Aruba AP and Switch with ClearPass
802.1x WPA-Enterprise (TLS) continue - User Roles
User + Computer Authentication / BYOD
Fixing some Open-ends - AD over SSL, TLS SAN
Active Directory login for Policy Manager
Guest Access #1 Aruba Instant Wireless Guest (getting started)
Guest Access #2 Service re-ordering and structure
Guest Access #3 Wireless Guest (finishing up)
AOS-CX Wired #2 Wired User Roles
Troubleshooting #1 ClearPass Packet Capture
AOS-CX Wired #3 Device Profiling
AOS-CX Wired #4 Wired MAC Authentication
AOS-CX Wired #5 Wired MAC Enforcement
AOS-CX Wired #6 Wired Device behind phone - AP with tagged VLANs
Guest Access #4 - Controller and Server initiated guest
Guest Access #5 - Guest Access on AOS-CX
OnGuard #1 - Introduction and Agent Install
OnGuard #2 - Posture Policy and WebAuth service
OnGuard #3 OnGuard Updates, Settings & Enforcement
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP Certificate Installation
CSR
IP: 10.8.25.157, DNS: clearpass-a.demo.local, DNS: captiveportal-login.demo.local
Signed CSR
Server HTTP certificate
Disable ECC certificate
Test
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
802.1x WPA-Enterprise (TLS)
services
Authentication
Save
Certificate CSR
ROOT cert for EAP
Import EAP certificate:
Aruba Central: change VLAN to dynamic - Native (77), 88, 99
Test
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
802.1x WPA-Enterprise (TLS) continue - User Roles and ClearPass Roles
Central - create roles; deny access to the important server for the contractor role only
Creating profiles for user roles
Result - 5 profiles for user roles
Create policy
Apply policy to services
Test
AP
Creating ClearPass roles:
Role mapping
Demo_NoRole is newly created for default
Policy apply role mapping
Modify policy to use the Tips:Role mapping
Summary - current services
Test
Demouser2
Visitor1
Knowledge:
Role Mappings: AD groups - Value & Role Name
Profile: Role name - value (Radius:Aruba)
Policy: Rule with profile
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
User + Computer Authentication / BYOD
How-To_82_Deploy_EAP_Chaining.pdf
Unable to change AnyConnect to EAP chaining; proceeding with the BYOD test
Modify enforcement policy
Manually adding attributes to the MAC address entry
Add new profile for post authentication
Policies add post authentication to Machine Authenticated rule
Services edit enforcement rule for employee, tips role for machine
Test
BYOD profile
Policy - byod (role admin/employee to RADIUS Demo_Local_BYOD)
Testing
PC without a machine certificate connects as BYOD
Aruba Central: add BYOD role for VLAN 99
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Fixing some Open-ends - AD over SSL, TLS SAN check, service account
#6
AD over SSL
Service account for AD
Aruba ClearPass and AD authentication based on the UPN
From <https://www.youtube.com/watch?v=5HD3-2APAUs&ab_channel=AirheadsBroadcasting>
(&(|(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))
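ClearPass substitutes %{Authentication:Username} into this filter itself; the following Python is an added illustration (not ClearPass or video code) of the same filter built with RFC 4515 escaping of the substituted value, plus a local evaluation of its OR/AND logic against a constructed directory entry standing in for demouser1.

```python
# Constructed example of the filter from the notes above, built with the RFC 4515
# escaping that any component substituting a user-supplied name into an LDAP
# filter must apply. Not ClearPass code.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username):
    """Same shape as the page's filter, with %{Authentication:Username} substituted."""
    u = escape_filter_value(username)
    return f"(&(|(sAMAccountName={u})(userPrincipalName={u}))(objectClass=user))"


def filter_matches(entry, username):
    """Evaluate the filter's OR/AND logic locally against a constructed AD entry
    (AD compares these two attributes case-insensitively)."""
    names = (entry.get("sAMAccountName", ""), entry.get("userPrincipalName", ""))
    return ("user" in entry.get("objectClass", ())
            and username.lower() in (n.lower() for n in names))


# Constructed directory entry standing in for demouser1 in demo.local
DEMOUSER1 = {
    "sAMAccountName": "demouser1",
    "userPrincipalName": "demouser1@demo.local",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
}
```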
EAP-TLS-CN-or-SAN check
Service - use new method and disable strip username rules
Test
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
EAP-TEAP (aka EAP Chaining)
#7
New method for TEAP
Method 1 = Machine
Method 2 = User
Services - authentication method
Test
Machine certificate doesn't start with host/XXXXX
Services - Role mapping
Services - enforcement
Test:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Active Directory login for Policy Manager
#22
Service
Re-order
Test
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Guest Access #1 Aruba Instant Wireless Guest (getting started)
Save
Creating Guest portal
Configure the Instant AP
next
next
/guest/airheads_guest.php
Next
Next
Next & finish
Guest portal
Edit - self-reg portal
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Guest Access #2 Service re-ordering and structure
Test
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Guest Access #3 Wireless Guest (finishing up)
AP install certificate
Export as "HTTPSRSAServerCertificate.p12"
Import certificate to AP
lab-AP635-1# show captive-portal-domains
Internal Captive Portal Domain:
securelogin.hpe.com
External Captive Portal Domains:
captiveportal-login.demo.local
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AOS-CX Wired #1 Wired 802.1X
Aruba Central SW configuration
6100# show run int 1/1/1
interface 1/1/1
no shutdown
vlan access 88
exit
6100# show run int 1/1/12
interface 1/1/12
no shutdown
vlan trunk native 1
vlan trunk allowed all
exit
6100# show run int vlan 1
interface vlan 1
ip dhcp
exit
6100# show ip int bri
Interface IP Address Interface Status
link/admin
vlan1 172.77.77.107/24 up/up
Add RADIUS server
These need to be configured manually:
!
aaa group server radius clearpass
server clearpass-a.demo.local
!
!
radius dyn-authorization enable
aaa authentication port-access dot1x authenticator
radius server-group clearpass
enable
Reboot
Wired services
New device
Test
6100# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/1 08:00:27:cf:08:2e dot1x Success RADIUS_0
6100# show aaa authentication port-access interface all client-status
Port Access Client Status Details
Client 08:00:27:cf:08:2e, anonymous
===================================
Session Details
---------------
Port : 1/1/1
Session Time : 130s
IPv4 Address :
IPv6 Address :
Device Type :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 112s ago
Authorization Details
----------------------
Role : RADIUS_0
Status : Applied
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AOS-CX Wired #2 Wired User Roles
Accounting
aaa accounting port-access start-stop interim group clearpass
!
radius dyn-authorization client clearpass-a.demo.local secret-key ciphertext AQBapUAZwTwSRSF5DpWqdcM8u3ZG3yUadu/RSQ7dwNKtlpyJCwAAADkBgN10rb8safl/
IP Tracking
!
client track ip
vlan 1
vlan 77
client track ip
vlan 88
client track ip
vlan 99
client track ip
interface 1/1/12
no shutdown
vlan trunk native 1
vlan trunk allowed all
client track ip disable
6100# show client ip
MAC Address Interface VLAN IP Address
------------------------------------------------------------------------------
08:00:27:cf:08:2e 1/1/1 88 172.88.88.109
Policies
Apply policy to Service - Enforcement
6100# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/1 08:00:27:cf:08:2e dot1x Fail
Roles to VLAN
vlan 88
name Corporate VLAN
client track ip
vlan 99
name Guest VLAN
client track ip
port-access role BYOD
vlan access name Guest VLAN
port-access role admin
vlan access name Corporate VLAN
port-access role employee
vlan access name Corporate VLAN
port-access role helpdesk
vlan access name Corporate VLAN
port-access role machine
vlan access name Corporate VLAN
6100# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/1 08:00:27:cf:08:2e dot1x Success employee
6100# show aaa authentication port-access interface all client-status
Port Access Client Status Details
Client 08:00:27:cf:08:2e, demouser1@demo.local
==============================================
Session Details
---------------
Port : 1/1/1
Session Time : 589s
IPv4 Address : 172.88.88.109
IPv6 Address :
Device Type :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 588s ago
Authorization Details
----------------------
Role : employee
Status : Applied
6100# show port-access clients detail
Port Access Client Status Details:
Client 08:00:27:cf:08:2e, demouser1@demo.local
==============================================
Session Details
---------------
Port : 1/1/1
Session Time : 884s
IPv4 Address : 172.88.88.109
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 88
Access : 88
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 244s ago
dot1x - Authenticated, 883s ago
Authorization Details
----------------------
Role : employee
Status : Applied
Role Information:
Name : employee
Type : local
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name : Corporate VLAN
Native VLAN Name :
Allowed Trunk VLAN Names :
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
Captive Portal Profile :
Policy :
Device Type :
Return username in case of EAP anonymous identity
Profile
policy
Test
6100# show port-access clients detail
Port Access Client Status Details:
Client 08:00:27:cf:08:2e, demouser1@demo.local
==============================================
Session Details
Test unsuccessful with computer name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Troubleshooting #1 ClearPass Packet Capture
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AOS-CX Wired #3 Device Profiling
lab-router(config-subif)# interface GigabitEthernet0/1.77
lab-router(config-subif)#ip helper-address 10.8.25.157
lab-router(config-subif)# interface GigabitEthernet0/1.88
lab-router(config-subif)#ip helper-address 10.8.25.157
lab-router(config-subif)# interface GigabitEthernet0/1.99
lab-router(config-subif)#ip helper-address 10.8.25.157
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AOS-CX Wired #4 Wired MAC Authentication
aaa authentication port-access mac-auth
radius server-group clearpass
enable
6100# show run int 1/1/1
interface 1/1/1
no shutdown
vlan access 1
port-access onboarding-method concurrent enable // try both at the same time; if dot1x is present, it takes over from mac-auth
aaa authentication port-access client-limit 4
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
exit
Services
6100# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/1 9c:53:22:21:1c:2e mac-auth Success RADIUS_0
c 1/1/1 08:00:27:cf:08:2e dot1x Success employee
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AOS-CX Wired #5 Wired MAC Enforcement
class ip class-any
10 match any any any
class ip class-dhcp
10 match udp any any eq dhcp-server
class ip class-dns
10 match udp any 10.8.25.190 eq dns
20 match tcp any 10.8.25.190 eq dns
30 match udp any 10.61.91.175 eq dns
40 match tcp any 10.61.91.175 eq dns
class ip class-pbx
20 match any any 8.8.8.8
class ip class-private
10 match any 10.0.0.0/255.0.0.0 any
20 match any 172.16.0.0/255.240.0.0 any
30 match any 192.168.0.0/255.255.0.0 any
vlan 1
vlan 77
client track ip
vlan 88
name Corporate VLAN
client track ip
vlan 99
name Guest VLAN
client track ip
port-access policy pol-internet
10 class ip class-dhcp
20 class ip class-dns
30 class ip class-private action drop
40 class ip class-any
port-access policy pol-local
10 class ip class-dhcp
20 class ip class-dns
30 class ip class-private
40 class ip class-any action drop
port-access policy pol-profile
10 class ip class-dhcp
20 class ip class-any action drop
port-access policy pol-voip
10 class ip class-dhcp
20 class ip class-dns
30 class ip class-pbx
40 class ip class-any action drop
port-access role BYOD
vlan access name Guest VLAN
port-access role admin
vlan access name Corporate VLAN
port-access role employee
vlan access name Corporate VLAN
port-access role helpdesk
vlan access name Corporate VLAN
port-access role iot-internet
associate policy pol-internet
vlan access name Guest VLAN
port-access role iot-local
associate policy pol-internet
vlan access name Guest VLAN
port-access role machine
vlan access name Corporate VLAN
port-access role profiler
associate policy pol-profile
vlan access name Guest VLAN
port-access role voip
associate policy pol-voip
vlan access name Corporate VLAN
interface 1/1/1
no shutdown
vlan access 1
aaa authentication port-access client-limit 4
aaa authentication port-access mac-auth
enable
Roles
Role mapping
Role mapping
Assign role mapping to services
Test role mapping
Profiler to RADIUS role
Each creates
Policies
Assign policy to services - enforcement
Test role and enforcement
6100# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/1 08:00:27:cf:08:2e mac-auth Success profiler
6100# show port-access clients detail
Port Access Client Status Details:
Client 08:00:27:cf:08:2e, 080027cf082e
======================================
Session Details
---------------
Port : 1/1/1
Session Time : 138s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 99
Access : 99
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Auth History : mac-auth - Authenticated, 138s ago
Authorization Details
----------------------
Role : profiler
Status : Applied
Role Information:
Name : profiler
Type : local
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name : Guest VLAN
Native VLAN Name :
Allowed Trunk VLAN Names :
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
Captive Portal Profile :
Policy : pol-profile
Device Type :
Access Policy Details:
Policy Name : pol-profile
Policy Type : Local
Policy Status : Applied
SEQUENCE CLASS TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10 class-dhcp ipv4 permit
20 class-any ipv4 drop
Class Details:
class ip class-dhcp
10 match udp any any eq dhcp-server
class ip class-any
10 match any any any
6100# show client ip
MAC Address Interface VLAN IP Address
------------------------------------------------------------------------------
08:00:27:cf:08:2e 1/1/1 99 172.99.99.103
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AOS-CX Wired #6 Wired Device behind phone - AP with tagged VLANs
interface 1/1/2
no shutdown
vlan access 1
port-access onboarding-method concurrent enable
aaa authentication port-access client-limit 3
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
exit
port-access role cisco-ap
vlan trunk native 1
vlan trunk allowed name Corporate VLAN
vlan trunk allowed name Guest VLAN
auth-mode device-mode // authentication on the AP side (cannot test with the Cisco AP; an Instant AP is needed to test)
Role
Role mapping
Profile
Policies - enforcement
Test
6100# show port-access clients interface 1/1/2
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/2 0c:75:bd:b3:de:24 mac-auth Success cisco-ap
6100# show port-access clients interface 1/1/2 detail
Port Access Client Status Details:
Client 0c:75:bd:b3:de:24, 0c75bdb3de24
======================================
Session Details
---------------
Port : 1/1/2
Session Time : 152s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 1,88,99
Access :
Native Untagged : 1
Allowed Trunk : 88,99
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Authenticating, mac-auth - Authenticated
Auth History : mac-auth - Authenticated, 151s ago
Authorization Details
----------------------
Role : cisco-ap
Status : Applied
Role Information:
Name : cisco-ap
Type : local
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Access VLAN :
Native VLAN : 1
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names : Corporate VLAN,
Guest VLAN
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
Captive Portal Profile :
Policy :
Device Type :
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Guest Access #4 - Controller and Server initiated guest workflows
Failed to test
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Guest Access #5 - Guest Access on AOS-CX Wired
Self registration
Server initiated login
Login delay
Services
New enforcement policy - assign to service
Access tracker
New role mapping
Assign role mapping to - Services - DL_AOS_CX_Wired_MAC
Enforcement
class ip class-clearpass-web
10 match tcp any 10.8.25.157 eq https
20 match tcp any 10.8.25.157 eq http
class ip class-dhcp
10 match udp any any eq dhcp-server
class ip class-dns
10 match udp any 10.8.25.190 eq dns
20 match tcp any 10.8.25.190 eq dns
30 match udp any 10.61.91.175 eq dns
40 match tcp any 10.61.91.175 eq dns
class ip class-web-traffic
10 match tcp any any eq http
20 match tcp any any eq https
port-access policy captive-portal
10 class ip class-clearpass-web
20 class ip class-dhcp
30 class ip class-dns
40 class ip class-web-traffic action redirect captive-portal
aaa authentication port-access captive-portal-profile clearpass-guest
url http://captiveportal-login.demo.local/guest/wired-guest.php
port-access role guest-cp
associate captive-portal-profile clearpass-guest
associate policy captive-portal
vlan access name Guest VLAN
port-access role guest
vlan access name Guest VLAN
Test
Automatically redirect
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OnGuard #1 - Introduction and Agent Install
Install OnGuard
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OnGuard #2 - Posture Policy and WebAuth service (OnGuard)
Services
Posture request
Enable Posture
Posture policies
Posture plugins
Windows defender
Notepad.exe absence
Rules - Posture Token
Add Posture policy to services
Wired 1X enforcement use cache
Final services
Test
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OnGuard #3 OnGuard Updates, Settings & Enforcement
OnGuard global agent setting
Auto download hotfix and fingerprint
Auto download hotfix and fingerprint -- online
Create additional roles on AOS-CX
https://captiveportal-login.demo.local/guest/quarantined_blocked.php
Configure AOS-CX switch
class ip class-remediation
10 match tcp any 10.8.25.190
20 match tcp any 10.61.91.175
port-access policy quarantine
10 class ip class-clearpass-web
20 class ip class-dhcp
30 class ip class-dns
40 class ip class-remediation
50 class ip class-web-traffic action redirect captive-portal
aaa authentication port-access captive-portal-profile clearpass-quarantine
url https://captiveportal-login.demo.local/guest/quarantined_blocked.php
port-access role conractor-quarantine
associate captive-portal-profile clearpass-quarantine
associate policy quarantine
vlan access name Guest VLAN
port-access role employee-quarantine
associate captive-portal-profile clearpass-quarantine
associate policy quarantine
vlan access name Corporate VLAN
Create Enforcement Profile and adapt policy
Attach to policies
Services
Test
class-remediation destinations can still be reached