Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Example: Configuring 802.1X-PEAP and MAC RADIUS Authentication with EX Series Switches and Aruba ClearPass Policy Manager

This configuration example illustrates how to:

  • Configure an EX Series switch, Aruba ClearPass Policy Manager, and a laptop running Windows 7 for 802.1X PEAP authentication

  • Configure an EX Series switch and Aruba ClearPass for MAC RADIUS authentication

  • Configure an EX Series switch and Aruba ClearPass to implement dynamic VLANs and firewall filters

Requirements

This example uses the following hardware and software components for the policy infrastructure:

  • An EX4300 switch running Junos OS Release 14.1X53-D30 or later

  • An Aruba ClearPass Policy Manager platform running 6.3.3.63748 or later

  • Laptops running Microsoft Windows 7 Enterprise

Overview and Topology

In this example, the policy infrastructure components are configured to authenticate the following endpoints:

  • An employee laptop that is configured for 802.1X PEAP authentication.

    In the example configuration, Aruba ClearPass Policy Manager is configured to authenticate 802.1X users using its local user database. If the authenticated employee is listed in the database as belonging to the finance department, Aruba ClearPass returns the VLAN ID 201 to the switch in a RADIUS attribute. The switch then dynamically configures the laptop access port to be in VLAN 201.

  • A guest laptop that is not configured for 802.1X authentication.

    In this case, the switch detects that the endpoint does not have an 802.1X supplicant. Because MAC RADIUS authentication is also enabled on the interface, the switch then attempts MAC RADIUS authentication. If the laptop MAC address is not in the Aruba ClearPass MAC address database—as would be the case for a guest laptop—Aruba ClearPass is configured to return the name of the firewall filter the switch should enforce on the access port. This firewall filter, which is configured on the switch, allows the guest to access to the entire network except subnet 192.168.0.0/16.

Figure 1 shows the topology used in this example.

Figure 1: Topology Used in this ExampleSimplified network diagram with Aruba ClearPass managing access policies, internal network cloud, EX4300 switch connecting guest and employee devices.

Configuration

This section provides step-by-step instructions for:

Configuring the EX4300 Switch

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The general steps to configure an EX4300 switch are:

  • Configure the connection to the Aruba ClearPass Policy Manager.

  • Create the access profile used by the 802.1X protocol. The access profile tells the 802.1X protocol which authentication server to use and the authentication methods and order.

  • Configure the 802.1X protocol.

  • Configure Ethernet switching on the ge-0/0/10 and ge-0/0/22 access ports.

  • Create the firewall policy to be used when a guest laptop connects to a port.

To configure the EX4300 switch:

  1. Provide the RADIUS server connection information.

  2. Configure the access profile.

  3. Configure the 802.1X protocol to use Aruba-Test-Profile and to run on each access interface. In addition, configure the interfaces to use MAC RADIUS authentication and to allow more than one supplicant, each of which must be individually authenticated.

  4. Configure the access ports.

  5. Configure VLAN 201, which is used for employees that are members of the Finance department.

    Note that for dynamic VLAN assignment to work, the VLAN must exist on the switch before authentication is attempted. If the VLAN doesn’t exist, authentication fails.

  6. Configure the firewall filter to be used when a guest laptop connects to a port.

Results

From configuration mode, confirm your configuration by entering the following show commands.

If you are done configuring the device, enter commit from configuration mode.

Configuring Aruba ClearPass Policy Manager

Step-by-Step Procedure

The general steps for configuring Aruba ClearPass are:

  • Add the Juniper Networks RADIUS dictionary file.

  • Add the EX4300 as a network device.

  • Ensure that the server certificate used for 802.1X PEAP authentication has been installed.

  • Add the local user used in this example and assign the user to the Finance group.

  • Create two enforcement profiles:

    • A profile that defines the RADIUS attributes for the dynamic firewall filter.

    • A profile that defines the RADIUS attributes for the dynamic VLAN.

  • Create two enforcement policies:

    • A policy that is invoked when MAC RADIUS authentication is used.

    • A policy that is invoked when 802.1X authentication is used.

  • Define the MAC RADIUS authentication service and the 802.1X authentication service.

  • Ensure that the MAC RADIUS authentication service is evaluated before the 802.1X authentication service.

To configure Aruba ClearPass:

  1. Add the Juniper Networks RADIUS dictionary file.

    Step-by-Step Procedure

    1. Copy the following contents to a file named Juniper.dct on your desktop.

    2. In Aruba ClearPass, navigate to Administration > Dictionaries > RADIUS and click on Import to import the Juniper.dct file.

      Import RADIUS dictionary file interface with juniper.dct selected. Options to enter a secret, import, or cancel.

