Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
external-header-nav
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Network Segmentation using Device Profiling with EX Series Switches and Aruba ClearPass Policy Manager Device Profiling with EX Series Switches and Aruba ClearPass Policy Manager

Network Segmentation using Device Profiling with EX Series Switches and Aruba ClearPass Policy Manager

keyboard_arrow_up
close
keyboard_arrow_left
Network Segmentation using Device Profiling with EX Series Switches and Aruba ClearPass Policy Manager
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Configuring Device Profiling to provide Dynamic Segmentation with EX Series Switches and Aruba ClearPass Policy Manager

date_range 20-Sep-23
arrow_backward
arrow_forward

Dynamic Segmentation provides the flexibility of assigning wired ports on EX switches with dynamic VLAN and policies to segment the internet of things (IOT), access point traffic, and wired user traffic. Aruba ClearPass can centrally manage and enforce network access polices for wired and wireless control.

Micro segmentation is obtained by applying dynamic firewall filters to the wired ports once we successfully authenticate the device to control the east-west traffic. With dynamic filters we can control in a camera network so that it talks only to the secured camera recording server or few dedicated terminals used by security personals. Similarly, we can apply firewall filters on the IP Phone network to allow communication between IP phones and call manager server in the network.

This configuration example illustrates how to use the features of EX Series switches and Aruba ClearPass Policy Manager to perform device profiling as part of the endpoint authentication process.

In this example, an organization has four types of endpoints in its wired infrastructure for which it has defined access policies:

  • Access points—Endpoints profiled as access points are allowed access to the network and are dynamically assigned to the AP_VLAN VLAN.

  • IP phones—Endpoints profiled as IP phones are allowed access to the network. The IPPhone_VLAN is dynamically assigned as the VoIP VLAN.

  • Corporate laptops—Endpoints that have an 802.1X supplicant are authenticated by the user credentials. After the user is successfully authenticated, the laptop is granted access to the network and placed in the Employee_VLAN VLAN.

  • Camera /IOT Devices—Camera and IOT devices having or not having 802.1x supplicants can be added to the network and granted access to the Camera_IOT_VLAN VLAN.

  • Noncorporate laptops/Tablets—Endpoints that do not have an 802.1X supplicant and that are profiled as non-corporate devices are provided only internet access

Table 1 shows the defines values of the access policies for wired, wireless, and authorization.

Table 1: Access Policies Details

Access Policies

Wired

Wireless

Authorization

AP VLAN

130 (NATIVE)

ALLOWED VLAN = 121,131,151,102

-

IP-Phone

120

121

Between phones and call manager server

Employee

150

151

Access all

Remediation

101

102

Quarantine

IOT Camera

130

131

DHCP, NTP, and NVR

Requirements

This example the following hardware and software components for the policy infrastructure:

  • EX4300, EX2300, EX3400 switch running Junos OS Release 20.2R1 or earlier

  • Aruba ClearPass Policy Manager running 6.9.0.130064

Overview and Topology

To implement the endpoint access policies, the policy infrastructure is configured as follows:

  • All access interfaces on the switch are initially configured to be in VLAN 100, which serves as a remediation VLAN. If an endpoint is not successfully authenticated or is not successfully profiled as one of the supported endpoints, it remains in the remediation VLAN.

    Note:

    When the endpoints utilize DHCP, avoid changing the VLANs. The endpoint will not send another DHCPRequest until their existing lease expires or a port bounce occurs.

  • Endpoints that have an 802.1X supplicant are authenticated by using 802.1X PEAP authentication. For more information on 802.1X PEAP authentication, see Configuring 802.1X PEAP and MAC RADIUS Authentication with EX Series Switches and Aruba ClearPass Policy Manager.

  • Endpoints that do not have an 802.1X supplicant are authenticated using MAC RADIUS authentication and are profiled to determine what type of device they are. These endpoints undergo a two-step authentication process:

    1. The first step occurs after an endpoint first connects to the switch but before it has been profiled by Aruba ClearPass Profile. After it connects, the endpoint is authenticated using MAC RADIUS authentication. Aruba ClearPass applies an enforcement policy that instructs the switch to grant the endpoint access to the Internet but prevents it from accessing the internal network.

