
Example: Configuring Central Web Authentication with EX Series Switches and Aruba ClearPass


This configuration example illustrates how to use EX Series switches and Aruba ClearPass to implement central Web authentication of guest users. Specifically, it illustrates how to use the following EX Series switch features in conjunction with Aruba ClearPass:

  • The built-in firewall filter JNPR_RSVD_FILTER_CWA, which allows a guest endpoint that has not yet been authenticated to access the services required for central Web authentication while blocking access to the rest of the network.

  • The Juniper-CWA-Redirect-URL RADIUS VSA, which allows Aruba ClearPass to pass the redirect URL to the switch as part of the authentication process.

  • RADIUS CoA support, which allows an EX Series switch to dynamically change the firewall filter in effect for a guest endpoint after the endpoint is authenticated.

This topic covers:

Requirements

This example uses the following hardware and software components for the policy infrastructure:

  • An EX4300 switch running Junos OS Release 15.1R3 or later

  • An Aruba ClearPass Policy Manager platform running 6.3.3.63748 or later

Overview and Topology

This network configuration example uses the topology shown in Figure 1. A guest laptop connects to port ge-0/0/22 of an EX4300 switch. The Aruba ClearPass server provides both ClearPass Guest and ClearPass Policy Management services.

Figure 1: Topology Used in This Example (diagram not reproduced)

Both 802.1X and MAC RADIUS authentication are enabled on port ge-0/0/22. Because the guest laptop does not have an 802.1X client, the switch does not receive any EAPoL packets from the laptop and 802.1X authentication fails. The EX4300 switch automatically tries MAC RADIUS authentication next. A MAC RADIUS enforcement policy in Aruba ClearPass is configured to send a RADIUS access-accept message for unknown clients attempting MAC RADIUS authentication, along with the name of the JNPR_RSVD_FILTER_CWA built-in filter and the redirect URL for the Aruba ClearPass Guest login page.

When the guest user opens a browser and attempts to access a webpage, the EX4300 switch redirects the browser to the Aruba ClearPass Guest login page, where the guest enters the guest credentials. A Web authentication enforcement policy in Aruba ClearPass is configured to add the guest endpoint to the endpoint repository and to send a RADIUS CoA message to the switch. This message tells the switch to change the firewall filter associated with the endpoint to guest_access_policy_1, which is configured on the switch. This filter permits the guest to access everything except the internal network.

Configuration

This section provides step-by-step instructions for:

Configuring the EX4300 Switch

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The general steps to configure the EX4300 switch are:

  • Configure the connection to the Aruba ClearPass Policy Manager.

  • Create the access profile used by the 802.1X protocol. The access profile tells the 802.1X protocol which authentication server to use and the authentication methods and order.

  • Enable HTTP and HTTPS services.

  • Configure the 802.1X protocol.

  • Configure the VLAN used by the guest endpoints.

  • Configure Ethernet switching on the access port.

  • Create the firewall policy that blocks access to the internal network.

To configure the EX4300 switch:

  1. Provide the RADIUS server connection information.
  2. Configure the access profile.
  3. Enable HTTP and HTTPS services. These services must be enabled for URL redirection.
  4. Configure the 802.1X protocol to use CP-Test-Profile, and enable the protocol on each access interface. In addition, configure the interfaces to support MAC RADIUS authentication and to allow more than one supplicant, each of which must be individually authenticated.

    By default, the switch will first attempt 802.1X authentication. If it receives no EAP packets from the endpoint, indicating that the endpoint does not have an 802.1X supplicant, or if the 802.1X authentication fails, it then tries MAC RADIUS authentication.

  5. Configure the VLAN used in this example.
  6. Configure the access port.

    The access port is configured to be in VLAN v100, the quarantine VLAN. This VLAN will be used by the endpoint if Aruba ClearPass does not send dynamic VLAN information when it authenticates the endpoint.

  7. Configure a firewall filter, guest_access_policy_1, to be used for the endpoint after the guest credentials have been authenticated by Aruba ClearPass Guest.

    This filter blocks the endpoint from accessing the internal network (192.168.0.0/16), while permitting access to the Internet.

Results

From configuration mode, confirm your configuration by entering the following show commands.

If you are done configuring the device, enter commit from configuration mode.

Configuring Aruba ClearPass Guest

Step-by-Step Procedure

The general steps for configuring Aruba ClearPass Guest are:

  • Set up the guest user account.

  • Configure the guest login page.

