Aruba AOS-CX Switch 802.1X/MAB Template for ClearPass, ISE, FortiAuthenticator, etc
Below is a template for Aruba AOS-CX switches for 802.1X and MAB. This template can be used with any standards-based RADIUS server such as Aruba ClearPass, Cisco Identity Services Engine, Fortinet FortiAuthenticator, FortiNAC, FreeRADIUS, etc. This configuration is just basic 802.1X and MAC Authentication Bypass; it does not cover Downloadable User Roles (DUR) or other advanced Aruba segmentation features. Each section of the configuration is explained in the comment (denoted by !) that precedes it. This configuration should be valid for any version of AOS-CX and has been tested in practice with both Cisco ISE and Aruba ClearPass.
!Define the RADIUS servers. This can be a ClearPass VIP, a load-balancer, or the actual RADIUS servers. Replace the x.x.x.x with your RADIUS server IPs.
radius-server host x.x.x.x key plain-text SuperSecureKey!
radius-server host x.x.x.x key plain-text SuperSecureKey!
!Place the RADIUS servers inside an AAA group. Replace [name] with whatever name you would like for your RADIUS group. Replace the x.x.x.x with your RADIUS server IPs.
aaa group server radius [name]
server x.x.x.x
server x.x.x.x
!Configure necessary AOS-CX AAA configuration to enable 802.1X, MAB, and RADIUS Accounting. Replace [name] with your AAA server group defined previously.
aaa authentication port-access dot1x authenticator radius server-group [name]
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth radius server-group [name]
aaa authentication port-access mac-auth enable
aaa accounting port-access start-stop interim
!Configure the interface/IP that the switch should source the RADIUS packets from. This must match the corresponding network device IP address defined on the RADIUS server.
ip source-interface radius X.X.X.X
!Enable RADIUS Change of Authorization (CoA). This is also known as dynamic authorization. Dynamic authorization allows the RADIUS server to instruct the network access device to make changes to currently authenticated and authorized endpoints. Replace the x.x.x.x with your RADIUS server IPs.
radius dyn-authorization enable
radius dyn-authorization client x.x.x.x secret-key plain-text SuperSecureKey!
radius dyn-authorization client x.x.x.x secret-key plain-text SuperSecureKey!
!Define ACLs
!Permit-all ACL. This ACL will be applied by the RADIUS server to overwrite the pre-auth ACL.
access-list ip Permit_All
10 permit ip any any
!ACL to enforce before 802.1X/MAB completes. Also known as a "pre-auth" state.
access-list ip Dot1x_PreAuth
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any any eq bootpc
40 permit udp any any eq bootps
50 deny ip any 10.0.0.0 255.0.0.0
60 deny ip any 192.168.0.0 255.255.0.0
70 deny ip any 172.16.0.0 255.240.0.0
80 permit ip any any
!Define classes to reference in Local User Roles (LURs)
!Any IP class
class ip ALL
10 match ip any any
!RFC 1918 class
class ip INTERNAL
10 match ip any 10.0.0.0 255.0.0.0
20 match ip any 192.168.0.0 255.255.0.0
30 match ip any 172.16.0.0 255.240.0.0
!Define the port-access policy used when the AAA servers are marked as down. This policy drops all traffic to RFC 1918 IP addresses and permits everything else, i.e. allow internet, block internal.
port-access policy AAA-DOWN-ACL-ALLOW
10 class ip INTERNAL action drop
20 class ip ALL
!Define local user roles and associate policy.
port-access role AAA-DOWN
associate policy AAA-DOWN-ACL-ALLOW
!Interface configuration. This configuration should be applied to each access interface. This configuration allows CDP and LLDP, limits the port to ten endpoints, enables 802.1X and MAB, applies the Pre-Auth ACL to the port, and applies the AAA-DOWN role for the critical-role. The switch applies the critical-role if all configured RADIUS servers are down. Note that the RADIUS server must send the name Permit_All in the filter-id attribute when responding to RADIUS requests. This ensures that the pre-auth ACL is removed from the port and the Permit_All ACL is applied instead.
int X/X/X
aaa authentication port-access allow-cdp-bpdu
aaa authentication port-access allow-lldp-bpdu
aaa authentication client-limit 10
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable
apply access-list ip Dot1x_PreAuth in
aaa authentication port-access critical-role AAA-DOWN
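The pieces of this template depend on each other by name and address: the AAA group must list the same hosts defined with radius-server host, every host should also be a dyn-authorization client or CoA from that server is silently ignored, the ACL applied on the interface and the critical-role must exist, and the role's policy and its classes must be defined. The Python script below is an added example (not part of the original post and not an Aruba tool) that parses a config in the form shown above and reports those cross-reference gaps before the template is pushed to a switch. The SAMPLE_CONFIG is constructed from the template with RFC 5737 documentation addresses and a dummy key; the lint() checks and their wording are my own.

```python
"""Cross-reference linter for the AOS-CX 802.1X/MAB template (added example)."""
import re

# Constructed sample: the template above with placeholders filled in using
# documentation addresses (192.0.2.0/24) and a dummy RADIUS key.
SAMPLE_CONFIG = """
radius-server host 192.0.2.10 key plain-text SuperSecureKey!
radius-server host 192.0.2.11 key plain-text SuperSecureKey!
aaa group server radius NAC
server 192.0.2.10
server 192.0.2.11
aaa authentication port-access dot1x authenticator radius server-group NAC
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth radius server-group NAC
aaa authentication port-access mac-auth enable
aaa accounting port-access start-stop interim
ip source-interface radius 192.0.2.1
radius dyn-authorization enable
radius dyn-authorization client 192.0.2.10 secret-key plain-text SuperSecureKey!
radius dyn-authorization client 192.0.2.11 secret-key plain-text SuperSecureKey!
access-list ip Permit_All
10 permit ip any any
access-list ip Dot1x_PreAuth
10 permit udp any any eq domain
80 permit ip any any
class ip ALL
10 match ip any any
class ip INTERNAL
10 match ip any 10.0.0.0 255.0.0.0
port-access policy AAA-DOWN-ACL-ALLOW
10 class ip INTERNAL action drop
20 class ip ALL
port-access role AAA-DOWN
associate policy AAA-DOWN-ACL-ALLOW
int 1/1/1
aaa authentication port-access allow-cdp-bpdu
aaa authentication client-limit 10
apply access-list ip Dot1x_PreAuth in
aaa authentication port-access critical-role AAA-DOWN
"""


def parse(config):
    """Collect the names and addresses each section defines or references."""
    f = {"hosts": set(), "groups": {}, "group_refs": set(), "coa_clients": set(),
         "coa_enabled": False, "accounting": False, "acls": set(), "classes": set(),
         "policies": {}, "roles": {}, "applied_acls": set(), "critical_roles": set()}
    block = None  # (kind, name) of the most recent section header, since the template is not indented
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and ! comments
        w = line.split()
        if m := re.match(r"radius-server host (\S+)", line):
            f["hosts"].add(m.group(1))
        elif m := re.match(r"aaa group server radius (\S+)", line):
            block = ("group", m.group(1))
            f["groups"].setdefault(m.group(1), set())
        elif w[0] == "server" and block and block[0] == "group":
            f["groups"][block[1]].add(w[1])
        elif m := re.search(r"radius server-group (\S+)", line):
            f["group_refs"].add(m.group(1))
        elif line.startswith("aaa accounting port-access"):
            f["accounting"] = True
        elif line == "radius dyn-authorization enable":
            f["coa_enabled"] = True
        elif m := re.match(r"radius dyn-authorization client (\S+)", line):
            f["coa_clients"].add(m.group(1))
        elif m := re.match(r"access-list ip (\S+)", line):
            f["acls"].add(m.group(1))
            block = ("acl", m.group(1))
        elif m := re.match(r"class ip (\S+)", line):
            f["classes"].add(m.group(1))
            block = ("class", m.group(1))
        elif m := re.match(r"port-access policy (\S+)", line):
            block = ("policy", m.group(1))
            f["policies"][m.group(1)] = set()
        elif block and block[0] == "policy" and (m := re.match(r"\d+ class ip (\S+)", line)):
            f["policies"][block[1]].add(m.group(1))
        elif m := re.match(r"port-access role (\S+)", line):
            block = ("role", m.group(1))
            f["roles"][m.group(1)] = None
        elif block and block[0] == "role" and (m := re.match(r"associate policy (\S+)", line)):
            f["roles"][block[1]] = m.group(1)
        elif re.match(r"int(erface)? \S+", line):
            block = ("interface", w[1])
        elif m := re.match(r"apply access-list ip (\S+) in", line):
            f["applied_acls"].add(m.group(1))
        elif m := re.search(r"critical-role (\S+)", line):
            f["critical_roles"].add(m.group(1))
    return f


def lint(config):
    """Return a list of findings; an empty list means every reference resolves."""
    f = parse(config)
    issues = []
    for name, members in f["groups"].items():
        for ip in sorted(members - f["hosts"]):
            issues.append(f"group {name}: server {ip} has no radius-server host entry")
    for name in sorted(f["group_refs"] - set(f["groups"])):
        issues.append(f"server-group {name} is referenced but never defined")
    if not f["accounting"]:
        issues.append("no 'aaa accounting port-access' line: RADIUS accounting is off")
    if not f["coa_enabled"]:
        issues.append("radius dyn-authorization is not enabled: CoA requests will be ignored")
    for ip in sorted(f["hosts"] - f["coa_clients"]):
        issues.append(f"RADIUS host {ip} is not a dyn-authorization client")
    for acl in sorted(f["applied_acls"] - f["acls"]):
        issues.append(f"applied ACL {acl} is not defined")
    for role in sorted(f["critical_roles"]):
        if role not in f["roles"]:
            issues.append(f"critical-role {role} is not defined")
        elif f["roles"][role] is None:
            issues.append(f"role {role} has no associated policy")
        elif f["roles"][role] not in f["policies"]:
            issues.append(f"role {role} references undefined policy {f['roles'][role]}")
    for pol, classes in f["policies"].items():
        for c in sorted(classes - f["classes"]):
            issues.append(f"policy {pol} references undefined class {c}")
    return issues


if __name__ == "__main__":
    for issue in lint(SAMPLE_CONFIG) or ["no issues found"]:
        print(issue)
```

Run it against a copy of the template with the placeholders filled in; the sample as constructed above lints clean, while dropping one dyn-authorization client line or misspelling the accounting command produces a finding, which is the kind of slip that otherwise shows up only as CoA or accounting quietly not working.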