    2. The second step occurs after an endpoint has been successfully profiled. After being authenticated in the first step, the endpoint contacts a DHCP server to request an IP address. The switch relays the DHCP messages sent by the endpoint to the DHCP server to Aruba ClearPass as well, which allows ClearPass to profile the endpoint. After it has profiled the endpoint and added the endpoint to its endpoint repository, ClearPass sends a RADIUS Change of Authorization (CoA) message to the switch, telling it to terminate the session. The switch then attempts reauthentication on behalf of the endpoint. Because the endpoint now exists in the endpoint repository, Aruba ClearPass is able to apply an enforcement policy appropriate to the device type when it authenticates the endpoint. For example, if the endpoint is an access point, ClearPass applies the enforcement policy that dynamically assigns the access point to the AP_VLAN VLAN.

Figure 1 shows the topology used in this example.

Figure 1: Topology Used in This Example Topology Used in This Example

Configuration

This section provides step-by-step instructions for:

Configuring the EX Switch

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
[edit]
set access radius-server 10.25.22.11 dynamic-request-port 3799
set access radius-server 10.25.22.11 secret "$9$tqCW01hevLVwgSrwgoJHkp0BISrKM87db"
set access radius-server 10.25.22.11 source-address 10.25.99.11
set access profile ACCESS_PROF_RADIUS accounting-order radius
set access profile ACCESS_PROF_RADIUS authentication-order radius
set access profile ACCESS_PROF_RADIUS radius authentication-server 10.25.22.11
set access profile ACCESS_PROF_RADIUS radius accounting-server 10.25.22.11
set protocols dot1x authenticator authentication-profile-name ACCESS_PROF_RADIUS
set protocols dot1x authenticator interface AUTHC supplicant multiple
set protocols dot1x authenticator interface AUTHC transmit-period 3
set protocols dot1x authenticator interface AUTHC mac-radius
set vlans AP vlan-id 130
set vlans EMPLOYEE-WIRED vlan-id 150
set vlans EMPLOYEE-WIRELESS vlan-id 151
set vlans IOT-WIRED vlan-id 111
set vlans IOT-WIRELESS vlan-id 112
set vlans IP-PHONE-WIRED vlan-id 120
set vlans IP-PHONE-WIRELESS vlan-id 121
set vlans MANAGEMENT vlan-id 99
set vlans MANAGEMENT l3-interface irb.99
set vlans REMEDIATION-WIRED vlan-id 101
set vlans REMEDIATION-WIRELESS vlan-id 102
set interfaces interface-range AP member ge-0/0/0
set interfaces interface-range AP native-vlan-id 130
set interfaces interface-range AP unit 0 family ethernet-switching interface-mode trunk
set interfaces interface-range AP unit 0 family ethernet-switching vlan members AP
set interfaces interface-range AP unit 0 family ethernet-switching vlan members EMPLOYEE-WIRELESS
set interfaces interface-range AUTHC member ge-0/0/6
set interfaces interface-range AUTHC member ge-0/0/3
set interfaces interface-range AUTHC member ge-0/0/2
set interfaces interface-range AUTHC member ge-0/0/4
set interfaces interface-range AUTHC member ge-0/0/7
set interfaces interface-range AUTHC member ge-0/0/8
set interfaces interface-range AUTHC member ge-0/0/9
set interfaces interface-range AUTHC member ge-0/0/5
set interfaces interface-range AUTHC unit 0 family ethernet-switching interface-mode access
set interfaces interface-range AUTHC unit 0 family ethernet-switching vlan members REMEDIATION-WIRED
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP from destination-port 67
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP from destination-port 68
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP from ip-protocol udp
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP then accept
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DNS from destination-port 53
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DNS from ip-protocol udp
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DNS from ip-protocol tcp
set firewall family ethernet-switching filter Internet_Only_Access term Block_Internal from ip-destination-address 192.168.0.0/16
set firewall family ethernet-switching filter Internet_Only_Access term Block_Internal then discard
set firewall family ethernet-switching filter Internet_Only_Access term Allow_All then accept

Step-by-Step Procedure

The general steps to configure the EX switch are:

  • Configure the connection to the Aruba ClearPass Policy Manager.

