Configuring Aruba ClearPass for Security Devices


Use the Aruba Clear Pass page to configure Aruba ClearPass as the authentication source for the integrated ClearPass authentication and enforcement feature. The SRX Series device and Aruba ClearPass work together to protect your network resources by enforcing security at the user identity level and controlling user access to the Internet.

The ClearPass Policy Manager (CPPM) can authenticate users across wired, wireless, and VPN infrastructures. The integrated ClearPass feature allows the CPPM and the SRX Series device to collaborate in multiple environments in which they are deployed together.

To configure Aruba ClearPass:

  1. Select Devices > Security Devices.

    The Security Devices page appears.

  2. Select the devices whose configuration you want to modify.
  3. From the More or right-click menu, select Configuration > Modify Configuration.

    The Modify Configuration page appears.

  4. Click ArubaClearPass in the left-navigation menu.

    The Aruba Clear Pass section on the Modify Configuration page is displayed.

  5. Specify the parameters for configuring Aruba ClearPass according to the guidelines provided in Table 1.
  6. After modifying the configuration, you can cancel the changes, save the changes, preview the changes, or save the changes and deploy the configuration on the device. See Modifying the Configuration of Security Devices.

Table 1: Fields on the Aruba Clear Pass Page

Field

Description

Name

Select the name of the Aruba ClearPass from the list.

Authentication Entry Timeout

Set the timeout interval after which the idle entries in the ClearPass authentication table expire.

The timeout interval begins when the user authentication entry is added to the ClearPass authentication table. If a value of 0 is specified, the entries never expire. Range is 10 through 1440 minutes.

Invalid Authentication Entry Timeout

Enter the expiry time in minutes to apply to invalid authentication entries in the SRX Series authentication table for Windows Active Directory or Aruba ClearPass authentication sources. Range is 0 through 1440 minutes.

The invalid authentication entry timeout setting is different from the general authentication entry timeout setting. It allows you to protect invalid user authentication entries in an authentication table from expiring before the user can be validated.

No User Query

Enable this option to turn off the user query function without deleting the user query configuration.

User Query

Enable this option to allow the SRX Series device to query the ClearPass webserver for authentication and identity information for an individual user whose information was not posted to the SRX Series device by ClearPass.

Client ID

Enter the client ID that the SRX Series device requires to obtain an access token for the Integrated ClearPass Authentication and Enforcement user query function. Range is 1 through 64.

If it is configured, the user query function allows the SRX Series device to query the CPPM for authentication and identity information about individual users when it does not receive this information from the CPPM through the SRX Series Web API daemon (webapi).

CA Certificate

Specify the certificate file that the SRX Series device uses to verify the ClearPass server’s certificate for the SSL connection that is used for the user query function. As the ClearPass administrator, you must export the certificate of the server from the CPPM and import it to the SRX Series device. Then configure the ca-certificate path and the certificate filename on the SRX Series device, for example /var/tmp/RADIUSServerCertificate.crt.

Client Secret

Specify the client secret used with the client ID that the SRX Series device requires to obtain an access token for the Integrated ClearPass Authentication and Enforcement user query function. The client secret must be consistent with the client secret configured on the CPPM. Range is 1 through 128.

Delay Query Time

Enter the amount of time for the SRX Series device to delay before sending queries to the Aruba ClearPass Policy Manager (CPPM) for authentication and identity information for individual users. Range: 0 through 60 seconds.

After the delay timeout expires, the SRX Series device sends the query to the CPPM and creates a pending entry for the user in the Routing Engine authentication table. During this period, any arriving traffic matches the default policy, whose action you can configure.

Query API

Enter the query-api to specify the path of the URL that the SRX Series device uses to query the ClearPass Policy Manager (CPPM) webserver for authentication and identity information for an individual user.

Consider the following query-api example: api/v1/insight/endpoint/ip/$IP$.

The SRX Series device generates the complete URL for the user query request by combining the query-api string with the connection method (HTTPS) and the CPPM webserver IP address ({$server}).

https://{$server}/api/v1/insight/endpoint/ip/$IP$

In this example, the SRX Series device replaces the variables with the following values resulting in a specific URL request for the individual user: https://203.0.113.76/api/v1/insight/endpoint/ip/192.0.2.98.

Token API

Enter the token API that is used in generating the URL for acquiring an access token. The token API is combined with the connection method and the IP address of the ClearPass webserver to produce the complete URL used for acquiring an access token.

For example, if the token API is oauth, the connection method is HTTPS, and the IP address of the ClearPass webserver is 192.0.2.199, the complete URL for acquiring an access token would be https://192.0.2.199/api/oauth. This is a required parameter. There is no default value.

Web Server: Address

Enter the IPv4 address of the ClearPass webserver that the SRX Series device communicates with.

The SRX Series device requests user authentication and identity information for an individual user from the ClearPass webserver whose address is configured. If you configure the user query function, the SRX Series device can obtain this information for a specific user when it does not receive it from the ClearPass Policy Manager through Web API POST requests.

Web Server: Server Name

Enter the server name of the ClearPass webserver that the SRX Series device communicates with.

Web Server: Port

Select the TCP port of the SRX Series device to use for incoming HTTP or HTTPS connection requests initiated by the ClearPass Policy Manager (CPPM).

Web Server: Connect Method

Select the application protocol used for the SRX Series device connection to the ClearPass Policy Manager (CPPM) for user query requests. Default is HTTPS.

You identify the connection protocol as part of the configuration that identifies the CPPM server. The user query function allows the SRX Series device to request from the CPPM user authentication and identity information for an individual user.

  • HTTP—Protocol that the CPPM uses to connect to the SRX Series device.

  • HTTPS—Secure version of the protocol that the CPPM uses to connect to the SRX Series device.
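The URL assembly described under Query API and Token API, together with the value ranges listed in Table 1, as an added Python example that is not part of this page and is not Juniper or Aruba code. It models what the SRX Series device does with the Table 1 fields: it expands the query-api template by substituting the webserver address for {$server} and the user's IPv4 address for $IP$, builds the access-token URL, checks each value against the documented range, and prepares a TLS context that trusts only the exported ClearPass CA certificate. The ClearPassConfig field names, the sample client ID and secret, and the validation messages are constructed for this example (they are not Junos configuration keywords); the "/api/" prefix in the token URL is taken from the page's own example, and the IP addresses are the documentation addresses used above.

```python
"""Added example, not Juniper or Aruba code: assemble the ClearPass user-query
URLs from the Table 1 fields and check the documented value ranges before the
configuration is deployed to an SRX Series device."""
import ipaddress
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClearPassConfig:
    """Table 1 fields used by the user query function. The attribute names are
    assumptions of this example, not Junos configuration keywords."""
    server_address: str                              # Web Server: Address (IPv4)
    client_id: str                                   # Client ID, 1 through 64 characters
    client_secret: str                               # Client Secret, 1 through 128 characters
    ca_certificate: Optional[str] = None             # CA Certificate file path on the SRX
    connect_method: str = "https"                    # Connect Method, default HTTPS
    token_api: str = "oauth"                         # Token API (page example)
    query_api: str = "api/v1/insight/endpoint/ip/$IP$"   # Query API (page example)
    authentication_entry_timeout: int = 30           # minutes; 0 = never expire, else 10..1440
    invalid_authentication_entry_timeout: int = 0    # minutes, 0..1440
    delay_query_time: int = 0                        # seconds, 0..60


def validate(cfg: ClearPassConfig) -> List[str]:
    """Return the problems found; an empty list means every value is inside
    the range Table 1 documents for it."""
    problems = []
    try:
        ipaddress.IPv4Address(cfg.server_address)
    except ValueError:
        problems.append("Address: not an IPv4 address: %r" % cfg.server_address)
    if cfg.connect_method not in ("http", "https"):
        problems.append("Connect Method: must be http or https")
    if cfg.connect_method == "http":
        # Plain HTTP carries the client secret and the access token in cleartext.
        problems.append("Connect Method: HTTP exposes the client secret and token on the wire")
    if cfg.connect_method == "https" and not cfg.ca_certificate:
        problems.append("CA Certificate: required to verify the ClearPass server over HTTPS")
    t = cfg.authentication_entry_timeout
    if t != 0 and not 10 <= t <= 1440:
        problems.append("Authentication Entry Timeout: 0 (never expire) or 10 through 1440 minutes")
    if not 0 <= cfg.invalid_authentication_entry_timeout <= 1440:
        problems.append("Invalid Authentication Entry Timeout: 0 through 1440 minutes")
    if not 0 <= cfg.delay_query_time <= 60:
        problems.append("Delay Query Time: 0 through 60 seconds")
    if not 1 <= len(cfg.client_id) <= 64:
        problems.append("Client ID: 1 through 64 characters")
    if not 1 <= len(cfg.client_secret) <= 128:
        problems.append("Client Secret: 1 through 128 characters")
    return problems


def token_url(cfg: ClearPassConfig) -> str:
    """Connection method + webserver address + token API. The page's example
    (token API "oauth" -> https://192.0.2.199/api/oauth) shows "/api/" being
    inserted ahead of the token API string, so that is reproduced here."""
    return "%s://%s/api/%s" % (cfg.connect_method, cfg.server_address, cfg.token_api)


def user_query_url(cfg: ClearPassConfig, user_ip: str) -> str:
    """Expand <method>://{$server}/<query-api> for one user: {$server} becomes
    the ClearPass webserver address and $IP$ becomes the user's IPv4 address."""
    ipaddress.IPv4Address(user_ip)   # refuse anything that is not an IPv4 address
    template = "%s://{$server}/%s" % (cfg.connect_method, cfg.query_api)
    return template.replace("{$server}", cfg.server_address).replace("$IP$", user_ip)


def tls_context(cfg: ClearPassConfig) -> ssl.SSLContext:
    """TLS settings matching the CA Certificate field: trust the exported
    ClearPass server certificate and require the chain to validate."""
    ctx = ssl.create_default_context(cafile=cfg.ca_certificate)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample values; the addresses are the ones used in the page.
    sample = ClearPassConfig(server_address="203.0.113.76",
                             client_id="srx-user-query",
                             client_secret="constructed-secret-value",
                             ca_certificate="/var/tmp/RADIUSServerCertificate.crt")
    print(validate(sample))                       # []
    print(user_query_url(sample, "192.0.2.98"))   # https://203.0.113.76/api/v1/insight/endpoint/ip/192.0.2.98
    print(token_url(sample))                      # https://203.0.113.76/api/oauth
```

Run validate() on the values you intend to push from Security Director before deploying: a zero Authentication Entry Timeout is accepted because the page defines it as "never expire", while an HTTP Connect Method or an HTTPS configuration with no CA certificate is reported, since either leaves the client secret and access token unprotected or the ClearPass server unverified. tls_context() needs the CA file to exist on the host that runs it.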