RADIUS - Aruba Clearpass

Introduction

This document provides a validated, step-by-step configuration of a wireless dot1x SSID on the Nile Service Block (NSB) with Aruba ClearPass. The configuration was tested in a lab environment with a Nile NSB (22.1.5) and ClearPass 6.9.4.

Prerequisites

It is assumed that a public/private digital server certificate, trusted by the dot1x clients, along with its CA, has been uploaded to the ClearPass Policy Manager certificate store for RADIUS/EAP usage. It is also assumed that ClearPass has joined an Active Directory domain for the purpose of authentication and authorization against AD.

Configuration

This document covers two components of 802.1X authentication:
A. The Nile portal, i.e. the authenticator (Nile NSB)
B. The authentication server (ClearPass Policy Manager)

A. Nile Portal

It is assumed that the Nile portal 'Service Areas' and 'DHCP' are already configured. The following illustrates the configuration of:
- ClearPass as the RADIUS server
- the Nile segments
- the 802.1X SSID

1. ClearPass as an authentication server
a. Log in to the Nile portal and navigate to the 'Authentication' tab.
b. Click the '+' sign to add a new authentication server.
c. Fill in the form with the name, IP address, port, secret and geo scope, as illustrated below.

2. Segments
a. Navigate to the 'Segments' tab.
b. Add the desired segments, as illustrated below.

3. The 802.1X SSID
a. Navigate to the 'Wireless' tab.
b. Click the '+' sign to add a new SSID, as illustrated below.

Important note: assigning two or more segments to the SSID requires the RADIUS server to return, in the Access-Accept, the Nile VSA 'netseg' carrying the name of the segment the client belongs in.

B. ClearPass Policy Manager

1. Import the Nile dictionary (XML)

Using a text editor, copy the Nile dictionary below (XML format) and paste it into a file. In this example the file is called cppm-nile-dictionary.xml. The file is also available from the support site.

The Nile dictionary XML is imported into ClearPass Policy Manager as follows:
a. Go to Administration > Dictionaries > RADIUS.
b. Click the 'Import' button to open the 'Import from file' window.
c. Select the Nile dictionary XML file, and click the 'Import' button.
Once imported, the Nile dictionary attributes can be displayed by clicking the Nile dictionary.

Here is the content of the XML file; create a file with this content and import it:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Thu Feb 20 11:15:40 CST 2025" version="6.10"/>
      <Dictionaries>
        <Vendor vendorEnabled="false" prefix="Nile" name="RADIUS:Nile" id="58313">
          <RadiusAttributes>
            <Attribute profile="in out" type="String" name="netseg" id="2"/>
            <Attribute profile="in out" type="String" name="nile-avpair" id="3"/>
            <Attribute profile="in out" type="String" name="redirect-url" id="1"/>
          </RadiusAttributes>
        </Vendor>
      </Dictionaries>
    </TipsContents>

2. Add the Nile NSB as a network device

The NSB IP address that communicates with ClearPass is typically of the form aa.bb.cc.6 when the NSB subnet is aa.bb.cc.0/24. In ClearPass Policy Manager:
a. Go to Configuration > Network > Devices.
b. Click 'Add' to open the 'Add Device' popup.
c. Enter the following information, and click 'Add':
   c.1 Name
   c.2 IP address
   c.3 RADIUS secret (the same secret entered on the Nile portal in step A.1.c)

3. Create the 802.1X wireless service

In this document, the 802.1X wireless service leverages the Active Directory server for authentication and authorization of the Nile dot1x wireless clients.

a. Navigate to Configuration > Services and click the 'Add' button to add a new service.
b. Select the type '802.1X Wireless' and type a name for the new dot1x service, for example 'Nile 802.1X Wireless'.
c. Add a third service rule to the existing two rules to leverage the Nile SSID sent as part of the 'Called-Station-Id' attribute; the match string can be either the full SSID name or a subset of it, as illustrated below.
d. Click 'Next' to move to the 'Authentication' tab and select the authentication methods and sources.
e. Click 'Next' to move to the 'Authorization' tab and validate that the correct AD entry is present.
f. Click 'Next' twice to go to the 'Enforcement' tab, and click 'Add new Enforcement Policy'.
g. Fill in the new enforcement policy form:
   - Name: Nile 802.1X Enforcement Policy
   - Default Profile: [Deny Access Profile]
   - Enforcement Type: keep RADIUS
h. Click 'Add new Enforcement Profile' and fill in the form to create a new enforcement profile:
   - Template: RADIUS Based Enforcement
   - Name: Nile 802.1X Employee Profile
   - Action: leave as Accept
i. Click 'Next' and fill in the attributes form as follows:
   - Type: RADIUS:Nile (the example shows the NileSecure dictionary)
   - Name: netseg
   - Value: a string matching the desired Nile portal segment
j. Click 'Next' to display the summary, then press 'Save' to save the first of the two enforcement profiles needed in this document.
k. Repeat steps h to j to create the second enforcement profile (for contractors); an illustration of its summary is shown below.
l. Add two rules to complete the 'Nile 802.1X Enforcement Policy' by pressing the 'Add Rule' button. Fill in the conditions by selecting the following, and press 'Save' when done:
   - Type: Authorization (the AD source)
   - Name: memberOf
   - Operator: CONTAINS
   - Value: 'employee' in this example
   - Profile Names: Nile 802.1X Employee Profile
m. Repeat the previous step to add a second rule for 'contractors'. Once both rules are in place, press 'Next' to display the summary, then press 'Save' to complete the creation of the 'Nile 802.1X Enforcement Policy'.
n. Back on the Services > Enforcement page, press the 'Modify' button and select the enforcement policy completed in the previous step, 'Nile 802.1X Enforcement Policy'.
o. Press 'Next' to review the summary of the new service 'Nile 802.1X Wireless', then press 'Save' to complete the creation of the service.

It is recommended to reorder this service and move it up the list of ClearPass services as needed, so that it is evaluated before any broader service that could also match the Nile requests.

4. Create the 802.1X wired service

The 802.1X wired service configuration is very similar to the wireless dot1x service and also leverages the Active Directory server for authentication and authorization of the Nile dot1x wired clients.

a. Navigate to Configuration > Services and click the 'Add' button to add a new service.
b. Select the type '802.1X Wired' and type a name for the new dot1x service, for example 'Nile 802.1X Wired'.
c. Add a third service rule to the existing two rules to leverage the Nile string sent as part of the 'Called-Station-Id' attribute; the string should contain "wireddot1x", as shown below.
d. Follow the guidance in the previous section to configure the rest of the tabs and create the service.

Note: unlike the 802.1X wireless service, it is imperative that the enforcement policy returns the Nile 'netseg' attribute with a value that reflects the Nile segment from which the dot1x wired user will acquire a DHCP IP address, as illustrated below.

C. Validation Tests

Two test users are created in Active Directory: 'se1' is a domain user that belongs to the 'employee' group, and 'se2' is another domain user belonging to the 'contractor' group.

1. se1 connection test
Connecting a client machine to the Nile 'se hq2 dot1x' SSID with the se1 user credentials results in the client receiving an IP address from the 'hq2 dot1x employees' segment, when ClearPass Policy Manager returns the Nile attribute 'netseg' with that segment name, as illustrated by the ClearPass Access Tracker.

2. se2 connection test
Connecting a client machine to the Nile 'se hq2 dot1x' SSID with the se2 user credentials results in the client receiving an IP address from the 'hq2 dot1x contractors' segment, when ClearPass Policy Manager returns the Nile attribute 'netseg' with that segment name, as illustrated by the ClearPass Access Tracker.
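The Access-Accept that Access Tracker shows in the validation tests can also be checked on the wire, which is useful when a client lands in the wrong segment and it is unclear whether ClearPass sent 'netseg' at all. The following is an added example, not code from this document or from ClearPass or Nile tooling. It builds a constructed Access-Accept carrying the Nile 'netseg' VSA (vendor id 58313 and sub-attribute id 2, taken from the dictionary XML above), verifies the Response Authenticator against the shared secret, and extracts the segment name, refusing a reply whose authenticator does not verify or that lacks 'netseg'. The shared secret, Request Authenticator and segment value are constructed sample values; the helper names are this example's own.

```python
"""Decode a RADIUS Access-Accept from ClearPass, verify its Response
Authenticator with the shared secret, and pull out the Nile 'netseg' VSA.

Added example, not code from the Nile document or from ClearPass/Nile.
The vendor id and sub-attribute ids come from the Nile dictionary XML;
the secret, authenticator and segment name below are constructed samples.
"""
import hashlib
import hmac
import struct

NILE_VENDOR_ID = 58313                      # id="58313" in the Nile dictionary
NILE_ATTR = {1: "redirect-url", 2: "netseg", 3: "nile-avpair"}
ATTR_VENDOR_SPECIFIC = 26                   # RFC 2865 section 5.26
CODE_ACCESS_ACCEPT = 2


def build_nile_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode one Nile sub-attribute as a Vendor-Specific attribute:
    Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), NILE_VENDOR_ID) + inner


def build_access_accept(ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Assemble an Access-Accept the way the server does (used here only to
    construct a sample reply). Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(data: bytes):
    """Yield (type, value) for a TLV run; refuse lengths that would overrun
    the buffer or never advance (a length of 0 or 1 is malformed)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        yield t, data[i + 2:i + length]
        i += length


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a server holding 'secret' for
    the Access-Request whose Request Authenticator is 'request_auth'."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def nile_vsas(packet: bytes) -> dict:
    """Return {name: value} for every Nile sub-attribute in the reply;
    VSAs from other vendors are ignored."""
    found = {}
    for t, v in parse_attributes(packet[20:]):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != NILE_VENDOR_ID:
            continue
        for vt, vv in parse_attributes(v[4:]):      # vendor data may hold several sub-attributes
            found[NILE_ATTR.get(vt, "nile-%d" % vt)] = vv.decode("utf-8", "replace")
    return found


def segment_for_client(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """Authenticate the reply first, then insist on netseg: an Access-Accept
    with no netseg is a policy mistake on a multi-segment SSID, not a success."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if packet[0] != CODE_ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % packet[0])
    vsas = nile_vsas(packet)
    if "netseg" not in vsas:
        raise ValueError("Access-Accept carries no Nile netseg VSA")
    return vsas["netseg"]


# Constructed sample: the reply ClearPass would send for user se1 (values are made up).
SECRET = b"example-shared-secret"            # must equal the secret on the NSB and on the device entry
REQUEST_AUTH = bytes(range(16))              # stands in for the NSB's 16-byte Request Authenticator
SAMPLE_ACCEPT = build_access_accept(
    ident=0x2A,
    request_auth=REQUEST_AUTH,
    attrs=[build_nile_vsa(2, b"hq2 dot1x employees")],   # vendor-type 2 = netseg
    secret=SECRET,
)

if __name__ == "__main__":
    print("segment:", segment_for_client(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```

With a real capture, the Request Authenticator comes from the NSB's Access-Request and the secret is the one entered in steps A.1.c and B.2.c.3; if they differ, the authenticator check fails and the NSB silently discards the reply, which looks like a timeout rather than a reject. The Response Authenticator is all that binds an Access-Accept to the shared secret on the UDP path, so the secret should be long and random. EAP exchanges additionally carry a Message-Authenticator attribute (RFC 3579), which this example does not check.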