TECHNICAL NOTE: MSM & CLEARPASS
HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS
VERSION 3, JUNE 2016


CONTENTS

Introduction
  MSM and AP Deployment Options
  MSM User Interfaces
  Assumptions
  Network Diagram
  MSM Limitations
Common MSM Controller Configuration
  RADIUS Server Configuration
  DHCP Server Configuration
  DNS Configuration
802.1X Authentication
  ClearPass Configuration
  MSM Controller Configuration
  Testing
MAC-based Device Authentication
  ClearPass Configuration
  MSM Controller Configuration
  Testing
ClearPass Guest using MSM HTML-based Authentication
  ClearPass Configuration
    Policy Manager Configuration
    ClearPass Guest Configuration
  MSM Controller Configuration
    Add Attributes
    Configure VSC
  Testing
ClearPass Guest using an In-Line Aruba Controller
  Network Diagram
  ClearPass Configuration
    Policy Manager Configuration
  MSM Controller Configuration
    Configure VSC
  Aruba Controller Configuration
    Port Configuration
    Firewall Configuration
    Authentication Configuration
    Access Control Configuration
    VLAN Configuration
  Testing
Controller Sizing Considerations

FIGURES

Figure 1. Distributed Mode
Figure 2. Centralized Mode
Figure 3. Centralized and Controlled Mode
Figure 4. Simplified UI
Figure 5. Advanced UI
Figure 6. Network Diagram
Figure 7. RADIUS Profiles
Figure 8. Add RADIUS Profile
Figure 9. Address Allocation
Figure 10. DHCP Server Configuration
Figure 11. DNS Configuration
Figure 12. 802.1X Wireless Service Template
Figure 13. 802.1X Wireless Service Template (General)
Figure 14. 802.1X Wireless Service Template (Authentication)
Figure 15. 802.1X Wireless Service Template (Wireless Network Settings)
Figure 16. 802.1X Wireless Service Template (Posture Settings)
Figure 17. 802.1X Wireless Service Template (Enforcement Details)
Figure 18. Edit 802.1X Wireless Enforcement Policy (Remove Rule)
Figure 19. Edit 802.1X Wireless Enforcement Policy (Add Rule)
Figure 20. Edit 802.1X Wireless Enforcement Policy (Set Default Profile)
Figure 21. Services
Figure 22. Add Service Rule
Figure 23. VSC Profiles
Figure 24. Add 802.1X VSC Profile
Figure 25. Add Local User Account
Figure 26. 802.1X Authentication Access Tracker Results
Figure 27. Device MAC Authentication Service Template
Figure 28. Device MAC Authentication Service Template (General)
Figure 29. Device MAC Authentication Service Template (Network Settings)
Figure 30. Device MAC Authentication Service Template (Device Access Restrictions)
Figure 31. Services
Figure 32. Change Service Rule
Figure 33. Change Authentication Method
Figure 34. Add Service Rule
Figure 35. VSC Profiles
Figure 36. Add MAC Authentication VSC Profile
Figure 37. Create Guest Device Form
Figure 38. MAC-based Authentication Access Tracker Results
Figure 39. Guest Access Service Template
Figure 40. Guest Access Service Template (General)
Figure 41. Guest Access Service Template (Wireless Network Settings)
Figure 42. Guest Access Service Template (Posture Settings)
Figure 43. Guest Access Service Template (Guest Access Restrictions)
Figure 44. Guest Web Login Page
Figure 45. Attributes
Figure 46. Add ACCESS-LIST
Figure 47. Add LOGIN-URL
Figure 48. VSC Profiles
Figure 49. Add HTML-based User Logins VSC Profile
Figure 50. Create Guest Account
Figure 51. Finished Creating Guest Account
Figure 52. Redirect to Guest Web Login Page
Figure 53. Controller Welcome Page
Figure 54. Session Status Popup
Figure 55. Guest Captive Portal Authentication Access Tracker Results
Figure 56. Network Diagram
Figure 57. Guest Authentication with MAC Caching Service Template
Figure 58. Guest Authentication with MAC Caching Service Template (General)
Figure 59. Guest Authentication with MAC Caching Service Template (Wireless Network Settings)
Figure 60. Guest Authentication with MAC Caching Service Template (MAC Caching Settings)
Figure 61. Guest Authentication with MAC Caching Service Template (Posture Settings)
Figure 62. Guest Authentication with MAC Caching Service Template (Access Restrictions)
Figure 63. Edit MAC Authentication Service
Figure 64. Edit User Authentication with MAC Caching Service
Figure 65. Guest Access Web Login Service Template
Figure 66. Guest Access Web Login Service Template (General)
Figure 67. Guest Access Web Login Service Template (Service Rule)
Figure 68. Create Guest Web Login Page
Figure 69. New Guest Web Login Page
Figure 70. Guest Access Web Login Service Template (Guest Login Page Selection)
Figure 71. Guest Access Web Login Service Template (Guest Access Restrictions)
Figure 72. VSC Profiles
Figure 73. Add Open (No Authentication) VSC Profile
Figure 74. Untrusted Port Configuration (Port 1)
Figure 75. Stateful Firewall Destination
Figure 76. Add RADIUS Server
Figure 77. Add Server Group
Figure 78. Add RFC 3576 Server
Figure 79. Add AAA Profile
Figure 80. Add Captive Portal Profile
Figure 81. Enable Captive Portal Profile on guest-logon Role
Figure 82. Enable Wired AAA Profile
Figure 83. Create Guest Account
Figure 84. Finished Creating Guest Account
Figure 85. Redirect to Guest Web Login Page
Figure 86. Authenticated Destination
Figure 87. Guest Captive Portal Authentication Access Tracker Results
Figure 88. Controller Performance Matrix

INTRODUCTION

This document describes the procedures to configure Aruba ClearPass in conjunction with HP MSM Wireless Controllers and supported HP Access Points. There are four deployment scenarios described in this document:

1. 802.1X User Authentication (PEAP/MS-CHAPv2)
2. MAC-based Device Authentication
3. ClearPass Guest using MSM HTML-based Authentication
4. ClearPass Guest using an In-line Aruba Controller

All of the scenarios in this document were built using the following systems and code versions:

Aruba ClearPass Virtual Appliance: v6.5.3
HP MSM760 Controller: v6.6.0.0-22530
HP AP560
Aruba 7210 Controller: v6.4.3.7 (scenario number 4 only)

MSM and AP Deployment Options

The MSM and APs can be deployed in three different traffic management modes: Distributed, Centralized, and Centralized and Controlled.

In the Distributed Mode, authentication traffic is forwarded from the AP to the controller, but all data traffic is bridged locally at the AP and dropped directly onto the network.

NOTE: Distributed mode will be used for the 802.1X and MAC Authentication examples shown in this document.

Figure 1. Distributed Mode

In the Centralized Mode, both authentication traffic and data traffic are forwarded to the controller. However, no policy is applied to the data traffic. The controller bridges the data traffic onto the network through the LAN port.

Figure 2. Centralized Mode

With the Centralized and Controlled Mode, both authentication and data traffic are forwarded from the AP to the controller. The controller applies policy to the data traffic and forwards it based upon that policy.

NOTE: this mode will (must) be used for the Guest Captive Portal example in this document.

Figure 3. Centralized and Controlled Mode

For 802.1X and MAC Authentication, any of these modes can be used. However, for Guest Captive Portal, only the Centralized and Controlled mode is supported, because the controller must intercept all unauthenticated HTTP/HTTPS requests and redirect them to the external captive portal. In addition, for the Guest Captive Portal capability to function correctly, the controller MUST be the client's default gateway and DNS server. This differs significantly from the requirements for Aruba controllers in a similar configuration.

MSM User Interfaces

On the MSM platform, there are essentially three user interfaces: Advanced UI, Simplified UI, and the CLI. All of the examples shown in this document are based on the use of the Advanced UI. While the Simplified UI can be used to configure 802.1X and MAC Authentication, the Guest Captive Portal configuration requires the use of the Advanced UI. Therefore, all configuration will be shown using the Advanced UI. The CLI on MSM is cumbersome to work with and will not be used in any of the examples documented here.

The Simplified UI has a modern look and feel, accentuated by a considerable use of HP Blue. To switch to the Advanced UI, click on the Admin user in the upper right and select Switch to Advanced UI.

Figure 4. Simplified UI

The Advanced UI is the original UI for the MSM and is derived from the UI that was on the Colubris Networks products. To switch to the Simplified UI, click on the Admin user in the upper right and select Switch to Simplified UI.

Figure 5. Advanced UI

Assumptions

Before proceeding with the configurations described in the subsequent sections, it is assumed you have a working network environment with an MSM controller and at least one MSM-compatible AP. In addition, the AP must have discovered the controller and be visible in the controller's configuration UI. This document does not cover these basics, only the configuration of controller Virtual Service Communities (VSCs) and ClearPass. For those familiar with Aruba controllers, a VSC is equivalent to an Aruba Virtual AP (VAP).

For ClearPass, it is assumed that a ClearPass appliance is available on the network and basic configuration has been accomplished. In this document, basic ClearPass configuration includes IP settings, network device definitions, external authentication source (such as Active Directory) configuration, and domain join if necessary. These topics are outside the scope of this document.

Network Diagram

The following network is used for the three MSM-only configurations shown in this document. A different network configuration is used for the in-line Aruba Controller use case and is described in a separate section later in this document.

Figure 6. Network Diagram

MSM Limitations

The MSM wireless controller has several feature limitations compared with Aruba wireless controllers and Instant Access Points. These limitations restrict the network deployments that can be supported using an MSM controller in conjunction with ClearPass. The limitations that have been identified are:

o To use the captive portal functionality (referred to as HTML authentication) on MSM, the controller must be the default gateway and DNS server for wireless clients.
o The MSM controller does not support RFC 3576. This includes both Disconnect Message (DM) and Change of Authorization (CoA).
o HTML authentication and MAC authentication cannot be enabled concurrently within the same VSC. This prohibits the configuration of Guest Captive Portal with MAC Caching.

COMMON MSM CONTROLLER CONFIGURATION

There are some configuration elements that are common to all of the examples shown in this document, so it's appropriate to cover those elements separately to avoid duplication.

RADIUS Server Configuration

Log into the MSM controller web UI and make sure you're in the Advanced UI as described earlier. Navigate to Controller in the Network Tree, then click on the Authentication tab, then the RADIUS profiles tab. Click Add New Profile to create a new RADIUS server profile.

Figure 7. RADIUS Profiles

Fill in the highlighted fields and click Save. The remaining fields can be left at their default values. You can make additional changes to this form, but they are not necessary to support the examples shown in this document.

Figure 8. Add RADIUS Profile

DHCP Server Configuration

For the Guest Captive Portal example, the MSM controller must be the DNS server and the default gateway for all Guest clients. The easiest way to achieve this is to have the controller be the DHCP server for those access-controlled clients. To configure the DHCP server on the controller, navigate to Controller in the Network Tree, then click on the Network tab, then on the Address Allocation tab. Select the DHCP server radio button and click Configure.

Figure 9. Address Allocation

Fill in the highlighted fields to match your network configuration and click Save.

Figure 10. DHCP Server Configuration

DNS Configuration

To configure the DNS on the controller, navigate to Controller in the Network Tree, then click on the Network tab, then on the DNS tab. Fill in the highlighted fields to match your network configuration and click Save.

Figure 11. DNS Configuration

802.1X AUTHENTICATION

ClearPass Configuration

To configure ClearPass to support 802.1X authentication from the MSM, use the 802.1X Wireless Service Template. Go to Configuration > Start Here and click on 802.1X Wireless.

Figure 12. 802.1X Wireless Service Template

Enter a Name Prefix and click Next.

Figure 13. 802.1X Wireless Service Template (General)

Select a previously added Authentication Source, or enter the details for a new AD authentication source. Click Next.

Figure 14. 802.1X Wireless Service Template (Authentication)

Select a previously added Wireless Controller, or enter the details for a new wireless controller. Click Next.

Figure 15. 802.1X Wireless Service Template (Wireless Network Settings)

No need for Posture Checks. Click Next.

Figure 16. 802.1X Wireless Service Template (Posture Settings)

For Enforcement Details, select at least one Attribute Name and Attribute Value, and assign a VLAN. Also assign a Default VLAN. The values you enter on this form are unimportant for the purposes of this demo configuration, as they will not be used. For other deployments, enter values appropriate for your installation. Click Add Service.

Figure 17. 802.1X Wireless Service Template (Enforcement Details)

You should observe the creation of two Enforcement Profiles, two Enforcement Policies, and one Service. For the purposes of this demo, you will need to modify one of the Enforcement Policies, and optionally the Service.

Go to Configuration > Enforcement > Policies and click on the MSM 802.1X Wireless Enforcement Policy, then click on the Rules tab. Click on the existing Rule and then click Remove Rule.

Figure 18. Edit 802.1X Wireless Enforcement Policy (Remove Rule)

Click on Add Rule. In the pop-up window, click Click to add. Add a rule with the conditions shown below. Set the Enforcement Profile to [RADIUS][Allow Access Profile], then click Save.

Figure 19. Edit 802.1X Wireless Enforcement Policy (Add Rule)

Click on the Enforcement tab. Set the Default Profile to [Deny Access Profile]. Click Save.

Figure 20. Edit 802.1X Wireless Enforcement Policy (Set Default Profile)

This step is optional, but can assist with testing if you have multiple SSIDs. In this step you will change the Service definition to only match on a specific SSID. Go to Configuration > Services and click on the newly-created service MSM 802.1X Wireless.

Figure 21. Services

Click on the Services tab, then click Click to add. Add an additional service rule as shown below. This service rule should match Radius:IETF:Called-Station-Id CONTAINS SSID, where SSID is the name of your 802.1X SSID. Click Save after adding the service rule.

Figure 22. Add Service Rule

That completes the ClearPass configuration for 802.1X authentication. Now on to the controller configuration.

MSM Controller Configuration

Log into the MSM controller web UI and make sure you're in the Advanced UI as described earlier. Navigate to Controller > VSCs in the Network Tree. Click on Add New VSC Profile.

NOTE: In the screenshots shown, some prior configuration may exist. Just follow the step-by-step instructions to complete the configuration.

Figure 23. VSC Profiles

The VSC Profile page is where the majority of the configuration takes place. There are several sections that must be completed to build a successful configuration.

Global Section
  o Enter a Profile Name
  o Uncheck Access Control
Virtual AP Section
  o Enter a Name (SSID)
Wireless Protection Section
  o Check the checkbox to enable the section
  o Select the Mode as WPA or WPA2
  o Select the Key Source as Dynamic
802.1X Section
  o Uncheck the Local checkbox
  o Check the Remote checkbox
  o Click the RADIUS radio button and select your configured RADIUS server
  o Check the RADIUS Accounting checkbox and select your configured RADIUS server
  o Select macaddress:ssid from the Called-Station-Id Content pulldown

When you're done, the configuration should look like this:

Figure 24. Add 802.1X VSC Profile

That completes the configuration for 802.1X Authentication.

Testing

To test 802.1X authentication, you need to create a test user account. You can, of course, use an account from an external directory such as Active Directory if you added that configuration when using the configuration template. If instead you used the Local Authentication source, you will need to create a test account. Navigate to Configuration > Identity > Local Users and click Add. Complete the form and click Add. You're now ready to test.

Figure 25. Add Local User Account

Associate your test machine/device to your 802.1X-enabled SSID (TME-MSM-SECURE in this example). You should be prompted for a username and password. If the credentials you provide are correct, you will be granted network access. To check the results of your authentication, navigate to Monitoring > Live Monitoring > Access Tracker within the ClearPass Policy Manager Administration UI. Look for an Access Tracker entry matching your authentication attempt. An example of a successful authentication is shown below:

Figure 26. 802.1X Authentication Access Tracker Results

MAC-BASED DEVICE AUTHENTICATION

ClearPass Configuration

To configure ClearPass to support MAC-based device authentication from the MSM, use the 802.1X Wireless Service Template. Go to Configuration > Start Here and click on 802.1X Wireless.

Figure 27. Device MAC Authentication Service Template

Enter a Name Prefix and click Next.

Figure 28. Device MAC Authentication Service Template (General)

Select a previously added Network Access Device, or enter the details for a new one. Click Next.

Figure 29. Device MAC Authentication Service Template (Network Settings)

For Device Access Restrictions, select the days of the week to permit access, along with the maximum bandwidth allowed per device. For most situations, you can use the default values. Click Add Service.

Figure 30. Device MAC Authentication Service Template (Device Access Restrictions)

You should observe the creation of four Enforcement Profiles, one Enforcement Policy, and one Service. For the purposes of this demo, you should modify the Service that was created as shown below. One of the modifications is mandatory for the solution to work. The other modifications are optional, but will assist you during testing. For a production environment, you may want to adjust these optional modifications. Go to Configuration > Services and click on the newly-created service MSM Device MAC Authentication.

Figure 31. Services

MANDATORY CHANGE. The MSM sends the device MAC address as a string of lower-case alphanumeric characters with no delimiters. However, the rule to match the MAC address in the Service looks for upper-case alphanumeric characters with colon delimiters. This rule needs to be adjusted. Click on the Services tab, then click on rule number 3. Change the Name field from Client-Mac-Address to Client-Mac-Address-NoDelim. Click Save.

Figure 32. Change Service Rule

OPTIONAL. Now click on the Authentication tab. In the Authentication Methods box, click [MAC AUTH], then click Remove. Next, select [Allow All MAC AUTH] from the --Select to Add-- pulldown. Changing this to allow all MAC authentications lets you avoid having to add your test devices into the Guest Device Repository. Click Save after changing the authentication method.

Figure 33. Change Authentication Method

OPTIONAL, MAY BREAK YOUR CONFIGURATION. For testing, you will ideally want a service rule that restricts matches to the specific SSID (TME-MSM-MACAUTH in this case). However, the particular version of MSM shown in these examples appears to have a bug and does not supply the SSID in the Called-Station-Id even though it's configured that way. Should your MSM work correctly, you can use the following procedure to restrict the service match to a specific SSID. Click on the Services tab, then click Click to add. Add an additional service rule as shown below. This service rule should match Radius:IETF:Called-Station-Id CONTAINS SSID, where SSID is the name of your MAC-based Authentication SSID.
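The following is an added example, not code from this note or from ClearPass: a small model of the service-rule matching behind the MANDATORY CHANGE above and the optional Called-Station-Id CONTAINS SSID rule (used in both the 802.1X and the MAC-based sections), run against constructed RADIUS requests shaped like those the MSM sends. The attribute names and MAC formats follow the text; the Called-Station-Id layout for macaddress:ssid and the sample addresses are assumptions.

```python
"""Model of the ClearPass service rules discussed in this note, evaluated
against constructed RADIUS requests shaped like MSM MAC-based auth.

MAC formats follow the text: MSM sends lower case with no delimiters, and
Connection:Client-Mac-Address is upper case with colons. The exact
Called-Station-Id layout for macaddress:ssid is an assumption.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]  # (attribute, operator, value)


def mac_variants(raw: str) -> Dict[str, str]:
    """Derive the two Connection: MAC forms the note contrasts from any
    colon-, hyphen-, dot-separated or undelimited 48-bit MAC string."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return {
        # form that rule 3 of the template compares against: AA:BB:CC:DD:EE:FF
        "Connection:Client-Mac-Address": ":".join(pairs).upper(),
        # form that matches the MSM User-Name: aabbccddeeff
        "Connection:Client-Mac-Address-NoDelim": digits.lower(),
    }


def msm_mac_auth_request(mac: str, ssid: str = "",
                         nas_ip: str = "10.2.100.10") -> Dict[str, str]:
    """Constructed request: User-Name carries the lower-case undelimited MAC
    (as the note states). Called-Station-Id is macaddress:ssid, or the AP
    MAC alone when ssid is empty, mirroring the MSM bug the note describes.
    The AP MAC and NAS-IP are constructed sample values."""
    req = {
        "Radius:IETF:User-Name": re.sub(r"[^0-9a-f]", "", mac.lower()),
        "Radius:IETF:Called-Station-Id":
            "00-11-22-33-44-55" + (":" + ssid if ssid else ""),
        "Radius:IETF:NAS-IP-Address": nas_ip,
    }
    req.update(mac_variants(mac))  # ClearPass adds the Connection:* attributes
    return req


def evaluate_service(request: Dict[str, str], rules: List[Rule]) -> bool:
    """Service rule evaluation with 'matches ALL' semantics. Rule values may
    use ClearPass %{Attribute} substitution, resolved against the request."""
    def resolve(value: str) -> str:
        return re.sub(r"%\{([^}]+)\}",
                      lambda m: request.get(m.group(1), ""), value)

    for attr, op, value in rules:
        actual = request.get(attr, "")
        expected = resolve(value)
        if op == "EQUALS":
            ok = actual == expected
        elif op == "CONTAINS":
            ok = expected in actual
        else:
            raise ValueError(f"unsupported operator {op!r}")
        if not ok:
            return False
    return True


# Rule 3 as the Device MAC Authentication template creates it ...
DEFAULT_RULE: List[Rule] = [
    ("Radius:IETF:User-Name", "EQUALS", "%{Connection:Client-Mac-Address}")]
# ... and after the MANDATORY CHANGE described above
FIXED_RULE: List[Rule] = [
    ("Radius:IETF:User-Name", "EQUALS",
     "%{Connection:Client-Mac-Address-NoDelim}")]
# The optional SSID restriction from the 802.1X and MAC-based sections
SSID_RULE: List[Rule] = [
    ("Radius:IETF:Called-Station-Id", "CONTAINS", "TME-MSM-MACAUTH")]


if __name__ == "__main__":
    good = msm_mac_auth_request("AA:BB:CC:DD:EE:FF", "TME-MSM-MACAUTH")
    buggy = msm_mac_auth_request("AA:BB:CC:DD:EE:FF")  # SSID not supplied
    print("default rule matches:", evaluate_service(good, DEFAULT_RULE))
    print("NoDelim rule matches:", evaluate_service(good, FIXED_RULE))
    print("SSID present:", evaluate_service(good, FIXED_RULE + SSID_RULE))
    print("SSID missing:", evaluate_service(buggy, FIXED_RULE + SSID_RULE))
```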

Figure 34. Add Service Rule

That completes the ClearPass configuration for MAC-based Device Authentication. Now on to the controller configuration.

MSM Controller Configuration

Log into the MSM controller web UI and make sure you're in the Advanced UI as described earlier. Navigate to Controller > VSCs in the Network Tree. Click on Add New VSC Profile.

NOTE: In the screenshots shown, some prior configuration may exist. Just follow the step-by-step instructions to complete the configuration.

Figure 35. VSC Profiles

The VSC Profile page is where the majority of the configuration takes place. There are several sections that must be completed to build a successful configuration.

Global Section
  o Enter a Profile Name
  o Uncheck Access Control
Virtual AP Section
  o Enter a Name (SSID)
MAC-based Authentication Section
  o Check the checkbox to enable the section
  o Uncheck the Local checkbox
  o Check the Remote checkbox
  o Click the RADIUS radio button and select your configured RADIUS server
  o Check the RADIUS Accounting checkbox and select your configured RADIUS server
  o Select macaddress:ssid from the Called-Station-Id Content pulldown

When you're done, the configuration should look like this:

Figure 36. Add MAC Authentication VSC Profile

That completes the MSM controller configuration for MAC-based Device Authentication. You can proceed with testing.

Testing

To test MAC-based authentication, you need to add your test device into the Guest Device Repository (unless you enabled [Allow All MAC AUTH] as described above). Within ClearPass Guest, navigate to Guest > Create Device. Complete the form and click Create. You're now ready to test.

Figure 37. Create Guest Device Form

Testing for MAC-based Authentication is trivial. Associate your test machine/device to your MAC-based Authentication SSID (TME-MSM-MACAUTH in this example). Your device should automatically connect. To check the results of your authentication, navigate to Monitoring > Live Monitoring > Access Tracker within the ClearPass Policy Manager Administration UI. Look for an Access Tracker entry matching your authentication attempt. An example of a successful authentication is shown below:

Figure 38. MAC-based Authentication Access Tracker Results

CLEARPASS GUEST USING MSM HTML-BASED AUTHENTICATION

ClearPass Configuration

As previously explained, the MSM controller does not allow simultaneous configuration of captive portal authentication and MAC-based authentication. This means you cannot implement Guest access with MAC caching. You should, therefore, avoid using the Guest Authentication with MAC Caching Service Template, and instead use the more basic Guest Access Service Template. The example configuration below is for a simple Guest Web Login. While the same series of configuration steps could most likely be used to support Guest Self-Registration, that particular portion of the configuration is left as an exercise for the reader.

Policy Manager Configuration

To configure ClearPass to support Guest authentication from the MSM, use the Guest Access Service Template. Go to Configuration > Start Here and click on Guest Access.

Figure 39. Guest Access Service Template

Enter a Name Prefix and click Next.

Figure 40. Guest Access Service Template (General)

Enter the name of the Wireless SSID for Guest Access. This is the SSID you will define on the MSM for Guest access. Next, select a previously added Wireless Controller, or enter the details for a new wireless controller. Click Next.

Figure 41. Guest Access Service Template (Wireless Network Settings)

No need for Posture Checks. Click Next.

Figure 42. Guest Access Service Template (Posture Settings)

For Device Access Restrictions, select the days of the week to permit access, along with the maximum bandwidth allowed per device. For most situations, you can use the default values. Click Add Service.

Figure 43. Guest Access Service Template (Guest Access Restrictions)

You should observe the creation of six Enforcement Profiles, one Enforcement Policy, and one Service. That completes the ClearPass Policy Manager configuration. Now on to the ClearPass Guest configuration.

ClearPass Guest Configuration

In ClearPass Guest, navigate to Configuration > Pages > Web Logins and click Create a new web login page. There are several fields that need to be modified from their default values on this form in order to support web logins with the MSM. These fields are:

o Name: name for the page
o Page Name: the name used within the Web Login URL (i.e. https://<cppm>/guest/<page_name>.php)
o Vendor Settings: select Custom Settings
o Submit URL: enter https://{$extra_fields.switchip}:{$extra_fields.loginport}/goform/htmlloginrequest
o Username Field: enter username
o Password Field: enter password
o Pre-Auth Check: select None (no extra checks will be made)
o Extra Fields: enter ipaddress={$extra_fields.ipaddress}

After changing the fields shown, click Save Changes.

Figure 44. Guest Web Login Page

That completes the ClearPass configuration for Guest Captive Portal Authentication. Now onto the controller configuration.

MSM Controller Configuration

Log into the MSM controller web UI and make sure you're in the Advanced UI as described earlier.

Add Attributes

Navigate to Controller in the Network Tree, then click on the Public Access tab, then click on the Attributes tab. You need to add one additional attribute (LOGIN-URL) and add an additional value to the pre-defined ACCESS-LIST attribute. The LOGIN-URL attribute defines the external redirect URL used for unauthenticated devices. The ACCESS-LIST attributes define a set of access controls (firewall rules) that are applied in the pre-authentication state (while the captive portal is active).

Note: ACCESS-LISTs can be defined by either IP address or FQDN. If you use a FQDN, ensure that your controller configuration includes correct DNS settings.

Figure 45. Attributes

Click on Add New Attribute. Select ACCESS-LIST from the Name pulldown and enter factory,accept,all,10.2.100.155,all as the Value. Substitute the IP address of your ClearPass appliance for the IP shown in the example. Click Add.

You can add as many ACCESS-LISTs as needed to handle your pre-authentication needs. For instance, if you have enabled Social Logins in ClearPass Guest, you will need to permit access to numerous internet locations in the pre-authentication state in order for the social login to work correctly.

Figure 46. Add ACCESS-LIST

As an example, the following ACCESS-LISTs would be required to use LinkedIn as a social login provider:

factory,accept,all,linkedin.com,all
factory,accept,all,*.linkedin.com,all
factory,accept,all,*.licdn.com,all

Click on Add New Attribute again. Select LOGIN-URL from the Name pulldown and enter

https://techpg.socialwifilogin.net/guest/msm_guest.php?switchip=%i&loginport=8090&ipaddress=%c&mac=%m&url=%o

as the Value. Substitute the hostname or IP address and Guest Web Login page name from your ClearPass server for the string in the example. Click Add.

Figure 47. Add LOGIN-URL

Configure VSC

Navigate to Controller > VSCs in the Network Tree. Click on Add New VSC Profile.

NOTE: In the screenshots shown, some prior configuration may exist. Just follow the step-by-step instructions to complete the configuration.

Figure 48. VSC Profiles

The VSC Profile page is where the majority of the configuration takes place. There are several sections that must be completed to build a successful configuration.

Global Section
- Enter a Profile Name
- Check the Access Control checkbox

Virtual AP Section
- Enter a Name (SSID)

HTML-based User Logins Section
- Check the checkbox to enable the section
- Uncheck the Local checkbox
- Check the Remote checkbox
- Click the RADIUS radio button and select your configured RADIUS server
- Check the RADIUS Accounting checkbox and select your configured RADIUS server

When you're done, the configuration should look like this:

Figure 49. Add HTML-based User Logins VSC Profile

Testing

To test Guest Captive Portal authentication, you need to create a guest user account. Within ClearPass Guest, navigate to Guest > Create Account and click Add. Complete the form and click Create.
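The redirect flow that the Web Login page fields and the LOGIN-URL and ACCESS-LIST attributes above describe can be checked before a client is involved. The following is an added example, not code from this technical note or from HPE/Aruba. It assumes the five-field ACCESS-LIST layout list,action,protocol,destination,port (as in factory,accept,all,10.2.100.155,all) with first-match semantics and default deny in the pre-authentication state; it assumes that %i, %c, %m and %o are expanded by the controller to its own address, the client IP, the client MAC and the originally requested URL; and it uses a constructed DNS table plus constructed controller and client addresses (10.2.100.1 and 10.2.200.57) in place of live lookups. It goes beyond the single ClearPass IP entry in the text by also handling the wildcard FQDN entries shown for LinkedIn.

```python
"""Offline check of the MSM pre-authentication redirect (added example).

Not code from the technical note or from HPE/Aruba. Assumptions:
  * ACCESS-LIST values have the form list,action,protocol,destination,port,
    the first matching entry wins, and anything unmatched is blocked while
    the captive portal is active;
  * the controller expands %i, %c, %m and %o in LOGIN-URL to its own address,
    the client IP, the client MAC and the URL the client originally requested;
  * DNS answers come from a constructed table instead of a live resolver.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address
from urllib.parse import parse_qs, quote, urlsplit

# The LOGIN-URL value from the note; the DNS table below is constructed.
LOGIN_URL_TEMPLATE = ("https://techpg.socialwifilogin.net/guest/msm_guest.php"
                      "?switchip=%i&loginport=8090&ipaddress=%c&mac=%m&url=%o")
RESOLVER = {"techpg.socialwifilogin.net": ["10.2.100.155"]}  # constructed


@dataclass(frozen=True)
class AccessListEntry:
    list_name: str    # e.g. "factory"
    action: str       # "accept" or "deny"
    protocol: str     # "tcp", "udp" or "all"
    destination: str  # IP address, FQDN or wildcard FQDN such as *.licdn.com
    port: str         # port number or "all"


def parse_access_list(value: str) -> AccessListEntry:
    """Parse one ACCESS-LIST attribute value (assumed five-field layout)."""
    parts = [p.strip().lower() for p in value.split(",")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {value!r}")
    name, action, proto, dest, port = parts
    if action not in ("accept", "deny"):
        raise ValueError(f"unknown action {action!r} in {value!r}")
    return AccessListEntry(name, action, proto, dest, port)


def _destination_matches(entry_dest: str, host: str, resolver: dict) -> bool:
    """Exact IP/FQDN match, wildcard FQDN match, or IP entry vs. resolved name."""
    if entry_dest == host:
        return True
    if entry_dest.startswith("*."):
        return fnmatch(host, entry_dest)  # *.linkedin.com matches www.linkedin.com, not linkedin.com
    try:
        ip_address(entry_dest)            # IP entry: compare against the host's resolved addresses
    except ValueError:
        return False                      # plain FQDN entry that did not match exactly
    return entry_dest in resolver.get(host, [])


def is_permitted_pre_auth(entries, host: str, port: int, protocol="tcp", resolver=None) -> bool:
    """True if the pre-auth ACCESS-LISTs let an unauthenticated client reach host:port."""
    resolver = resolver or {}
    host = host.lower()
    for e in entries:
        if e.protocol not in ("all", protocol):
            continue
        if e.port not in ("all", str(port)):
            continue
        if _destination_matches(e.destination, host, resolver):
            return e.action == "accept"
    return False  # nothing matched: blocked until the user authenticates


def expand_login_url(template, switch_ip, client_ip, client_mac, original_url) -> str:
    """Build the redirect the controller sends by substituting the %-placeholders."""
    values = {"%i": switch_ip, "%c": client_ip, "%m": client_mac,
              "%o": quote(original_url, safe="")}
    return re.sub(r"%[icmo]", lambda m: values[m.group()], template)  # single pass


def web_login_submit(redirect_url):
    """What the ClearPass Web Login page derives from the redirect's query string:
    the Submit URL https://{switchip}:{loginport}/goform/htmlloginrequest and
    the extra form field ipaddress=... configured on the Guest page."""
    extra = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    submit_url = f"https://{extra['switchip']}:{extra['loginport']}/goform/htmlloginrequest"
    return submit_url, {"ipaddress": extra["ipaddress"]}


def redirect_reachable(entries, redirect_url, resolver=None) -> bool:
    """Can an unauthenticated client load the LOGIN-URL at all? If no ACCESS-LIST
    permits the portal host, the redirect dead-ends and nobody can log in."""
    u = urlsplit(redirect_url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return is_permitted_pre_auth(entries, u.hostname, port, "tcp", resolver)


if __name__ == "__main__":
    acl = [parse_access_list("factory,accept,all,10.2.100.155,all")]
    url = expand_login_url(LOGIN_URL_TEMPLATE, "10.2.100.1", "10.2.200.57",
                           "00-11-22-33-44-55", "http://example.com/")
    print(url)
    print("portal reachable pre-auth:", redirect_reachable(acl, url, RESOLVER))
    print(web_login_submit(url))
```

The check that matters most is redirect_reachable: with only the ClearPass IP in an ACCESS-LIST and a LOGIN-URL that uses a hostname, the client can reach the portal only if that hostname resolves to the permitted IP, which is why the note insists on correct DNS settings when FQDNs are used. The placeholder meanings and the ACCESS-LIST field order are assumptions to confirm against the MSM documentation for your release.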

Figure 50. Create Guest Account

Make a note of the Guest Password as you'll need it to log in. You're now ready to test.

Figure 51. Finished Creating Guest Account

Associate your test machine/device to your Guest Captive Portal SSID (TME-MSM-GUEST in this example). Open a web browser and browse to your favorite web site. Since you have not yet authenticated, you will be redirected to ClearPass in order to log in.

Figure 52. Redirect to Guest Web Login Page

Enter your Guest Username and Password and click Login. If your authentication is successful, you will be presented with an intermediate welcome page on the MSM controller. From here, you have various links you can access, including continuing on to your original destination.

NOTE: there are configuration options on the MSM to alter this workflow, but those are beyond the scope of this introductory document.

Figure 53. Controller Welcome Page

Clicking one of the links on the Welcome page will continue browsing to the selected destination. In addition, a popup window with connection information will appear. This popup window provides information such as session duration, idle time, and bytes transferred.

Figure 54. Session Status Popup

To check the results of your Guest authentication, navigate to Monitoring > Live Monitoring > Access Tracker within the ClearPass Policy Manager Administration UI. Look for an Access Tracker entry matching your authentication attempt. An example of a successful authentication is shown below:

Figure 55. Guest Captive Portal Authentication Access Tracker Results

CLEARPASS GUEST USING AN IN-LINE ARUBA CONTROLLER

As noted earlier in the MSM Limitations paragraph on page 8, there are some limitations that come with deploying MSM Wireless Controllers and APs with Aruba ClearPass. This section describes an alternative implementation, specifically for the ClearPass Guest deployment, that makes use of an in-line Aruba Controller. This in-line deployment of Aruba gear is used to overcome the inherent limitations of the MSM/ClearPass integration. Using an in-line Aruba Controller permits the simultaneous configuration of Web-based authentication and MAC-based authentication so that the Guest Access with MAC Caching use case can be deployed. In addition, use of the Aruba Controller opens up additional capabilities such as Role-based Access Control and bandwidth utilization enforcement.

NOTE: In order for this solution using an in-line Aruba Controller to work, the Aruba Controller must have visibility to the wireless client's MAC address. The MAC address is required to properly perform Change of Authorization requests against the controller. Also, if multiple devices are hidden behind a router or NAT device, one successful authentication to the controller will fulfill the authentication requirements for all devices behind the same router or NAT device.

Network Diagram

The following network is used for all the configurations in this section.

Figure 56. Network Diagram

ClearPass Configuration

The example configuration below is for a simple Guest Web Login. While the same series of configuration steps could be used to support Guest Self-Registration, that particular portion of the configuration is left as an exercise for the reader.

Policy Manager Configuration

To configure ClearPass to support Guest authentication using an in-line Aruba Controller, first use the Guest Authentication with MAC Caching Service Template. Go to Configuration > Start Here and click on Guest Authentication with MAC Caching.

Figure 57. Guest Authentication with MAC Caching Service Template

Enter a Name Prefix and click Next.

Figure 58. Guest Authentication with MAC Caching Service Template (General)

Enter ANY name for the Wireless SSID. This is just a placeholder to get through this template. You will modify the services created by this template later to eliminate the check for this SSID. Next select a previously added Wireless Controller, or enter the details for a new wireless controller. NOTE: this should be the device information for the in-line Aruba Controller. Click Next.

Figure 59. Guest Authentication with MAC Caching Service Template (Wireless Network Settings)

Modify the cache duration for Guests if desired, then click Next.

Figure 60. Guest Authentication with MAC Caching Service Template (MAC Caching Settings)

No need for Posture Checks. Click Next.

Figure 61. Guest Authentication with MAC Caching Service Template (Posture Settings)

For Access Restrictions, leave the default setting for Enforcement Type set to Aruba Role Enforcement. Set the value of Captive Portal Access to the Role on the in-line Aruba Controller that is configured with the guest captive portal profile. In this example, the default guest-logon role is used. Modify the Maximum number of devices allowed per user and the Maximum bandwidth allowed per user to suit your environment. Set the value of Guest Access to the Role on the in-line Aruba Controller that guest users should be placed into after successful authentication. In this example, the default guest role is used. Click Add Service.

Figure 62. Guest Authentication with MAC Caching Service Template (Access Restrictions)

You should observe the creation of eight Enforcement Profiles, two Enforcement Policies, two Role Mapping Policies, and two Services. Since this template is designed for a wireless deployment, you need to modify the two services that were created to eliminate the SSID check. Go to Configuration > Services and click on the MAC Authentication service, then on the Service tab. Delete the second line in the service rule. Click Save.

Figure 63. Edit MAC Authentication Service

Now click on the User Authentication with MAC Caching service, then on the Service tab. Delete the third line in the service rule. Click Save.

Figure 64. Edit User Authentication with MAC Caching Service

Now use the Guest Access Web Login Service Template. Go to Configuration > Start Here and click on Guest Access Web Login.

Figure 65. Guest Access Web Login Service Template

Enter a Name Prefix and click Next.

Figure 66. Guest Access Web Login Service Template (General)

If you have an existing Guest Web Login, you can select it from the Page Name pulldown. Otherwise, click on the Add new Guest Web Login page link to create a new Guest Web Login page.

Figure 67. Guest Access Web Login Service Template (Service Rule)

The Web Login configuration page will open in a new tab/window. On the new page, click the Create a new web login page link.

Figure 68. Create Guest Web Login Page

For now, you can enter the minimum amount of information to complete the form. You can modify the Guest Web Login page further at a later time. Enter a Name for the page (this is just a reference), then enter a Page Name. The Page Name will form a portion of the redirect URL as in http://cppm/guest/page_name.php. Make any other changes you want to this page, then click Save Changes. You can now close this tab/window.

Figure 69. New Guest Web Login Page

Back in the Web Login Template, click the refresh button next to the Page Name pulldown menu. The Web Login Page you just created should now appear in the list. Select it and then click Next.

Figure 70. Guest Access Web Login Service Template (Guest Login Page Selection)

Apply any daily guest access restrictions, then click Add Service.

Figure 71. Guest Access Web Login Service Template (Guest Access Restrictions)

You should observe the creation of one Enforcement Policy and one Service. That completes the ClearPass Policy Manager configuration. Now onto the MSM controller configuration.

MSM Controller Configuration

Log into the MSM controller web UI and make sure you're in the Advanced UI as described earlier. Your goal for the MSM configuration is to keep it as minimal as possible. You should not enable any authentication, unless perhaps you want to configure a pre-shared key for the guest network. Remember, the MSM configuration only needs to get the user onto the wireless network. All policy enforcement will be handled by the in-line Aruba Controller.

Configure VSC

Navigate to Controller > VSCs in the Network Tree. Click on Add New VSC Profile.

NOTE: In the screenshots shown, some prior configuration may exist. Just follow the step-by-step instructions to complete the configuration.

Figure 72. VSC Profiles

The VSC Profile page is where the majority of the configuration takes place. For this deployment, there are only two sections that must be completed to build a successful configuration.

Global Section
- Enter a Profile Name

Virtual AP Section
- Enter a Name (SSID)

Accept all other defaults. When you're done, the configuration should look like this:

Figure 73. Add Open (No Authentication) VSC Profile

Now onto the in-line Aruba Controller configuration.

Aruba Controller Configuration

The in-line Aruba Controller is deployed as a layer 2 bridge (bump in the wire). In the example described below, Port 0 on the controller is configured as a Trusted port and faces the resource(s) that guest users will want to access (most likely the internet). Port 1 on the controller is configured as an Untrusted port and faces the MSM controller and APs that are providing the wireless service to the guest users. Deploying the in-line Aruba Controller as a layer 2 bridge eases the deployment burden imposed by the additional device and does not affect VLAN segmentation, subnetting, or routing.

NOTE: The following paragraphs describe the configuration necessary to implement the policy for guest users on the in-line Aruba Controller. The complete configuration of the Aruba Controller is not provided. It is assumed that the Aruba Controller has been configured for basic networking such as VLANs, Management IP Address, etc.

Port Configuration

The first step in the in-line Aruba Controller configuration is to define the personality of the physical ports used for the layer 2 bridge. By default, all ports on the Aruba Controller are Trusted. You will need to configure the port facing the MSM Controller and APs to be Untrusted. Any port configured as Untrusted will have the configured AAA Profile (defined later in this section) applied to the traffic entering that port. To change a port to Untrusted, go to Configuration > Network > Ports, and click on the appropriate Port. Uncheck the Make Port Trusted checkbox. Click Apply.

Figure 74. Untrusted Port Configuration (Port 1)

Firewall Configuration

You need to whitelist the ClearPass server(s) so that the guest captive portal will be bypassed for traffic directed to ClearPass. Go to Configuration > Advanced Services > Stateful Firewall and click on the Destinations tab. Click Add. Enter a Destination Name for the ClearPass server, then add two destination Types: (1) a host type with the ClearPass IP address, and (2) a name type with the FQDN of the ClearPass server. The FQDN is suggested, though not required. Click Apply.

Figure 75. Stateful Firewall Destination

Authentication Configuration

There are several steps to configure the Authentication settings required to successfully implement a guest captive portal with ClearPass. To get started, go to Configuration > Security > Authentication and click on the Servers tab.

1. Add RADIUS Server. Click on RADIUS Server, type a Name for your RADIUS Server in the box and click Add.
   a. Click on the Name of the server you just added. For this configuration, you only need to make two modifications to this page.
   b. In the Host box, enter the IP Address of the ClearPass server.
   c. In the Key boxes, enter the RADIUS shared secret. Click Apply.

Figure 76. Add RADIUS Server

2. Add Server Group. Click on Server Group, type a Name for the Server Group in the box and click Add.
   a. Click on the Name of the Server Group you just added.
   b. Click on New under the Servers section, select the RADIUS Server you added in the previous step, then click Add Server.
   c. Click Apply.

Figure 77. Add Server Group

3. Add RFC 3576 Server. Click on RFC 3576 Server, type the IP Address of the ClearPass server in the box, and click Add.
   a. Click on the server that you just added.
   b. In the Key fields, enter the RADIUS shared secret of your ClearPass server. Click Apply.

Figure 78. Add RFC 3576 Server

4. Add AAA Profile. Click on the AAA Profiles tab, then click Add. Enter a Name for the AAA Profile, then click Add again. There are five sections of the AAA Profile that you have to modify.

   a. Click on the Name (in the left hand column) of the AAA Profile you just created. Change the Initial Role from logon to guest-logon and click Apply.
   b. Click on MAC Authentication in the left hand column. Select default from the MAC Authentication Profile pulldown. Click Apply.
   c. Click on MAC Authentication Server Group in the left hand column. From the MAC Authentication Server Group pulldown, select the Server Group added in step 2 above. Click Apply.
   d. Click on RADIUS Accounting Server Group in the left hand column. From the RADIUS Accounting Server Group pulldown, select the Server Group added in step 2 above. Click Apply.
   e. Click on RFC 3576 Server in the left hand column. From the Add a Profile pulldown, select the RFC 3576 Server you added previously and click Add. Click Apply.

Figure 79. Add AAA Profile

5. Add Captive Portal Profile. Click on the L3 Authentication tab, then click on Captive Portal Authentication in the left hand column. Next type a Name for the Captive Portal Profile in the box and click Add. Now click on the Name (in the left hand column) of the Captive Portal Profile you just created. Make the following changes to this page:
   a. Uncheck the Logout Popup checkbox.
   b. In the Login Page box, replace the default contents with the URL of your Guest Web Login on ClearPass. In this example, the URL is: http://techpg.socialwifilogin.net/guest/msm_passthru_guest.php
   c. In the White List, select your ClearPass server and click Add.
   d. Click Apply.
   Next click on Server Group (under the Profile) in the left hand column. In the Servers section, highlight internal and click Delete. Then click on New, select the RADIUS Server you added previously, then click Add Server. Click Apply.

Figure 80. Add Captive Portal Profile

Access Control Configuration

Now you need to enable the Captive Portal Profile in the guest-logon role. Go to Configuration > Security > Access Control and click Edit next to the guest-logon role. From the Captive Portal Profile pulldown, select the Captive Portal Profile you added in the previous step. Click Apply.

Figure 81. Enable Captive Portal Profile on guest-logon Role

VLAN Configuration

The final step on the in-line Aruba Controller is to enable the AAA Profile for wired users. To do this, go to Configuration > Network > VLANs and click Edit next to the VLAN assigned to the two bridge ports. From the Wired AAA Profile pulldown, select the AAA Profile that you created earlier. Click Apply.

NOTE: Once you apply this AAA Profile, all traffic entering an Untrusted port will be subjected to this AAA Profile. What this means in practice is that all unauthenticated devices will be placed into the guest-logon role and their traffic will be redirected to the Login Page defined in the Captive Portal Profile.

Figure 82. Enable Wired AAA Profile

Save the configuration by clicking the save control in the upper middle of any page.

Testing

To test Guest Captive Portal authentication, you need to create a guest user account. Within ClearPass Guest, navigate to Guest > Create Account and click Add. Complete the form and click Create.

Figure 83. Create Guest Account

Make a note of the Guest Password as you'll need it to log in. You're now ready to test.

Figure 84. Finished Creating Guest Account

Associate your test machine/device to your Guest Captive Portal SSID (TME-MSM-OPEN in this example). Open a web browser and browse to your favorite web site. Since you have not yet authenticated, you will be redirected to ClearPass in order to log in.

Figure 85. Redirect to Guest Web Login Page

Enter your Guest Username and Password and click Login. If your authentication is successful, you will be taken to your original destination.

Figure 86. Authenticated Destination

To check the results of your Guest authentication, navigate to Monitoring > Live Monitoring > Access Tracker within the ClearPass Policy Manager Administration UI. Look for the two Access Tracker entries matching your authentication attempt. You should see one of type Application and one of type RADIUS.

Figure 87. Guest Captive Portal Authentication Access Tracker Results

Controller Sizing Considerations

The in-line Aruba Controller must be sized appropriately for your deployment. While there are numerous factors to consider when sizing the controller, the two factors shown in the table below are the most critical and should be considered above all others. Firewall throughput performance might also be considered, but it is unlikely that a typical guest deployment would exceed the capacity of even the lowest performing controller.

- The maximum number of concurrent users/devices shown in the table will dictate the number of concurrent guest users/devices that can be supported.
- The captive portal transactions/sec will dictate the number of simultaneous guest login attempts (redirections to the captive portal page on ClearPass).

Controller Model | Maximum Concurrent Users/Devices | Captive Portal Transactions/Sec
7005             | 1024                             | 24
7010             | 2048                             | 30
7024             | 2048                             | 30
7030             | 4096                             | 45
7205             | 8192                             | 55
7210             | 16384                            | 60
7220             | 24576                            | 75
7240/XM          | 32768                            | 120

Figure 88. Controller Performance Matrix

1344 Crossman Ave, Sunnyvale, CA 94089
1.866.55.ARUBA | T: 1.408.227.4500 | FAX: 1.408.227.4550
info@arubanetworks.com | www.arubanetworks.com