Example: Configuring Central Web Authentication with EX Series Switches and Aruba ClearPass

This configuration example illustrates how to use EX Series switches and Aruba ClearPass to implement central Web authentication of guest users. Specifically, it illustrates how to use the following EX Series switch features in conjunction with Aruba ClearPass:

  • The built-in firewall filter JNPR_RSVD_FILTER_CWA, which allows a guest endpoint that has not yet been authenticated to access the services required for central Web authentication while blocking access to the rest of the network.

  • The Juniper-CWA-Redirect-URL RADIUS VSA, which allows Aruba ClearPass to pass the redirect URL to the switch as part of the authentication process.

  • RADIUS CoA support, which allows an EX Series switch to dynamically change the firewall filter in effect for a guest endpoint after the endpoint is authenticated.

This topic covers:

  • Requirements

  • Overview and Topology

  • Configuration

  • Verification

Requirements

This example uses the following hardware and software components for the policy infrastructure:

  • An EX4300 switch running Junos OS Release 15.1R3 or later

  • An Aruba ClearPass Policy Manager platform running 6.3.3.63748 or later

Overview and Topology

This network configuration example uses the topology shown in Figure 1. A guest laptop connects to port ge-0/0/22 of an EX4300 switch. The Aruba ClearPass server provides both ClearPass Guest and ClearPass Policy Management services.

Figure 1: Topology Used in This Example (network diagram: Aruba ClearPass server at 10.105.5.153, the internal network, the EX4300 switch at 10.105.5.91 with access port ge-0/0/22, and the guest laptop connected to that port).

Both 802.1X and MAC RADIUS authentication are enabled on port ge-0/0/22. Because the guest laptop does not have an 802.1X client (supplicant), the switch receives no EAPoL packets from the laptop and 802.1X authentication fails. The EX4300 switch then automatically tries MAC RADIUS authentication. A MAC RADIUS enforcement policy in Aruba ClearPass is configured to send a RADIUS access-accept message for unknown clients attempting MAC RADIUS authentication, along with the name of the JNPR_RSVD_FILTER_CWA built-in filter and the redirect URL for the Aruba ClearPass Guest login page.

When the guest user opens a browser and attempts to access a webpage, the EX4300 switch redirects the browser to the Aruba ClearPass Guest login page, where the guest enters the guest credentials. A Web authentication enforcement policy in Aruba ClearPass is configured to add the guest endpoint to the endpoint repository and to send a RADIUS CoA message to the switch. This message tells the switch to change the firewall filter associated with the endpoint to guest_access_policy_1, which is configured on the switch. This filter permits the guest to access everything except the internal network.

Configuration

This section provides step-by-step instructions for:

  • Configuring the EX4300 Switch

  • Configuring Aruba ClearPass Guest

  • Configuring Aruba ClearPass Policy Manager

Configuring the EX4300 Switch

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The general steps to configure the EX4300 switch are:

  • Configure the connection to the Aruba ClearPass Policy Manager.

  • Create the access profile used by the 802.1X protocol. The access profile tells the 802.1X protocol which authentication server to use and the authentication methods and order.

  • Enable HTTP and HTTPS services.

  • Configure the 802.1X protocol.

  • Configure the VLAN used by the guest endpoints.

  • Configure Ethernet switching on the access port.

  • Create the firewall policy that blocks access to the internal network.

To configure the EX4300 switch:

  1. Provide the RADIUS server connection information.

  2. Configure the access profile.

  3. Enable HTTP and HTTPS services. These services must be enabled for URL redirection.

  4. Configure the 802.1X protocol to use CP-Test-Profile, and enable the protocol on each access interface. In addition, configure the interfaces to support MAC RADIUS authentication and to allow more than one supplicant, each of which must be individually authenticated.

    By default, the switch will first attempt 802.1X authentication. If it receives no EAP packets from the endpoint, indicating that the endpoint does not have an 802.1X supplicant, or if the 802.1X authentication fails, it then tries MAC RADIUS authentication.

  5. Configure the VLAN used in this example.

  6. Configure the access port.

    The access port is configured to be in VLAN v100, the quarantine VLAN. This VLAN will be used by the endpoint if Aruba ClearPass does not send dynamic VLAN information when it authenticates the endpoint.

  7. Configure a firewall filter, guest_access_policy_1, to be used for the endpoint after the guest credentials have been authenticated by Aruba ClearPass Guest.

    This filter blocks the endpoint from accessing the internal network (192.168.0.0/16), while permitting access to the Internet.
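The seven steps above, collected into a single Junos OS set-command configuration. This is an added example written for this page, not the CLI block from the original Juniper document. The IP addresses, interface, access profile name, VLAN name, filter name and the 192.168.0.0/16 prefix come from the example text; the RADIUS shared secret is a placeholder, and the VLAN ID (100), the CoA listening port (3799) and the exact statement names are my assumptions and should be checked against the Junos OS release in use.

```junos
# Step 1: RADIUS server connection to ClearPass Policy Manager (10.105.5.153, Figure 1).
# The secret is a placeholder; it must match the RADIUS shared secret entered in ClearPass.
set access radius-server 10.105.5.153 port 1812
set access radius-server 10.105.5.153 secret "<RADIUS-SHARED-SECRET>"
# Assumed: accept RADIUS CoA (dynamic requests) from ClearPass on UDP 3799,
# which is what lets ClearPass swap JNPR_RSVD_FILTER_CWA for guest_access_policy_1 later.
set access radius-server 10.105.5.153 dynamic-request-port 3799

# Step 2: access profile used by 802.1X; RADIUS is the only authentication method.
set access profile CP-Test-Profile authentication-order radius
set access profile CP-Test-Profile radius authentication-server 10.105.5.153

# Step 3: HTTP and HTTPS services, required for the browser redirect to ClearPass Guest.
set system services web-management http
set system services web-management https system-generated-certificate

# Step 4: 802.1X with MAC RADIUS fallback on the access port; each supplicant is
# authenticated individually ("supplicant multiple").
set protocols dot1x authenticator authentication-profile-name CP-Test-Profile
set protocols dot1x authenticator interface ge-0/0/22.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/22.0 mac-radius

# Step 5: quarantine VLAN (VLAN ID 100 is assumed; the example only names it v100).
set vlans v100 vlan-id 100

# Step 6: access port placed in the quarantine VLAN.
set interfaces ge-0/0/22 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members v100

# Step 7: filter pushed by the CoA after guest login: drop traffic to the
# internal network (192.168.0.0/16) and permit everything else.
set firewall family ethernet-switching filter guest_access_policy_1 term block-internal from ip-destination-address 192.168.0.0/16
set firewall family ethernet-switching filter guest_access_policy_1 term block-internal then discard
set firewall family ethernet-switching filter guest_access_policy_1 term allow-rest then accept
```

Nothing has to be configured for JNPR_RSVD_FILTER_CWA itself: it is built into Junos OS and is selected purely by the Filter-Id that ClearPass returns, so the RADIUS shared secret and CoA port are what protect the choice of filter. The page does not name its show commands; `show dot1x interface ge-0/0/22.0 detail` is the command I would use to see the authentication method, filter and redirect URL fields that the Verification section refers to.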

Results

From configuration mode, confirm your configuration by entering the following show commands.

If you are done configuring the device, enter commit from configuration mode.

Configuring Aruba ClearPass Guest

Step-by-Step Procedure

The general steps for configuring Aruba ClearPass Guest are:

  • Set up the guest user account.

  • Configure the guest login page.

To configure Aruba ClearPass Guest:

  1. Log in to ClearPass Guest. For example:

  2. Set up the guest user account.

    Step-by-Step Procedure
    1. Click Create New Guest Account.

      Aruba Networks ClearPass Guest Manager interface for managing guest Wi-Fi accounts with navigation and account creation options
    2. Provide the details for the guest user account, as shown below. Be sure to note the password, which is automatically generated.

      Create Guest Account form with fields: Guest's Name guest2, Company Name guestcompany, Email guest2@guestcompany.com, Activation Now, Expiration 30 days, Role Guest, Password 25938257. Terms of Use checked. Create Account button present.
    3. Click Create Account.

  3. Configure the guest access login page.

    Step-by-Step Procedure
    1. Select Configuration > Web Logins.

      Note:

      If you are using a recent version of Aruba ClearPass Guest, you might need to select Configuration > Pages > Web Logins.

      Software interface menu for configuration settings with sections: Guest, Onboard + WorkSpace, and Configuration.
    2. In the Web Logins page, click Create a new web login page.

    3. In the Web Login Editor, provide a name for the Web login page you are creating, specify the page name as it appears in the URL, and set Login Method to Server-Initiated – Change of authorization (RFC 3576) sent to controller.

      Configuration interface for creating a new web login page with fields for Name, Page Name, Description, Vendor Settings, Login Method, and Security Hash.
    4. In the Login Form section of the Web Login page, set Pre-Auth Check to None – no extra checks will be made.

      Configuration interface for login form in a network setup with options for authentication, custom forms, and pre-auth checks.
    5. In the Default Destination section, enter a default URL to which the guest gets redirected after successful authentication. In this example, the guest is redirected to the Juniper Networks home page after authentication.

      Configuration interface for setting Default Destination with text field for URL entry and checkbox to force override to http://www.juniper.net.

Configuring Aruba ClearPass Policy Manager

Step-by-Step Procedure

The general steps for configuring Aruba ClearPass are:

  • Modify the Juniper Networks RADIUS dictionary file so that it includes new Juniper Networks RADIUS attributes.

  • Add the EX4300 as a network device.

  • Create the following enforcement profiles:

    • A profile that is enforced after MAC RADIUS authentication.

    • A profile that is enforced after central Web authentication.

  • Create two enforcement policies:

    • A policy that is invoked when MAC RADIUS authentication is used.

    • A policy that is invoked when central Web authentication is used.

  • Define the MAC RADIUS authentication service and the Web authentication service.

To configure Aruba ClearPass:

  1. Update the Juniper Networks RADIUS dictionary file.

    A Juniper Networks RADIUS dictionary file comes preinstalled on Aruba ClearPass. Junos OS Release 15.1R3 for EX Series switches adds support for three new Juniper Networks VSAs, which must be added to the dictionary file.

    Step-by-Step Procedure
    1. In Aruba ClearPass, navigate to Administration > Dictionaries > RADIUS.

    2. In the RADIUS Dictionaries window, use the Filter field to search for Juniper under Vendor Name.

    3. Click the Juniper dictionary name, and then click Export to save the RadiusDictionary.xml file to your desktop.

      Screenshot of Aruba ClearPass Policy Manager showing RADIUS Dictionaries under Administration. Vendor filter set to contains juniper displaying Juniper with Vendor ID 2636. RADIUS Attributes table lists attributes like Juniper-Allow-Commands with ID and Type details. Navigation menu on the left includes options like ClearPass Portal and Users. Buttons at the bottom offer Disable, Export, or Close options.
    4. Copy the following three attributes, paste them into RadiusDictionary.xml, and save the file.

      The dictionary file should look like this when you complete the paste:

      XML snippet defining RADIUS configuration for Juniper: includes vendor details and various RADIUS attributes like Juniper-Allow-Commands and Juniper-VoIP-Vlan.
    5. Import the dictionary file into Aruba ClearPass by clicking Import in the RADIUS Dictionaries window and browsing to the file.

      Import dialog for RADIUS dictionary file with fields for file selection and optional secret input, and Import and Cancel buttons.
    6. After you have imported the file, the Juniper dictionary file should look like this:

      Web interface displaying RADIUS attributes for Juniper vendor 2636 with options to disable, export, or close.
  2. Add the EX4300 switch as a network device.

    Step-by-Step Procedure
    1. Under Configuration > Network > Devices, click Add.

      Network configuration interface with options: Add, Import, and Export All. Cursor points to Add option.
    2. On the Device tab, enter the hostname and IP address of the switch and the RADIUS shared secret that you configured on the switch. Set the Vendor Name field to Juniper.

      Configuration interface for adding a network device with fields for name, IP address, RADIUS and TACACS+ secrets, vendor name, and options for RADIUS CoA. Includes Add and Cancel buttons.
  3. Create the enforcement profile to be used for MAC RADIUS authentication.

    This profile provides the switch with the name of the built-in firewall filter JNPR_RSVD_FILTER_CWA and the redirect URL for Aruba ClearPass Guest.

    Step-by-Step Procedure
    1. Under Configuration > Enforcement > Profiles, click Add.

    2. On the Profile tab, set Template to RADIUS Based Enforcement and type the profile name, Guest_Access_Portal_Enforcement, in the Name field.

      Configuration interface for RADIUS-based Enforcement Profile: Template is RADIUS Based Enforcement; Name is Guest_Access_Portal_Enforcement; Action is Accept.
    3. On the Attributes tab, configure the following attributes:

      • Juniper-CWA-Redirect-URL—Type the following URL:

        This URL must contain the IP address of the Aruba ClearPass Guest server. It also passes the MAC address of the endpoint to ClearPass Guest (Radius:IETF:Calling-Station-Id).

      • Filter-Id—Type the name of the built-in filter, JNPR_RSVD_FILTER_CWA:

      Configuration interface for adding an Enforcement Profile in a network management system under Attributes tab, defining RADIUS attributes.
  4. Configure an enforcement profile to be used for central Web authentication.

    This profile is configured as a RADIUS Change of Authorization (CoA) profile. It tells Aruba ClearPass to send a RADIUS CoA to the switch, informing it to change the firewall filter in effect for the endpoint from JNPR_RSVD_FILTER_CWA to guest_access_policy_1.

    Step-by-Step Procedure
    1. Under Configuration > Enforcement > Profiles, click Add.

    2. On the Profile tab, set Template to RADIUS Change of Authorization (CoA) and type the profile name, Guest_Access_CoA_Profile, in the Name field.

      Configuration interface for editing RADIUS Change of Authorization profile named Guest_Access_CoA_Profile. Action set to Accept.
    3. On the Attributes tab, set Select RADIUS CoA Template to IETF - Generic-CoA-IETF and enter the attributes as shown. All values must be typed in or copied and pasted from this document. The values do not appear in the selection lists.

      Configuration interface for adding an enforcement profile in a network management system. Attributes tab shows RADIUS CoA template set to IETF - Generic-CoA-IETF and a table with RADIUS attributes: Calling-Station-Id, User-Name, and Filter-Id.
  5. Configure the MAC RADIUS authentication enforcement policy.

    The MAC RADIUS policy tells Aruba ClearPass to apply the Guest_Access_Portal_Enforcement profile to all endpoints undergoing MAC RADIUS authentication that are not already known to ClearPass—that is, are not in the endpoint repository.

    Step-by-Step Procedure
    1. Under Configuration > Enforcement > Policies, click Add.

    2. On the Enforcement tab, type the name of the policy (Juniper-MAC-Auth-Policy) and set the Default Profile to the predefined profile [Deny Access Profile].

      Configuration interface for editing network enforcement policies, fields include Name set to Juniper-MAC-Auth-Policy, empty Description, Enforcement Type with options like RADIUS, and Default Profile set to Deny Access Profile.
    3. On the Rules tab, click Add Rule and add the rule shown.

      This rule permits the Guest_Access_Portal_Enforcement profile to take effect for endpoints that are not known to Aruba ClearPass.

      Rules Editor interface showing conditions and enforcement profiles for network access control. Conditions match ALL: Authentication type MacAuth equals UnknownClient. Selected enforcement profile is RADIUS Guest_Access_Portal_Enforcement.
  6. Configure the Web authentication enforcement policy.

    This policy takes effect after the guest is redirected to the Aruba ClearPass Guest and ClearPass Guest authenticates the guest. It tells Aruba ClearPass to add the endpoint to the endpoint repository and to apply the Guest_Access_CoA_Profile.

    Step-by-Step Procedure
    1. Under Configuration > Enforcement > Policies, click Add.

    2. On the Enforcement tab, type the name of the policy (Guest_Auth_Enforcement_Policy) and set Default Profile to [Post Authentication][Update Endpoint Known]. This is a predefined profile that results in the endpoint being added as a known endpoint in the endpoint repository.

      Configuration interface for network access control policies with fields for policy name, description, enforcement type, and default profile. Highlighted option: Post Authentication Update Endpoint Known.
    3. On the Rules tab, click Add Rule and add the rule shown.

      This rule tells Aruba ClearPass to apply the Guest_Access_CoA_Profile enforcement profile to any endpoint that ClearPass Guest has assigned to role Guest.

      Rules Editor interface for defining network access conditions and enforcement profiles. Conditions require Role equals Guest. Enforcement profile selected is RADIUS_CoA Guest_Access_CoA_Profile.
  7. Configure the MAC RADIUS authentication service.

    The configuration for this service results in MAC RADIUS authentication being performed when the RADIUS User-Name attribute and the Client-MAC-Address attribute received have the same value.

    Step-by-Step Procedure
    1. Under Configuration > Services, click Add.

    2. On the Services tab, fill out the fields as shown.

      JUNOS MAC AUTH configuration screen with MAC Authentication enabled, showing conditions for NAS-Port-Type Ethernet 15, Service-Type Call-Check 10, and Client-Mac-Address equals Radius IETF User-Name. Tabs include Summary, Service, Authentication, Roles, and Enforcement.

    3. On the Authentication tab:

      • Delete [MAC AUTH] from the Authentication Methods list and add [EAP MD5] to the list.

      • Select [Endpoints Repository] [Local SQL DB] in the Authentication Sources list.

      Configuration interface focused on Authentication tab to set authentication methods and sources. EAP MD5 method and Endpoints Repository Local SQL DB source selected.

    4. On the Enforcement tab, select Juniper-MAC-Auth-Policy.

      Configuration interface for network management with tabs for Service, Authentication, Roles, Enforcement, and Summary. Enforcement policy dropdown with Juniper-MAC-Auth-Policy selected. Conditions allow access every day with Allow Access Profile.

  8. Configure the Web-based authentication service.

    Step-by-Step Procedure

    1. Under Configuration > Services, click Add.

    2. On the Service tab, fill out the fields as shown.

      The service rule is the default service rule when you select Web-based Authentication. It allows Web-based authentication requests from any client.

      Configuration interface for Guest_WebAuth_Service, a Web-based Authentication service. Fields: Type Web-based Authentication, Name Guest_WebAuth_Service. Service Rule matches ALL conditions: Type Host, Name CheckType, Operator MATCHES_ANY, Value Authentication. Monitor Mode unchecked, More Options unchecked.

    3. On the Authentication tab, set Authentication Sources to [Guest User Repository][Local SQL DB].

      Configuration interface with tabs: Service, Authentication, Roles, Enforcement, Summary. Authentication tab displayed. Authentication Sources lists Guest User Repository and Local SQL DB. Buttons: Move Up, Move Down, Remove, View Details, Modify.

    4. On the Enforcement tab, set Enforcement Policy to Guest_Auth_Enforcement_Policy.

      Enforcement tab in network access control system showing Guest_Auth_Enforcement_Policy with first-applicable rules and Guest_Access_Profile for guest role.

Verification

Confirm that the configuration is working properly.

Verifying Central Web Authentication

Purpose

Verify that the guest user’s browser is redirected to Aruba ClearPass Guest for authentication and that the guest is successfully authenticated after entering the guest credentials.

Action

  1. Connect a laptop to port ge-0/0/22 on the EX4300 switch.

  2. Open a Web browser on the laptop and attempt to access a webpage.

    The ClearPass Guest login page should appear as shown.

    ClearPass Guest login page for Aruba Networks with fields for username and password; contact staff for login issues.
  3. On the EX Series switch, enter the following show command:

    The output shows that the endpoint has been authenticated, that the authentication method currently in effect is central Web authentication (CWA Authentication), and that the JNPR_RSVD_FILTER_CWA firewall filter and the redirect URL are also in effect.

  4. In the ClearPass Guest login page, enter the guest e-mail address and the automatically generated password that you noted when you configured Aruba ClearPass Guest.

    Login page for Aruba Networks ClearPass Guest system with filled username guest2 at guestcompany dot com, password field obscured. Contact staff if login issues.
  5. After you log in, your browser should be redirected to the Juniper Networks home page, as configured in Aruba ClearPass Guest.

  6. On the EX Series switch, enter the following show command:

    The output shows that the guest_access_policy_1 firewall filter is now in effect. The switch received the RADIUS CoA from Aruba ClearPass after the endpoint was authenticated by central Web authentication, telling it which firewall filter to use.

Verifying Status of Authentication Requests on Aruba ClearPass Policy Manager

Purpose

Verify that the endpoints are being correctly authenticated and that the correct RADIUS attributes are being exchanged between the switch and Aruba ClearPass.

Action

  1. Go to Monitoring > Live Monitoring > Access Tracker to display the status of the authentication requests.

    The Access Tracker monitors authentication requests as they occur and reports on their status.

    Access Tracker displays authentication requests for server cp-campus.englab.juniper.net with IP 10.105.5.153 on February 1, 2016, at 18:59:49 PST.

  2. To get more details on the initial MAC RADIUS authentication request from the endpoint, click the request (line 2 of Access Tracker request table).

    Screenshot of a NAC system interface showing session ID R00002db6-01-56b01a85 with MAC 00-50-56-9b-03-7f, timestamp Feb 01 2016 18:55:01 PST, username 0050569b037f, and IP 10.105.5.91:555. System posture UNKNOWN 100, service Juniper_MAC_Auth_Service, EAP-MD5 authentication, User Authenticated role, Guest_Access_Portal_Enforcement profile. Options: Change Status, Export, Show Logs, Close.
  3. To get more details on the Web authentication request from the endpoint, click the request (line 1 of the Access Tracker request table).

    Request Details interface with session identifier, date, time, end-host ID, username, posture status, policies, service mode, online status, and action buttons.