Aruba ClearPass Workshop - Wired #1 - Wired 802.1X with ArubaOS switch

  • Published: 3 Aug 2024
  • How to set up ClearPass + Windows 10 + ArubaOS switch to do wired 802.1X. In a next video we will add MACAUTH, and in another wired profiling to automatically put VoIP phones in the voice VLAN.
    This video is part of the Aruba ClearPass Workshop series. In this series, I will show all steps that are needed to go from scratch to a pretty standard and representative ClearPass deployment.
    Index page for all videos: community.arubanetworks.com/t...

Comments • 21

  • @AsifAliWajid 5 years ago +1

    Excellent work Herman. Really knowledgeable and helpful for people who are learning.

  • @hermanrobers 7 years ago +2

    Thanks for all the views. If you have questions related to these videos, don't hesitate to ask them via the comments or use Airheads community (as I'm active there as well).

    • @ferrari748 6 years ago

      Great videos! In which video do you show the creation of the profiles?

  • @oseexplica2807 1 year ago

    The Best video!

  • @davidibrahim7809 4 years ago +1

    Hi Herman, Is the checked certificate (Arubalab-workshop-CA) the root CA that signed the RADIUS/EAP certificate or the HTTPS certificate on the CPPM you used for this video? I just want to know if it corresponds to HTTPS or RADIUS/EAP certificate on CPPM. Thanks.

    • @hermanrobers 4 years ago

      David, the Arubalab-workshop-CA is the root CA that issued the radius.arubalab.loc EAP server certificate. In general, you just want to check against the root, otherwise you can't replace expiring or revoked certificates. So the client checks that the radius.arubalab.loc certificate presented by ClearPass is issued by the Arubalab-workshop-CA. In this case the certificate is issued directly by the root. If there were an intermediate CA, you would still verify against the root, in which case the client checks the chain from server to intermediate to root.

  • @harveyysip9107 5 years ago

    Hi, is this setup also applicable to a static environment, like workstations with static IP and static VLAN per switch port?

    • @hermanrobers 4 years ago

      Sure, you can configure per port if it is controlled by ClearPass. If you want a static VLAN on the port without any authentication, then you can just do it like you always did before ClearPass. A benefit of doing port authentication is that you don't need to configure your port statically, and if you move clients around, the port automatically adapts to what you connect (colorless port concept). You can mix and match colorless ports and statically configured ports without any issue.

  • @boyoamsterdam3484 6 years ago

    Any plans for a wired 802.1X with ClearPass and Cisco 3850s video? I have already set up Windows NPS with Server 2008 R2. 802.1X is already working with my Palo Altos and Aruba Wireless.

    • @hermanrobers 6 years ago

      I don't have such a switch; however, ClearPass works great with this equipment when I worked with customers running that. If you need some guidance, the ClearPass Solution Guide for Wired Policy Enforcement covers this in detail: community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161. As the VLAN enforcement in this video is IEEE standard, if you change the Network Access Device configuration from HPE to Cisco, I think you can get this up and running pretty quickly. For more technical questions, you can use the Airheads Community site (community.arubanetworks.com) to find answers and ask your questions.

  • @supriyaswain1770 7 years ago

    Hi Herman,
    I am now creating a new setup for dot1x authentication using Aruba ClearPass and an Alcatel OLT (a device used in GPON passive optical LAN)... Before, we had a FreeRADIUS server for performing dot1x authentication. Now we need to replace FreeRADIUS with Aruba ClearPass... I am very new to both Aruba ClearPass and FreeRADIUS... Could you please help me in bringing up my setup?

    • @hermanrobers 7 years ago

      Very likely, if you can configure your switch for RADIUS 802.1X authentication to ClearPass and follow the steps in the workshop where you replace everything Aruba switch with the Alcatel OLT, you should be able to get quite a bit. Alcatel should have ClearPass experience and integration notes, as they resell ClearPass with their products. Probably it is best, if you can't do it yourself, to involve an Aruba partner that knows ClearPass already. If you have most steps done, and authentications getting in, and still get stuck, you can use the Airheads forum (community.arubanetworks.com) to post your questions. Or contact the Aruba TAC (support.arubanetworks.com) to get you helped out. In my experience they are very willing to help you out, even with equipment that they don't know or haven't tested.

  • @phoonjzc 6 years ago

    ok

  • @mohammadalhaddad1472 2 years ago +1

    Hello,
    Thank you for the video, it helps me. I have a question: if I follow the steps, it works for me with no problem, but if I send the Group Policy Management from the Domain Controller to the PC, it gives an error:
    -----------------------------
    EAP-PEAP: fatal alert by client - unknown_ca
    TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    eap-tls: Error in establishing TLS session
    -----------------------------
    Can you help?

    • @hermanrobers 2 years ago +1

      That message means that your client does not trust the ClearPass RADIUS/EAP certificate. I think this is covered in the videos for wireless, and the same applies for wired 802.1X: the client must have the root CA that issued your ClearPass server certificate (RADIUS/EAP) installed and trusted.

    • @mohammadalhaddad1472 2 years ago

      @hermanrobers the root CA that issued in ClearPass server certificate (RADIUS/EAP) installed and trusted in PC
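
The error lines quoted in this thread can be decoded mechanically to confirm which side rejected the certificate. The sketch below is an added example, not part of the original comments or of ClearPass; it assumes the OpenSSL 1.x packed error layout seen in the quoted `error:14094418` string, and the function name `triage` is hypothetical.

```python
import re

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}

# OpenSSL 1.x packs an error code as 0xLLFFFRRR (library, function, reason).
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
# Sender wording taken from the quoted log line; other wordings are not handled.
SENDER_RE = re.compile(r"fatal alert by (\w+)")
ERR_LIB_SSL = 20            # library number of OpenSSL's SSL/TLS code
ALERT_REASON_OFFSET = 1000  # reason >= 1000: peer sent alert (reason - 1000)


def triage(lines):
    """Summarise the TLS alert found in RADIUS/EAP log lines."""
    result = {"sender": None, "alert": None, "name": None}
    for line in lines:
        m = SENDER_RE.search(line)
        if m:
            result["sender"] = m.group(1)
        m = ERR_RE.search(line)
        if not m:
            continue
        code = int(m.group(1), 16)
        lib, reason = (code >> 24) & 0xFF, code & 0xFFF
        if lib == ERR_LIB_SSL and reason >= ALERT_REASON_OFFSET:
            result["alert"] = reason - ALERT_REASON_OFFSET
            result["name"] = CERT_ALERTS.get(result["alert"], "other")
    # A certificate alert sent by the client means the supplicant rejected
    # the server (RADIUS/EAP) certificate, so the fix is on the client side.
    result["client_trust_issue"] = (
        result["sender"] == "client" and result["alert"] in CERT_ALERTS
    )
    return result


# The three log lines exactly as quoted in the comment above.
SAMPLE = [
    "EAP-PEAP: fatal alert by client - unknown_ca",
    "TLS Handshake failed in SSL_read with error:14094418:"
    "SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    "eap-tls: Error in establishing TLS session",
]
```

For the quoted lines, `triage(SAMPLE)` reports alert 48 (`unknown_ca`) sent by the client, which matches the reply above: the supplicant does not trust the CA that issued the RADIUS/EAP server certificate.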

  • @duyanh3127 3 years ago

    What attributes are inside ws_role_admin?

    • @hermanrobers 3 years ago

      In the example, it's an allow-all. But you should put in ACLs that block traffic that admins should not use, or allow what they should do and block everything else. There is no generic content for the role, it's dependent on your environment.

  • @UBA_NOOB 3 years ago

    No mention of Aruba OnConnect?? Is this because MAC Auth is better / more reliable?

    • @hermanrobers 3 years ago

      That is a pretty accurate description. OnConnect should only (in my opinion) be used where you can't use MACAuth/802.1X, which is close to never with today's switches. 802.1X/MACAuth is proactive: access after authentication, where SNMP enforcement is reactive (change access after it has been given). The feature is there just for flexibility, but I have personally not run into situations where it works better than MAC Auth.

    • @hermanrobers 3 years ago

      BTW, if you want to deploy OnConnect, it is described in the ClearPass Wired Policy Enforcement Guide, available on www.arubanetworks.com/clearpassdocs