-explanatory. When we say IN we are referring to inbound traffic, i.e. packets entering the switch from that client.

Figure 42 - Creating dacl on CPPM to be sent to the HP Switch

For a multiple-line ACL, you would need to configure multiple Radius:IETF, Name=NAS-Filter-Rule (92) attributes in your enforcement profile. This was tested by assigning the enforcement profile in ClearPass to a policy service to force an enforcement match. The following command can be used to show the dacl applied to the switch port.

    CPPM-2920# show access-list radius 7

     Radius-configured Port-based ACL for Port 7, Client -- 3C970E-133BF5
      IPv6 ACLs enabled (HP-Nas-Rules-Ipv6): FALSE
      permit in tcp from any to any

Figure 43 - Monitoring the dacl on the Switch

If you have multiple devices connected to a port and you send a dacl for one device, you had better send a dacl for all devices; otherwise traffic will be dropped for the other devices. When the client session ends, the ACL is removed from the port. The switch allows as many dynamic port ACLs on a port as it allows authenticated clients. A likely best practice when using dacl for anything on ClearPass/HP is to put a "permit ip any any" on ALL enforcement profiles where you do not necessarily need/want a dacl, so as to prevent the behaviour described below.

Multiple clients in a RADIUS-assigned ACL environment

Where multiple clients are authenticated on the same port, if any of the clients has a RADIUS-assigned ACL, then all of the authenticated clients on the port must have a RADIUS-assigned ACL. In this case, the switch drops the IP traffic from any authenticated client that does not have a RADIUS-assigned ACL, and de-authenticates that client. It goes without saying that at the end of the dacl there is an implicit deny all.
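As an added example (not from the tech note, ClearPass or the switch firmware), here is a Python evaluator for a list of NAS-Filter-Rule (92) values in the "permit in tcp from any to any" form used above, showing first-match ordering, the implicit deny at the end of every RADIUS-assigned ACL, and the multi-client rule for a port; the rule lists, addresses and MACs below are constructed sample values.

```python
import ipaddress

# Protocol keywords accepted in the rule grammar; 'ip' matches any IP protocol.
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def parse_filter_rule(rule):
    """Parse one NAS-Filter-Rule value of the form
       '<permit|deny> <in|out> <proto> from <src> to <dst> [port|lo-hi ...]'
    where src/dst are 'any' or an IPv4 address/prefix (assumed subset of the grammar)."""
    tok = rule.lower().split()
    if (len(tok) < 7 or tok[0] not in ("permit", "deny") or tok[1] not in ("in", "out")
            or tok[2] not in PROTOCOLS or tok[3] != "from" or tok[5] != "to"):
        raise ValueError(f"unsupported NAS-Filter-Rule: {rule!r}")
    ports = set()
    for spec in tok[7:]:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return {"action": tok[0], "dir": tok[1], "proto": tok[2],
            "src": tok[4], "dst": tok[6], "ports": ports}


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate_acl(rules, direction, proto, src, dst, dport=None):
    """First-match evaluation of the NAS-Filter-Rule list carried in one
    enforcement profile. Traffic no rule matches hits the implicit deny all."""
    for r in map(parse_filter_rule, rules):
        if r["dir"] != direction or r["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)):
            continue
        if r["ports"] and dport not in r["ports"]:
            continue
        return r["action"]
    return "deny"   # implicit deny at the end of every RADIUS-assigned ACL


def port_policy(clients):
    """Model the multi-client rule: clients maps MAC -> rule list or None (no ACL).
    If any client on the port received a RADIUS-assigned ACL, every client without
    one has its IP traffic dropped and is de-authenticated by the switch."""
    if all(rules is None for rules in clients.values()):
        return {mac: "forwarded (no ACL on port)" for mac in clients}
    return {mac: ("ACL applied" if rules is not None else "dropped and de-authenticated")
            for mac, rules in clients.items()}
```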

Dissolvable Agent (DA) OnGuard Interaction

This is one of the items we will add more context and details to in a follow-up release of the document.

"BYOD Portal" functionality works for the OnGuard DA, with a follow-on CoA after the health check. Here are the nuts and bolts of the HP configuration.

    ## Define the external web page:
    portal web-server "OnGuard" url "
    ## Define the "whitelist" rules:
    portal free-rule 10 vlan 100 source any destination any udp 67
    portal free-rule 20 vlan 100 source any destination any udp 68
    portal free-rule 30 vlan 100 source any destination any udp 53
    portal free-rule 40 vlan 100 source any destination any tcp 53
    portal free-rule 50 vlan 100 source any destination any tcp 6658
    ## Apply portal to VLAN:
    vlan 100 portal web-server "OnGuard"

Now, all you need to do is signal this VLAN on a RADIUS Accept (MAC Auth, Web Auth, or 802.1x) and the user will be redirected to this page. This gives us the flexibility to redirect users to different pages. The downside is that it only includes the IP in the redirect URL. CoA works for the OG DA because it learns the MAC address in its scan of the endpoint.

Appendix - Other Random Items WIP

Forcing the client to re-auth

    aaa port-access authenticator [port#] reauthenticate
    aaa port-access authenticator [port#] clear-statistics

Looking at which (actual user) client is on a port

    CPPM-2920# show port-access authenticator 1 clients

     Port Access Authenticator Client Status

      Port-access authenticator activated [No]        : Yes
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

      Port  Client Name            MAC Address    IP Address  Client Status
      1     SOCIALWIFILOGIN\danny  3c970e-133bf5  n/a         Authenticated

Checking port 802.1x config

    CPPM-2920# show port-access authenticator 1 config

     Port Access Authenticator Configuration

      Port-access authenticator activated [No]        : Yes
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

            Re-auth  Access   Max   Quiet   TX       Supplicant  Server   Cntrl
      Port  Period   Control  Reqs  Period  Timeout  Timeout     Timeout  Dir
      1     No       Auto                                                 both

    CPPM-2920#

Detailed level info about the authenticated port

    CPPM-2920# show port-access 1 authenticator clients detailed

     Port Access Authenticator Client Status Detailed

      Port-access authenticator activated [No]        : Yes
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

      Client Base Details :
       Port            : 1                  Client Status   : Authenticated
       Session Time    : 94 seconds         Client name     : SOCIALWIFILOGIN\danny
       Session Timeout : 0 seconds          IP              : n/a
       MAC Address     : 3c970e-133bf5

      Access Policy Details :
       COS Map         : Not Defined        In Limit Kbps   : Not Set
       Untagged VLAN   : 100                Out Limit Kbps  : Not Set
       Tagged VLANs    : No Tagged VLANs    Port Mode       : 1000FDx
       RADIUS ACL List : No Radius ACL List

Note about HP UAM

The specific IETF attributes and HP VSAs are found on this screen. If you are converting from a UAM configuration to ClearPass, see the fields marked in red on this screenshot. Use those values to create your enforcement profiles to ensure a seamless transition. These fields map to the table posted earlier in this document and also below:


More information

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee ACCP-V6.2Q&As Aruba Certified Clearpass Professional v6.2 Pass Aruba ACCP-V6.2 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money Back

More information

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN Requirements Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information

Access Guardian and BYOD in AOS Release 8.1.1

Access Guardian and BYOD in AOS Release 8.1.1 Access Guardian and BYOD in AOS Release 8.1.1 Configuration Guide through Use Cases Copyright 2014 by Alcatel-Lucent All rights reserved Alcatel-Lucent, 26801 West Agoura Road, Calabasas, CA 91301, USA

More information

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols

More information

Forescout. Configuration Guide. Version 4.4

Forescout. Configuration Guide. Version 4.4 Forescout Version 4.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

DHCP Server RADIUS Proxy

DHCP Server RADIUS Proxy The Dynamic Host Configuration Protocol (DHCP) Server RADIUS Proxy is a RADIUS-based address assignment mechanism in which a DHCP server authorizes remote clients and allocates addresses based on replies

More information

RWL Tech Note RADIUS Authentication for ProCurve Switches

RWL Tech Note RADIUS Authentication for ProCurve Switches RADIUS Authentication for ProCurve Switches Prepared by Richard Litchfield HP Networking Solution Architect Hewlett-Packard Australia Limited 410 Concord Road Rhodes NSW 2138 AUSTRALIA Date Prepared: 10-Aug-12

More information

ClearPass Design Scenarios

ClearPass Design Scenarios ClearPass Design Scenarios Austin Hawthorne Feb 26, 2015 Agenda 1. Better user experience and tighter security, is that possible? 2. Employees on Guest Network 3. The headless device dilemma 2 CONFIDENTIAL

More information

Integrating Meraki Networks with

Integrating Meraki Networks with Integrating Meraki Networks with Cisco Identity Services Engine Secure Access How-To guide series Authors: Tim Abbott, Colin Lowenberg Date: April 2016 Table of Contents Introduction Compatibility Matrix

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Application Notes for Avaya Aura Telephony Infrastructure in a Converged VoIP and Data Network using HP Networking Switches configured with 802.1X Authentication

More information

Universal Switch Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Universal Switch Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series Universal Switch Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: January 2017 Table of Contents Introduction 3 What is Cisco Identity Services

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to

More information

Network Admission Control

Network Admission Control Network Admission Control Last Updated: October 24, 2011 The Network Admission Control feature addresses the increased threat and impact of worms and viruses have on business networks. This feature is

More information

Table of Contents 1 AAA Overview AAA Configuration 2-1

Table of Contents 1 AAA Overview AAA Configuration 2-1 Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-2 Introduction to RADIUS 1-2

More information

Configuring Security on the GGSN

Configuring Security on the GGSN CHAPTER 12 This chapter describes how to configure security features on the gateway GPRS support node (GGSN), including Authentication, Authorization, and Accounting (AAA), and RADIUS. IPSec on the Cisco

More information

Troubleshooting Cisco ISE

Troubleshooting Cisco ISE APPENDIXD This appendix addresses several categories of troubleshooting information that are related to identifying and resolving problems that you may experience when you use Cisco Identity Services Engine

More information

ISE Version 1.3 Self Registered Guest Portal Configuration Example

ISE Version 1.3 Self Registered Guest Portal Configuration Example ISE Version 1.3 Self Registered Guest Portal Configuration Example Document ID: 118742 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 13, 2015 Contents Introduction Prerequisites

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions MERUNETWORKS.COM February 2013 1. OVERVIEW... 3 2. AUTHENTICATION AND ACCOUNTING... 4 3. 802.1X, CAPTIVE PORTAL AND MAC-FILTERING...

More information

802.1x Configuration. Page 1 of 11

802.1x Configuration. Page 1 of 11 802.1x Configuration Page 1 of 11 Contents Chapter1 Configuring 802.1X...3 1.1 Brief Introduction to 802.1X Configuration... 3 1.1.1 Architecture of 802.1X...3 1.1.2 Rule of 802.1x... 5 1.1.3 Configuring

More information

Configuring Security for the ML-Series Card

Configuring Security for the ML-Series Card 19 CHAPTER Configuring Security for the ML-Series Card This chapter describes the security features of the ML-Series card. This chapter includes the following major sections: Understanding Security, page

More information

MS Switch Access Policies (802.1X) Host Modes

MS Switch Access Policies (802.1X) Host Modes MS Switch Access Policies (802.1X) Cisco Meraki MS switches offer the ability to configure access policies, which require connecting devices to authenticate against a RADIUS server before they are granted

More information

P ART 3. Configuring the Infrastructure

P ART 3. Configuring the Infrastructure P ART 3 Configuring the Infrastructure CHAPTER 8 Summary of Configuring the Infrastructure Revised: August 7, 2013 This part of the CVD section discusses the different infrastructure components that are

More information

Secure wired and wireless networks with smart access control

Secure wired and wireless networks with smart access control Secure wired and wireless networks with smart access control Muhammad AbuGhalioun Senior Presales Consultant Hewlett-Packard Enterprise Aruba Saudi Arabia Managing risk in today s digital enterprise Increasingly

More information

Extreme Management Center

Extreme Management Center Extreme Management Center Cisco Switch Integration Guide Abstract: This document describes how to use a Cisco switch as an edge enforcement point in Extreme Management Center (formerly NetSight). The intended

More information

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios Contents Introduction Prerequisites Requirements Components Used Configure Configuration Theory Scenario for Single-Host Scenario for Multi-Domain

More information

Command Guide of WGSW-28040

Command Guide of WGSW-28040 1 Command Guide of WGSW-28040 Contents Command Guide of WGSW-28040 Chapter 1 COMMAND LINE INTERFACE... 12 1.1 Accessing the CLI... 12 1.2 Command Line Modes... 12 1.3 Cammand Help... 13 1.4 Command Line

More information

WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES

WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES SESSION ID: TECH-W14 WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES Jennifer Minella VP of Engineering & Security Carolina Advanced Digital, Inc. @jjx securityuncorked.com @CADinc

More information

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE REVISION HISTORY Revised By Date Changes Dennis Boas Aug 2016 Version 1 initial release 1344 CROSSMAN AVE SUNNYVALE, CA 94089 1.866.55.ARUBA T: 1.408.227.4500

More information

Network Policy Controller UAM/RADIUS Guide

Network Policy Controller UAM/RADIUS Guide Network Policy Controller UAM/RADIUS Guide 1. Introduction... 3 1.1. Terminology... 3 2. Web Authentication... 5 2.1. Redirect URL Parameters... 5 2.2. UAM Login URL... 5 2.3. UAM Logout URL... 6 3. UAM/RADIUS

More information

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall. This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Central Web Authentication on the WLC and ISE Configuration Example

Central Web Authentication on the WLC and ISE Configuration Example Central Web Authentication on the WLC and ISE Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure WLC Configuration ISE Configuration Create the Authorization

More information

802.1x Port Based Authentication

802.1x Port Based Authentication 802.1x Port Based Authentication Johan Loos Johan at accessdenied.be Who? Independent Information Security Consultant and Trainer Vulnerability Management and Assessment Wireless Security Next-Generation

More information

Wireless LAN Controller Web Authentication Configuration Example

Wireless LAN Controller Web Authentication Configuration Example Wireless LAN Controller Web Authentication Configuration Example Document ID: 69340 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Web Authentication Process

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

Configuring RADIUS Servers

Configuring RADIUS Servers CHAPTER 7 This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), that provides detailed accounting information and flexible administrative control over

More information

Securing Wireless LAN Controllers (WLCs)

Securing Wireless LAN Controllers (WLCs) Securing Wireless LAN Controllers (WLCs) Document ID: 109669 Contents Introduction Prerequisites Requirements Components Used Conventions Traffic Handling in WLCs Controlling Traffic Controlling Management

More information

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

PrepAwayExam.   High-efficient Exam Materials are the best high pass-rate Exam Dumps PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 250-530 Title : Administration of Symantec Network Access Control 12.1 Vendors : Symantec

More information

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B FortiNAC Cisco Airespace Wireless Controller Integration Version: 8.x Date: 8/28/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE

More information