  • Create the access profile used by the 802.1X protocol. The access profile tells the 802.1X protocol which authentication server and authentication methods to use and the order of the authentication methods.

  • Configure the 802.1X protocol.

  • Configure the VLANs.

  • Configure Ethernet switching on the access ports.

  • Configure integrated routing and bridging (IRB) interfaces and assign them to the VLANs.

  • Configure DHCP relay to send DHCP packets to Aruba ClearPass so that it can perform device profiling.

  • Create the firewall policy that blocks access to the internal network.

To configure the EX switch:

  1. Provide the RADIUS server connection information..

    content_copy zoom_out_map
    [edit]
user@Policy-EX-switch# set access radius-server 10.25.22.11 dynamic-request-port 3799
user@Policy-EX-switch# set access radius-server 10.25.22.11 secret password
user@Policy-EX-switch# set access radius-server 10.25.22.11 source-address 10.25.99.11

  2. Configure the access profile.

    content_copy zoom_out_map
    [edit access]
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS accounting-order radius
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS authentication-order radius
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS radius authentication-server 10.25.22.11
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS radius accounting-server 10.25.22.11

  3. Configure 802.1X to use ACCESS_PROF_RADIUS and enable the protocol on each access interface. In addition, configure the interfaces to support MAC RADIUS authentication and to allow more than one supplicant, each of which must be individually authenticated.

    By default, the switch will first attempt 802.1X authentication. If it receives no EAP packets from the endpoint, indicating that the endpoint does not have an 802.1X supplicant, it then tries MAC RADIUS authentication.

    content_copy zoom_out_map
    [edit]
user@Policy-EX-switch# set protocols dot1x authenticator authentication-profile-name ACCESS_PROF_RADIUS
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC supplicant multiple
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC transmit-period 3
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC mac-radius
user@Policy-EX-switch# set interfaces interface-range AP member ge-0/0/0
user@Policy-EX-switch# set interfaces interface-range AP native-vlan-id 130
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching interface-mode trunk
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching vlan members AP
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching vlan members EMPLOYEE-WIRELESS
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/6
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/3
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/2
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/4
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/7
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/8
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/9
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/5

  4. Configure the VLANs used in this example.

    content_copy zoom_out_map
    [edit]
user@Policy-EX-switch# set vlans AP vlan-id 130
user@Policy-EX-switch# set vlans EMPLOYEE-WIRED vlan-id 150
user@Policy-EX-switch# set vlans EMPLOYEE-WIRELESS vlan-id 151
user@Policy-EX-switch# set vlans IOT-WIRED vlan-id 111
user@Policy-EX-switch# set vlans IOT-WIRELESS vlan-id 112
user@Policy-EX-switch# set vlans IP-PHONE-WIRED vlan-id 120
user@Policy-EX-switch# set vlans IP-PHONE-WIRELESS vlan-id 121
user@Policy-EX-switch# set vlans MANAGEMENT vlan-id 99
user@Policy-EX-switch# set vlans MANAGEMENT l3-interface irb.99
user@Policy-EX-switch# set vlans REMEDIATION-WIRED vlan-id 101
user@Policy-EX-switch# set vlans REMEDIATION-WIRELESS vlan-id 102

    Note that for dynamic VLAN assignment to work, the VLAN must exist on the switch before authentication is attempted. If the VLAN doesn’t exist, authentication fails.

  5. Configure DHCP relay to forward DHCP request packets to Aruba ClearPass.

    content_copy zoom_out_map
    [edit]
user@Policy-EX-switch# set dhcp-relay server-group dhcp-dot1x 10.25.22.11
user@Policy-EX-switch# set dhcp-relay active-server-group dhcp-dot1x

  6. Configure a firewall filter, Internet_Only_Access, to be used for devices that have been authenticated by MAC RADIUS authentication but have not yet been profiled.