To configure Aruba ClearPass Guest:

  1. Log in to ClearPass Guest. For example:
    https://10.105.5.153/guest/

  2. Set up the guest user account.

    1. Click Create New Guest Account.

    2. Provide the details for the guest user account, as shown below. Be sure to note the password, which is automatically generated.

    3. Click Create Account.
  3. Configure the guest access login page.

    1. Select Configuration > Web Logins.

      Note: If you are using a recent version of Aruba ClearPass Guest, you might need to select Configuration > Pages > Web Logins.

    2. In the Web Logins page, click Create a new web login page.
    3. In the Web Login Editor, provide a name for the Web login page you are creating, specify the login page name as it appears in the URL, and set Login Method to Server-Initiated – Change of authorization (RFC 3576) sent to controller.

    4. In the Login Form section of the Web Login page, set Pre-Auth Check to None – no extra checks will be made.

    5. In the Default Destination section, enter a default URL to which the guest gets redirected after successful authentication. In this example, the guest is redirected to the Juniper Networks home page after authentication.

Configuring Aruba ClearPass Policy Manager

Step-by-Step Procedure

The general steps for configuring Aruba ClearPass are:

  • Modify the Juniper Networks RADIUS dictionary file so that it includes new Juniper Networks RADIUS attributes.

  • Add the EX4300 as a network device.

  • Create the following enforcement profiles:

    • A profile that is enforced after MAC RADIUS authentication.

    • A profile that is enforced after central Web authentication.

  • Create two enforcement policies:

    • A policy that is invoked when MAC RADIUS authentication is used.

    • A policy that is invoked when central Web authentication is used.

  • Define the MAC RADIUS authentication service and the Web authentication service.

To configure Aruba ClearPass:

  1. Update the Juniper Networks RADIUS dictionary file.

    A Juniper Networks RADIUS dictionary file comes preinstalled on Aruba ClearPass. Junos OS Release 15.1R3 for EX Series switches adds support for three new Juniper Networks VSAs, which need to be added to the dictionary file.

    1. In Aruba ClearPass, navigate to Administration > Dictionaries > RADIUS.
    2. In the RADIUS Dictionaries window, use the Filter field to search for Juniper under Vendor Name.
    3. Click the Juniper dictionary name, and then click Export to save the RadiusDictionary.xml file to your desktop.

    4. Copy the following three attributes, paste them into RadiusDictionary.xml, and save the file.

      The dictionary file should look like this when you complete the paste:

    5. Import the dictionary file into Aruba ClearPass by clicking in the RADIUS Dictionaries window and browsing to the file.

    6. After you have imported the file, the Juniper dictionary file should look like this:

  2. Add the EX4300 switch as a network device.

    1. Under Configuration > Network > Devices, click Add.
    2. On the Device tab, enter the hostname and IP address of the switch and the RADIUS shared secret that you configured on the switch. Set the Vendor Name field to Juniper.

  3. Create the enforcement profile to be used for MAC RADIUS authentication.

    This profile provides the switch with the name of the built-in firewall filter JNPR_RSVD_FILTER_CWA and the redirect URL for Aruba ClearPass Guest.

    1. Under Configuration > Enforcement > Profiles, click Add.
    2. On the Profile tab, set Template to RADIUS Based Enforcement and type the profile name, Guest_Access_Portal_Enforcement, in the Name field.

    3. On the Attributes tab, configure the following attributes:
      • Juniper-CWA-Redirect-URL—Type the following URL:

        This URL must contain the IP address of the Aruba ClearPass Guest server. It also passes the MAC address of the endpoint to ClearPass Guest (Radius:IETF:Calling-Station-Id).

      • Filter-Id—Type the following filter name:

  4. Configure an enforcement profile to be used for central Web authentication.

    This profile is configured as a RADIUS Change of Authorization (CoA) profile. It tells Aruba ClearPass to send a RADIUS CoA to the switch, informing it to change the firewall filter in effect for the endpoint from JNPR_RSVD_FILTER_CWA to guest_access_policy_1.

    1. Under Configuration > Enforcement > Profiles, click Add.
    2. On the Profile tab, set Template to RADIUS Change of Authorization (CoA) and type the profile name, Guest_Access_CoA_Profile, in the Name field.

    3. On the Attributes tab, set Select RADIUS CoA Template to IETF - Generic-CoA-IETF and enter the attributes as shown. All values must be typed in or copied and pasted from this document. The values do not appear in the selection lists.

