Configuring Aruba ClearPass for Security Devices
Use the Aruba ClearPass page to configure Aruba ClearPass as the authentication source for the integrated ClearPass authentication and enforcement feature. The SRX Series device and Aruba ClearPass collaborate to protect your network resources by enforcing security at the user identity level and controlling user access to the Internet.
The ClearPass Policy Manager (CPPM) can authenticate users across wired, wireless, and VPN infrastructures. The integrated ClearPass feature allows the CPPM and the SRX Series device to collaborate in multiple environments in which they are deployed together.
To configure Aruba ClearPass, complete the following fields:

Field | Description
---|---
Name | Select the name of the Aruba ClearPass from the list.
Authentication Entry Timeout | Set the timeout interval after which idle entries in the ClearPass authentication table expire. The timeout interval begins when the user authentication entry is added to the ClearPass authentication table. If a value of 0 is specified, the entries never expire. Range is 10 through 1440 minutes.
Invalid Authentication Entry Timeout | Enter the expiry time in minutes to apply to invalid authentication entries in the SRX Series authentication table for Windows Active Directory or Aruba ClearPass authentication sources. Range is 0 through 1440 minutes. The invalid authentication entry timeout setting is different from the general authentication entry timeout setting: it protects invalid user authentication entries in an authentication table from expiring before the user can be validated.
No User Query | Enable this option to turn off the user query function without deleting the user query configuration.
User Query | Enable this option to allow the SRX Series device to query the ClearPass webserver for authentication and identity information for an individual user whose information was not posted to the SRX Series device by ClearPass.
Client ID | Enter the client ID that the SRX Series device requires to obtain an access token for the Integrated ClearPass Authentication and Enforcement user query function. Range is 1 through 64. If it is configured, the user query function allows the SRX Series device to query the CPPM for authentication and identity information about individual users when it does not receive this information from the CPPM through the SRX Series Web API daemon (webapi).
CA Certificate | Specify the certificate file that the SRX Series device uses to verify the ClearPass server's certificate for the SSL connection that is used for the user query function. As the ClearPass administrator, you must export the certificate of the server from the CPPM and import it to the SRX Series device. Then configure the ca-certificate path and the certificate filename on the SRX Series device. For example,
Client Secret | Specify the client secret used with the client ID that the SRX Series device requires to obtain an access token for the Integrated ClearPass Authentication and Enforcement user query function. The client secret must match the client secret configured on the CPPM. Range is 1 through 128.
Delay Query Time | Enter the amount of time for the SRX Series device to wait before sending queries to the Aruba ClearPass Policy Manager (CPPM) for authentication and identity information for individual users. Range: 0 through 60 seconds. After the delay timeout expires, the SRX Series device sends the query to the CPPM and creates a pending entry for the user in the Routing Engine authentication table. During this period, any arriving traffic matches the default policy, whose action on the traffic you can configure.
Query API | Enter the query-api to specify the path of the URL that the SRX Series device uses to query the ClearPass Policy Manager (CPPM) webserver for authentication and identity information for an individual user. Consider the following: the SRX Series device generates the complete URL for the user query request by combining the query-api string with the connection method (HTTPS) and the CPPM webserver IP address ({$server}). In this example, the SRX Series device replaces the variables with the following values, resulting in a specific URL request for the individual user:
Token API | Enter the token API that is used in generating the URL for acquiring an access token. The token API is combined with the connection method and the IP address of the ClearPass webserver to produce the complete URL used for acquiring an access token. For example, if the token API is oauth, the connection method is HTTPS, and the IP address of the ClearPass webserver is 192.0.2.199, the complete URL for acquiring an access token is https://192.0.2.199/api/oauth. This is a required parameter. There is no default value.
Web Server | 
Address | Enter the IPv4 address of the ClearPass webserver that communicates with the SRX Series device. The SRX Series device requests user authentication and identity information for an individual user from the ClearPass webserver whose address is configured. If you configure the user query function, the SRX Series device can obtain this information for a specific user when it does not receive it from the ClearPass Policy Manager through Web API POST requests.
Server Name | Enter the server name of the ClearPass webserver that communicates with the SRX Series device.
Port | Select the TCP port of the SRX Series device to use for incoming HTTP or HTTPS connection requests initiated by the ClearPass Policy Manager (CPPM).
Connect Method | Select the application protocol used for the SRX Series device connection to the ClearPass Policy Manager (CPPM) for user query requests. Default is HTTPS. You identify the connection protocol as part of the configuration that identifies the CPPM server. The user query function allows the SRX Series device to request from the CPPM user authentication and identity information for an individual user.
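The following is an added example, not Juniper or Aruba code: it checks the user-query fields above against the ranges this page states, assembles the access-token URL the way the Token API row describes it (connect method, webserver address, `/api/`, token API), and models the "0 means never expire" rule for authentication-table entries. The class and function names, and the sample client ID and secret, are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class ClearPassUserQuery:
    """Hypothetical holder for the user-query fields described on this page."""
    address: str                     # IPv4 address of the ClearPass webserver
    client_id: str                   # 1 through 64 characters
    client_secret: str               # 1 through 128 characters, must match the CPPM
    token_api: str                   # required, no default (e.g. "oauth")
    connect_method: str = "https"    # page default is HTTPS
    delay_query_time: int = 0        # 0 through 60 seconds
    auth_entry_timeout: int = 0      # 0 = never expire, otherwise 10 through 1440 minutes
    invalid_entry_timeout: int = 0   # 0 through 1440 minutes

    def validate(self) -> List[str]:
        """Return the problems found; an empty list means every field is in range."""
        errs = []
        try:
            IPv4Address(self.address)
        except ValueError:
            errs.append("address must be an IPv4 address")
        if not 1 <= len(self.client_id) <= 64:
            errs.append("client_id must be 1 through 64 characters")
        if not 1 <= len(self.client_secret) <= 128:
            errs.append("client_secret must be 1 through 128 characters")
        if not self.token_api:
            errs.append("token_api is required and has no default")
        if self.connect_method not in ("http", "https"):
            errs.append("connect_method must be http or https")
        if not 0 <= self.delay_query_time <= 60:
            errs.append("delay_query_time must be 0 through 60 seconds")
        if self.auth_entry_timeout != 0 and not 10 <= self.auth_entry_timeout <= 1440:
            errs.append("auth_entry_timeout must be 0 or 10 through 1440 minutes")
        if not 0 <= self.invalid_entry_timeout <= 1440:
            errs.append("invalid_entry_timeout must be 0 through 1440 minutes")
        return errs

    def token_url(self) -> str:
        """Compose the access-token URL exactly as the page's example does."""
        return f"{self.connect_method}://{self.address}/api/{self.token_api}"


def entry_expiry(added_at: int, timeout_minutes: int) -> Optional[int]:
    """Epoch second at which an authentication-table entry expires, or None for timeout 0."""
    return None if timeout_minutes == 0 else added_at + timeout_minutes * 60
```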