  2. Add the EX4300 switch as a network device.

    Step-by-Step Procedure

    1. Under Configuration > Network > Devices, click Add.

      Network configuration interface showing Network Devices section with Add green plus icon, Import green download icon, and Export All green upload icon.

    2. On the Device tab, enter the hostname and IP address of the switch and the RADIUS shared secret that you configured on the switch. Set the Vendor Name field to Juniper.

      Configuration interface for adding a device in a network management system with fields for device name, IP address, description, RADIUS and TACACS+ shared secrets, vendor name, and RADIUS CoA checkbox. Includes Add and Cancel buttons, and tabs for SNMP and CLI settings.

  3. Ensure that a server certificate for 802.1X PEAP authentication exists.

    Under Administration > Certificates > Server Certificate, verify that Aruba ClearPass has a valid server certificate installed. If it does not, add a valid server certificate. The Aruba ClearPass documentation and your Certificate Authority can provide more details on how to obtain certificates and import them into ClearPass.

    Web interface showing RADIUS Server Certificate for cp-campus.englab.juniper.net; valid, issued and expires 2015-2016; manage options available.

  4. Add a test user to the local user repository.

    This user will be used to verify 802.1X authentication.

    Step-by-Step Procedure

    1. Under Configuration -> Identity -> Local Users, click Add.

    2. In the Add Local User window, enter the user ID (usertest1), user name (Test User), password, and select Employee as the user role. Under Attributes, select the Department attribute and type Finance under Value.

      User interface for adding a local user with User ID usertest1, name Test User, enabled status, role Employee, department Finance, and buttons for Add and Cancel.

  5. Configure a dynamic filter enforcement profile.

    This profile defines the RADIUS filter ID attribute, assigning to it the name of the firewall filter you configured on the switch. The attribute is sent to the switch when the endpoint’s MAC address is not in the MAC database, enabling the switch to dynamically assign the firewall filter to the access port.

    Step-by-Step Procedure

    1. Under Configuration > Enforcement > Profiles, click Add.

    2. On the Profile tab, set Template to RADIUS Based Enforcement and type the profile name, Juniper_DACL_1, in Name field.

      Configuration interface for creating or editing a RADIUS-based Enforcement Profile. Template: RADIUS Based Enforcement. Name: Juniper_DACL_1. Type: RADIUS. Action: Accept. No device group selected. Buttons: Remove, View Details, Modify.

    3. On the Attributes tab, set Type to Radius:IETF, Name to Filter-Id (11), and type the name of firewall filter, mac_auth_policy_1, in the Value field.

      Configuration interface for creating or editing an Enforcement Profile in a network management system Attributes tab. Type is Radius:IETF. Name is Filter-Id 11. Value is mac_auth_policy_1.

  6. Configure a dynamic VLAN enforcement profile.

    This profile defines the RADIUS attributes for specifying VLAN 201. These RADIUS attributes are sent to the switch when a user who belongs to the Finance department authenticates using 802.1X, enabling the switch to dynamically assign VLAN 201 to the access port.

    Step-by-Step Procedure

    1. Under Configuration > Enforcement > Profiles, click Add.

    2. On the Profile tab, set Template to RADIUS Based Enforcement and type the name of the profile, Juniper_Vlan_201, in the Name field.

      Configuration interface for adding RADIUS based enforcement profile. Name: Juniper_Vlan_201. Action: Accept.

    3. On the Attributes tab, define the RADIUS attributes as shown.

      Configuration interface for adding enforcement profile attributes in network management system: Tunnel-Medium-Type IEEE-802 6, Tunnel-Type VLAN 13, Tunnel-Private-Group-Id 201.

  7. Configure the MAC RADIUS authentication enforcement policy.

    This policy tells Aruba ClearPass to take one of the following actions, depending on whether the endpoint’s MAC address is in the RADIUS database:

    • If the address is in the RADIUS database, send an Access Accept message to the switch.

    • If the address is not in the RADIUS database, send an Acess Accept message to the switch along with the name of the firewall filter defined in the MAC RADIUS authentication profile.

    Step-by-Step Procedure

    1. Under Configuration > Enforcement > Policies, click Add.

    2. On the Enforcement tab, type the name of policy (Juniper-MAC-Auth-Policy) and set Default Profile to Juniper_DACL_1 (the profile you defined in Step 5.)

      Configuration interface for adding enforcement policies in a network management system. Policy Name is Juniper-MAC-Auth-Policy. RADIUS is selected as Enforcement Type. Default Profile is Juniper_DACL_1.

    3. On the Rules tab, click Add Rule and add the two rules shown.

      You must add the rules sequentially by creating the first rule in the Rules Editor and clicking Save before you create the second rule.