  5. Configure the MAC RADIUS authentication enforcement policy.

    The MAC RADIUS policy tells Aruba ClearPass to apply the Guest_Access_Portal_Enforcement profile to all endpoints undergoing MAC RADIUS authentication that are not already known to ClearPass—that is, are not in the endpoint repository.

    1. Under Configuration > Enforcement > Policies, click Add.
    2. On the Enforcement tab, type the name of the policy (Juniper-MAC-Auth-Policy) and set the Default Profile to the predefined profile [Deny Access Profile].

    3. On the Rules tab, click Add Rule and add the rule shown.

      This rule permits the Guest_Access_Portal_Enforcement profile to take effect for endpoints that are not known to Aruba ClearPass.

  6. Configure the Web authentication enforcement policy.

    This policy takes effect after the guest is redirected to the Aruba ClearPass Guest and ClearPass Guest authenticates the guest. It tells Aruba ClearPass to add the endpoint to the endpoint repository and to apply the Guest_Access_CoA_Profile.

    1. Under Configuration > Enforcement > Policies, click Add.
    2. On the Enforcement tab, type the name of the policy (Guest_Auth_Enforcement_Policy) and set Default Profile to [Post Authentication][Update Endpoint Known]. This is a predefined profile that results in the endpoint being added as a known endpoint in the endpoint repository.

    3. On the Rules tab, click Add Rule and add the rule shown.

      This rule tells Aruba ClearPass to apply the Guest_Access_CoA_Profile enforcement profile to any endpoint that ClearPass Guest has assigned to role Guest.

  7. Configure the MAC RADIUS authentication service.

    The configuration for this service results in MAC RADIUS authentication being performed when the RADIUS User-Name attribute and the Client-MAC-Address attribute received have the same value.

    1. Under Configuration > Services, click Add.
    2. On the Services tab, fill out the fields as shown.

    3. On the Authentication tab:
      • Delete [MAC AUTH] from the Authentication Methods list and add [EAP MD5] to the list.

      • Select [Endpoints Repository] [Local SQL DB] in the Authentication Sources list.

    4. On the Enforcement tab, select Juniper-MAC-Auth-Policy.

  8. Configure the Web-based authentication service.

    1. Under Configuration > Services, click Add.
    2. On the Service tab, fill out the fields as shown.

      The service rule is the default service rule when you select Web-based Authentication. It allows Web-based authentication requests from any client.

    3. On the Authentication tab, set Authentication Sources to [Guest User Repository][Local SQL DB].

    4. On the Enforcement tab, set Enforcement Policy to Guest_Auth_Enforcement_Policy.

Verification

Confirm that the configuration is working properly.

Verifying Central Web Authentication

Purpose

Verify that the guest user’s browser is redirected to Aruba ClearPass Guest for authentication and that the guest is successfully authenticated after entering the guest credentials.

Action

  1. Connect a laptop to port ge-0/0/22 on the EX4300 switch.
  2. Open a Web browser on the laptop and attempt to access a webpage.

    The ClearPass Guest login page should appear as shown.

  3. On the EX Series switch, enter the following show command:

    The output shows that the endpoint has been authenticated, that the authentication method currently in effect is central Web authentication (CWA Authentication), and that the JNPR_RSVD_FILTER_CWA firewall filter and the redirect URL are also in effect.

  4. In the ClearPass Guest login page, enter the guest e-mail address and the automatically generated password that you noted when you configured Aruba ClearPass Guest.

  5. After you log in, your browser should be redirected to the Juniper Networks home page, as configured in Aruba ClearPass Guest.
  6. On the EX Series switch, enter the following show command:

    The output shows that the guest_access_policy_1 firewall filter is now in effect. The switch received the RADIUS CoA from Aruba ClearPass after the endpoint was authenticated by central Web authentication, telling it which firewall filter to use.

Verifying Status of Authentication Requests on Aruba ClearPass Policy Manager

Purpose

Verify that the endpoints are being correctly authenticated and that the correct RADIUS attributes are being exchanged between the switch and Aruba ClearPass.

Action

  1. Go to Monitoring > Live Monitoring > Access Tracker to display the status of the authentication requests.

    The Access Tracker monitors authentication requests as they occur and reports on their status.

  2. To get more details on the initial MAC RADIUS authentication request from the endpoint, click the request (line 2 of Access Tracker request table).

  3. To get more details on the Web authentication request from the endpoint, click the request (line 1 of the Access Tracker request table).