
Example: Configuring the NFX Series Integrated ClearPass Feature to Allow the Device to Receive User Authentication Data from ClearPass

 

The NFX Series device and the ClearPass Policy Manager (CPPM) work together to control access to your protected resources and to the Internet. To do this, the NFX Series device must authenticate users and, at the same time, apply the security policies that match their requests. For the integrated ClearPass authentication and enforcement feature, the NFX Series device relies on ClearPass as its authentication source.

The Web API function, which this example covers, exposes to the CPPM an API that enables it to initiate a secure connection with the NFX Series device. The CPPM uses this connection to post user authentication information to the NFX Series device. In their relationship, the NFX Series device acts as an HTTPS server for the CPPM client.

Requirements

This section defines the software and hardware requirements for the topology for this example. See Figure 2 for the topology design.

The hardware and software components are:

  • Aruba ClearPass Policy Manager (CPPM). The CPPM is configured to use its local authentication source to authenticate users.

    Note

    It is assumed that the CPPM is configured to provide the NFX Series device with user authentication and identity information, including the username, a list of the names of any groups that the user belongs to, the IP addresses of the devices used, and the device posture token.

  • NFX Series device running Junos OS that includes the integrated ClearPass feature.

  • A server farm composed of six servers, all in the servers-zone:

    • marketing-server-protected (203.0.113.23 )

    • human-resources-server (203.0.113.25 )

    • accounting-server (203.0.113.72)

    • public-server (192.0.2.96)

    • corporate-server (203.0.113.71)

    • sales-server (203.0.113.81)

  • AC 7010 Aruba Cloud Services Controller running ArubaOS.

  • Aruba AP wireless access point running ArubaOS.

    The Aruba AP is connected to the AC 7010.

    Wireless users connect to the network through the Aruba AP and are authenticated by the CPPM.

  • Juniper Networks EX4300 switch used as the wired 802.1X access device.

    Wired users connect to the network through the EX4300 switch and are authenticated by the CPPM.

  • Six end-user systems:

    • Three wired network-connected PCs running Microsoft OS

    • Two BYOD devices that access the network through the Aruba AP access device

    • One wireless laptop running Microsoft OS

Overview

You can configure identity-aware security policies on the NFX Series device to control a user’s access to resources based on username or group name rather than on the IP address of the device. For this feature, the NFX Series device relies on the CPPM for user authentication. The NFX Series device exposes its Web API (webapi) to ClearPass so that the CPPM can integrate with it, and the CPPM posts user authentication information to the NFX Series device across that connection. You must configure the Web API function to allow the CPPM to initiate and establish a secure connection. No separate Routing Engine process is required on the NFX Series device to establish the connection between the NFX Series device and the CPPM.

Figure 1 illustrates the communication cycle between the NFX Series device and the CPPM, including user authentication.

Figure 1: ClearPass and NFX Series Device Communication and User Authentication Process

As depicted, the following activity takes place:

  1. The CPPM initiates a secure connection with the NFX Series device using Web API.

  2. Three users join the network and are authenticated by the CPPM.

    • A tablet user joins the network across the corporate WAN.

    • A smartphone user joins the network across the corporate WAN.

    • A laptop user joins the network from a laptop wired to a Layer 2 switch that is connected to the corporate LAN.

  3. The CPPM sends the user authentication and identity information for the users who are logged in to the network to the NFX Series device in POST request messages using the Web API.

    When traffic from a user arrives at the NFX Series device, the NFX Series device:

    • Identifies a security policy that the traffic matches.

    • Locates an authentication entry for the user in the ClearPass authentication table.

    • Applies the security policy to the traffic after authenticating the user.

  4. Traffic from the smartphone user who is requesting access to an internal, protected resource arrives at the NFX Series device. Because all of the conditions identified in Step 3 are met and the security policy permits it, the NFX Series device allows the user connection to the protected resource.

  5. Traffic from the wired laptop user who is requesting access to a protected resource arrives at the NFX Series device. Because all of the conditions identified in Step 3 are met and the security policy permits it, the NFX Series device allows the user connection to the resource.

  6. Traffic from the tablet user who is requesting access to the Internet arrives at the NFX Series device. Because all of the conditions identified in Step 3 are met and the security policy permits it, the NFX Series device allows the user connection to the Internet.

The Web API daemon is not enabled by default, for security reasons: it opens a listening port on the device, and every listening service enlarges the attack surface. When you enable it, it listens on the HTTP service port (8080) or the HTTPS service port (8443), whichever you configure, so you must configure one of these ports depending on which version of the HTTP protocol you want to use. We recommend HTTPS; over plain HTTP, the basic-authentication credentials and the posted user data cross the network in the clear. Because an open port can be used for service attacks, the Web API daemon starts only after you explicitly enable it.

The Web API is modeled on RESTful Web services, but it is not a full RESTful implementation. It acts as an HTTP or HTTPS server that accepts and responds to POST requests from the ClearPass client.

Note

The Web API connection is initialized by the CPPM using the HTTP service port (8080) or HTTPS service port (8443). For ClearPass to be able to post messages, you must enable and configure the Web API daemon.

To mitigate abuse and protect against data tampering, the Web API daemon:

  • Requires the ClearPass client to authenticate with HTTP basic authentication (a username and password) for the configured Web API user account on every request, whether the connection is HTTP or HTTPS. Basic authentication only base64-encodes the credentials, so they are protected from eavesdropping only when the connection uses HTTPS.

  • Allows data to be posted to it only from the IP address configured as the client source. That is, it allows HTTP or HTTPS POST requests only from the ClearPass client IP address, which in this example is 192.0.2.199.

  • Requires that posted content conforms to the established XML data format. When it processes the data, the Web API daemon ensures that the correct data format was used.

Note

If you run Web management and the Web API on the same NFX Series device, the two services must use different HTTP or HTTPS service ports.

See Understanding How ClearPass Communicates with the NFX Series Device Using the Web API for further information on how this feature protects against data tampering.
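The following Python model shows the three protections listed above, plus the POST-only rule, as a decision function you can run against constructed requests. It is an added example written for this page, not Juniper's webapi daemon code; the class names, the HTTP status codes chosen for each rejection, the credentials and the XML body are assumptions (the page does not show the ClearPass POST schema). The client address 192.0.2.199 is the one this example uses.

```python
"""Model of the access checks this page attributes to the NFX Series Web API
daemon: HTTP basic credentials for the webapi account, a single allowed client
source address (IPv4 or IPv6), POST only, and well-formed XML in the body.

Illustrative model written for this page, not Juniper's webapi code; names,
status codes, credentials and the sample XML are assumptions."""
import base64
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from xml.etree import ElementTree  # stdlib parser; prefer defusedxml for untrusted XML in production


@dataclass(frozen=True)
class WebApiConfig:
    user: str
    password: str
    client: str  # the single source address allowed to POST, IPv4 or IPv6


@dataclass
class Request:
    method: str
    source_ip: str
    body: bytes
    headers: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Authorization header value a client sends for HTTP basic auth.
    The credentials are only base64-encoded, not encrypted: without TLS anyone
    on the path can read them, which is why the page recommends HTTPS."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_auth_ok(header: Optional[str], cfg: WebApiConfig) -> bool:
    """Decode 'Basic <b64>' and compare user and password in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons so a correct username alone does not short-circuit.
    user_ok = hmac.compare_digest(user.encode("utf-8"), cfg.user.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), cfg.password.encode("utf-8"))
    return user_ok and pw_ok


def same_client(source_ip: str, cfg: WebApiConfig) -> bool:
    """Compare as parsed addresses so different IPv6 spellings still match."""
    try:
        return ipaddress.ip_address(source_ip) == ipaddress.ip_address(cfg.client)
    except ValueError:
        return False


def handle(req: Request, cfg: WebApiConfig) -> int:
    """Return the HTTP status the model daemon answers with."""
    if not same_client(req.source_ip, cfg):  # only the configured ClearPass client
        return 403
    if req.method != "POST":  # only POSTed authentication data is accepted
        return 405
    if not basic_auth_ok(req.headers.get("Authorization"), cfg):
        return 401
    try:
        ElementTree.fromstring(req.body)  # data-format check: must be well-formed XML
    except ElementTree.ParseError:
        return 400
    return 200


# Constructed sample configuration and body. The client address is the one the
# page uses; the credentials and the XML structure are made up for this example.
CFG = WebApiConfig(user="aruba", password="example-password", client="192.0.2.199")
SAMPLE_XML = b'<userauth><user name="alice" ip="198.51.100.10"><group>marketing</group></user></userauth>'


def good_request() -> Request:
    """A request that satisfies every check against CFG."""
    return Request("POST", "192.0.2.199", SAMPLE_XML,
                   {"Authorization": basic_header("aruba", "example-password")})


if __name__ == "__main__":
    print("valid post ->", handle(good_request(), CFG))
    bad = good_request()
    bad.source_ip = "192.0.2.200"
    print("wrong client address ->", handle(bad, CFG))
```

The source-address check runs first because it is the cheapest to evaluate and rejects everything that is not the configured ClearPass client before any credential is examined; the XML check only establishes well-formedness, which is all the page states the daemon verifies.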

The NFX Series UserID daemon processes the user authentication and identity information and synchronizes it to the ClearPass authentication table on the Packet Forwarding Engine. The NFX Series device creates the ClearPass authentication table for information received from the CPPM only; it never contains entries from other authentication sources. The NFX Series device consults the ClearPass authentication table to authenticate users, on wired or wireless devices, who attempt to access protected local network resources or the Internet.

For the CPPM to connect to the NFX Series device and post authentication information, the HTTPS connection must be secured with a server certificate on the NFX Series device. The Web API daemon supports three ways to supply that certificate: the default certificate, a PKI local certificate, or a custom certificate supplied through the certificate and certificate-key configuration statements. These methods are mutually exclusive.

This example uses HTTPS for the connection between the CPPM and the NFX Series device. The integrated ClearPass feature's default certificate uses a 2048-bit key.

Whichever method you use (the default certificate, a PKI-generated certificate, or a custom certificate), for security reasons ensure that the certificate's key is 2048 bits or larger.

The following example shows how to generate a certificate and key using PKI:

Topology

Figure 2 shows the topology used for the integrated ClearPass deployment examples.

Figure 2: Integrated ClearPass Authentication and Enforcement Deployment Topology

Configuration

This section covers how to enable and configure the NFX Series Web API.

Note

You must enable the Web API. It is not enabled by default.

CLI Quick Configuration

To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring the NFX Series Web API Daemon

Step-by-Step Procedure

Configuring the Web API allows the CPPM to initialize a connection to the NFX Series device. No separate connection configuration is required.

It is assumed that the CPPM is configured to provide the NFX Series device with authenticated user identity information, including the username, the names of any groups that the user belongs to, the IP addresses of the devices used, and a posture token.

Note that the CPPM might have configured role mappings that map users or user groups to device types. If the CPPM forwards the role mapping information to the NFX Series device, the device treats the role mappings as groups. The NFX Series device does not distinguish them from other groups.

Step-by-Step Procedure

To configure the Web API daemon:

  1. Configure the Web API daemon (webapi) username and password for the account.

    The CPPM must present these credentials, using HTTP basic authentication, on every request it posts to the NFX Series device.

  2. Configure the Web API client address–that is, the IP address of the ClearPass webserver’s data port.

    The NFX Series device accepts information from this address only.

    Note

    The ClearPass webserver data port whose address is configured here is the same one that is used for the user query function, if you configure that function.

    Note

    The NFX Series device supports both IPv4 and IPv6 addresses to configure the Web API client address.

  3. Configure the Web API daemon HTTPS service port.

    If you enable the Web API service on the default TCP port 8080 or 8443, you must enable host inbound traffic on that port.

    In this example, the secure version of the Web API service is used (webapi-ssl), so you must configure the HTTPS service port, 8443.

  4. Configure the Web API daemon to use the HTTPS default certificate.
  5. Configure the trace level for the Web API daemon.

    The supported trace levels are notice, warn, error, crit, alert, and emerg. The default value is error.

  6. Configure the interface to use for host inbound traffic from the CPPM.
  7. Enable the Web API service over HTTPS host inbound traffic on TCP port 8443.

Results

From configuration mode, confirm your Web API configuration by entering the show system services webapi command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

From configuration mode, confirm the configuration for the interface used for host inbound traffic from the CPPM by entering the show interfaces ge-0/0/3.4 command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

From configuration mode, confirm the security zone configuration that allows host-inbound traffic from the CPPM using the secure Web API service (webapi-ssl) by entering the show security zones security-zone trust command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring the ClearPass Authentication Table Entry Timeout and Priority

Step-by-Step Procedure

This procedure configures the following information:

  • The timeout parameter that determines when to age out idle authentication entries in the ClearPass authentication table.

  • The ClearPass authentication table as the first authentication table in the lookup order for the NFX Series device to search for user authentication entries. If no entry is found in the ClearPass authentication table and there are other authentication tables configured, the NFX Series device will search them, based on the order that you set.

  1. Set the timeout value that is used to expire idle authentication entries in the ClearPass authentication table to 20 minutes.

    The first time that you configure the NFX Series device to integrate with an authentication source, specify a timeout value that determines when idle entries in the ClearPass authentication table expire. If you do not specify a timeout value, the default is used.

    • default = 30 minutes

    • range = 10 through 1440 minutes. A value of 0 means that entries never expire.

  2. Set the authentication table priority order so that the NFX Series device searches the ClearPass authentication table first, and specify the order in which the other authentication tables are searched if no entry for the user is found there.

    Note

    You need to set this value only if the ClearPass authentication table is not the only authentication table on the Packet Forwarding Engine.

    A lower priority value means that the table is searched earlier. The default priority value for the ClearPass authentication table is 110 and the default for the local authentication table is 100, so by default the local table is searched first. To make the NFX Series device check the ClearPass authentication table first when other authentication tables exist on the Packet Forwarding Engine, change the local authentication table priority from 100 to 120. Table 1 shows the resulting search priority.

    Table 1: NFX Series Device Authentication Tables Search Priority Assignment

    NFX Series Authentication Tables            Set Value
    ClearPass authentication table              110
    Local authentication table                  120
    Active Directory authentication table       125

Results

From configuration mode, confirm that the timeout value set for aging out ClearPass authentication table entries is correct. Enter the show services user-identification command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
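The following Python model shows the two behaviours this procedure configures working together: tables searched in ascending priority value (so 110 for ClearPass beats 120 for the local table and 125 for Active Directory), and idle entries aged out after the configured timeout, with the page's default of 30 minutes, its range of 10 to 1440, and 0 meaning never. It is an added example written for this page, not Juniper's UserID daemon code; the class and function names, the entries and addresses, and the choice to restart an entry's idle timer whenever traffic matches it are assumptions.

```python
"""Model of the authentication-table lookup order and idle-entry aging that the
procedure above describes. Each table has a priority value; the device searches
tables in ascending priority value; an entry idle longer than its table's
timeout is aged out (default 30 minutes, range 10..1440, 0 = never expire).

Illustrative model written for this page, not Juniper's UserID daemon code;
names, sample entries and the idle-timer refresh on a hit are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_TIMEOUT_MIN = 30


def validate_timeout(minutes: int) -> int:
    """Enforce the page's rule: 0 (never expire) or 10 through 1440 minutes."""
    if minutes == 0 or 10 <= minutes <= 1440:
        return minutes
    raise ValueError(f"timeout {minutes} is outside [10,1440] minutes (0 = never expire)")


@dataclass
class AuthEntry:
    user: str
    groups: Tuple[str, ...]
    last_seen: float  # minutes on a monotonic clock, for the example


@dataclass
class AuthTable:
    name: str
    priority: int  # lower value is searched first
    timeout_min: int = DEFAULT_TIMEOUT_MIN
    entries: Dict[str, AuthEntry] = field(default_factory=dict)  # device IP -> entry

    def __post_init__(self) -> None:
        self.timeout_min = validate_timeout(self.timeout_min)

    def add(self, ip: str, user: str, groups: Tuple[str, ...], now: float) -> None:
        self.entries[ip] = AuthEntry(user, groups, now)

    def lookup(self, ip: str, now: float) -> Optional[AuthEntry]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if self.timeout_min and now - entry.last_seen > self.timeout_min:
            del self.entries[ip]  # idle longer than the timeout: age it out
            return None
        entry.last_seen = now  # matching traffic restarts the idle timer (assumption)
        return entry


def lookup(tables: List[AuthTable], ip: str, now: float) -> Optional[Tuple[str, AuthEntry]]:
    """Search the tables in ascending priority value and return the first hit."""
    for table in sorted(tables, key=lambda t: t.priority):
        entry = table.lookup(ip, now)
        if entry is not None:
            return table.name, entry
    return None


def build_example_tables() -> List[AuthTable]:
    """Tables with the priorities from Table 1 on this page (ClearPass 110,
    local 120, Active Directory 125) and the 20-minute ClearPass timeout the
    procedure sets. Entries, usernames and addresses are constructed."""
    clearpass = AuthTable("aruba-clearpass", 110, timeout_min=20)
    local = AuthTable("local-authentication-table", 120, timeout_min=0)
    ad = AuthTable("active-directory", 125)
    clearpass.add("198.51.100.10", "alice", ("marketing",), now=0)
    local.add("198.51.100.10", "alice-local", (), now=0)  # same device, other source
    ad.add("198.51.100.20", "bob", ("accounting",), now=0)
    return [clearpass, local, ad]


if __name__ == "__main__":
    tables = build_example_tables()
    print("t=5  ->", lookup(tables, "198.51.100.10", now=5))   # ClearPass answers
    print("t=50 ->", lookup(tables, "198.51.100.10", now=50))  # ClearPass aged out, local answers
```

The second lookup in the usage lines shows the failure mode the priority setting guards against: once the ClearPass entry has aged out, the same device IP silently resolves through the next table in the order, so the identity applied by policy can change without any new authentication event.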