      Configuration interface for NAC system enforcement policies with rules evaluation algorithm options: Select first match or Select all matches. Conditions: UnknownClient applies Juniper_DACL_1, KnownClient applies Allow Access Profile. Includes Add Rule, Move Up, Move Down buttons for rule management.

  8. Configure the 802.1X enforcement policy.

    This policy tells Aruba ClearPass to take one of the following actions, depending on whether the user belongs to the Finance department or not:

    • If the user belongs to the Finance department, send an Access Accept message to the switch and the VLAN 201 information defined in the 802.1X enforcement profile.

    • If the user does not belong to Finance department, send an Access Accept message to the switch.

    Step-by-Step Procedure

    1. Under Configuration > Enforcement > Policies, click Add.

    2. On the Enforcement tab, type the name of policy (Juniper_Dot1X_Policy) and set Default Profile to [Allow Access Profile]. (This is a prepackaged profile that comes with Aruba ClearPass.)

      Configuration interface for adding an enforcement policy in a network management system with fields for policy name, description, enforcement type, and default profile. RADIUS is selected as the enforcement type with Juniper_Dot1X_Policy as the policy name and Allow Access Profile as the default profile.

    3. On the Rules tab, click Add Rule and add the rule shown.

      Configuration interface for setting up enforcement policies. Rule: LocalUser:Department equals Finance. Action: Assign to Juniper_Vlan_201 via RADIUS.

  9. Configure the MAC RADIUS authentication service.

    The configuration for this service results in MAC RADIUS authentication being performed when the RADIUS User-Name attribute and the Client-MAC-Address attribute received have the same value.

    Step-by-Step Procedure

    1. Under Configuration > Services, click Add.

    2. On the Services tab, fill out the fields as shown.

      Configuration interface for MAC Authentication service named Juniper_Mac_Auth with monitoring and additional options like Authorization. Service rule matches conditions based on NAS-Port-Type and Client-Mac-Address.

    3. On the Authentication tab, remove [MAC AUTH] from the Authentication Methods list and add [EAP MD5] to the list.

      Configuration interface for setting up network authentication methods and sources, featuring dropdowns for EAP MD5, EAP TLS, and management buttons.

    4. On the Enforcement tab, select Juniper-MAC-Auth-Policy.

      Configuration interface for network management system on Enforcement tab. Dropdown menu shows Juniper-MAC-Auth-Policy selected. Condition set for all weekdays with Allow Access Profile.

  10. Configure the 802.1X authentication service.

    Step-by-Step Procedure

    1. Under Configuration > Services, click Add.

    2. On the Service tab, fill out the fields as shown.

      Configuration interface for adding 802.1X Wired Access Service in a network management system. Service name is Juniper_Dot1X_Service with no monitoring enabled. Service rule matches NAS-Port-Type equals Ethernet 15.

    3. On the Authentication tab, set Authentication Sources to [Local User Repository][Local SQL DB].

      Configuration interface for network authentication with Authentication tab selected. Shows methods EAP PEAP, EAP FAST, EAP TLS, EAP TTLS, EAP MSCHAPv2 and sources dropdown with Local User Repository highlighted.

    4. On the Enforcement tab, set Enforcement Policy to Juniper_Dot1X_Policy.

      Configuration interface on Enforcement tab for network management, showing dropdown for selecting enforcement policies and rules based on day of the week.

  11. Verify that the MAC RADIUS authentication service policy is evaluated before the 802.1X authentication service policy.

    Because Aruba ClearPass is configured to recognize MAC RADIUS authentication requests by the RADIUS User-Name attribute and the Client-MAC-Address attribute having the same value, it is more efficient to have the MAC RADIUS service policy evaluated first.

    In the Services main window, verify that Juniper-MAC-Auth-Policy appears before Juniper-MAC_Dot1X_Policy in the services list, as shown. If it does not, click Reorder and move Juniper-MAC-Auth-Policy above Juniper-MAC_Dot1X_Policy.

    Configuration interface for managing network services with details on order, name, type, template, and status. Service Juniper_Dot1X_Service added.

Configuring the Windows 7 Supplicant on the Laptop

Step-by-Step Procedure

This network configuration example uses the native 802.1X supplicant on the Windows 7 laptop. This supplicant must be configured for 802.1X PEAP authentication.

The general steps for configuring the Windows 7 supplicant are:

  • Ensure that the Wired AutoConfig service is started.

  • Enable 802.1X PEAP authentication for the Local Area Connection.

  • Configure the settings for server certificate validation.

  • Configure the user credential settings.

  1. Ensure that the Wired AutoConfig service is started on the laptop.

    Select Control Panel > Administrative Tools > Services. Started should appear in the Wired AutoConfig Status field.

