ClearPass Configuration for Third-Party Switches
As part of the configuration, on ClearPass you will create two enforcement profiles, one for quarantine and one for terminate. Then you will use them in the ClearPass enforcement policy. Once ClearPass is configured, you will configure a ClearPass Connector on Policy Enforcer.
On ClearPass you will configure the following:
- API Client
- Custom Attribute
- Enforcement Profiles
- Enforcement Policy
Configure the API Client:
- In ClearPass, navigate to Administration > API Services > API Clients and create a client with the following attributes:

Note: You must log in as ClearPass Guest to see the API Services menu.

- Client ID: sdsnclient
- Enabled: Select the check box for Enable API client
- Operator Profile: Create a profile from Administrator > Operator Logins > Profiles for the API client with minimum access privileges as shown in Figure 1.
Figure 1: ClearPass API Client Operator Profile Minimum Privileges

- Grant Type: Select Client credentials (grant_type = client_credentials)
- Client Secret: Copy and save this. It will not be shown again.
- Access Token Lifetime: Enter a time-frame.

Warning: When the Access Token Lifetime expires, you must generate a new Client Secret and update it in the Policy Enforcer Connector UI page.
Figure 2: ClearPass Edit API Client

- Click Save Changes.
Configure a Custom Attribute:
- In ClearPass, navigate to Administration > Dictionaries > Attributes and create a custom attribute named sdsnEpStatus, adding it to the dictionary with the following settings:
- Entity Type: Endpoint
- Name: sdsnEpStatus (Note that you must use this name - sdsnEpStatus)
- Data Type: List
- Is Mandatory: Yes
- Allowed Values: healthy, blocked, quarantine
- Default Value: healthy
Figure 3: ClearPass Edit Attribute

- Click Save.
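The API client and the sdsnEpStatus attribute configured above are what an automation client (Policy Enforcer, or any script standing in for it) uses to mark an endpoint as quarantined or blocked. The following is an added example, not code from the Juniper or Aruba documentation: it obtains a bearer token with the client_credentials grant, refreshes it when the Access Token Lifetime runs out, and rejects any status value outside the attribute's Allowed Values before sending it. The REST paths /api/oauth and /api/endpoint/mac-address/{mac} are assumed from the ClearPass 6.x REST API and should be checked against your version's API Explorer; the host name, client secret and MAC address are placeholders, and the FakeClearPass class is a constructed stand-in so the script runs offline.

```python
import json
import time
from typing import Callable, Dict, List, Tuple

# Allowed Values of the sdsnEpStatus attribute configured above; the client
# refuses anything else before it reaches ClearPass.
ALLOWED_STATUS = ("healthy", "blocked", "quarantine")

# Transport: (method, url, headers, json_body) -> (http_status, json_body).
# Injected so the example runs offline; use requests/urllib3 against a real server.
Transport = Callable[[str, str, Dict[str, str], Dict], Tuple[int, Dict]]


class ClearPassClient:
    """Minimal client for the sdsnclient API client (client_credentials grant)."""

    def __init__(self, host: str, client_id: str, client_secret: str,
                 transport: Transport, clock=time.time):
        self.base = f"https://{host}/api"   # host is a placeholder
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def token(self) -> str:
        """Obtain a bearer token via POST /api/oauth (assumed ClearPass path),
        reusing it until the Access Token Lifetime is about to expire."""
        if self._token and self.clock() < self._expires_at - 30:  # 30 s safety margin
            return self._token
        code, body = self.transport(
            "POST", f"{self.base}/oauth", {"Content-Type": "application/json"},
            {"grant_type": "client_credentials", "client_id": self.client_id,
             "client_secret": self.client_secret})
        if code != 200:
            raise RuntimeError(f"token request failed: HTTP {code} {body}")
        self._token = body["access_token"]
        self._expires_at = self.clock() + int(body.get("expires_in", 0))
        return self._token

    def set_endpoint_status(self, mac: str, value: str) -> Dict:
        """PATCH the endpoint's sdsnEpStatus attribute (assumed endpoint path)."""
        if value not in ALLOWED_STATUS:
            raise ValueError(f"sdsnEpStatus must be one of {ALLOWED_STATUS}, got {value!r}")
        headers = {"Authorization": f"Bearer {self.token()}",
                   "Content-Type": "application/json"}
        code, body = self.transport("PATCH", f"{self.base}/endpoint/mac-address/{mac}",
                                    headers, {"attributes": {"sdsnEpStatus": value}})
        if code == 401:
            # Typical after the Client Secret was regenerated (see the warning above).
            raise PermissionError("token rejected; update the client secret in Policy Enforcer")
        if code != 200:
            raise RuntimeError(f"endpoint update failed: HTTP {code} {body}")
        return body


class FakeClearPass:
    """Constructed stand-in for the ClearPass API so the example runs offline."""

    def __init__(self, secret: str, lifetime: int = 60):
        self.secret, self.lifetime = secret, lifetime
        self.issued: List[str] = []          # tokens handed out
        self.endpoints: Dict[str, Dict] = {}

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith("/api/oauth"):
            if body.get("grant_type") != "client_credentials" or body.get("client_secret") != self.secret:
                return 400, {"detail": "invalid_client"}
            tok = f"token-{len(self.issued)}"
            self.issued.append(tok)
            return 200, {"access_token": tok, "token_type": "Bearer", "expires_in": self.lifetime}
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[7:] not in self.issued:
            return 401, {"detail": "unauthorized"}
        if method == "PATCH" and "/api/endpoint/mac-address/" in url:
            mac = url.rsplit("/", 1)[1]
            rec = self.endpoints.setdefault(
                mac, {"mac_address": mac, "attributes": {"sdsnEpStatus": "healthy"}})  # Default Value
            rec["attributes"].update(body.get("attributes", {}))
            return 200, json.loads(json.dumps(rec))  # serialize like a real response
        return 404, {"detail": "not found"}


def demo() -> Tuple[str, str, int]:
    """Quarantine an endpoint, let the token lifetime pass, then block it."""
    fake = FakeClearPass(secret="PLACEHOLDER_SECRET", lifetime=60)
    now = [1000.0]  # controllable clock
    cp = ClearPassClient("clearpass.example.invalid", "sdsnclient", "PLACEHOLDER_SECRET",
                         fake, clock=lambda: now[0])
    first = cp.set_endpoint_status("00-11-22-33-44-55", "quarantine")
    now[0] += 120  # Access Token Lifetime elapsed: client must fetch a new token
    second = cp.set_endpoint_status("00-11-22-33-44-55", "blocked")
    return (first["attributes"]["sdsnEpStatus"],
            second["attributes"]["sdsnEpStatus"], len(fake.issued))


if __name__ == "__main__":
    print(demo())  # ('quarantine', 'blocked', 2)
```

The 401 branch is the case the warning above describes: once the Client Secret has been regenerated, every token request with the old secret fails, so the error message points the operator at the Policy Enforcer Connector page rather than retrying silently.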
Configure Enforcement Profiles:
- In ClearPass, navigate to Configuration > Enforcement > Profiles and create two enforcement profiles.
- Profile 1: Create the following profile to quarantine infected endpoints:
- Name: [JNPR SDSN Quarantine]
- Description: Quarantine profile for SDSN
- Type: RADIUS
- Action: Accept
Figure 4: ClearPass Enforcement Profile: Quarantine

Note: The data displayed at the bottom of the screen is for illustration only, not for configuration. The fourth attribute can be set so that accounting packets are sent by the NAS device to the ClearPass RADIUS server.
- Profile 2: Create the following profile to block infected endpoints:
- Name: [JNPR SDSN Terminate Session]
- Description: System-defined profile to disconnect user (Juniper)
- Type: RADIUS_CoA
- Action: Disconnect

Note: If any vendor-specific additional attributes are required for the Terminate CoA, they need to be added here. For example, in the case of Juniper Networks Trapeze Wireless Clients, the [JNPR SDSN Terminate Session] profile requires two additional attributes: NAS-IP-Address and User-Name.
Figure 5: ClearPass Enforcement Profile: Terminate

Configure an Enforcement Policy:
In ClearPass, navigate to Configuration > Enforcement > Policies. Both profiles you created must be added to all the enforcement policies for endpoints addressed by Policy Enforcer.
Figure 6: ClearPass Enforcement Policy

Note: Rules Evaluation should be set to "First applicable."

Note: Make sure the default termination enforcement profile for each of the supported vendors is not superseded by any of its enforcement profile copies. Also make sure that all the attributes required for termination are set in the profile (as in the previous Juniper Networks Trapeze Wireless Clients example).
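With Rules Evaluation set to "First applicable," rule order decides which of the two profiles an endpoint receives. The following added example (not code from the documentation, and not how ClearPass itself is implemented) models that evaluation and includes a check that flags a rule ordering under which a profile can never be selected. The rule conditions mapping each sdsnEpStatus value to a profile, and the catch-all and default profile names, are assumptions for illustration; the enforcement profile names and attribute values are the ones configured above.

```python
from typing import Callable, Dict, List, Tuple

# A rule is (condition over the endpoint's attributes, enforcement profile name).
Rule = Tuple[Callable[[Dict[str, str]], bool], str]

# Ordered like an enforcement policy: most restrictive outcome first.
# Which status selects which profile is an assumption for this example.
RULES: List[Rule] = [
    (lambda ep: ep.get("sdsnEpStatus") == "blocked", "[JNPR SDSN Terminate Session]"),
    (lambda ep: ep.get("sdsnEpStatus") == "quarantine", "[JNPR SDSN Quarantine]"),
    (lambda ep: True, "[Allow Access Profile]"),  # assumed catch-all for healthy endpoints
]

# Allowed Values of the sdsnEpStatus attribute configured above.
STATUS_VALUES = ("healthy", "blocked", "quarantine")


def first_applicable(rules: List[Rule], endpoint: Dict[str, str],
                     default: str = "[Deny Access Profile]") -> str:
    """'First applicable': the first matching rule wins and evaluation stops."""
    for condition, profile in rules:
        if condition(endpoint):
            return profile
    return default  # assumed default profile when no rule matches


def all_applicable(rules: List[Rule], endpoint: Dict[str, str]) -> List[str]:
    """'Evaluate all': every matching rule contributes its profile."""
    return [profile for condition, profile in rules if condition(endpoint)]


def unreachable_profiles(rules: List[Rule]) -> List[str]:
    """Profiles that no sdsnEpStatus value can select under First applicable,
    i.e. rules shadowed by an earlier, broader rule."""
    reachable = {first_applicable(rules, {"sdsnEpStatus": v}) for v in STATUS_VALUES}
    return [profile for _, profile in rules if profile not in reachable]


if __name__ == "__main__":
    quarantined = {"sdsnEpStatus": "quarantine"}
    print(first_applicable(RULES, quarantined))          # [JNPR SDSN Quarantine]
    print(all_applicable(RULES, {"sdsnEpStatus": "blocked"}))  # terminate AND allow
    misordered = [RULES[2], RULES[0], RULES[1]]           # catch-all placed first
    print(unreachable_profiles(misordered))               # both SDSN profiles shadowed
```

The all_applicable result shows why the note asks for "First applicable": with the catch-all rule present, evaluating every rule would apply the Terminate Session profile and the allow profile to the same blocked endpoint. The unreachable_profiles check is the review a practitioner would run after adding the two profiles to an existing policy: if the catch-all sits above them, both SDSN profiles are dead rules.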
Enable Insight:
- In ClearPass, navigate to Administration > Server Manager > Server Configuration for the server in use.
- Enable Insight in the System tab.
Set the Log accounting Interim-update Packets as TRUE:
- In ClearPass, navigate to Administration > Server Manager > Server Configuration for the server in use.
- Select the Service Parameters tab.
- In the Select Service drop-down list, select Radius Server and set Log accounting Interim-update Packets to TRUE.