    This filter blocks an endpoint from accessing the internal network (192.168.0.0/16).

    content_copy zoom_out_map
    [edit]
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP from destination-port 67
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP from destination-port 68
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP from ip-protocol udp
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP then accept
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DNS from destination-port 53
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DNS from ip-protocol udp
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DNS from ip-protocol tcp
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 from ip-destination-address 10.0.0.0/8
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 from ip-destination-address 172.16.0.0/12
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 from ip-destination-address 192.168.0.0/16
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 then discard
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_ALL then accept

Results

From configuration mode, confirm your configuration by entering the following show commands.

content_copy zoom_out_map
user@Policy-EX-switch# show access
radius-server {
        10.25.22.11 {
            dynamic-request-port 3799;
            secret "$9$tqCW01hevLVwgSrwgoJHkp0BISrKM87db"; ## SECRET-DATA
            source-address 10.25.99.11;
        }
    }
    profile ACCESS_PROF_RADIUS {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 10.25.22.11;
            accounting-server 10.25.22.11;
        }
    }
}
content_copy zoom_out_map
user@Policy-EX-switch# show protocols                                     
dot1x {
        authenticator {
            authentication-profile-name ACCESS_PROF_RADIUS;
            interface {
                AUTHC {
                    supplicant multiple;
                    transmit-period 3;
                    mac-radius;
                }
            }
        }
    }
content_copy zoom_out_map
user@Policy-EX-switch# show interfaces                                         
  interface-range AP {
        member ge-0/0/0;
        native-vlan-id 130;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ AP EMPLOYEE-WIRELESS ];
                }
            }
        }
    }
        interface-range AUTHC {
        member ge-0/0/6;
        member ge-0/0/3;
        member ge-0/0/2;
        member ge-0/0/4;
        member ge-0/0/7;
        member ge-0/0/8;
        member ge-0/0/9;
        member ge-0/0/5;
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members REMEDIATION-WIRED;
                }
            }
        }
    }
content_copy zoom_out_map
user@Policy-EX-switch# show vlans                                            
AP {
        vlan-id 130;
    }
    EMPLOYEE-WIRED {
        vlan-id 150;
    }
    EMPLOYEE-WIRELESS {
        vlan-id 151;
    }
    IOT-WIRED {
        vlan-id 111;
    }
    IOT-WIRELESS {
        vlan-id 112;
    }
    IP-PHONE-WIRED {
        vlan-id 120;
    }
    IP-PHONE-WIRELESS {
        vlan-id 121;
    }
        MANAGEMENT {
        vlan-id 99;
        l3-interface irb.99;
    }
    REMEDIATION-WIRED {
        vlan-id 101;
    }
    REMEDIATION-WIRELESS {
        vlan-id 102;
    }
    }
}
content_copy zoom_out_map
user@Policy-EX-switch# show forwarding-options
dhcp-relay {
    server-group {
        dhcp-dot1x {
            10.25.22.11;
             }
    }
    helpers {
        bootp {
            server 10.25.22.11;
        }
}
content_copy zoom_out_map
user@Policy-EX-switch# show firewall
family ethernet-switching {
        filter INTERNET_ACCESS_ONLY {
            term ALLOW_DHCP {
                from {
                    destination-port [ 67 68 ];
                    ip-protocol udp;
                }
                then accept;
            }
            term ALLOW_DNS {
                from {
                    destination-port 53;
                    ip-protocol [ udp tcp ];
                }
            }
            term BLOCK_RFC_1918 {
                from {
                    ip-destination-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then discard;
            }
            term ALLOW_ALL {
                then accept;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Aruba ClearPass Policy Manager

Step-by-Step Procedure

The general steps for configuring Aruba ClearPass are:

  • Verify the Juniper-AV-Pair attribute exists in your RADIUS dictionary.

  • Add the EX switch as a network device.

  • Ensure that the server certificate used for 802.1X PEAP authentication has been installed.

  • Add the local user used in this example for 802.1X authentication.

  • Create the following enforcement profiles:

    • VLAN 150 ENF PROF that places endpoints in VLAN 150.

