Configuring JIMS and ClearPass Simultaneously on NFX Series

 

You can configure JIMS, ClearPass, and Web API simultaneously on NFX devices.

Understanding How ClearPass and JIMS Function Simultaneously

When a user gets authenticated by Aruba ClearPass Policy Manager (CPPM), the CPPM uses a Web API to push the user or device information to an NFX Series device. The device builds up the authentication entry or device information for the user, and the user traffic can pass through the device based on the security policy. When the Windows Active Directory client logs on to the domain, the device obtains the client’s user or device information from JIMS through a batch query. The authentication table is updated with the entry provided by JIMS.

When both the JIMS IP query and ClearPass user query are enabled, the device always queries ClearPass first. If CPPM returns the IP-user mapping information, then the information is subsequently added to the authentication table. If CPPM does not return the IP-user mapping information or if the device receives a response from CPPM without IP-user mapping, then the device queries JIMS to obtain the IP-user or IP-group mapping.

You can set a delay-query-time parameter, specified in seconds, that allows the device to wait for a period of time before sending the query. The delay time should be the same value for ClearPass and JIMS. Otherwise, an error message is displayed and the commit check fails.

Note

When the IP-user or IP-group mapping is received from both JIMS and CPPM, the device considers the latest authentication entries and overwrites the existing authentication entries.

By configuring ClearPass and JIMS simultaneously, the device can query JIMS to obtain user identity information from Active Directory and the exchange servers, and ClearPass can push the user authentication and identity information to the device through Web API.
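
The following Python sketch is an added illustration, not Juniper code or device output: it models the query order, the delay-value commit check, and the latest-entry-wins rule described in this section. The class and function names, the sample addresses and users, and the 15-second delay are assumptions made for the example.

```python
# Simplified model for illustration only; this is not Junos code.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class AuthEntry:
    ip: str
    user: str
    source: str     # "clearpass" or "jims"
    updated: float  # when the entry was written

# A lookup returns a user name, or None when no IP-user mapping comes back.
Lookup = Callable[[str], Optional[str]]

def commit_check(clearpass_delay: int, jims_delay: int) -> None:
    """Model of the commit check: the two delay values must match."""
    if clearpass_delay != jims_delay:
        raise ValueError(f"delay mismatch: ClearPass={clearpass_delay}s JIMS={jims_delay}s")

class AuthTable:
    def __init__(self) -> None:
        self.entries: Dict[str, AuthEntry] = {}

    def upsert(self, ip: str, user: str, source: str, now: float) -> AuthEntry:
        """The latest entry wins, whichever source supplied it."""
        old = self.entries.get(ip)
        if old is None or now >= old.updated:
            self.entries[ip] = AuthEntry(ip, user, source, now)
        return self.entries[ip]

    def query(self, ip: str, clearpass: Lookup, jims: Lookup, now: float) -> Optional[AuthEntry]:
        """Ask ClearPass first; query JIMS only if no mapping comes back."""
        for source, lookup in (("clearpass", clearpass), ("jims", jims)):
            user = lookup(ip)
            if user:  # None or empty response: try the next source
                return self.upsert(ip, user, source, now)
        return None  # neither source has a mapping for this address

# Constructed sample data: documentation addresses and made-up users.
CPPM = {"192.0.2.10": "alice"}
JIMS = {"192.0.2.10": "CORP\\alice", "192.0.2.20": "CORP\\bob"}

def demo() -> Dict[str, str]:
    commit_check(15, 15)
    table = AuthTable()
    table.query("192.0.2.10", CPPM.get, JIMS.get, now=1.0)   # answered by ClearPass
    table.query("192.0.2.20", CPPM.get, JIMS.get, now=2.0)   # falls through to JIMS
    table.upsert("192.0.2.20", "bob", "clearpass", now=3.0)  # later Web API push overwrites
    return {ip: f"{e.user}@{e.source}" for ip, e in table.entries.items()}
```

The `source` field in the model makes it easy to see which identity source last wrote an entry, which is the question to ask when a security policy matches an unexpected user.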

Configuring ClearPass and JIMS on NFX Devices

To configure JIMS and ClearPass:

  1. Configure the IP address of the primary JIMS server.
  2. Configure the client ID that the device provides to the JIMS primary server as part of its authentication.
  3. Configure the client secret that the device provides to the JIMS primary server as part of its authentication.
  4. Configure Aruba ClearPass as the authentication source for user query requests, and configure the ClearPass webserver name and its IP address. The device requires this information to contact the ClearPass webserver.
  5. Configure the client ID and the client secret that the device requires for obtaining an access token required for user queries.
  6. Configure the token API that is used in generating the URL for acquiring an access token.
  7. Configure the query API to use for querying individual user authentication and identity information.
  8. Configure the Web API daemon username and password for the account.
  9. Configure the Web API client address, which is the IP address of the ClearPass webserver’s data port.
  10. Configure the Web API process HTTPS service port.
  11. Configure an authentication entry timeout value for Aruba ClearPass.
  12. Configure an independent timeout value to be assigned to invalid user authentication entries in the device authentication table for Aruba ClearPass.
  13. Configure an independent timeout value to be assigned to invalid user authentication entries in the device authentication table for JIMS.
  14. Set a query-delay-time parameter, specified in seconds, that allows the device to wait for a period of time before sending the query.
  15. Set a query-delay-time parameter, specified in seconds, that allows the device to wait for a period of time before sending the query.

Verifying the Configuration

Purpose

Confirm that the configuration is working properly.

Action

  • Verify that the device identity authentication table for JIMS is updated.

  • Verify that the device identity authentication table for ClearPass is updated.

  • Verify that the ClearPass webserver is online.

  • Verify that the JIMS server is online.