    Windows Services Manager utility with Wired AutoConfig service selected, showing service details and a list of system services with their statuses and startup types.

  2. Enable 802.1X PEAP authentication for the Local Area Connection.

    Step-by-Step Procedure

    1. Under Control Panel > Network and Sharing Center > Change Adaptor Settings, right-click Local Area Connection and then click Properties.

    2. On the Authentication tab of the Local Area Connection Properties window, configure the properties as shown.

      Local Area Connection Properties window showing Authentication tab with IEEE 802.1X enabled, PEAP selected, and credentials saved.

  3. Configure whether or not the laptop validates the Aruba ClearPass server certificate.

    Click Settings to display the Protected EAP Properties window.

    • If you do not want the laptop to validate the ClearPass server certificate, uncheck Validate server certificate.

    • If you do want the laptop to validate the ClearPass server certificate, check Validate server certificate, type the name of the ClearPass server, and select the trusted root certificate authority for the ClearPass server certificate. The server name must match the CN in the server certificate.

      Protected EAP Properties dialog box in Windows Local Area Connection Properties, showing PEAP configuration settings for secure network authentication.

  4. Configure the user credentials settings.

    This configuration example does not use the Windows Active Directory credentials for user authentication. Instead, it uses the credentials of the local user defined on the Aruba ClearPass server.

    Step-by-Step Procedure

    1. In the Protected EAP Properties window, click Configure to configure Secured password (EAP-MSCHAP v2). Clear the Automatically use my Windows logon name and password check box.

      If your Aurba ClearPass server were configured to use Windows Active Directory to authenticate users, you would leave this option selected.

      Protected EAP Properties window in Windows showing EAP-MSCHAPv2 settings including trusted certificate authorities list, authentication options, and configure button.

    2. Finish configuring the Protected PEAP Properties by clicking OK.

    3. On the Authentication tab of the Local Area Connection Properties, click Additional Settings.

      Local Area Connection Properties window showing the Authentication tab with IEEE 802.1X enabled and PEAP selected.

    4. In Advanced settings, select User Authentication for the authentication mode and click Replace credentials.

      Local Area Connection Properties window showing Advanced settings for 802.1X authentication with options for user authentication, credential replacement, single sign-on, and separate VLANs.

    5. Enter the user ID (usertest1) and password of the local user that you added to local user database on the Aruba ClearPass server.

      Local Area Connection Properties dialog with Networking and Authentication tabs, Advanced settings for 802.1X, and Windows Security prompt for credentials.

Verification

Confirm that the configuration is working properly.

Verifying Authentication on the EX4300 Switch

Purpose

Verify that the test user, usertest1, is being authenticated and placed in the correct VLAN.

Action

  1. Connect the Windows 7 laptop configured as described in Configuring the Windows 7 Supplicant on the Laptop to ge-0/0/22 on the EX4300 switch.

  2. On the switch, type the following command:

  3. For more details, including the dynamic VLAN assignment, type:

Meaning

802.1X authentication is working as configured—usertest1 has been successfully authenticated and placed in VLAN 201.

You can use the show dot1x command to also verify that the guest laptop is being properly authenticated using MAC RADIUS authentication.

Verifying Status of Authentication Requests on Aruba ClearPass Policy Manager

Purpose

Verify that the endpoints are being correctly authenticated and that the correct RADIUS attributes are being exchanged between the switch and Aruba ClearPass.

Action

  1. Go to Monitoring > Live Monitoring > Access Tracker to display the status of the authentication requests.

    The Access Tracker monitors authentication requests as they occur and reports on their status.

    Aruba ClearPass Policy Manager interface showing Access Tracker with authentication requests table, navigation, and filter options.

  2. To verify the RADIUS attributes sent by the switch to Aruba ClearPass for a particular request, click the request and then click the Input tab in the Request Details window.

    Access Tracker interface showing RADIUS request details for usertest1 including username, MAC address, IP address, and NAS details.

  3. To verify the RADIUS attributes that Aruba ClearPass sent back to the switch for this request, click the Output tab.

    Request Details page with Output tab selected, showing RADIUS response for Juniper_Vlan_201. System and audit posture status unknown, attributes include Tunnel-Medium-Type 6, Tunnel-Private-Group-Id 201, and Tunnel-Type 13. Options: Change Status, Export, Show Logs, Close.

Meaning

The Login Status field of the Access Tracker shows that the employee laptop and guest laptop are being successfully authenticated. The request details for the authentication request from usertest1 shows that the switch is sending the correct RADIUS attributes to Aruba ClearPass and that ClearPass is returning to the switch the correct RADIUS attributes specifying VLAN 201.

Related Documentation