    • JUNIPER VOIP VLAN 120 ENF PROF that defines VLAN 120 as the VoIP VLAN.

    • VLAN 130 ENF PROF that places endpoints in VLAN 130.

    • Internet_Only_Access_Fliter_ID_ENF_Prof that specifies the firewall filter Internet_Only_Access be used for devices that have not yet been profiled.

  • Create two enforcement policies:

    • A policy that is invoked when MAC RADIUS authentication is used.

    • A policy that is invoked when 802.1X authentication is used.

  • Define the MAC RADIUS authentication service and the 802.1X authentication service.

  • Ensure that the MAC RADIUS authentication service is evaluated before the 802.1X authentication service.

To configure Aruba ClearPass:

  1. Verify the Juniper-AV-Pair attribute exists in your RADIUS dictionary.

    Go to Administration > Dictionaries > RADIUS and Open the Juniper dictionary.

    Note:

    If the Juniper dictionary is shown in red, open the Juniper dictionary page to enable the dictionary and click the enable button.

    If the Juniper-AV-Pair attribute is not present, follow these steps to add it:

    1. Click the Export button.

    2. Save the RadiusDictionary.xml file to your computer and then open it with a text editor.

    3. Under the RadiusAttributes section, add the following line:

      <Attribute profile="in out" type="String" name="Juniper-AV-Pair" id="52"/>

    4. Save the XML file.

    5. Return to your ClearPass session and click on the Import button in the top right corner of the RadiusDictionary page.

    6. Click the Browse button and find the RadiusDictionary.xml file you just saved

    7. Click Import.

    8. Now open the Juniper RADIUS dictionary and verify if the Juniper-AV-Pair attribute is present

  2. Add the EX switch as a network device.

    Step-by-Step Procedure

    1. Under Configuration > Network > Devices, click Add.

    2. On the Device tab, enter the hostname and IP address of the switch and the RADIUS shared secret that you configured on the switch. Set the Vendor Name field to Juniper.

    3. Ensure that a trusted server certificate for 802.1X PEAP authentication exists.

      • Under Administration > Certificates > Certificate Store, verify that each Aruba ClearPass server has a valid RADIUS/EAP Server Certificate installed. If they do not, add a valid server certificate. The Aruba ClearPass documentation and your Certificate Authority can provide more details on how to obtain certificates and import them into ClearPass.

    4. Add a test user to the local user repository. This user will be used to verify 802.1X authentication.

      • Under Configuration > Identity > Local Users, click Add.

      • In the Add Local User window, enter the user ID (usertest1), username (Test User), and password. Then select Employee as the user role. Under Attributes, select the Department attribute and type Finance under value.

      Note:

      In this configuration example, the ClearPass Local User Repository is used as the authentication source. In a typical enterprise deployment, however, Microsoft Active Directory is used as the authentication source. For further detail on how to configure Active Directory as an authentication source, search the ClearPass documentation located in Administration » Support » Documentation.

  3. Configure an enforcement profile for employee laptops or desktops that authenticate using 802.1X.

    • This profile places the endpoints in VLAN 150.

    Step-by-Step Procedure

    Under Configuration > Enforcement > Profiles, click Add.

    1. On the Profile tab, set Template to VLAN Enforcement and type the profile name, VLAN 150 ENF PROF, in the Name field.

    2. On the Attributes tab, configure the attributes as shown.

  4. Configure an access point enforcement profile, which places access points in VLAN 130.

    • Use the same basic procedure to create this profile as you used in the previous step. After you complete the profile, the information on the Summary tab will appear as shown.

  5. Configure an IP phone enforcement profile.

    • This profile instructs Aruba ClearPass to return VLAN 120 as the VLAN that should be used as the VoIP VLAN. The Juniper Networks RADIUS dictionary defines a special RADIUS attribute to use for this purpose. Select RADIUS-Juniper for the attribute type and Juniper-VoIP-Vlan as the attribute name.

    • After you complete the profile, the information on the Summary tab will appear as shown.

