
Example: Configuring the Integrated ClearPass Authentication and Enforcement User Query Function

This example covers how to configure the SRX Series device to enable it to query Aruba ClearPass automatically for user authentication and identity information for an individual user when that information is not available.

Note: The user query function is supplementary to the Web API method of obtaining user authentication and identity information, and it is optional.

Requirements

This section defines the software and hardware requirements for the overall topology that includes user query requirements. See Figure 8 for the topology. For details on the user query process, see Figure 7.

The hardware and software components are:

  • Aruba ClearPass (CPPM). The CPPM is configured to use its local authentication source to authenticate users.

    Note: It is assumed that the CPPM is configured to provide the SRX Series device with user authentication and identity information, including the username, a list of the names of any groups that the user belongs to, the IP addresses of the devices used, and the device posture token.

  • SRX Series device running Junos OS that includes the integrated ClearPass feature.

    See SRX Series Supported Platforms for the Integrated ClearPass Authentication and Enforcement Feature.

  • A server farm composed of six servers, all in the servers-zone:
    • marketing-server-protected (1.2.3.4)
    • human-resources-server (1.3.4.5)
    • accounting-server (1.4.5.6)
    • public-server (1.5.6.7)
    • corporate-server (1.6.7.8)
    • sales-server (1.7.8.9)
  • AC 7010 Aruba Cloud Services Controller running ArubaOS.
  • Aruba AP wireless access controller running ArubaOS.

    The Aruba AP is connected to the AC7010.

    Wireless users connect to the CPPM through the Aruba AP.

  • Juniper Networks EX4300 switch used as the wired 802.1 access device.

    Wired users connect to the CPPM using the EX4300 switch.

  • Six end-user systems:
    • Three wired network-connected PCs running Microsoft OS
    • Two BYOD devices that access the network through the Aruba AP access device
    • One wireless laptop running Microsoft OS

Overview

You can configure the user query function to enable the SRX Series device to obtain authenticated user identity information from the CPPM for an individual user when the SRX Series device’s ClearPass authentication table does not contain an entry for that user. The SRX Series device bases the query on the IP address of the user’s device that generated the traffic issuing from the access request.

There are a number of reasons why the SRX Series device might not already have authentication information from the CPPM for a particular user. For example, it can happen that a user has not already been authenticated by the CPPM. This condition could occur if a user joined the network through an access layer that is not on a managed switch or WLAN.

The user query function provides a means for the SRX Series device to obtain user authentication and identity information from the CPPM for a user for whom the CPPM did not post that information to the SRX Series device using the Web API. When the SRX Series device receives an access request from a user for which there is not an entry in its ClearPass authentication table, it will automatically query the CPPM for it if this function is configured.

Figure 7 shows the user query flow process, which encompasses the following steps:

  1. A user attempts to access a resource. The SRX Series device receives the traffic requesting access. The SRX Series device searches for an entry for the user in its ClearPass authentication table, but none is found.
  2. The SRX Series device requests authentication for the user from the CPPM.
  3. The CPPM authenticates the user and returns the user authentication and identity information to the SRX Series device.
  4. The SRX Series device creates an entry for the user in its ClearPass authentication table, and grants the user access to the Internet.

Figure 7: User Query Function Process

For details on the parameters that you can use to control when the SRX Series device issues the query, see Understanding the Integrated ClearPass Authentication and Enforcement User Query Function.

Note: You can also manually query the CPPM for authentication information for an individual user when this feature is configured.

The ClearPass endpoint API requires use of OAuth (RFC 6749) to authenticate and authorize access to it. For the SRX Series device to be able to query the CPPM for individual user authentication and authorization information, it must acquire an access token. For this purpose, the SRX Series device uses the Client Credentials access token grant type, which is one of the two types that ClearPass supports.

As administrator of the ClearPass Policy Manager (CPPM), you must create an API client on the CPPM with the grant_type set to “client_credentials”. You can then configure the SRX Series device to use that information to obtain an access token. Here is an example of the message format for doing this:

curl https://{$Server}/api/oauth --insecure --data "grant_type=client_credentials&client_id=Client2&client_secret=m2Tvcklsi9je0kH9UTwuXQwIutKLC2obaDL54/fC2DzC"

Note that the --insecure option turns off verification of the ClearPass server certificate for this one-off request; the SRX Series device itself verifies the ClearPass webserver using the ca-certificate configured in the procedure below.

A successful request from the SRX Series device to obtain an access token results in a response that is similar to the following example:

{"access_token":"ae79d980adf83ecb8e0eaca6516a50a784e81a4e","expires_in":2880,"token_type":"Bearer","scope":null}

Before the access token expires, the SRX Series device can obtain a new token using the same message.
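As an added illustration of the Client Credentials exchange described above (example code written for this page, not Juniper's or Aruba's), the following Python mirrors what the SRX Series device has to do: build the token request in the form the curl message shows, parse the JSON response, and request a new token shortly before expires_in runs out. The CPPM token endpoint is replaced by a constructed in-memory function; the client ID "Client2", the secret "example-secret", the token values and the 60-second refresh margin are all assumptions.

```python
import json
import time
from urllib.parse import parse_qs, urlencode


def build_token_request(server, token_api, client_id, client_secret):
    """Token request for the Client Credentials grant (RFC 6749 section 4.4).

    Mirrors the curl message on the page: POST to https://<server>/<token-api>
    with a form-encoded body."""
    return {
        "method": "POST",
        "url": "https://%s/%s" % (server, token_api.strip("/")),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        }),
    }


def parse_token_response(raw, now):
    """Parse the JSON token response and turn expires_in into an absolute time."""
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
    }


class TokenCache:
    """Keeps one access token and renews it shortly before it expires."""

    def __init__(self, transport, server, token_api, client_id, client_secret,
                 refresh_margin=60):
        self.transport = transport            # callable(request) -> (status, body)
        self.request_args = (server, token_api, client_id, client_secret)
        self.refresh_margin = refresh_margin  # seconds before expiry to renew (assumption)
        self.token = None
        self.refreshes = 0

    def get_token(self, now=None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.token["expires_at"] - self.refresh_margin:
            status, body = self.transport(build_token_request(*self.request_args))
            if status != 200:
                raise RuntimeError("token request failed: HTTP %d %s" % (status, body))
            self.token = parse_token_response(body, now)
            self.refreshes += 1
        return self.token["access_token"]


def fake_cppm_transport(expected_id, expected_secret):
    """Constructed stand-in for the CPPM /api/oauth endpoint (not ClearPass code).

    Checks the grant type and client credentials and answers in the format
    shown on the page, issuing a fresh token on every successful call."""
    issued = {"n": 0}

    def transport(request):
        form = parse_qs(request["body"])
        if (form.get("grant_type") != ["client_credentials"]
                or form.get("client_id") != [expected_id]
                or form.get("client_secret") != [expected_secret]):
            return 400, json.dumps({"error": "invalid_client"})
        issued["n"] += 1
        return 200, json.dumps({
            "access_token": "tok%d" % issued["n"],  # constructed token value
            "expires_in": 2880,
            "token_type": "Bearer",
            "scope": None,
        })

    return transport


def demo():
    """Three lookups over the token lifetime: cached, cached, renewed."""
    transport = fake_cppm_transport("Client2", "example-secret")
    cache = TokenCache(transport, "10.208.111.177", "api/oauth",
                       "Client2", "example-secret")
    t0 = 1_000_000
    first = cache.get_token(t0)
    second = cache.get_token(t0 + 1000)      # still valid, no new request
    third = cache.get_token(t0 + 2880 - 30)  # inside the refresh margin, renewed
    return first, second, third, cache.refreshes


if __name__ == "__main__":
    print(demo())
```

The renewal happens before the old token expires, which is the behaviour the sentence above describes, and a wrong client ID or secret is rejected by the simulated endpoint with an HTTP 400 rather than silently producing a token.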

Topology

Figure 8 shows the overall topology for this deployment, which encompasses the user query environment.

Figure 8: Topology for the Overall Deployment that Includes User Query


Configuration

To enable and configure the user query function, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set services user-identification authentication-source aruba-clearpass user-query web-server cp-webserver address 10.208.111.177
set services user-identification authentication-source aruba-clearpass user-query ca-certificate RADUISServerCertificate.crt
set services user-identification authentication-source aruba-clearpass user-query client-id client-1
set services user-identification authentication-source aruba-clearpass user-query client-secret 7cTr13#
set services user-identification authentication-source aruba-clearpass user-query token-api "api/oauth"
set services user-identification authentication-source aruba-clearpass user-query query-api "api/vi/insight/endpoint/ip/$IP$"
set services user-identification authentication-source aruba-clearpass user-query delay-query-time 10

Configure the User Query Function (Optional)

Step-by-Step Procedure

Configure the user query function to allow the SRX Series device to connect automatically to the ClearPass client to make requests for authentication information for individual users.

The user query function supplements input from the CPPM sent using the Web API. The Web API daemon does not need to be enabled for the user query function to work. For the user query function, the SRX Series device is the HTTP client. By default it sends HTTPS requests to the CPPM on port 443.

To enable the SRX Series device to make individual user queries automatically:

  1. Configure Aruba ClearPass as the authentication source for user query requests, and configure the ClearPass webserver name and its IP address. The SRX Series device requires this information to contact the ClearPass webserver.

    Note: You must specify aruba-clearpass as the authentication source.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query web-server cp-webserver address 10.208.111.177

    Note: You can configure only one ClearPass webserver.

    Optionally, configure the port number and connection method, or accept the following default values for these parameters. This example assumes the default values.

    • connect-method (default is HTTPS)
    • port (by default, the SRX Series device sends HTTPS requests to the CPPM on port 443)

    However, if you were to explicitly configure the connection method and port, you would use these statements:

    set services user-identification authentication-source aruba-clearpass user-query web-server cp-webserver connect-method <https|http>
    set services user-identification authentication-source aruba-clearpass user-query web-server cp-webserver port port-number
  2. (Optional) Configure the ClearPass CA certificate file for the SRX Series device to use to verify the ClearPass webserver. (The default certificate is assumed if none is configured.)
    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query ca-certificate RADUISServerCertificate.crt

    The ca-certificate enables the SRX Series device to verify the authenticity of the ClearPass webserver and that it is trusted.

    Before you configure the certificate, as administrator of the ClearPass device you must take the following actions:

    • Export the ClearPass webserver’s certificate from CPPM and import the certificate to the SRX Series device.
    • Configure the ca-certificate as the path, including its CA filename, as located on the SRX Series device. In this example, the following path is used:
      /var/tmp/RADUISServerCertificate.crt
  3. Configure the client ID and the secret that the SRX Series device requires to obtain an access token required for user queries.
    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query client-id client-1
    user@host# set authentication-source aruba-clearpass user-query client-secret 7cTr13#

    The client ID and the client secret are required values. They must be consistent with the client configuration on the CPPM.

    Tip: When you configure the client on the CPPM, copy the client ID and secret to use in the SRX Series device configuration.

  4. Configure the token API that is used in generating the URL for acquiring an access token.

    Note: You must specify the token API. It does not have a default value.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query token-api "api/oauth"

    In this example, the token API is api/oauth. It is combined with the following information to generate the complete URL for acquiring an access token, https://10.208.111.177/api/oauth:

    • The connection method is HTTPS.
    • In this example, the IP address of the ClearPass webserver is 10.208.111.177.
  5. Configure the query API to use for querying individual user authentication and identity information.
    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query query-api "api/vi/insight/endpoint/ip/$IP$"

    In this example, the query-api is api/vi/insight/endpoint/ip/$IP$. It is combined with the URL https://10.208.111.177/api/oauth, resulting in https://10.208.111.177/api/oauth/api/vi/insight/endpoint/ip/$IP$.

    The $IP$ variable is replaced with the IP address of the end-user's device for the user whose authentication information the SRX Series device is requesting.

  6. Configure the amount of time in seconds to delay before the SRX Series device sends the individual user query.
    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query delay-query-time 10
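To show how the statements in steps 1 through 6 fit together, here is an added example (written for this page, not Juniper code) that parses the set statements into a configuration, applies the documented defaults for connect-method and port, checks that the values the page calls required are present, and builds the token URL and the per-user query URL by substituting $IP$ the way step 5 describes. The sample configuration is constructed from this example's own statements (with straight quotes); the helper names, the error messages and the assumption that HTTP would default to port 80 are not from the page.

```python
import ipaddress
import shlex

PREFIX = "set services user-identification authentication-source "
REQUIRED = ("client-id", "client-secret", "token-api", "query-api")

# Constructed from this example's statements (straight quotes so shlex can parse them).
SAMPLE_CONFIG = """
set services user-identification authentication-source aruba-clearpass user-query web-server cp-webserver address 10.208.111.177
set services user-identification authentication-source aruba-clearpass user-query ca-certificate RADUISServerCertificate.crt
set services user-identification authentication-source aruba-clearpass user-query client-id client-1
set services user-identification authentication-source aruba-clearpass user-query client-secret 7cTr13#
set services user-identification authentication-source aruba-clearpass user-query token-api "api/oauth"
set services user-identification authentication-source aruba-clearpass user-query query-api "api/vi/insight/endpoint/ip/$IP$"
set services user-identification authentication-source aruba-clearpass user-query delay-query-time 10
"""


def parse_user_query_config(text):
    """Parse 'set ... user-query ...' statements into a dict."""
    cfg = {"web-server": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        tokens = shlex.split(line[len(PREFIX):])
        source, stanza, rest = tokens[0], tokens[1], tokens[2:]
        if source != "aruba-clearpass":
            raise ValueError("authentication source must be aruba-clearpass, got %r" % source)
        if stanza != "user-query" or not rest:
            continue  # other stanzas (for example traceoptions) are outside this example
        if rest[0] == "web-server":
            name, key, value = rest[1], rest[2], rest[3]
            if cfg["web-server"] and name not in cfg["web-server"]:
                raise ValueError("only one ClearPass webserver may be configured")
            cfg["web-server"].setdefault(name, {})[key] = value
        else:
            key, value = rest[0], rest[1]
            cfg[key] = int(value) if key == "delay-query-time" else value
    return cfg


def validate(cfg):
    """Return a list of problems; an empty list means the configuration is complete."""
    problems = []
    servers = list(cfg["web-server"].values())
    if not servers or "address" not in servers[0]:
        problems.append("web-server address missing")
    for key in REQUIRED:
        if key not in cfg:
            problems.append("%s missing" % key)  # token-api in particular has no default
    if "query-api" in cfg and "$IP$" not in cfg["query-api"]:
        problems.append("query-api has no $IP$ placeholder")
    return problems


def token_url(cfg):
    """<connect-method>://<address>[:port]/<token-api>, using the documented defaults."""
    ws = next(iter(cfg["web-server"].values()))
    scheme = ws.get("connect-method", "https")
    default_port = 443 if scheme == "https" else 80  # 80 for http is an assumption
    port = int(ws.get("port", default_port))
    host = ws["address"] if port == default_port else "%s:%d" % (ws["address"], port)
    return "%s://%s/%s" % (scheme, host, cfg["token-api"].strip("/"))


def query_url(cfg, ip):
    """Combine the token URL and query-api as step 5 describes, substituting $IP$.

    The address is validated first so that only a literal IP address is ever
    placed in the URL path."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError for anything else
    return "%s/%s" % (token_url(cfg), cfg["query-api"].strip("/").replace("$IP$", ip))


if __name__ == "__main__":
    cfg = parse_user_query_config(SAMPLE_CONFIG)
    print(validate(cfg), token_url(cfg), query_url(cfg, "1.2.3.6"))
```

Running validate() on a configuration with the token-api statement removed reports "token-api missing", matching the note in step 4 that the token API has no default, and query_url() refuses anything that is not a plain IP address before it is substituted into the path.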

Manually Issuing a Query to the CPPM for Individual User Authentication Information (Optional)

Step-by-Step Procedure

  • Configure the following statement to manually request authentication information for the user whose device’s IP address is 1.2.3.6.
    root@device> request service user-identification authentication-source aruba-clearpass user-query address 1.2.3.6

Verification

Use the following procedures to verify that the user query function is behaving as expected:

Verifying That the ClearPass Webserver Is Online

Purpose

Ensure that the ClearPass webserver is online, which is the first means of verifying that the user query request can complete successfully.

Action

Enter the show service user-identification authentication-source <authentication-source> user-query status command, with aruba-clearpass as the authentication source, to verify that ClearPass is online.

show service user-identification authentication-source aruba-clearpass user-query status
Authentication source: aruba-clearpass
Web server Address: 10.208.111.177
Status: Online
Current connections: 0

Enabling Trace and Checking the Output

Purpose

Display in the trace log any error messages generated by the user query function.

Action

Set the trace log file name and enable trace using the following commands:

set system services webapi debug-log trace-log-1
set services user-identification authentication-source aruba-clearpass traceoptions flag user-query

Determining If the User Query Function Is Executing Normally

Purpose

Determine if there is a problem with user query function behavior.

Action

Check syslog messages to determine if the user query request failed.

If it failed, the following error message is reported:

LOG1: sending user query for IP <ip-address> to ClearPass web server failed. :<reason>

The reason might be “server unconnected” or “socket error”.

Determining If a Problem Exists by Relying on User Query Counters

Purpose

Display the user query counters to home in on the problem, if one exists, by entering the show service user-identification authentication-source <authentication-source> user-query counters command.

Action

show service user-identification authentication-source aruba-clearpass user-query counters
Authentication source: aruba-clearpass

    Web server Address: ip-address
    Access token: token-string
    Request sent number: counter
    Routing received number: counter
    Time of last response: timestamp
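The three verification procedures above (webserver status, syslog failure messages, and the counters display) can be checked in one pass. The following Python is an added example written for this page, not Juniper tooling: it parses constructed syslog lines in the LOG1 format documented above, parses the Key: value status and counters output, and orders the checks the way the page does, testing the webserver status before looking at failure reasons. It also masks the Access token value that the counters display prints, which is worth doing before that output is pasted into a ticket. The sample lines, timestamps and the "srx" hostname are constructed; the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the formats this page documents (not real device output).
SAMPLE_SYSLOG = [
    "Jun  1 10:00:01 srx LOG1: sending user query for IP 1.2.3.6 to ClearPass web server failed. :server unconnected",
    "Jun  1 10:00:11 srx LOG1: sending user query for IP 1.2.3.7 to ClearPass web server failed. :socket error",
    "Jun  1 10:00:21 srx LOG1: sending user query for IP 1.2.3.6 to ClearPass web server failed. :server unconnected",
    "Jun  1 10:00:31 srx some unrelated message",
]

SAMPLE_STATUS = """Authentication source: aruba-clearpass
Web server Address: 10.208.111.177
Status: Online
Current connections: 0
"""

SAMPLE_COUNTERS = """Authentication source: aruba-clearpass
    Web server Address: 10.208.111.177
    Access token: ae79d980adf83ecb8e0eaca6516a50a784e81a4e
"""

FAILURE_RE = re.compile(
    r"sending user query for IP (?P<ip>\S+) to ClearPass web server failed\.?"
    r"\s*:\s*(?P<reason>.+?)\s*$"
)
KEY_VALUE_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


def parse_failures(lines):
    """Return (ip, reason) for every failed-query syslog message."""
    found = []
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("reason")))
    return found


def failures_by_reason(lines):
    """Count failures per reason, e.g. 'server unconnected' or 'socket error'."""
    return Counter(reason for _, reason in parse_failures(lines))


def parse_key_values(text):
    """Parse 'Key: value' output such as the status and counters displays."""
    result = {}
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m:
            result[m.group("key")] = m.group("value")
    return result


def redact_access_token(text):
    """Mask the bearer token before the counters output is shared or logged."""
    return re.sub(r"(Access token:\s*)\S+", r"\1<redacted>", text)


def assess(status_text, syslog_lines):
    """Webserver status first, then syslog, in the order the page verifies them."""
    status = parse_key_values(status_text)
    if status.get("Status") != "Online":
        return "web server offline: check the configured address, port and certificate"
    reasons = failures_by_reason(syslog_lines)
    if not reasons:
        return "ok"
    reason, count = reasons.most_common(1)[0]
    return "%d failed queries; most common reason: %s (%d)" % (
        sum(reasons.values()), reason, count)


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, SAMPLE_SYSLOG))
    print(redact_access_token(SAMPLE_COUNTERS))
```

With the constructed input, assess() reports three failed queries with "server unconnected" as the most common reason; change Status to anything other than Online and the status check short-circuits before the syslog lines are examined.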

Modified: 2016-05-01