Tellabs Interfacing With Aruba Clearpass

This document provides a comprehensive guide on configuring and administering the Tellabs OLAN system to interface with Aruba ClearPass for network access control. It covers various aspects such as RADIUS authentication, policy enforcement, and device configuration, specifically for Tellabs OLAN systems running compatible software versions. The document emphasizes the importance of importing Tellabs-specific RADIUS dictionaries and CoA templates for successful integration.


Interfacing with Aruba ClearPass

Copyright © 2023 Tellabs® All Rights Reserved



Tellabs® Information
Copyright
Copyright © 2023 Tellabs Enterprise, Inc. All rights reserved.

The information in this publication is proprietary to Tellabs Enterprise, Inc.

No part of this publication may be used, disclosed, reproduced, adapted, translated, stored in a retrieval system,
or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the written
permission of Tellabs Enterprise, Inc. Although every precaution has been taken in the preparation of this
publication, Tellabs Enterprise, Inc. assumes no (i) responsibility for errors or omissions contained herein or (ii)
liability for any damages resulting from the use of information contained herein. Information in this publication is
subject to change without notice.

Trademarks
The following trademarks and service marks are owned by Tellabs Operations, Inc. or its affiliates in the United
States and/or other countries: TELLABS®, TELLABS and T symbol®, T symbol®.

Any other company or product names may be trademarks of their respective companies.

Proprietary
This document is the property of Tellabs Enterprise, Inc. and contains confidential and proprietary information
owned by Tellabs Enterprise, Inc. Any copying, use, or disclosure of the contents of this document, without the
written permission of Tellabs Enterprise, Inc., is strictly prohibited.

© 2023,Tellabs Enterprise, Inc. All rights reserved. Page 2 of 70



Table of Contents
Interfacing with Aruba ClearPass......................................................................................................................................1

Tellabs® Information..............................................................................................................................2
Copyright............................................................................................................................................................. 2
Trademarks..........................................................................................................................................................2
Proprietary...........................................................................................................................................................2
Interfacing with Aruba ClearPass......................................................................................................... 4


Interfacing with Aruba ClearPass


· Introduction
· Applies To
· Enforcing Policy on OLAN using Aruba ClearPass
· Aruba ClearPass Configuration for Tellabs OLAN
· Import Tellabs RADIUS Dictionaries
· Set Up Authentication Sources
· Creation of Network Device for Tellabs OLAN
· Creation of Network Device Group for Tellabs OLAN
· Creation of Enforcement Profiles
· Creation of Enforcement Policies
· Creation of Services in ClearPass
· Profiling Using Aruba Clearpass
· Creation of Roles
· Creation of Enforcement Policies
· Creation of Service
· Posturing Using Aruba Clearpass
· Create 802.1x Wired Service
· Creation of Enforcement Profiles
· Creation of Enforcement Policies
· Create 802.1x Wired Posture Check Service
· Creation of Posture Policy
· Creation of Enforcement Profiles
· Creation of Enforcement Policies
· Creation of Service
· Server Initiated Web Auth with Self Registration
· Creation of Self Registration Page
· Configuration of Role Mappings
· Tellabs Guest MAC Auth Service
· Creation of Enforcement Profiles
· Creation of Enforcement Policies
· Creation of Service


· Tellabs Guest Web Auth Service


· Creation of Enforcement Profiles
· Creation of Enforcement Policies
· Creation of Service
· Setting Up Radius Authentication for CLI Sessions
· Other Applicable AppNotes
· Summary

Introduction
Document Number
ENG-010592

Purpose
Aruba ClearPass is a software package providing policy management to control network access.
The purpose of this document is to explain how to configure and administer the Tellabs OLAN
system to interface with Aruba ClearPass.

Applies To
This document applies to all Tellabs OLAN systems running OLT SR29.2 and EMS SR30.0 or above.
Earlier releases do not fully support Aruba ClearPass and are limited to simple access via 802.1x.
Aruba Clearpass 6.7.3 or above is recommended.

Enforcing Policy on OLAN using Aruba ClearPass


Aruba ClearPass is an application that can characterize devices that are discovered on the
network and apply policies based on rule sets. This allows more consistent application of policy
across the network. It also allows application of policy based on the user login or device type
which allows for dynamic configuration and allocation of resources in real time.

The OLAN PAE or Port Authentication Entity interfaces with Aruba ClearPass for two different
protocols:

· RADIUS – Remote Authentication Dial In User Service. This interface allows a switch to
transparently forward credentials from a user to the RADIUS server for authentication. The
RADIUS server will either grant access with an Access-Accept or deny it with an Access-Reject.
RADIUS also supports a mechanism to pass back the name of the policy to apply to the port via
the FILTER-ID attribute.
· CoA – Change of Authorization is an extension to the RADIUS protocol that allows additional
updates to a port. RADIUS alone is only triggered by authentication requests and cannot send
updates to the port in real time. CoA allows updates to the port in real time.

CoA, which is supported in SR29.2 and above, provides the following messages for additional control:

· Session Re-authentication – Force re-authentication of a port.
· Session Termination – Allows terminating a user immediately from the network. RADIUS alone
can only terminate a user when it attempts to re-authenticate after the re-authentication
timeout.
· Session Termination with Port Shutdown – Terminate a session and shut off the port
afterwards. This prevents further access from that port after the session is terminated. An
administrator must manually set the port admin state up before it can be used again. This can
be used in highly secure areas to prevent further attempts to access the port.
· Session Termination with Port Bounce – Terminate the session and disable/re-enable the
port to restart authentication with a new session.
· Session Policy Push – CoA can push a new policy to a port at any time using the Session
Policy Push. This allows changes to take effect immediately rather than waiting for the next
re-authentication attempt from the port.
· Session Re-authentication with rerun – Force re-authentication with the configured
authentication method from the beginning. This is not supported by Tellabs in the current
release.
· Session Re-authentication with last – Force re-authentication using the last successful
method of authentication. This is not supported by the Tellabs system in the current
release.

Additional general information on RADIUS authentication, support and configuration can be found
in the AppNote ENG-010428 Configuring Policy Via RADIUS Authentication. This document
explains the basic operation of RADIUS and how to use RADIUS to distribute policy via the RADIUS
FILTER-ID attribute.

The following table outlines the Tellabs OLAN product support for Aruba ClearPass features
(√ = supported, - = not supported):

Feature                                   Tellabs
Session Termination                       √
Session Termination with port bounce      √
Session Termination with port shutdown    √
Session re-authentication                 √
Session re-authentication with rerun      -
Session re-authentication with last       -
Session Policy Push CoA                   -
URL Redirect (Dynamic)                    √
802.1x/MAB                                √
Profiler without CoA                      √
Profiler with CoA                         √
Posture                                   √
Guest/BYOD                                √

Aruba ClearPass and Wireless End Points


Aruba ClearPass has two authentication models, one is Server based, the other is Controller
based. In the case of Wireless Access Points, the authentication is typically between ClearPass
and the AP. Tellabs simply passes the packets through and is not involved in the authentication
process. The rest of this document addresses Wired Port configurations where Tellabs is involved
in the Port Authentication.

Aruba ClearPass Configuration for Tellabs OLAN


Aruba ClearPass documentation should always be consulted first for the latest information
about configuration of ClearPass features. This section shows one example of how to configure
ClearPass to interoperate with Tellabs OLAN and only details configuration of components that
are unique to Tellabs OLAN. It does not cover full configuration of Aruba ClearPass; Aruba
manuals and documentation should be consulted for that.

Import Tellabs RADIUS Dictionaries


In later versions of Aruba ClearPass, from major release 6.8, the Tellabs Dictionary will be
included. If your Aruba ClearPass instance does not include the Tellabs RADIUS Dictionary, it
will need to be imported.

The RADIUS Dictionary and support files, if needed, can be downloaded here:

Tellabs Aruba Dictionary and Support Files

You can determine whether the Tellabs Dictionary is loaded by looking at:

Administration->Dictionaries->Radius, then look for Tellabs.

If the Tellabs entry is missing, then the Tellabs RADIUS Dictionary will need to be added. It can be
downloaded from the link above.

If required, click on the Import button, choose the Tellabs-RadiusDictionary.xml file that was
downloaded and add it to Aruba ClearPass. You should then see the Tellabs dictionary listed.

Import RADIUS CoA Templates


In later versions of Aruba ClearPass, major release 6.8, the Tellabs CoA Templates will be included.
If your Aruba ClearPass instance does not include the Tellabs CoA Templates, they will need to be
imported. You can determine if the Tellabs RADIUS CoA templates are loaded by looking at:
Administration->Dictionaries->Radius CoA Templates

Under the Administration->Dictionaries->Radius CoA Templates, click on Import and then Import
the file:


You should import the following files:

· RadiusCoATemplate-Tellabs-DisableSwitchPort.zip
· RadiusCoATemplate-Tellabs-BounceSwitchPort.zip
· RadiusCoATemplate-Tellabs-ReauthenticateSession.zip
· RadiusCoATemplate-Tellabs-TerminateSession.zip

Each file, per the Clearpass standard procedures, is password protected and the password can be
found in the file RADIUSCoATemplates-Password.txt. The password is defaulted to Tellabs-1.

Radius CoA Bounce Switch Port


Radius CoA Disable Switch Port

Radius CoA Reauthenticate Session


Radius CoA Terminate Session

Set Up Authentication Sources


Consult ClearPass documentation on how to set up Authentication sources and connect them to
active directory. An example is shown below. This menu is reached via:

Configuration->Authentication->Sources->Add


Creation of Network Device for Tellabs OLAN


A Network Device needs to be created for each Tellabs OLT that will be managed.

Go to Configuration->Network->Devices and click Add.


Edit the following fields:

· Name: Name for the Tellabs OLAN OLT
· IP or Subnet Address: Enter the IP address of the Tellabs OLT
· Radius Shared Secret: Enter the shared secret to be used when performing RADIUS
authentications. The same shared secret must be placed into the Tellabs OLT configuration.
· TACACS+: Tellabs does not currently support TACACS+, so this should be left blank.
· Vendor Name: Select Tellabs from the dropdown. If it does not appear, ensure you have
imported the Tellabs RADIUS Dictionary files as shown above.
· Enable RADIUS CoA: Click this to enable CoA.
· RADIUS CoA Port: Use the default port of 3799
· No Custom Attributes are needed.

Go to the SNMP Read Settings and configure the following settings:

· Allow SNMP Read: Click to enable reading of SNMP Data from the OLT.
· SNMP Read Setting: Set for SNMPv2 with Community Strings, or SNMPv3 with SHA and
Privacy. Tellabs supports both V2 and V3.
· Community String: Enter the community string that you will use to configure SNMP on the
OLT.
· Force Read: Check to always Read information from this device.
· Read ARP Table Info: Leave this unchecked as the OLT currently does not support this
table.


· Allow SNMP Write: Check to Enable Policy Manager to Perform SNMP Write operations.
· Default VLAN: Add the Management VLAN
· SNMP Write Setting: Set for SNMPv2 with Community Strings, or SNMPv3 with SHA and
Privacy. Tellabs supports both V2 and V3.
· Community String: Set the Community String that you will set in the OLT on the SNMP
settings. Ensure they agree to allow SNMP access.

Press the Save button to Save the device and repeat for any other OLTs you wish to add.

Creation of Network Device Group for Tellabs OLAN


A Network Device Group needs to be created for the Tellabs OLAN system. After the Network
Device Group is created, Tellabs OLTs can be added to it.

You can reach this menu via Configuration->Network->Device Groups

Then press Add to create the group.


The following fields should be edited:

· Name: Tellabs OLAN
· Description: Tellabs OLAN
· Format: List
o Add the Tellabs OLAN OLTs that appear in the list to the group.

Save and close the dialog.

Creation of Enforcement Profiles


Under the Configuration->Enforcement->Profiles, you need to create CoA enforcements profiles
which define a set of RADIUS attributes which can later be used in Enforcement Policies to
configure or take actions on the port.


The Profile above gives an example for a Data Service which sets the NAC profile for the data
service and also assigns an ACL List to the port.

Click Add to add a new Profile and add the following Attributes:

· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request
· Filter-ID (NAC): You can typically set the NAC profile via one of two methods. You can set it
explicitly, or you can use profile MATCH to search the list of service profiles associated with
the port for a partial match on a NAC profile. In this example, it will search the port for a
default VLAN service profile whose name starts with the text “DATA”.
· Filter-Id (ACL): This example also sets an ACL list on the port via the PROFILE-ACL qualifier.
This allows setting ACLs on the port based on current state. In this example, it is
permitting all traffic.
· Filter-Id (IFALIAS): This defines a data tag that will show up on the EMS for that dynamic
connection when viewed. It allows understanding of what has been assigned.

The following example shows how to set up an Enforcement Profile for a Phone:

Click Add to add a new Profile and add the following Attributes:

· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request
· Filter-ID: You can typically set the NAC profile via one of two methods. You can set it
explicitly, or you can use profile MATCH to do a search within the list of service profiles for a
NAC profile associated with the port for a partial match. In this example, it will search the
port for a default vlan service profile which starts with the text “VOICE”.
· Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This
allows setting ACLs on the port based on current state. In this example, it is permitting all
traffic.


The following example shows how to set up an Enforcement Profile for a Printer:

Click Add to add a new Profile and add the following Attributes:

· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request
· Filter-ID: You can typically set the NAC profile via one of two methods. You can set it
explicitly, or you can use profile MATCH to do a search within the list of service profiles for a
NAC profile associated with the port for a partial match. In this example, it will search the
port for a default vlan service profile which starts with the text “PRINTER”.
· Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This
allows setting ACLs on the port based on current state. In this example, it is permitting all
traffic.

The following section defines how to configure an Enforcement Profile for CoA Reauthenticate:


This defines the Tellabs attribute values that are needed to force the Tellabs RADIUS client to
re-authenticate the user. This is used in Enforcement Policies to force re-authentication.
Re-authenticate does not bounce the port but just forces user re-authentication.

The following section defines how to configure an Enforcement Profile for CoA Port Bounce:

This defines the Tellabs attribute values to force a Port Bounce. Port Bounce will cause the
Ethernet port to go link down, then attempt to re-link. As a consequence, the user will also be
re-authenticated.

The following Enforcement Profile defines how to perform a CoA Port Disable:

The CoA Port Disable will shut down the port and the port will remain down unless the
AdminState is re-enabled on the EMS. This is often used to deny access to a port where a security
violation has been detected.


The following Enforcement Profile defines how to perform a CoA Terminate-Session action:

The CoA Disconnect will terminate the session and return the port to an initial state. This is used
to terminate a user’s access and force them to re-authenticate to gain access to the network.
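As an added example (not Tellabs or Aruba code) tying together the Enforcement Profile attributes above and this Terminate-Session action, the Python below encodes an Access-Accept carrying Session-Timeout, Termination-Action=RADIUS-Request and the Filter-Id strings, plus a CoA Disconnect-Request, and shows how the NAS verifies each against the shared secret configured on the Network Device. The Filter-Id string syntax (Profile-Match=, Profile-ACL=, TLAB:IFALIAS=) is an assumption based on the values quoted in this document, and the sample secret, identifiers and MAC address are constructed.

```python
# RADIUS Access-Accept and CoA Disconnect-Request encoding with shared-secret
# authenticators (RFC 2865 section 3, RFC 5176 section 2.3). Added illustration
# for this AppNote, not Tellabs or Aruba code. The Filter-Id string syntax
# (Profile-Match=..., Profile-ACL=..., TLAB:IFALIAS=...) is an assumption taken
# from the values quoted in this document.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
DISCONNECT_REQUEST = 40          # CoA "Session Termination" (RFC 5176)

# Standard attribute types used by the enforcement profiles above
USER_NAME = 1
FILTER_ID = 11
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TERMINATION_ACTION_RADIUS_REQUEST = 1   # shown as "RADIUS-Request" in ClearPass

HEADER = struct.Struct("!BBH")           # Code, Identifier, Length

def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length includes the 2-octet header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value

def int_attr(atype: int, n: int) -> bytes:
    return attr(atype, struct.pack("!I", n))

def str_attr(atype: int, s: str) -> bytes:
    return attr(atype, s.encode("utf-8"))

def parse_attrs(pkt: bytes) -> list:
    """Return [(type, value), ...]; reject attributes with malformed lengths."""
    out, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 3 or pos + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out

def filter_ids(pkt: bytes) -> list:
    """The Filter-Id strings the OLT uses to select policy for the port."""
    return [v.decode("utf-8") for t, v in parse_attrs(pkt) if t == FILTER_ID]

def access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    hdr = HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs

def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute with the NAS's own copy of the shared secret."""
    code, _, length = HEADER.unpack(pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt) or length < 20:
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def disconnect_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)."""
    hdr = HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + bytes(16) + attrs + secret).digest() + attrs

def verify_disconnect_request(pkt: bytes, secret: bytes) -> bool:
    """A NAS must silently discard CoA requests whose authenticator does not verify."""
    code, _, length = HEADER.unpack(pkt[:4])
    if code != DISCONNECT_REQUEST or length != len(pkt) or length < 20:
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

# Constructed sample: the attributes of the Data enforcement profile above.
DATA_PROFILE_ATTRS = (
    int_attr(SESSION_TIMEOUT, 3600)
    + int_attr(TERMINATION_ACTION, TERMINATION_ACTION_RADIUS_REQUEST)
    + str_attr(FILTER_ID, "Profile-Match=DATA")
    + str_attr(FILTER_ID, "Profile-ACL=PERMIT-ALL-TRAFFIC")
    + str_attr(FILTER_ID, "TLAB:IFALIAS=DATA")
)

if __name__ == "__main__":
    secret = b"example-shared-secret"      # constructed; the real one is set on OLT and ClearPass
    req_auth = bytes(range(16))            # stands in for the Access-Request authenticator
    accept = access_accept(7, req_auth, DATA_PROFILE_ATTRS, secret)
    print(filter_ids(accept), verify_access_accept(accept, req_auth, secret))
    print("wrong secret accepted:", verify_access_accept(accept, req_auth, b"other"))
    dm = disconnect_request(8, str_attr(USER_NAME, "00-11-22-33-44-55"), secret)
    print("CoA disconnect verifies:", verify_disconnect_request(dm, secret))
```

A reply or CoA request that fails this authenticator check is what the OLT silently discards when the shared secrets on the two sides do not agree, which is the first thing to confirm when enforcement profiles or CoA actions appear to have no effect.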

Creation of Enforcement Policies


The Enforcement policies define conditions and actions to be applied to users.

The Enforcement Policies are reached via Configuration->Enforcement->Policies:

One example of a common policy might be to detect the vendor of a particular type of phone via
the MAC address OUI and perform an action on it, in this case assigning an Enforcement Profile
which sets the VLAN and ACL list.


You might also do the same thing for detection of printers:

The following example demonstrates how to assign an Enforcement Policy based on an
authentication with a Microsoft Active Directory:

Creation of Services in ClearPass


Services in Clearpass define a set of conditions which when fully satisfied, associate an
Enforcement Policy to the device.

Services are configured via Configuration->Services->Add.

An example of how to configure a wired MAB Service is shown below. MAB or MAC Authentication
Bypass is used to authenticate devices using the MAC address as the authentication credentials.
RADIUS will then either authorize or deny the port based on whether that MAC address is known.


When it is a MAB authentication, NAS-Port-Type is set to Ethernet, and Service-Type is set to
Call-Check. The RADIUS attribute User-Name is used to obtain the client MAC address for use by
ClearPass.


A similar example is shown for wired printers:

The following example shows how to construct a service for authenticating a user on the network
in the Tellabs Domain using Active directory:


The RADIUS attribute value Ethernet indicates that it is a wired port, and the Framed-User
attribute value identifies the user to be authenticated. The authentication method and source
tell ClearPass where to authenticate the user. The Enforcement Policy “Tellabs compliant user”
is assigned if authentication is successful.

Profiling Using Aruba Clearpass


The process of profiling uses information gleaned from DHCP attributes, such as device type, and
additionally verifies that the MAC OUI matches the DHCP attributes that are sent. This allows
ClearPass to identify the device and assign a role so that the appropriate profile can be applied
upon re-authentication. ClearPass will then use a Port Bounce to force the device to
re-authenticate and apply the proper policy to the device. On subsequent authentications the
device will be immediately recognized via its MAC address and immediately assigned to the proper
role and policy.

Creation of Roles
Once a device has been profiled, it is assigned a Role. In this example we will be using three
Roles: DHCP, to be used during profiling, and IP Phone and Printer, to be used as the Roles once
the type of device is recognized and its role assigned.


Creation of Role Mapping Policy

Once the Roles are created, the Roles need to be mapped using a Role Mapping Policy. Use the
screen below to create the proper conditions and Role Assignments.

· IsProfiled: If an endpoint does not exist in the database, assign the Tellabs DHCP role.
· Category equals VoIP Phone: Once a device has been categorized as a VoIP Phone, assign the
Role of Tellabs IP Phone.
· Category equals Printer: Once a device has been categorized as a Printer, assign the Role of
Printers.

Creation of Enforcement Profiles

When a device comes on the network and is unknown because it is not in the Endpoints
repository, it will be assigned the role of DHCP. The device is placed onto a VLAN and allowed to
DHCP so that ClearPass can profile it based on the attributes sent in the DHCP request along
with the MAC address. The following example shows how to set up a DHCP Profile:

· Session Timeout: The Session timeout along with the termination action define what to do
after the session times out, and in this case to Re-authenticate.
· Termination Action: Set to RADIUS-Request
· Filter-ID: The PROFILE-MATCH DHCP will select the DHCP Service profile from the matching
NAC profile and assign that VLAN to be used for the device to DHCP on the network. This
VLAN is usually temporary and used just for the profiling action.
· Filter-Id: The ACL-LIMITED-ACCESS Filter-ID will limit the device's access on the network to
just the DHCP server.
· Filter-Id: The IFALIAS being set to DHCP will set the User Label of the Port so that in the
EMS, you can see the devices that are currently attempting to DHCP during the profiling
process.

The following example shows how to set up an Enforcement Profile for a Phone; this will be used
in a later step after the device is profiled:

· Termination Action: Set to RADIUS-Request
· Filter-ID: You can typically set the NAC profile via one of two methods. You can set it
explicitly, or you can use profile MATCH to search the list of service profiles associated with
the port for a partial match on a NAC profile. In this example, it will search the port for a
default VLAN service profile whose name starts with the text “VOICE”.
· Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This
allows setting ACLs on the port based on current state. In this example, it is permitting all
traffic.

The following example shows how to set up an Enforcement Profile for a Printer; this will be
used in a later step after the device is profiled:

Click Add to add a new Profile and add the following Attributes:

· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request
· Filter-ID: You can typically set the NAC profile via one of two methods. You can set it
explicitly, or you can use profile MATCH to search the list of service profiles associated with
the port for a partial match on a NAC profile. In this example, it will search the port for a
default VLAN service profile whose name starts with the text “PRINTER”.
· Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This
allows setting ACLs on the port based on current state. In this example, it is permitting all
traffic.

Creation of Enforcement Policies


The next step will create policies. In this example, a single policy is defined with three roles. The
DHCP role is used during the early stages of profiling to gather the device data from its DHCP
response. After profiling the Printer or IP Phone roles are used for assigning Actions to be taken
on devices with those roles.

Creation of Service
The Service is used to match for endpoints of a certain type and assign Policy.

The following Service defines the service to be used for MAC Authenticated Devices.


· Type: MAC Authentication
· Status: Enabled
· Monitor Mode: Leave unchecked.
· More Options: Select Authorization, and Profile Endpoints

On the Authentication Tab select Allow all MAC Auth in the Select to Add Pulldown.

Under Authentication Sources, select Endpoints Repository Local SQL DB.


On the Authorization tab, select the Authentication Source Endpoints Repository.

Under the Roles Tab, create a role mapping policy by selecting Profiling in the Role Mapping Policy
Dropdown. Also set the default role to Tellabs MAB which will catch any devices that are not
profiled as phone or printer.

In the Enforcement Tab, select Tellabs – Profiling as the Enforcement Policy.

The default profile will be Deny Access Profile which if the device can’t be profiled, or
authenticated will deny access to the device.


In the Profiler tab, select the VoIP Phone and Printer as endpoint classifications.

Then select a RADIUS CoA action of Bounce Host Port. After profiling, this will cause the port
to be bounced, forcing re-authentication and assignment to the proper working VLAN.

This Access Tracker output shows the Tellabs Wired MAB Services Profiling for Phones and
Printers in use, taking the Endpoint from the initial state for an unknown endpoint (DHCP) to
the final profile selected (in this case Printer) based on the profile data learned.

Posturing Using Aruba Clearpass


Posturing is the process of checking the endpoint to see if it is healthy using the OnGuard agent
before granting full access to the network. If the device is designated to not be healthy, network
access will be limited.


This screen shows the OnGuard settings that were used for this example:

Installation of the OnGuard Agent onto the computer is out of scope for this document and can be
done in many ways, such as a manual install or a Windows Group Policy Object (GPO) push. When
installing manually, the link for the OnGuard agent can be found within ClearPass.


The following section will create the two services used to accomplish posturing:

· 802.1x Wired Service
· 802.1x Wired Posture Check Service

Create 802.1x Wired Service


Creation of Enforcement Profiles

The Enforcement Policy Tellabs Posture is going to be used when an Endpoint is unknown to
ClearPass. This is the Policy that helps ClearPass to begin the Posture Checks to find out whether
the Endpoint is Healthy or Not Healthy.

Create an Enforcement Policy Tellabs Posture as follows:


· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request
· Profile-Match=DATA: Defines this to match the data profile which is typically used for PCs
on the network.
· Profile-ACL=CPPM-POSTURE: Defines an Authorized MAC ACL that will be used during the
posturing sequence.
· TLAB:IFALIAS=POSTURE-UNKNOWN: This will mark the port in the EMS with a UserLabel
of POSTURE-UNKNOWN so that ports in this state can be seen.

The following Enforcement Profile is used when an Endpoint is found to be NONCOMPLIANT and
should only have limited access to the network.

· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request.
· Profile-Match=DATA: Defines this to match the data profile, which is typically used for PCs
on the network.
· Profile-ACL=LIMITED-ACCESS: Defines an ACL that limits access to a very few addresses in the
network until the device reaches a Compliant state.
· TLAB:IFALIAS=POSTURE-UNKNOWN: This marks the port in the EMS with a UserLabel of
POSTURE-NONCOMPLIANT so that ports in this state can be seen.

This Enforcement Profile will be used when a device is found compliant with all health checks by
the OnGuard Endpoint Agent Posture Check.

· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request.
· Profile-Match=DATA: Defines this to match the data profile, which is typically used for PCs
on the network.
· Profile-ACL=PERMIT-ALL-TRAFFIC: Defines an ACL that permits access to all the resources
on the network.
· TLAB:IFALIAS=DATA: This marks the port in the EMS with a UserLabel of DATA,
indicating the user is on the DATA VLAN and is Compliant.

Creation of Enforcement Policies

The Enforcement Policy has three states where the Posture is either Unknown, UnHealthy, or
Healthy. Based on those conditions, the appropriate action or Enforcement Profile is applied to
the port. The example below shows these conditions:

Creation of Service

The Service is used to match for endpoints of a certain type and assign Policy based on the result
of health checks.

· Type: Select a type of 802.1x Wired.
· NAS-Port-Type: Add a match on type of Ethernet.
· Service-Type: Set to Framed User.
· User-Name: Add a condition on the User-Name that tests for the domain so that domain
specific rules can be applied. Typically, the domain name is appended to the username
when authenticating in Windows.
· Authentication Sources: Add your Active Directory Authentication Sources.
· Enforcement Policy: Select the 802.1x Wired Enforcement Policy created above.

The default settings for the Service Tab should be accepted.

The default Authentication methods are typically fine; select from the list those used in your
organization.

The Authentication Sources should be defined as appropriate for your network.

No Roles are needed in this example.

· Use Cached Results: Select Use cached Roles and Posture attributes from previous
sessions.
· Enforcement Policy: Select the Tellabs – 802.1X Wired Enforcement Policy created in the
steps above.
· Default Profile: Select Deny Access Profile so that devices failing authentication will be
denied access.
· Rules Evaluation Algorithm: Select first-applicable.

Create 802.1x Wired Posture Check Service


Creation of Posture Policy

Posture Policies should be created based on local network policies. This particular example uses
OnGuard as the Posture agent and applies to Windows Machines.

Configure the Posture Plugins per your network policy.

This example has two Rules, one for Healthy, one for Quarantine. Roles should be defined per
Network Policy.

Creation of Enforcement Profiles

Create an Enforcement Profile for Endpoints in the Healthy state.

· Message: The message the OnGuard agent displays to the user when the computer is in the
Healthy state.

Create an Enforcement Profile to be used when the client’s computer is not healthy.

· Message: The message the OnGuard agent displays to the user when the computer is in the
UnHealthy or Quarantined state.

Creation of Enforcement Policies

The 802.1x Wired OnGuard Agent Enforcement Policy uses the profiles for Healthy or Not Healthy.
It sends a message to the user indicating the current state of their machine and applies the new
enforcement profile.

· Enforcement Type: Select WebAuth.
· Default Profile: Select Tellabs – Bounce-Host-Port.
· Posture: Create two posture entries, one for Healthy and one for Not Healthy.

Creation of Service

The Service Tellabs 802.1x Wired Posture Check is a Web Based Health Check through posturing
with OnGuard.

· Type: Select Web-based Health Check Only when creating the service.
· More Options: Select Posture Compliance.
· Service Rules:

o Create a Host Rule named CheckType with Operator Matches all and Value equal to
Health.
o Create a Host Rule named InterfaceType with Operator Equals WIRED.
· Posture Policies: Select the Posture Policy Tellabs – 802.1X Wired Windows Posture Checks
created previously.
· Default Posture Token: Select Quarantine.
· Remediate End-Hosts: Select Enable auto-remediation of non-compliant end-hosts.
· Enforcement Policy: Select Tellabs – 802.1X Wired OnGuard Agent Enforcement Policy.

The following screen shows the service transitions that occur when an unknown endpoint enters
ClearPass. It first hits the 802.1x Wired Service, then transitions to the 802.1x Wired Posture
Checks Service, then reauthenticates using the 802.1x Wired Service, where the Healthy
Enforcement Policy is applied and it is given full access to the network.

Server Initiated Web Auth with Self Registration

Creation of Self Registration Page

The following page shows the workflow of authenticating a user via the Self Service Web Portal
using Self Registration. The Tellabs OLT supports Web Redirection, which redirects all of the
user's web session requests to a specified URL. This forces the user to perform a Web Login
prior to gaining access.

· Name: Enter the Name to be used for the Self Registration page, Tellabs-Guest in this
example.
· Register Page: Enter the web page name for the self-registration page. This will be a
part of the page URL.
· User Database: Select ClearPass Policy Manager.
· All other selections take the defaults.
· Enabled: Select Enable guest login to a Network Access Server.
· Vendor Settings: Select Captive Portal with ClearPass Web Auth under Vendor Settings.
· Default URL: The URL the user will be redirected to after completion of the web login.
· Pre-Auth Check: Select None – no extra checks will be made.
· Terms: If desired, select Require a Terms and Conditions Confirmation to force the user to
agree to Terms and Conditions before gaining access to the network.
· Login Delay: Set the Login Delay to 15 seconds.

· CoA Delay: The CoA Delay needs to be set to 5 seconds.

Setting the CoA Delay to 5 seconds and the Login Delay to 15 seconds ensures that there is enough
time for attributes to be added to the endpoint repository before the next MAC Auth request
comes in.

The settings in the Customize Form Field should be set based on network policy. As an example,
the Validator NwalsValidExpireAfter defines the number of hours the Guest Account is valid.

This example generates the following Web Login page:

Configuration of Role Mappings

The Role Mappings will utilize a number of built-in roles such as Contractor, Employee, Guest, and
MAC Caching. One new role will be needed: the Tellabs – Captive Portal Role.

This role mapping is used to evaluate the guest role ID and assign the correct access policy.

The following section will create the two services used to accomplish Web Authorization with Self
Registration:

· Tellabs Guest MAC Auth Service
· Tellabs Guest Web Auth Service

Tellabs Guest MAC Auth Service

This service defines how endpoints that are to be authenticated via Web Authentication are handled.

Creation of Enforcement Profiles

This Enforcement Profile allows the guest to access the network with limited access rights.

The following RADIUS attributes should be created:

· Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
· Termination Action: Set to RADIUS-Request.
· FilterID: PROFILE-MATCH=GUEST. This will match against the Service Profile within the NAC
profile that includes the prefix GUEST.
· FilterID: Profile-ACL=CPPM-GUEST-REDIRECT. This should be a simple Authorized MAC ACL.
· Tellabs-AVPair: This string defines the URL that the user should be re-directed to, and in
this example is
url-rdirect=https://172.28.6.82/guest/Tellabsguest.php?mac=%{Connection:Client-Mac-Address-NoDelim}.
This is the URL that redirects to the self registration portal on ClearPass and passes the
MAC address that is to be authorized, which ties the request to the endpoint. The page name
in this URL needs to match what was entered on the Self Registration Configuration page.
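As an added example (not from this application note or from Tellabs), the following Python renders the RADIUS reply attributes of this guest redirect profile for a given client MAC, substituting the MAC in the same delimiter-free form that %{Connection:Client-Mac-Address-NoDelim} produces, and checks that the redirect URL names the configured Register Page. The portal host, the register page name and the url-redirect keyword spelling are assumptions standing in for your own deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed example values: the portal host is the one shown in this note, the
# register page name and the AVPair keyword spelling are assumptions for your deployment.
PORTAL_HOST = "172.28.6.82"
REGISTER_PAGE = "Tellabsguest.php"   # must equal the Register Page set on the Self Registration page
AVPAIR_KEY = "url-redirect"          # assumption: keyword as the Tellabs OLT expects it


def mac_nodelim(mac: str) -> str:
    """Render a MAC the way %{Connection:Client-Mac-Address-NoDelim} does: 12 hex digits, no separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def guest_redirect_profile(client_mac: str, session_timeout: int = 300) -> dict:
    """Build the reply attributes of the guest MAC-auth Enforcement Profile described above.
    Filter-Id is multi-valued: one PROFILE-MATCH entry and one Profile-ACL entry."""
    url = f"https://{PORTAL_HOST}/guest/{REGISTER_PAGE}?mac={mac_nodelim(client_mac)}"
    return {
        "Session-Timeout": session_timeout,
        "Termination-Action": "RADIUS-Request",
        "Filter-Id": ["PROFILE-MATCH=GUEST", "Profile-ACL=CPPM-GUEST-REDIRECT"],
        "Tellabs-AVPair": f"{AVPAIR_KEY}={url}",
    }


def parse_filter_ids(values) -> dict:
    """Split each Filter-Id value into its key and value, e.g. Profile-ACL=CPPM-GUEST-REDIRECT."""
    out = {}
    for v in values:
        key, _, val = v.partition("=")
        out[key] = val
    return out


def redirect_matches_register_page(avpair: str, register_page: str = REGISTER_PAGE) -> bool:
    """Check that the Tellabs-AVPair redirect points at the configured Register Page and
    carries a mac query parameter, which the portal needs to tie the login to the endpoint."""
    prefix = AVPAIR_KEY + "="
    if not avpair.startswith(prefix):
        return False
    parts = urlsplit(avpair[len(prefix):])
    page = parts.path.rsplit("/", 1)[-1]
    mac = parse_qs(parts.query).get("mac", [""])[0]
    return page == register_page and re.fullmatch(r"[0-9a-f]{12}", mac) is not None


if __name__ == "__main__":
    profile = guest_redirect_profile("00:1A:2B:3C:4D:5E")   # constructed sample MAC
    for attr, value in profile.items():
        print(f"{attr}: {value}")
    print("redirect OK:", redirect_matches_register_page(profile["Tellabs-AVPair"]))
```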

Creation of Enforcement Policies

This Enforcement Policy has a set of states to apply the appropriate action based on the roles
assigned.

· Rule: MATCHES_ALL [MAC Caching]. This is for MAB clients whose MAC is stored in the
database. They are allowed access via the Tellabs Allow Access Profile.
· Rule: MATCHES_ANY [Guest]. If the role is determined to be Guest, the user will be sent to the
Captive Portal.
· Rule: EQUALS [User Authenticated]. If the role is determined to be User Authenticated, the
user will be sent to the Captive Portal.

Creation of Service

· Name: Enter Tellabs – MAC Auth Service.
· Service Rules:
o NAS-Port-Type: Add an attribute for NAS-Port-Type EQUALS Ethernet(15).
o Service-Type: Add an attribute for Service-Type EQUALS Call-Check(10).
o Client-Mac-Address: Add an attribute for Client Mac Address equal to
%{Radius:IETF:User-Name}.

· Name: Enter the name Tellabs – MAC Auth Service.
· More Options: Ensure Authorization is selected.
· Authentication Methods: Select Allow All MAC AUTH.
· Authentication Sources: Select Endpoints Repository.

· Additional Authorization Sources: Add Time Source and Guest User Repository.
· Role Mapping Policy: Select Tellabs Guest Authentication Role Mapping – MAC Bypass that
was created earlier.

· Enforcement Policy: Select Tellabs – Unknown Endpoint, which will populate all the
rules.

Tellabs Guest Web Auth Service

This service defines how endpoints that are to be authenticated via Web Authentication are handled.
It uses Web Authentication either to authenticate users who already exist in the database of
users, or to allow a new Guest user to create an account and be authenticated for a configured
duration.

This is an example Guest authentication.

Existing users would use the Sign In option to authenticate and gain access.

Guest users would be given a Guest Password that expires after the access interval configured
in ClearPass.

Creation of Enforcement Profiles

This is an action to update the status of an Unknown endpoint to a Known endpoint.

This Profile sets ClearPass internal attributes that are used in a later step to properly
evaluate the user.

The Enforcement Profile below is used to terminate the user's session and, in a later step,
re-direct them to the default configured URL.

Creation of Enforcement Policies

For users that are successfully authorized via web authentication, this policy updates the
endpoint to a known endpoint, updates the username, guest role and expiry time in the ClearPass
database, then terminates the session. The endpoint will be immediately re-authenticated via MAB
and given full access to the appropriate VLAN.

Creation of Service

The following service is used to set up the Web based authentication for Tellabs OLTs.

· Type: Web-based Authentication should be selected for this Service.

· Authorization: Select Authorization.
· CheckType: Ensure that CheckType Matches_ANY Authentication. Remove any other
attributes from the default record.
· Authentication Source: Select Guest User Repository as the Authentication Source.

Select Additional Authorization sources from which to fetch role-mapping attributes:

· Endpoints Repository: Add Endpoints Repository to the list.
· Time Source: Add Time Source to the list.

Select the ClearPass Role Mapping Guest Roles and it will populate the conditions at the bottom of
the screen.

Choose the Enforcement Policy Tellabs – WebAuth Enf Policy created above.

The Access Tracker can be used to view this configuration:

Setting Up RADIUS Authentication for CLI Sessions

Since Aruba ClearPass is also a RADIUS server, you can set up ClearPass to perform the RADIUS
authentication of CLI users coming in via the Serial or SSH interfaces. To do this, you must set up
ClearPass to do the back-end authentication via Active Directory. This gives single sign-on that is
authenticated via Active Directory.

As noted above, you must have previously set up Authentication Sources to point to Active
Directory. See the section above on Setting Up Authentication Sources for more information.

An enforcement profile needs to be created to allow authorization against Active Directory:

An Enforcement Policy needs to be created that performs authorization against the Active
Directory Source:

A Service needs to be created that relates the Administrative user to the Enforcement Profile.

On the OLT, you also need to set up the CLI authentication to point to the ClearPass IP address.
The menu is reached via OLT->Right Click->Properties->Security Tab:

Enter the following attributes in the top portion of the dialog (RADIUS Server for Craft User
Authentication):

· Authentication Protocol Type: Select any method supported by ClearPass.
· Shared Key/Confirm Key: Enter the same shared key that was entered in ClearPass to
secure the RADIUS interface.

Then press Apply and you should be able to log in using your Active Directory credentials.

Other Applicable AppNotes

The following application notes should be consulted for further information relevant to RADIUS
implementation on the Tellabs OLAN OLT:

· ENG-010428 Configuring Policy via Radius Authentication
· ENG-010466 Multiple Radius Authentication Domains

Summary

The above configuration outlines the Tellabs-specific configuration. Outside of those elements, the
configuration should follow typical Aruba ClearPass configuration rules.