  6. Configure an Internet access only enforcement profile.

    • This enforcement profile tells Aruba ClearPass to return the name of the firewall filter Internet_Only_Access, which is the firewall filter you configured on the switch that blocks access to the internal network. After you complete this profile, the information on the Summary tab will appear as shown.

    • Configure the MAC RADIUS authentication enforcement policy.

    • For endpoints being authenticated by MAC RADIUS authentication, this policy informs Aruba ClearPass to apply enforcement policies according to the device profile. The VLAN 130 ENF PROF is applied to endpoints profiled as access points, and the JUNIPER VOIP VLAN 120 ENF PROF is applied to endpoints profiled as VoIP phones. The predefined enforcement policy [Deny Access Profile] is applied to endpoints profiled as Windows devices. This enforces the organization access policy that only laptops with an 802.1X supplicant are allowed access to the network. For all other endpoints, including endpoints that have not yet been profiled, the INTERNET ONLY ACCESS FILTER ID ENF PROF profile will be applied.

    • Under Configuration > Enforcement > Policies, click Add.

    • On the Enforcement tab, type the name of the policy (JUNOS MAC AUTH ENF POL) and set Default Profile to INTERNET ONLY ACCESS FILTER ID ENF PROF.

    • On the Rules tab, click Add Rule and add the rules shown.

      You must add the rules sequentially by clicking Save before you create the next rule.

  7. Configure the 802.1X enforcement policy.

    This policy tells Aruba ClearPass to use the VLAN 150 ENF PROF enforcement profile if a user is successfully authenticated as a member of the finance department. Any other user authentication will match the Default Profile and the switch will be sent a RADIUS Accept and place the endpoint in the remediation VLAN 100.

    • Under Configuration » Enforcement » Policies, click Add.

    • On the Enforcement tab, type the name of the policy (JUNOS DOT1X ENF POL) and set Default Profile to [Allow Access Profile].

    • On the Rules tab, click Add Rule and add the rule shown.

  8. Configure the JUNOS MAC AUTH authentication service.

    The configuration for this service results in MAC RADIUS authentication being performed when the RADIUS User-Name attribute and the Client-MAC-Address attribute received have the same value.

    • Under Configuration » Services, click Add.

    • On the Services tab, fill out the fields as shown. Be sure to select the Authorization and Profile Endpoints options.

    • On the Authentication tab, delete [Allow All MAC AUTH] from the Authentication Methods list and add [EAP MD5] to the list.

      Select [Endpoints Repository] [Local SQL DB] in the Authentication Sources list.

    • On the Enforcement tab, select JUNOS MAC AUTH ENF POL.

    • On the Profiler tab, add Computer, VoIP Phone, Access Points to the Endpoint Classification list.

      Select [Juniper Terminate Session] from the RADIUS CoA Action list. This configuration causes endpoints to go through reauthentication after they are profiled and added to the endpoint repository. Before an endpoint is profiled, the INTERNET ONLY ACCESS FILTER ID ENF PROF enforcement profile is in effect for the authenticated user session. (This profile is the default profile for the MAC authentication policy configured in Step 7.) After Aruba ClearPass successfully classifies a device, it sends a RADIUS CoA to the switch, which causes the switch to terminate the session. The switch then attempts to reauthenticate the endpoint. Because the endpoint’s device profile is now in the endpoint repository, the appropriate device enforcement profile will be applied when the endpoint is authenticated.

    • Click Save.

  9. Configure the 802.1X authentication service.

    • Under Configuration > Services, click Add.

    • On the Service tab, fill out the fields as shown.

    • On the Authentication tab:

      • Set Authentication Sources to [Local User Repository][Local SQL DB].

      • Remove the [EAP FAST], [EAP-TLS] and [EAP-TTLS] Authentication Methods.

    • On the Enforcement tab, set Enforcement Policy to Juniper_Dot1X_Policy.

    • Verify that the MAC RADIUS authentication service policy is evaluated before the 802.1X authentication service policy.

      • Because Aruba ClearPass is configured to recognize MAC RADIUS authentication requests by the RADIUS User-Name attribute and the Client-MAC-Address attribute having the same value, it is more efficient to have the MAC RADIUS service policy evaluated first.

