CLEARPASS - 802.1X Configuration

From IT-Arts.net



Adding a RADIUS Server to Network Devices

Before you begin configuring 802.1X, ensure that your network devices (such as switches or wireless controllers) are configured to communicate with ClearPass as a RADIUS server.

Here’s an example configuration for a network switch (using Cisco CLI syntax):

aaa new-model
radius-server host 192.168.1.100 key RADIUS_SECRET
aaa authentication dot1x default group radius
dot1x system-auth-control

In this configuration:

- `aaa new-model` enables the AAA command set; the `aaa authentication` line is not accepted without it.
- `192.168.1.100` is the IP address of the ClearPass server.
- `RADIUS_SECRET` is the shared secret used to secure the RADIUS communication; it must match the secret entered for this device in ClearPass.
- `aaa authentication dot1x default group radius` tells the switch to use ClearPass for 802.1X authentication.
- `dot1x system-auth-control` enables 802.1X globally on the switch; each access port still needs 802.1X enabled at the interface level.

Creating an Authentication Service in ClearPass

To authenticate users or devices, you need to create an Authentication Service in ClearPass. This service will define the rules and policies for accepting or denying access based on the authentication requests.

1. Log in to ClearPass and navigate to the **Configuration > Authentication Services** section.
2. Click **Add** to create a new service.

In the service settings:

- **Name**: Choose a name for the service (e.g., "Wired 802.1X Authentication").
- **Service Type**: Select `Dot1X`.
- **NAS Port Type**: Select the type of device the requests come from (e.g., `Ethernet` for wired access).
- **Authentication Method**: Select `EAP-MSCHAPv2` for password-based authentication or `EAP-TLS` for certificate-based authentication.

You can define advanced options such as timeouts, retries, and failover behavior.

Defining Authentication Rules

Authentication rules define the logic to determine whether a user or device is authenticated. The most common rule sets include checking for valid credentials, certificates, and role mappings.

To create authentication rules:

1. Navigate to **Configuration > Authentication Policies**.
2. Create a new policy or modify an existing one. For example, create a policy that checks whether a user is a member of a specific Active Directory group.

Example policy:

if (user in "Wireless_Users" group) {
    accept
} else {
    reject
}

This policy ensures that only users in the "Wireless_Users" group are allowed to authenticate.

Configuring Role Mapping for 802.1X

Role mapping is a critical aspect of 802.1X because it determines what network access privileges a user or device will receive after successful authentication. You can map authentication results to specific roles based on policies defined in ClearPass.

To configure role mapping:

1. Navigate to **Configuration > Enforcement Policies**.
2. Create a new enforcement policy that maps the result of the authentication process to a specific VLAN or access level.

For example:

if (authentication successful and user role is "Wireless_Users") {
    assign VLAN 10
} else {
    assign VLAN 100
}

This role mapping assigns VLAN 10 to users who belong to the "Wireless_Users" group and VLAN 100 to others.
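The two policies above, as an added example that is not ClearPass code and not part of the original page: a small first-match rule evaluator in Python that runs the authentication policy first, then the enforcement policy, and returns the VLAN as the RFC 3580 RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) a switch expects inside an Access-Accept. The `Session`, `Rule` and `Policy` names and the `authorize` function are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Session:
    """Facts known about one 802.1X request after the authentication source lookup (assumed shape)."""
    username: str
    groups: FrozenSet[str]       # e.g. Active Directory group memberships
    auth_method: str             # "EAP-TLS" or "EAP-MSCHAPv2"
    nas_port_type: str           # "Ethernet" for wired, "Wireless-802.11" for Wi-Fi
    credentials_valid: bool      # outcome of the password or certificate check


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Session], bool]
    result: Dict[str, object]    # RADIUS attributes to return, or {} for a reject


class Policy:
    """Ordered, first-match rule list with an explicit default: the shape of a
    ClearPass authentication policy or enforcement policy."""

    def __init__(self, rules: List[Rule], default: Rule):
        self.rules = rules
        self.default = default

    def evaluate(self, session: Session) -> Rule:
        for rule in self.rules:
            if rule.matches(session):
                return rule
        return self.default


def vlan_attributes(vlan_id: int) -> Dict[str, object]:
    """The RFC 3580 attribute triple a switch needs to place the port in a VLAN."""
    return {"Tunnel-Type": 13,            # VLAN
            "Tunnel-Medium-Type": 6,      # IEEE-802
            "Tunnel-Private-Group-ID": str(vlan_id)}


REJECT = Rule("Reject", lambda s: True, {})

# Authentication policy from the page: only valid members of Wireless_Users are accepted.
authentication_policy = Policy(
    rules=[Rule("Wireless_Users accept",
                lambda s: s.credentials_valid and "Wireless_Users" in s.groups, {})],
    default=REJECT,
)

# Enforcement policy from the page: members get VLAN 10, everyone else VLAN 100.
enforcement_policy = Policy(
    rules=[Rule("Wireless_Users -> VLAN 10",
                lambda s: "Wireless_Users" in s.groups, vlan_attributes(10))],
    default=Rule("Default -> VLAN 100", lambda s: True, vlan_attributes(100)),
)


def authorize(session: Session) -> Tuple[str, Dict[str, object]]:
    """Run both stages: a reject short-circuits, an accept carries the enforcement attributes."""
    if authentication_policy.evaluate(session) is REJECT:
        return "Access-Reject", {}
    return "Access-Accept", enforcement_policy.evaluate(session).result


if __name__ == "__main__":
    alice = Session("alice", frozenset({"Wireless_Users"}), "EAP-TLS", "Wireless-802.11", True)
    print(authorize(alice))
```

The default rule is explicit and last, so an authenticated user matched by no rule still gets a deliberate result; when adding rules, put the most specific match first. With the authentication policy as written on this page, the VLAN 100 branch is reached only if the authentication policy admits users outside the group, so the enforcement stage can be evaluated on its own (`enforcement_policy.evaluate(session)`) to check that fall-through.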

Configuring EAP-TLS Authentication

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is often used for strong certificate-based authentication. To configure EAP-TLS:

1. Install a Certificate Authority (CA) on the ClearPass server.
2. Import the server certificate into ClearPass.
3. Configure the network devices to require certificate authentication.

In ClearPass:

- **Authentication Method**: Select `EAP-TLS`.
- **Client Certificate**: Ensure that client certificates are issued by a trusted CA.

Example configuration for an authentication service:

authentication method: EAP-TLS
validate server certificate: enabled
client certificate required: enabled

On the network device:

dot1x authentication-method eap-tls

This setup ensures that only devices with valid certificates can authenticate.

Configuring 802.1X for Wireless Networks

For wireless networks, the configuration steps are similar, but you must ensure that the wireless controller is also integrated with ClearPass.

1. Add ClearPass as a RADIUS server on the wireless controller.
2. Create an 802.1X authentication service in ClearPass.
3. Use the correct encryption (WPA2 or WPA3) and ensure that the controller is set to use RADIUS for authentication.

Example for a Cisco Wireless LAN Controller (WLC):

radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key RADIUS_SECRET
aaa authentication dot1x default group radius

In ClearPass, create the authentication service with the same RADIUS secret and configure role mapping as needed.

Troubleshooting 802.1X Authentication

When troubleshooting 802.1X, focus on the following areas:

- **Authentication logs**: ClearPass logs are key to identifying issues with the authentication process. You can view these logs in **Monitor > Live Logs**.
- **Device Configuration**: Ensure that the devices are configured to point to the ClearPass RADIUS server and that the shared secret matches on both sides.
- **Certificate Issues**: For EAP-TLS, ensure that the certificates are valid and properly installed on both the client and the server.

Common troubleshooting commands:

- **Show authentication status** on switches or access points to verify that 802.1X is working correctly.
- Use the **Test Authentication** feature in ClearPass to simulate an authentication request.

Example of checking authentication status on a Cisco switch:

show dot1x all
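The shared secret introduced in the RADIUS server section and the "shared secret matches" check in the troubleshooting list above, as an added Python example that is not part of the original page: it builds a constructed Access-Accept the way a RADIUS server signs one (RFC 2865), verifies the Response Authenticator with the right secret and with a wrong one, and reads the VLAN assignment out of the RFC 3580 tunnel attributes. The request identifier, the Request Authenticator bytes and the packet contents are constructed for the example; the secret value is the placeholder from the switch configuration on this page.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 3580 attributes that carry a VLAN assignment to the switch
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def build_packet(code, identifier, authenticator, attributes):
    """Serialize a RADIUS packet (RFC 2865): header, 16-byte authenticator, TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def sign_response(code, identifier, request_authenticator, attributes, secret):
    """Build a response whose Authenticator field is
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    unsigned = build_packet(code, identifier, request_authenticator, attributes)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_response(packet, request_authenticator, secret):
    """Recompute the Response Authenticator with our copy of the secret.
    A NAS whose secret differs from the server's fails here and drops the reply."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the (type, length, value) attribute list; reject malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def assigned_vlan(packet):
    """Return the VLAN named by a complete tunnel-attribute triple, else None."""
    fields = {}
    for t, v in parse_attributes(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            fields[t] = int.from_bytes(v[1:4], "big")        # first byte is the tag
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            text = v[1:] if v and v[0] <= 0x1F else v         # tag byte is optional here
            fields[t] = text.decode("ascii")
    if fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and fields.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802:
        return fields.get(TUNNEL_PRIVATE_GROUP_ID)
    return None


def demo():
    """Constructed exchange: the server answers request id 7 with Access-Accept + VLAN 10."""
    secret = b"RADIUS_SECRET"                 # placeholder key from the switch config on this page
    request_authenticator = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    tag = b"\x00"
    attributes = [
        (TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, tag + MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, tag + b"10"),
    ]
    accept = sign_response(ACCESS_ACCEPT, 7, request_authenticator, attributes, secret)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # flip a bit in the VLAN id
    return {
        "right_secret": verify_response(accept, request_authenticator, secret),
        "wrong_secret": verify_response(accept, request_authenticator, b"RADIUS_SECRET_typo"),
        "tampered": verify_response(tampered, request_authenticator, secret),
        "vlan": assigned_vlan(accept),
    }


if __name__ == "__main__":
    print(demo())
```

Only the response carries an authenticator derived from the secret; the request side of an EAP exchange is protected by the Message-Authenticator attribute (RFC 3579), which this example does not build. The practical symptom of a mismatched secret is what `verify_response` shows: a reply that fails the check is discarded, so a wrong secret on either side appears in the logs and on the supplicant as timeouts rather than as a clear reject.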