
Example 2: Configuring the User Query Function


This configuration example illustrates how to protect against the rare case where an SRX Series device loses a user’s authentication information, or does not receive it from the Aruba ClearPass server. This example shows how to configure the SRX Services Gateway and ClearPass Policy Manager so that the device can query the server for user authentication information when required.


Requirements

This example uses the following hardware and software components:

  • An SRX650 device running Junos OS Release 12.3X48-D30 or later

  • An EX4300 switch running Junos OS Release 15.1R3 or later

  • Aruba ClearPass Policy Manager (CPPM) 6.6 on a CP-VA-500 platform

Overview and Topology

This network configuration example uses the topology shown in Figure 1.

Figure 1: Solution Topology for SRX Series Integration with ClearPass
Note

All the examples in this document use the same topology.

This example uses the same general setup as Example 1: Configuring Endpoint Authentication and Enforcement. User test1 sits at PC Endpoint 1 and wants to access the protected server. User test1 belongs to the QA group. The EX4300 switch has 802.1X authentication enabled on interface ge-0/0/1 and uses CPPM as its RADIUS server. On the SRX650 device, a security policy is defined to allow only users from the QA group to access the protected server.

In this example, user test1 is authenticated by CPPM; however, the SRX650 device has not received the user information from CPPM (you will delete user test1’s authentication table entry on the SRX650 device to simulate this scenario). When traffic from user test1 arrives at the SRX650 device, the first packet is assessed by the device’s security policy; however, when the device checks its local ClearPass authentication table, it does not find an entry for the user.

With the user query function configured, the SRX650 device automatically sends a query to CPPM to obtain the needed information. The SRX650 device receives the information and adds the authentication table entry for user test1. The security policy then functions as expected, and subsequent packets from the user to the protected server are permitted.

Task Overview

This example continues from Example 1: Configuring Endpoint Authentication and Enforcement. The following new tasks are performed:

On the SRX650 device:

  • Enable the user query function

On the EX4300 switch:

  • No additional configuration is required

On CPPM:

  • Use ClearPass Guest to create an OAuth token

  • Create an OAuth2 API client

Configuration


Configuring the SRX650 Device

Step-by-Step Procedure

To configure the SRX650 device:

  1. Perform the SRX650 configuration steps from Example 1: Configuring Endpoint Authentication and Enforcement.
  2. Enable the user query function.

    The user query function allows the SRX650 device to query CPPM for user authentication and identity information when it does not receive this information from CPPM through the Web API daemon (webapi).

    [edit]
    user@host# set services user-identification authentication-source aruba-clearpass user-query client-id Client3
    user@host# set services user-identification authentication-source aruba-clearpass user-query client-secret <password>
    user@host# set services user-identification authentication-source aruba-clearpass user-query token-api api/oauth
    user@host# set services user-identification authentication-source aruba-clearpass user-query query-api "api/v1/insight/endpoint/ip/$IP$"
    user@host# set services user-identification authentication-source aruba-clearpass user-query web-server bankshot-cppm-sim
    user@host# set services user-identification authentication-source aruba-clearpass user-query web-server address 10.10.0.20
    user@host# set services user-identification authentication-source aruba-clearpass user-query web-server port 443
    user@host# set services user-identification authentication-source aruba-clearpass user-query delay-query-time 0
    Note

    The client ID and secret must match the values entered in CPPM on the Create API Client page.

    The ClearPass endpoint API requires use of OAuth (RFC 6749) to authenticate and authorize SRX Series device access.
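The following Python client, added here as an illustration and not part of Juniper's or Aruba's code, walks through the exchange the SRX650 performs when a packet arrives from an unknown source IP: an OAuth2 client-credentials request to token-api, then a GET to query-api with $IP$ replaced by the packet's source address and the token sent as a Bearer credential. The JSON request and response bodies, the fake_cppm responder, and the endpoint address 192.0.2.10 are constructed assumptions so the example runs offline; the web-server, port, client-id and API paths are the values configured above.

```python
import json
from dataclasses import dataclass

@dataclass
class UserQueryConfig:                      # mirrors the SRX user-query statements above
    web_server: str = "10.10.0.20"
    port: int = 443
    client_id: str = "Client3"
    client_secret: str = "<password>"       # placeholder as in the CLI; never hard-code a real secret
    token_api: str = "api/oauth"
    query_api: str = "api/v1/insight/endpoint/ip/$IP$"

class UserQueryClient:
    def __init__(self, cfg, send):
        self.cfg, self.send, self.token = cfg, send, None  # send(method, url, headers, body) -> (status, body)

    def _url(self, path):
        return f"https://{self.cfg.web_server}:{self.cfg.port}/{path}"

    def fetch_token(self):
        # OAuth2 client-credentials grant (RFC 6749, section 4.4) against token-api
        creds = {"grant_type": "client_credentials",
                 "client_id": self.cfg.client_id, "client_secret": self.cfg.client_secret}
        status, resp = self.send("POST", self._url(self.cfg.token_api),
                                 {"Content-Type": "application/json"}, json.dumps(creds))
        if status != 200:
            raise PermissionError(f"token request failed: HTTP {status}")
        self.token = json.loads(resp)["access_token"]
        return self.token

    def query_user(self, ip):
        """Identity behind a source IP, or None when CPPM has no record (policy keeps denying)."""
        if self.token is None:
            self.fetch_token()
        url = self._url(self.cfg.query_api.replace("$IP$", ip))   # $IP$ = first packet's source
        status, resp = self.send("GET", url, {"Authorization": f"Bearer {self.token}"}, None)
        if status == 404:
            return None
        if status != 200:
            raise RuntimeError(f"user query failed: HTTP {status}")
        return json.loads(resp)

# Constructed fake CPPM (not the real ClearPass API); 192.0.2.10 is a constructed endpoint address.
def fake_cppm(method, url, headers, body):
    if method == "POST" and url.endswith("/api/oauth"):
        ok = json.loads(body) == {"grant_type": "client_credentials",
                                  "client_id": "Client3", "client_secret": "<password>"}
        return (200, json.dumps({"access_token": "tok-abc", "token_type": "Bearer"})) if ok else (401, "{}")
    if headers.get("Authorization") != "Bearer tok-abc":
        return 401, "{}"
    if url.endswith("/api/v1/insight/endpoint/ip/192.0.2.10"):
        return 200, json.dumps({"ip": "192.0.2.10", "username": "test1", "role": "QA"})
    return 404, "{}"
```

A mismatch between the client-secret on the SRX650 and the Client Secret in CPPM shows up as the token request failing, not as a failed user lookup, which is the first place to check when queries never populate the authentication table.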

Configuring the EX4300 Switch

Step-by-Step Procedure

This section uses the same EX4300 configuration steps as Example 1: Configuring Endpoint Authentication and Enforcement. If you have not yet performed these steps, do so now.

Configuring Aruba ClearPass Policy Manager

Step-by-Step Procedure

To configure CPPM to allow the SRX650 device to query its Insight database:

  1. Perform the CPPM configuration steps from Example 1: Configuring Endpoint Authentication and Enforcement.
  2. Use ClearPass Guest to create an OAuth token.

    On the CPPM Dashboard page, in the Quick Links section, select ClearPass Guest.

  3. Create an OAuth2 API client.

    Navigate to Administration > API Services > API Clients and create an API client using the information shown below.

    Note

    The values used in the Client ID and the Client Secret fields must match the OAuth2 client configuration on the SRX650 device.

Verification

Confirm that the configuration is working properly.

Verifying User Authentication

Purpose

Verify that user test1 on Endpoint 1 has successfully authenticated with the various network elements.

Action

  1. On the EX4300 switch, verify that user test1 is authenticated through 802.1X.
    user@host> show dot1x interface ge-0/0/1
  2. In CPPM, verify that user test1 is authenticated.
    1. Navigate to Monitoring > Live Monitoring > Access Tracker, find the relevant RADIUS event, and verify that user test1 has a Login Status of ACCEPT.

    2. Click the RADIUS event, and on the Summary tab that appears, verify that user test1 with role QA has a Login Status of ACCEPT and an Online Status of Online. Note also that CPPM has enforced the SRX650 jetstar post trigger profile, which sends (posts) the user information to the SRX650 device.

  3. On the SRX650 device, verify that user test1’s authentication information has been received from CPPM.
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass

Meaning

The user has successfully authenticated with all network elements.

Verifying User Access to the Protected Server

Purpose

Verify that when the SRX650 device does not have a user’s authentication information, it can collaborate with CPPM to permit user test1 on Endpoint 1 to access the protected server.

Action

  1. On the SRX650 device, clear the ClearPass authentication table entry for user test1.
    user@host> clear services user-identification authentication-table authentication-source aruba-clearpass
  2. From Endpoint 1, ping the protected server (10.20.0.2).
    Note

    Because the SRX650 device had no authentication entry for user test1, the first ping matched the default (deny) policy and timed out. In the meantime, that first ping triggered a user query to obtain user test1’s information from CPPM. With the authentication entry again in the SRX650 device’s authentication table, the remaining pings are successful.

  3. On the SRX650 device, verify that user test1’s authentication information has been received from CPPM and added to the ClearPass authentication table.
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass

Meaning

The user can successfully reach the protected server due to the interworking between the SRX650 device and CPPM.