      • In the Services main window, verify that JUNOS MAC AUTH appears before JUNOS DOT1X in the services list, as shown. If it does not, click Reorder and move JUNOS MAC AUTH above JUNOS DOT1X.

Verification

Confirm that the configuration is working properly.

Verifying 802.1X Authentication on the EX Switch

Purpose

Verify that the test user, usertest1, is being authenticated and placed in the correct VLAN.

To perform this procedure, you must have a Windows device with an active 802.1X supplicant that passes the authentication information for usertest1. For information on how to configure a Windows 7 supplicant for 802.1X PEAP authentication, see Configuring 802.1X PEAP and MAC RADIUS Authentication with EX Series Switches and Aruba ClearPass Policy Manager

Action

  1. Connect the Windows 7 laptop to ge-0/0/22 on the EX switch.

  2. On the switch, type the following command:

    content_copy zoom_out_map
    user@Policy-EX-switch-01> show dot1x interface ge-0/0/8
802.1X Information:
Interface     Role           State           MAC address          User
ge-0/0/8.0    Authenticator  Authenticated   98:90:96:D8:70:19    usertest1

  3. For more details, including the dynamic VLAN assignment, type:

    content_copy zoom_out_map
    user@Policy-EX-switch-01> show dot1x interface ge-0/0/8 detail 
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 3 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Mac Radius Authentication Protocol: EAP-MD5
  Reauthentication: Enabled
  Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: not configured
  Number of connected supplicants: 1
    Supplicant: usertest1, 98:90:96:D8:70:19
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Radius
      Authenticated VLAN: EMPLOYEE-WIRED
      Session Reauth interval: 10800 seconds
      Reauthentication due in 10772 seconds
      Eapol-Block: Not In Effect
      Domain: Data

    The output shows that usertest1 has been successfully authenticated and placed in the EMPLOYEE-WIRED VLAN.

Verifying the Access Point Authentication on the EX Switch

Purpose

Verify that the access point has been successfully authenticated and placed in the correct VLAN.

Action

  1. Connect an access point to ge-0/0/6 on the EX switch.

  2. On the switch, type the following command:

    content_copy zoom_out_map
    user@Policy-EX-switch-01> show dot1x interface ge-0/0/6 
ge-0/0/6.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 3 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Mac Radius Authentication Protocol: EAP-MD5
  Reauthentication: Enabled
  Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: not configured
  Number of connected supplicants: 1
    Supplicant: 5c5b352e2d19, 5C:5B:35:2E:2D:19
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Mac Radius
      Authenticated VLAN: AP
      Session Reauth interval: 3600 seconds
      Reauthentication due in 3549 seconds
Egress Vlan: 102, 121, 130, 131, 151

	Operational supplicant mode: Single
   Eapol-Block: Not In Effect
   Domain: Data

    The output shows that the access point has been authenticated and placed in the AP_VLAN VLAN.

Verifying the VoIP Phone and Non-corporate Laptop Authentication on the EX Switch

Purpose

Verify that the VoIP phone has been successfully authenticated and that the non-corporate laptop has not been authenticated.

Action

  1. Connect a VoIP phone to ge-0/0/8 on the EX switch, and connect a laptop that does not have an enabled 802.1X supplicant to the Ethernet port on the phone.

  2. To verify the authentication state of the devices, type the following command on the switch:

    content_copy zoom_out_map
    user@Policy-EX-switch-01> show dot1x interface ge-0/0/8 
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Mac Radius Authentication Protocol: EAP-MD5
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: not configured
  Number of connected supplicants: 2
    Supplicant: 08173515ec53, 08:17:35:15:EC:53
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Mac Radius
      Authenticated VLAN: IPPhone_VLAN
      Session Reauth interval: 3600 seconds
      Reauthentication due in 3591 seconds
      Session Accounting Interim  Interval: 600 seconds
      Accounting Update  due in 591 seconds
    Supplicant: No User, D0:67:E5:50:E3:DD
      Operational state: Connecting
      Backend Authentication state: Idle
      Authentication method: None
      Session Reauth interval: 0 seconds
      Reauthentication due in 0 seconds
      Session Accounting Interim  Interval: 600 seconds
      Accounting Update  due in 0 seconds

    The output shows that two supplicants are attached to the port, each identified by MAC address. The VoIP phone has been successfully authenticated and placed in IPPhone_VLAN. The laptop is in a connecting state, not authenticated state, indicating that it has failed to be authenticated.

