Authentication Integration With Aruba Clearpass
Clearpass
Introduction to Clearpass
ClearPass is a network access management solution developed by Aruba Networks. It provides
secure network access control and policy enforcement for wired, wireless, and remote devices.
ClearPass allows organizations to authenticate, authorize, and manage user and device access
to their network resources. It supports various authentication methods, such as 802.1X and
captive portal, and integrates with other security solutions to provide comprehensive network
security. ClearPass also offers capabilities for guest access management, device profiling, and
policy enforcement, helping organizations ensure secure and compliant network access for their
users and devices.
Basic Authentication Logic of Clearpass
PoC Test Guide
Test Requirement
1. 802.1x Authentication
2. 802.1x Authentication with Dynamic VLAN
3. Captive Portal Authentication
Test Device
Model                Quantity   Firmware Version
WS6008               1          AC_RGOS 11.9(6)W1B1
S5310-24GT4XS-P-E    1          S5310E_RGOS 12.6(2)B0204
AP730(TR)            1          AP_RGOS 11.1(9)B1P30
❗ Notice:
Please confirm the Model and Firmware Version with the Industry Service
Representative (Enterprise/Carrier: Nick & Kim; SMB: Henry; Strategy: Beni) before
performing the PoC test.
Test Topology
Test Content
1. 802.1x Authentication
1.1 Configuration on AC
(1) Configure the RADIUS authentication server
ip radius source-interface VLAN 10
radius-server host 10.10.100.10 key Ruijie@123
(2) Configure an AAA method list
aaa new-model
aaa group server radius aruba_radius
server 10.10.100.10
exit
aaa accounting network aruba start-stop group aruba_radius
aaa authentication dot1x aruba group aruba_radius
aaa authentication login default local
(3) Enable 802.1x authentication.
wlan-config 1 clearpass_1x
ap-group default
interface-mapping 1 100 ap-wlan-id 1
wlansec 1
security rsn enable
security rsn ciphers aes enable
security rsn akm 802.1x enable
dot1x authentication aruba
dot1x accounting aruba
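
An offline consistency check for the AAA chain configured above, as an added example (not Ruijie or Aruba tooling): it confirms that each "dot1x authentication" / "dot1x accounting" reference under a WLAN resolves to a defined method list, server group, and "radius-server host" entry with a key. The function name lint_dot1x and the parsing rules are assumptions based only on the command forms shown on this page.

```python
import re

# Relevant lines of the section 1.1 AC configuration, copied from this page.
AC_CONFIG = """\
radius-server host 10.10.100.10 key Ruijie@123
aaa new-model
aaa group server radius aruba_radius
server 10.10.100.10
exit
aaa accounting network aruba start-stop group aruba_radius
aaa authentication dot1x aruba group aruba_radius
wlansec 1
security rsn akm 802.1x enable
dot1x authentication aruba
dot1x accounting aruba
"""

def lint_dot1x(config):
    """Return a list of broken references in the 802.1x AAA chain (hypothetical helper)."""
    hosts, groups, auth, acct, problems = set(), {}, {}, {}, []
    current_group = None
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:  # first pass: collect what the config defines
        if m := re.match(r"radius-server host (\S+) key \S+", ln):
            hosts.add(m[1])
        elif m := re.match(r"aaa group server radius (\S+)", ln):
            current_group = m[1]
            groups[current_group] = []
        elif (m := re.match(r"server (\S+)", ln)) and current_group:
            groups[current_group].append(m[1])
        elif m := re.match(r"aaa authentication dot1x (\S+) group (\S+)", ln):
            auth[m[1]] = m[2]
        elif m := re.match(r"aaa accounting network (\S+) start-stop group (\S+)", ln):
            acct[m[1]] = m[2]
        elif ln == "exit":
            current_group = None
    for ln in lines:  # second pass: resolve what each WLAN references
        if not (m := re.match(r"dot1x (authentication|accounting) (\S+)", ln)):
            continue
        group = (auth if m[1] == "authentication" else acct).get(m[2])
        if group is None:
            problems.append(f"{ln}: method list '{m[2]}' is not defined")
        elif group not in groups:
            problems.append(f"{ln}: server group '{group}' is not defined")
        else:
            problems += [f"{ln}: server {ip} has no radius-server host/key"
                         for ip in groups[group] if ip not in hosts]
    return problems
```

An empty list means every reference resolves. It does not confirm that the key matches the shared secret entered for the access device in ClearPass.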
1.2 Configuration on Clearpass
(1) Add an Access Device
(2) Create User Accounts and Role (Optional)
(3) Configure the Services
2. 802.1x Authentication with Dynamic VLAN
2.1 Configuration on AC
(1) Configure the RADIUS authentication server
ip radius source-interface VLAN 10
radius-server host 10.10.100.10 key Ruijie@123
(2) Configure an AAA method list
aaa new-model
aaa group server radius aruba_radius
server 10.10.100.10
exit
aaa accounting network aruba start-stop group aruba_radius
aaa authentication dot1x aruba group aruba_radius
aaa authentication login default local
(3) Configure a VLAN group
vlan-group 1
vlan-list 100,200
default-vlan 100
vlan-assign-mode dot1x
(4) Enable 802.1x authentication.
wlan-config 2 clearpass_1x_dynamicvlan
ap-group default
interface-mapping 2 group 1
wlansec 2
security rsn enable
security rsn ciphers aes enable
security rsn akm 802.1x enable
dot1x authentication aruba
dot1x accounting aruba
2.2 Configuration on Clearpass
(1) Create profiles "VLAN100" and "VLAN200"
(2) Create a Policy "wireless_1x_dynamicvlan"
(3) Create a Service "wireless dot1x with dynamic vlan" and apply the
"wireless_1x_dynamicvlan" policy
3. Captive Portal Authentication
3.1 Configuration on AC
(1) Configure the RADIUS authentication server
ip radius source-interface VLAN 10
radius-server host 10.10.100.10 key Ruijie@123
(2) Configure an AAA method list
aaa new-model
aaa group server radius aruba_radius
server 10.10.100.10
exit
ap-group default
interface-mapping 3 100
wlansec 3
web-auth accounting cpweb aruba
web-auth authentication cpweb aruba
web-auth portal cpweb
webauth
3.2 Configuration on Clearpass
(1) Create a web login page
(2) Create a service for captive portal authentication
❗ Notice:
Ruijie devices do not support pre-defining the "user profile" on the device, as HUAWEI
or ARUBA devices do.
Troubleshooting
ClearPass provides a useful tool, "Access Tracker", for troubleshooting authentication
issues.
(1) Check whether the right authentication source is added to the service
(2) Check whether the user account is added to the authentication source
2. Cannot select the appropriate authentication method
Check whether the authentication method is correctly configured on the Service