  3. To verify that IPPhone_VLAN VLAN has been assigned as the VoIP VLAN, type the following command:

    content_copy zoom_out_map
    user@Policy-EX-switch-01> show ethernet-switching interface ge-0/0/8  
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         MMAS - Mac-move action shutdown,
                         SCTL - shutdown by Storm-control )

Logical     Vlan         TAG  MAC    STP       Logical         Tagging 
interface   members           limit  state     interface flags 
ge-0/0/8.0                    65535                            tagged,untagged   
            default      1    65535  Forwarding                untagged   
            IPPhone_VLAN 120  65535  Forwarding                tagged     

    IPPhone_VLAN is shown as a tagged VLAN, indicating that it is the VoIP VLAN.

Verifying the Status of Authentication Requests on Aruba ClearPass Policy Manager

Purpose

Verify that the endpoints are being correctly authenticated and that the correct RADIUS attributes are being exchanged between the switch and Aruba ClearPass.

Action

  1. Go to Monitoring > Live Monitoring > Access Tracker to display the status of the authentication requests.

    The Access Tracker monitors authentication requests as they occur and reports on their status.

  2. To get more details on a particular authentication request, click on the request.

  3. To verify the RADIUS attributes that Aruba ClearPass sent back to the switch for this request, click the Output tab.

Meaning

The authentication request from the IOT Device (Camera) was successful and the correct information about the IOT VLAN was returned to the switch.

Monitoring Device Profiling

Step-by-Step Procedure

You can view the devices that Aruba ClearPass Profile has discovered and maintains in its endpoint repository, obtaining information on the total number of devices profiled, the kinds of devices, and device-specific data, such as the device vendor, device hostname, and timestamp when the device was added to the repository.

  1. In Aruba ClearPass, select Monitoring » Profiler and Network Scan » Endpoint Profiler . The initial Endpoint Profiler window provides an overview of the endpoints in its repository, grouping devices within the device category, device family, and device name hierarchies. The table at the bottom of the window lists the endpoints that are in the currently selected device name group.

  2. To display more information about an individual endpoint, click on the endpoint in the table.

    In the View Endpoint window, you can display the information ClearPass Profile used to profile the device by clicking the Device Fingerprints tab. In the following example, ClearPass Profile used information obtained from various DHCP options in the DHCP messages to profile the device.

Troubleshooting Authentication

Step-by-Step Procedure

This topic describes how you get detailed diagnostic information by enabling tracing of authentication operations on the EX Series switch.

Aruba ClearPass Policy Manager provides additional detailed diagnostic information.

You can enable trace options for the 802.1X protocol.

  1. The following set of commands enables the writing of trace logs to a file named do1x.

    content_copy zoom_out_map
    root@EX-switch-1# set protocols dot1x traceoptions file dot1x
root@EX-switch-1# set protocols dot1x traceoptions file size 5m
root@EX-switch-1# set protocols dot1x traceoptions flag all

  2. Use the show log CLI command to display the contents of the trace log file. For example:

    content_copy zoom_out_map
    root@EX-switch-1> show log dot1x
root@EX-switch-1> set protocols dot1x traceoptions file size 5m

  3. You can also display the contents of the trace log file from the UNIX-level shell. For example:

    content_copy zoom_out_map
    root@EX-switch-1> start shell 
root@EX-switch-1: RE:0% tail -f /var/log/dot1x
arrow_backward PREVIOUS Technical Overview
NEXT arrow_forward Configuring Colorless Ports on EX Series Switches with Aruba ClearPass Policy Manager and Cisco ISE
external-footer-nav