ALE Network Solutions / Aruba ClearPass Interop Implementation (en)


Implementation Guide

How to implement ALE network solutions with Aruba ClearPass using OmniVista Network Management System

Table of Contents
Introduction
    Purpose
Solution Overview
    Global Knowledge
    OmniVista NMS introduction
    UPAM introduction
    Hardware & Software
    Environment
    Addressing plan
    Device and software configuration
Prerequisite configuration
    Adding a Network Access Device on CPPM
    Adding ClearPass as an External Radius on OV on-prem
Wired authentication
    On CPPM
    On OV on-prem
Stellar 802.1x authentication with CPPM
    On CPPM
    On OV on-prem
Stellar MAC authentication with CPPM
    On CPPM
    On OV on-prem
Stellar guest captive portal authentication with CPPM and UPAM as a proxy
    On CPPM
    On OV on-prem
Postures
    On CPPM
    On OV on-prem
NAC role for SSID
    On CPPM
    On OV on-prem
BYOD
    On CPPM
    On OV on-prem
Conclusion
Support

Introduction
Purpose
The purpose of this document is to provide a comprehensive guide on how to
integrate OmniVista NMS, OmniSwitch and OmniAccess Stellar with Aruba
ClearPass Policy Manager (CPPM). It walks through the step-by-step process,
highlighting the configuration and settings needed on each side for a
successful implementation. By following the instructions outlined in this
document, you will be able to integrate OmniAccess Stellar and OmniSwitch with
Aruba ClearPass and use it to authenticate, authorize and posture-check the
users and devices on your network infrastructure.

Solution Overview
Global Knowledge

Authentication is the process of verifying the identity of a user, system, or device.
It ensures that the entity trying to access a network or system is who or what it
claims to be.
Authorization is the process of granting or denying access to specific resources or
actions based on the authenticated entity's identity and privileges. Once
authentication is successful, authorization determines what the authenticated
entity is allowed to do within the network or system.
RADIUS, or Remote Authentication Dial-In User Service, is a networking protocol
that provides centralized authentication, authorization, and accounting services
for network access. RADIUS servers are used to authenticate users before granting
them access to a network, ensuring that only authorized users are allowed in.
RADIUS also provides accounting features that allow network administrators to
track and monitor user activity on the network. The network device (the NAS) and
the RADIUS server share a secret that authenticates their messages; it must be
identical on both sides and should be long, random and unique per device.
MAC authentication is a method of network access control that uses a device's
Media Access Control (MAC) address to authenticate it before granting network
access. This method can be used in conjunction with 802.1X authentication or as a
standalone authentication method. MAC authentication is often used in
environments where it is not feasible or practical to install client software on every
device that needs to access the network, such as in guest or public networks. Because
a MAC address is easily cloned, it identifies a device but does not prove anything
about it; treat MAC-authenticated endpoints as low-trust and give them a restricted role.

802.1X is a standard for port-based network access control that provides an
authentication mechanism for devices attempting to connect to a network. The
switch port or SSID stays blocked until the supplicant has authenticated, over
EAP, against an authentication server such as a RADIUS server. This ensures that
only authorized devices are allowed onto the network and helps to prevent
unauthorized access and security breaches.
Posture assessment, also known as endpoint security posture assessment, is the
evaluation of the security status or health of a device (e.g., computer,
smartphone) that is attempting to connect to a network. It ensures that the device
meets the security requirements and complies with the organization's policies
before granting access.
Authentication Access Policies are used to define the mapping conditions for an
Authentication Strategy. Through Access Policy configuration, authentication
strategy can be applied to different user groups, which can be divided by SSID or
other attributes.

Access Role Profile can be applied to users when they connect to the network. An
Access Role Profile can contain a Policy List with security and QoS policies.

Unified Policies are QoS Policies that can be applied to both wireline and wireless
devices. Unified Policies are created using a wizard that guides you through each of the
steps needed to create the Policy and apply the Policy to devices in the network.

Access Auth Profile enables you to assign a predefined UNP port configuration to a
port or linkagg, or to specify them individually on each port to enable UNP port status
and set the parameters for the authentication process for the port. The Access Auth
Profile configures 802.1X and MAC authentication for both wired and wireless devices,
Access Classification, and the default AAA Server and/or UNP Profile to be used once a
user is authenticated.

AAA Server Profiles are used to define specific AAA parameters that can be used in an
Access Auth Profile or Captive Portal Profile.

For Bring Your Own Device (BYOD), ALE OmniSwitch and OmniAccess Stellar can leverage
their captive portal and RADIUS functionality together with the ClearPass Policy Manager
(CPPM) to provide the overall BYOD solution. BYOD allows a guest, device, or
authenticated user to connect to the network through a captive portal, using CPPM for
unified authentication and device onboarding.

OmniVista Network Management System introduction

The Alcatel-Lucent OmniVista Network Management System (NMS) provides cohesive
management and network-wide visibility, increasing IT efficiency and business agility.
It provides a full set of management tools for a converged mobile campus. This NMS,
available on-premises and in the cloud, enables operators to easily provision, manage
and maintain a unified campus mobile infrastructure with its network elements,
alarms, unified access security policies, and virtualization. It also provides advanced
network analytics for full visibility into wired and wireless devices, IoT endpoints and
applications, as well as predictive analysis for forward planning.

UPAM introduction
The Alcatel-Lucent OmniVista Unified Policy Authentication Management module
is a unified access management platform for Alcatel-Lucent OmniSwitch Ethernet
switches, and Alcatel-Lucent OmniAccess Stellar access points. OmniVista UPAM
includes both a captive portal and a RADIUS server and can implement multiple
authentication methods such as MAC authentication, 802.1x authentication, and
captive portal authentication. Users can authenticate against the UPAM local
database or against external databases including Microsoft Active Directory, LDAP,
and external RADIUS. The OmniVista UPAM customizable captive portal can
implement flexible authentication strategies for Guest and BYOD users with
integrated credential management through email, SMS and social login (for
example, Facebook, Google, WeChat and Rainbow™ by Alcatel-Lucent Enterprise).

Hardware & Software

This document applies to OmniVista 2500 NMS release 8.9.221.R03, OmniVista Cirrus 4.8.2,
OmniVista Cirrus 10.3 and ClearPass Policy Manager 6.11.1.251304, or newer versions.
The hardware and software listed below were used to create this document and remain
the reference unless a significant feature enhancement requires an update:

Hardware                     Software
AOS 6860E                    8.9.221.R03
AP 1301                      4.0.7.14
OmniVista 2500               4.8R1 GA (Build 40)
Aruba ClearPass              CPPM-VM-x86_64-6.11.1.251304
Windows 10 (client)          Latest
Windows Server 2016          Latest

Environment
For the purpose of creating this document, the following network configuration
was used.
Addressing plan

NAME                        IP               MASK             GATEWAY          PortGroups
OV2500 (Management)         192.168.125.100  255.255.255.0    192.168.125.253  VLAN 125
OV2500 (Captive Portal)     192.168.125.100  255.255.255.0    192.168.125.253  VLAN 125
Aruba ClearPass (Mgmt)      192.168.125.150  255.255.255.0    192.168.125.253  VLAN 125
Aruba ClearPass (Data)      192.168.123.150  255.255.255.0    192.168.123.254  VLAN 123
Windows 10                  DHCP             DHCP             DHCP             Untag
Windows Server 2016         192.168.125.110  255.255.255.0    192.168.125.253  VLAN 125
OS6860 VLAN 125             192.168.125.253  255.255.255.0    192.168.125.253  VLAN 125

Device and software configuration

This section provides the necessary steps for configuring the ALE devices to work
with Aruba ClearPass.

Two approaches are available for authenticating users through Aruba ClearPass with
ALE products. The first uses OmniVista UPAM as a RADIUS proxy: the access point or
switch sends its RADIUS requests to UPAM, which forwards them to Aruba ClearPass with
the UPAM IP as the NAS-IP ("UPAM-IP as Proxy for NAS-IP"). This option is only
available with the on-prem version of OmniVista.
The second approach uses Aruba ClearPass directly, without UPAM in the path. It can be
used with the on-prem version of OmniVista as well as the cloud one.

The difference between the two options is that, without proxying, every switch and
access point must be registered as a network device in Aruba ClearPass, whereas with
the proxy only OmniVista needs to be configured in Aruba ClearPass. From a security
standpoint this also means that a single RADIUS shared secret is held in ClearPass,
but that UPAM becomes the one point through which all authentication traffic flows,
so it must be protected accordingly.

Another benefit of using UPAM as a proxy, apart from not having to register the ALE
devices on ClearPass, is that UPAM provides RADIUS monitoring that is useful for
troubleshooting.

In this document both ways are detailed for the main use cases, but the focus is on
configuring the solution with UPAM as a proxy. The configuration to authenticate
directly against Aruba ClearPass is given first, and the OV on-prem sections show how
to do it with UPAM as a proxy.

Prerequisite configuration
Adding a Network Access Device on CPPM

A Network Access Device (NAD) must belong to the global list of devices in the
ClearPass database in order to connect to ClearPass: RADIUS requests coming from an
IP address that is not in this list are not processed.

Add a new NAD

Step 1 > Go to Configuration > Network > Devices.

Step 2 > Click on Add.

Step 3 > Specify the NAD name, the IP address, the RADIUS shared secret and the
vendor name (i.e., Alcatel-Lucent Enterprise).
Make sure to enable RADIUS Dynamic Authorization on port 3799, so that ClearPass
can send Change of Authorization (CoA) and Disconnect messages to the device.

Notes
Since OmniVista acts as a proxy for the Stellar APs and OmniSwitches, registering it as
a Network Device with the OmniVista IP address is sufficient. If you do not want to use
OV on-prem and UPAM as a RADIUS proxy, you need to add your OmniAccess Stellar access
points and OmniSwitches separately, each with its own IP address and shared secret.
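The shared secret and the Dynamic Authorization port configured on the NAD entry are what the following added example exercises; it is not code from the ALE guide or from ClearPass. It builds an RFC 5176 Disconnect-Request as ClearPass would send to the NAS (or to UPAM, which proxies it) on UDP port 3799, then verifies the Disconnect-ACK the NAS returns, which shows that both directions are authenticated with the same shared secret and why a mismatch makes CoA silently fail. The secret, user name, MAC address and session id are constructed sample values; nothing is sent on the network.

```python
"""RFC 5176 Dynamic Authorization (CoA / Disconnect) packets and their authenticators.

Added example, not code from the ALE guide or from ClearPass. It shows what the
"RADIUS Dynamic Authorization, port 3799" setting on the ClearPass NAD entry means
on the wire and why the shared secret must match: the DAC (ClearPass) signs the
request with it and the NAS (switch, AP or UPAM proxy) signs the reply with it.
The secret, user name, MAC address and session id are constructed sample values.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44   # RFC 2865/2866 attribute types
DAC_PORT = 3799   # UDP port the NAD entry is configured with


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Type, Length (counting the 2-byte header), Value; RFC 2865 section 5."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Request Authenticator. A wrong secret or any change
    to the attributes makes it fail, and the NAS silently drops the packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """NAS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """DAC side: the reply must carry the request's Identifier, be keyed with the
    same secret and be bound to the Request Authenticator it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_request(secret: bytes, user: str, calling_station: str,
                       session_id: str, identifier: int) -> bytes:
    """Disconnect-Request identifying the session to drop, as a DAC would send it."""
    attrs = (encode_avp(USER_NAME, user.encode())
             + encode_avp(CALLING_STATION_ID, calling_station.encode())
             + encode_avp(ACCT_SESSION_ID, session_id.encode()))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    secret = b"example-shared-secret"        # constructed; use a long random one in production
    req = disconnect_request(secret, "jdoe", "00-11-22-33-44-55", "0000A1B2", identifier=7)
    ack = build_response(DISCONNECT_ACK, req, b"", secret)
    print("NAS accepts request :", verify_request(req, secret))                 # True
    print("DAC accepts ACK     :", verify_response(ack, req, secret))           # True
    print("other secret        :", verify_response(ack, req, b"other-secret"))  # False
```

The same construction applies to CoA-Request (code 43), which carries the new authorization attributes (for example a Filter-Id) instead of just the session identifiers. When CoA does not take effect, the first thing to check is that the secret on the ClearPass NAD entry and on the OmniVista external RADIUS entry are identical: a NAS that fails the authenticator check gives no NAK, it simply does not answer.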

Adding ClearPass as an External Radius on OmniVista on-prem

In order to use ClearPass with OV on-prem and UPAM as a RADIUS proxy, the
ClearPass platform must be added to OV on-prem as an external RADIUS server.

Add a new External radius server on OV on-prem

Step 1 > Go to UPAM > Settings > External Radius.

Step 2 > Click on +/Add.

Step 3 > Specify the new External radius server name (i.e., ClearPass), the IP
address and the same RADIUS shared secret defined for the NAD on ClearPass.

Enable "UPAM-IP as Proxy for NAS-IP", so that ClearPass sees the OmniVista address
as the NAS-IP of the proxied requests and matches them to the NAD created above.

Wired authentication
On CPPM

Create a service for 802.1x wired

Step 1 > Go to Configuration > Services.

Click on +/Add.

Create a service of type 802.1X Wired.

Add the following condition:

Type -> Radius:IETF
Name -> NAS-Identifier
Operator -> EQUALS
Value -> *NAS ID*

Step 2 > In Authentication, select the Authentication sources.
In this case we selected the local User repository from CPPM.

Step 3 > Select your Role Mapping Policy and Enforcement Policy.
On OmniVista on-prem

with CPPM as a Radius Server

Step 1 -> Go to Unified Access > Unified Profile > Template > AAA Server Profile.

Click on +/Add.

Create an AAA Server Profile with your ClearPass server as the Authentication Server
for 802.1x (and for Captive Portal and MAC authentication if needed).

In the Authentication Strategy, for Radius Server select ClearPass.

In the Advanced Settings section, open the RADIUS tab.

Set the NAS ID to "String user" and enter a NAS ID that matches the one configured in
the ClearPass 802.1X Wired service created above.

Click on Create.

Step 2 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile.

Click on +/Add.

Create an Access Auth Profile.

Select the AAA Server Profile created in step 1.

Enable 802.1x Auth (and MAC Auth if needed).

Click on Create.

Step 3 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile.

Select the Access Auth Profile created in step 2.

Click on Apply to Devices.

Click on ADD and Use Switch Picker.

Select your switches, click on Add> and then OK.

In the list of the Selected Devices, under your switches, click on Add Port.

Select the ports on which the Access Auth Profile configuration is to be pushed.

Click OK.

Then click on Apply to push the configuration to the switch.

Notes
You can enable Port-bounce in step 2. This feature is required to handle the scenario
where a client is moved from one VLAN to another after a CoA: the port is briefly taken
down so that the client requests a new IP address in the new VLAN.
with CPPM as a Radius Server and UPAM as a proxy radius

Step 1 -> Go to Unified Access > Unified Profile > Template > AAA Server Profile.

Click on +/Add.

Create an AAA Server Profile with UPAMRadiusServer as the Authentication Server
for 802.1x (and for Captive Portal and MAC authentication if needed). This is where
the proxy variant differs from the direct one: the switch sends its RADIUS requests
to UPAM, and UPAM forwards them to ClearPass according to the Authentication
Strategy and Access Policy created in steps 4 and 5.

In the Authentication Strategy, for Radius Server select UPAMRadiusServer.

In the Advanced Settings section, open the RADIUS tab.

Set the NAS ID to "String user" and enter a NAS ID that matches the one configured in
the ClearPass 802.1X Wired service created above.

Click on Create.

Step 2 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile.

Click on +/Add.

Create an Access Auth Profile.

Select the AAA Server Profile created in step 1.

Enable 802.1x Auth (and MAC Auth if needed).

Click on Create.

Step 3 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile.

Select the Access Auth Profile created in step 2.

Click on Apply to Devices.

Click on ADD and Use Switch Picker.

Select your switches, click on Add> and then OK.

In the list of the Selected Devices, under your switches, click on Add Port.

Select the ports on which the Access Auth Profile configuration is to be pushed.

Click OK.

Then click on Apply to push the configuration to the switch.

Step 4 -> Go to UPAM > Authentication > Authentication Strategy.

Click on +/Add.

Enter your Strategy name.

In the Authentication Source select External Radius and add ClearPass as the
External Radius.

Step 5 -> Go to UPAM > Authentication > Access Policy.

Click on +/Add.

Enter your Policy name.

For the Mapping Condition select Advanced Attribute and add the following condition:

Attribute: NAS-IP-Address
Operator: Equals
Value: *Switch IP*

In Authentication Strategy select the Strategy created in step 4.

Click on Create.
OmniAccess Stellar 802.1x authentication with CPPM
On CPPM

Create a service for 802.1x wireless

Step 1 > Go to Configuration > Services.

Click on +/Add.

Create a service of type 802.1X Wireless.

Add the 2 following conditions:

Type -> Radius:IETF
Name -> Called-Station-Id
Operator -> ENDS_WITH
Value -> *SSID name*

Type -> Radius:IETF
Name -> Service-Type
Operator -> BELONGS_TO
Value -> Login-User (1), Framed-User (2), Authenticate-Only (8)

The first condition relies on the AP sending Called-Station-Id as its BSSID followed by
the SSID name (the usual wireless format), which is why ENDS_WITH is used rather than
EQUALS: the rule then selects this service for one SSID whichever AP the client is on.

Step 2 > In Authentication, add [EAP MSCHAPv2] and move it up the list. It is the inner
method carried inside the tunnelled methods the service already lists ([EAP PEAP] in
particular); keep those tunnelled methods, as MSCHAPv2 without a TLS tunnel exposes the
credential exchange.

Select the Authentication sources.
In this case we selected the User repository from CPPM.

Step 3 > Select your Role Mapping Policy and Enforcement Policy.

On OmniVista on-prem

Stellar with CPPM as a Radius Server

Create a SSID

Go to WLAN > SSID.

Click on +/Add.

Create a SSID for Enterprise Network for Employees (802.1x).

In the Authentication Strategy, for Radius Server select ClearPass.

Save and Apply to the AP group.

Stellar with CPPM and UPAM as Proxy Radius Server

Create a SSID and an Authentication Strategy

Step 1 > Go to WLAN > SSID.

Click on +/Add.

Create a SSID for Enterprise Network for Employees (802.1x).

In the Authentication Strategy, for Radius Server select UPAMRadiusServer.

Step 2 > Go to Customize SSID > Authentication Strategy > Advanced Configuration.

Select External Radius as the Authentication source.

Add CPPM as the External Radius and apply.

Save and apply to the AP group.

OmniAccess Stellar MAC authentication with CPPM
On CPPM

Create a service for MAC authentication

Go to Configuration > Services.

Click on +/Add.

Create a service of type MAC Authentication.

Keep the 3 generic conditions.

In the Authentication section, for the authentication methods select [Allow All MAC AUTH].

Add the Authentication sources: in this case the authentication source is the
Endpoints Repository from CPPM.

Note that [Allow All MAC AUTH] accepts any MAC address as an authentication; use the
endpoint Status (Known/Unknown) from the Endpoints Repository in your Role Mapping or
Enforcement Policy so that only registered devices receive a useful role.

Select your Role Mapping Policy and Enforcement Policy.

On OmniVista on-prem

Stellar with CPPM as a Radius Server

Create a SSID

Go to WLAN > SSID.

Click on +/Add.

Create a SSID for Guest Network (Open or Captive portal).

In the Authentication Strategy, enable MAC authentication and for Radius Server
select ClearPass.

Save and Apply to the AP group.

OmniAccess Stellar with CPPM and UPAM as Proxy Radius Server

Create a SSID

Go to WLAN > SSID.

Click on +/Add.

Create a SSID for Guest Network (Open or Captive portal).

In the Authentication Strategy, enable MAC authentication and for Radius Server
select UPAMRadiusServer.

Go to Customize SSID > Authentication Strategy > Advanced Configuration.

Select External Radius as the Authentication source.

Add CPPM as the External Radius and apply.

Save and apply to the AP group.
OmniAccess Stellar guest captive portal authentication with CPPM and UPAM as a proxy
On CPPM

Create a captive portal web login page

Go to ClearPass Guest > Configuration > Pages > Web Logins.

Click on Create a new web login page.

Fill in the form for the web login page:

Vendor Settings: Custom Settings

Submit URL: https://cportal.al-enterprise.com/login

Submit Method: POST

Authentication: Anonymous – Do not require a username or password

Username Field: user

Password Field: Password

The Submit URL is the OmniVista captive portal, so the guest's browser posts the
credentials to UPAM, which then authenticates them against ClearPass over RADIUS (with
PAP, see the service below). Because the portal is reached over HTTPS, the portal FQDN
must resolve for the client and the certificate presented by the OmniVista captive
portal must be trusted by the client's browser.

Create a service for Guest Access

Go to Configuration > Services.

Click on +/Add.

Create a service of type RADIUS Enforcement (Generic).

Add the following condition:

Type -> Connection
Name -> SSID
Operator -> EQUALS
Value -> *SSID name*

In Authentication, for the authentication methods select [PAP].

Add the Authentication sources: in this case the authentication source is the
Guest User Repository from CPPM.

With PAP, the guest password travels from UPAM to ClearPass protected only by the
RADIUS shared-secret obfuscation, so keep that path on a trusted management network
(VLAN 125 in the addressing plan above).

Select your Role Mapping Policy and Enforcement Policy.

On OmniVista on-prem

Configure the Access Role Profile with Walled Garden & Captive Portal Attributes

Go to Unified Access > Template > Access Role Profile.

Click on +/Add.

In the Walled Garden section, add the ClearPass domain to the Allowlist Domains.

Notes
The Walled Garden only works with FQDNs; it is what lets the unauthenticated endpoint
reach the ClearPass portal page. Keep the allowlist to the ClearPass FQDN (and any
resources the portal page loads): everything listed here is reachable before
authentication.

In the Captive Portal Attributes section:

Select External as the Captive Portal Auth.

Enter the FQDN of ClearPass as the Portal Server.

Enter your CPPM Web Login URL as the Redirect-URL.

In AAA Server Profile select Add New and create a new AAA Server Profile.

In Authentication Servers > Captive Portal section add UPAMRadiusServer as the
Captive Portal Primary.

Scroll down and click on Create.

Back on the Access Role Profile creation, select the AAA Server Profile that you
created.

Scroll down and click on Create.

Back on the Access Role Profile menu, select your Access Role Profile and click on
Apply to Devices.

Add your VLAN, select the desired AP groups, then Apply.

Create a SSID

Go to WLAN > SSIDs > WLAN Service (Expert).

Click on +/Add.

After naming your SSID go to the Security section.

Select "Open" as the Security Level.

In Default Access Role Profile select the previously created ARP.

Scroll down and click on Create.

Create an Access Policy and an Authentication Strategy

Go to UPAM > Authentication > Access Policy.

Click on +/Add.

Add a Policy Name and create the following Mapping Condition with Basic Attribute:

Attribute -> SSID
Operator -> Equals
Value -> *YourSSIDName*

Add the condition.

In the Authentication Strategy section click on Add New.

On the Authentication Strategy menu:

Select External Radius as the Authentication Source.

Select your ClearPass server as the External Radius.

Back on the Access Policy menu, in the Authentication Strategy section select the
Authentication Strategy created above.

Click on Create.

Postures
On CPPM
Step 1 -> Go to Configuration > Enforcement > Profiles.

Click on +/Add.
Create an Enforcement Profile for Employee.

Select RADIUS as the type and Accept for the Action.

Add the following attribute:

Type -> Radius:IETF
Name -> Filter-Id
Value -> Employee

Click on +/Add.
Create an Enforcement Profile for Quarantine.

Select RADIUS as the type and Accept for the Action.

Add the following attribute:

Type -> Radius:IETF
Name -> Filter-Id
Value -> Quarantine

The Filter-Id value is the name OmniVista uses to select the Access Role Profile, so it
must match the profile name exactly (the match is case-sensitive).

Step 2 -> Go to Configuration > Enforcement > Policies.

Click on +/Add.

Create an Enforcement Policy for posture enforcement.

Select RADIUS as the Enforcement type and the generic [Deny Access Profile] as the
Default Profile, so that a request matching neither rule is rejected rather than
accepted with no role.

In the Rules section choose "Select first match" as the Rules Evaluation Algorithm.

Add the 2 following rules in the Enforcement Policy Rules:

First rule
Condition:
(Tips:Role EQUALS [User Authenticated]) AND (Tips:Posture EQUALS HEALTHY (0))
Action: Employee-Profile

Second rule
Condition:
(Tips:Role EQUALS [User Authenticated]) AND (Tips:Posture NOT_EQUALS HEALTHY (0))
Action: *Quarantine-profile name*

With first-match evaluation the healthy case must be listed first; the second rule
then catches every other posture token, including UNKNOWN (100), which is what an
endpoint without an OnGuard health report gets.

Click on +/Add.

Create an Enforcement Policy for terminating the session.

Select WEBAUTH as the Enforcement type and Terminate Session as the Default Profile.

In the Rules section choose "Select first match" as the Rules Evaluation Algorithm.

Add the 2 following rules in the Enforcement Policy Rules:

First rule
Condition:
(Tips:Posture EQUALS HEALTHY (0))
Action: Terminate Session

Second rule
Condition:
(Tips:Posture NOT_EQUALS HEALTHY (0))
Action: Terminate Session

Terminating the session after each health report disconnects the client and forces it
to re-authenticate, so that the posture enforcement policy above is re-evaluated with
the fresh posture token; this is why Use Cached Results is enabled on the 802.1X
service in step 4.

Step 3 -> Go to Configuration > Posture > Posture Policies.

Click on +/Add.

Create a Posture Policy for your OnGuard agent.

Step 4 -> Go to Configuration > Services.

Click on +/Add.

Create a service of type Web-based Health Check Only.

In the Service section, enable Posture Compliance and add the following condition:

Type -> Host
Name -> CheckType
Operator -> MATCHES_EXACT
Value -> Health

In the Posture tab add the Posture Policy created above and select UNKNOWN (100) as
the Default Posture Token.

In the Enforcement section add the Terminate Session policy.

Last, create another service for 802.1X Wireless or Wired.

Click on +/Add.

Add conditions according to the type of service created (cf. the previous
configuration for 802.1X Wireless or Wired).

In the Authentication tab: in this case we selected the local User repository from
CPPM.

In the Enforcement tab, enable Use Cached Results and select the
Posture_Enforcement_Policy created in step 2.

Notes
All the ClearPass OnGuard installers for your devices are found under Administration >
Agents and Software Updates > OnGuard Settings > Installers.

On OmniVista on-prem

Create a new Access Role Profile

Go to Unified Access > Template > Access Role Profile.

Click on +/Add.

Create a new Access Role Profile with the same name as the Filter-Id value of the
Enforcement Profile created in ClearPass.

In this case we have Quarantine and Employee.

In this case we only configured the profile name.

Select only one Access Role Profile at a time.

Then Apply them to Devices, again only one at a time.

Select the devices on which you want to push the configuration.

Choose your Mapping Method; in our case we selected Map To VLAN and added the
right VLAN. The Quarantine profile should map to a VLAN that only reaches the
remediation resources (ClearPass and the update servers), not the production network.

Click on Apply.
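How the ClearPass rules in this guide and the OmniVista role lookup fit together can be checked with the following added example, which is not code from the ALE guide, from ClearPass or from OmniVista. It models the service classification rules used above (NAS-Identifier EQUALS for 802.1X Wired; Called-Station-Id ENDS_WITH *SSID name* and Service-Type BELONGS_TO {1, 2, 8} for 802.1X Wireless), the "Select first match" posture enforcement policy (Tips:Posture EQUALS HEALTHY (0) gives Employee, anything else, including UNKNOWN (100), gives Quarantine, nothing matched gives [Deny Access Profile]) and the OmniVista side, which applies the Access Role Profile whose name equals the returned Filter-Id. The service names, SSID, NAS ID and RADIUS requests are constructed sample values, and the BSSID:SSID form of Called-Station-Id is assumed.

```python
"""Model of ClearPass service classification + first-match enforcement and of the
OmniVista Filter-Id -> Access Role Profile lookup. Added example, not ClearPass
or OmniVista code; every name and request below is a constructed sample."""

from dataclasses import dataclass

HEALTHY, UNKNOWN = 0, 100  # Tips:Posture tokens named in the guide

# Operators as ClearPass presents them in the service / enforcement rule editors
OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "NOT_EQUALS": lambda actual, expected: actual != expected,
    "ENDS_WITH": lambda actual, expected: str(actual).endswith(expected),
    "BELONGS_TO": lambda actual, expected: actual in expected,
}


def conditions_match(conditions, request):
    """All (attribute, operator, value) conditions must hold (they are ANDed);
    an attribute missing from the request never matches."""
    for attribute, operator, expected in conditions:
        if attribute not in request:
            return False
        if not OPERATORS[operator](request[attribute], expected):
            return False
    return True


# Service rules from the guide. Called-Station-Id is assumed to be sent by the
# AP as "<BSSID>:<SSID>", which is why the guide uses ENDS_WITH on the SSID name.
SERVICES = [
    ("802.1X Wired", [("Radius:IETF:NAS-Identifier", "EQUALS", "ALE-WIRED")]),
    ("802.1X Wireless", [
        ("Radius:IETF:Called-Station-Id", "ENDS_WITH", "Corp-Employees"),
        ("Radius:IETF:Service-Type", "BELONGS_TO", {1, 2, 8}),
    ]),
]


def classify_service(request, services=SERVICES):
    """ClearPass walks the service list top-down; the first full match wins."""
    for name, conditions in services:
        if conditions_match(conditions, request):
            return name
    return None


@dataclass
class Rule:
    conditions: list
    profile: str  # Enforcement Profile name


# Posture enforcement policy: "Select first match", default [Deny Access Profile]
POSTURE_POLICY = [
    Rule([("Tips:Role", "EQUALS", "[User Authenticated]"),
          ("Tips:Posture", "EQUALS", HEALTHY)], "Employee-Profile"),
    Rule([("Tips:Role", "EQUALS", "[User Authenticated]"),
          ("Tips:Posture", "NOT_EQUALS", HEALTHY)], "Quarantine-Profile"),
]
DEFAULT_PROFILE = "[Deny Access Profile]"

# RADIUS attributes each Enforcement Profile returns (None = Access-Reject)
ENFORCEMENT_PROFILES = {
    "Employee-Profile": {"Radius:IETF:Filter-Id": "Employee"},
    "Quarantine-Profile": {"Radius:IETF:Filter-Id": "Quarantine"},
    DEFAULT_PROFILE: None,
}


def enforce(request, policy=POSTURE_POLICY, default=DEFAULT_PROFILE):
    """First-match evaluation; falls through to the policy's default profile."""
    for rule in policy:
        if conditions_match(rule.conditions, request):
            return rule.profile
    return default


def access_role_profile(profile_name, omnivista_profiles):
    """OmniVista applies the Access Role Profile whose name equals the Filter-Id
    (case-sensitive). Returns None for a reject, raises if the name is unknown."""
    attributes = ENFORCEMENT_PROFILES[profile_name]
    if attributes is None:
        return None
    filter_id = attributes["Radius:IETF:Filter-Id"]
    if filter_id not in omnivista_profiles:
        raise LookupError(f"no Access Role Profile named {filter_id!r} on OmniVista")
    return filter_id


def decide(request, omnivista_profiles):
    """Full path: service -> enforcement profile -> OmniVista role."""
    service = classify_service(request)
    if service is None:
        return None, None, None  # no service matched: service categorization failed
    profile = enforce(request)
    return service, profile, access_role_profile(profile, omnivista_profiles)


if __name__ == "__main__":
    profiles = {"Employee", "Quarantine"}   # Access Role Profiles created on OmniVista
    healthy = {"Radius:IETF:Called-Station-Id": "00-11-22-33-44-55:Corp-Employees",
               "Radius:IETF:Service-Type": 2, "Tips:Role": "[User Authenticated]",
               "Tips:Posture": HEALTHY}
    no_report = dict(healthy, **{"Tips:Posture": UNKNOWN})
    print(decide(healthy, profiles))    # ('802.1X Wireless', 'Employee-Profile', 'Employee')
    print(decide(no_report, profiles))  # ('802.1X Wireless', 'Quarantine-Profile', 'Quarantine')
```

The LookupError path is the failure mode to test for on a real deployment: if the Access Role Profile on OmniVista is spelled differently from the Filter-Id (for example "employee"), ClearPass reports a successful Accept in Access Tracker while the client silently lands in the SSID's default role.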

NAC role for SSID

On CPPM

Create an Identity Role, an Enforcement Profile, an Enforcement Policy and configure your Service

Go to ClearPass > Configuration > Identity > Roles.

Click on +/Add.

Name the Role and save it.

Go to ClearPass > Configuration > Enforcement > Profiles.

Click on +/Add.

In the Profile section, name your Enforcement Profile and select the enforced Action.

In the Attributes section create the following:

Type -> Radius:IETF
Name -> Filter-Id
Value -> *your Role Name*

Save it.

Go to ClearPass > Configuration > Enforcement > Policies.

Click on +/Add.

Create a rule whose condition (for example Tips:Role EQUALS *your Role Name*) enforces
the profile created before.

Go to ClearPass > Configuration > Services.

Select the service you want to edit.

In the Enforcement section, select the Enforcement Policy created previously.

On OmniVista on-prem

Configure an Access Role Profile

Go to Unified Access > Template > Access Role Profile.

Click on +/Add.

Create a new Access Role Profile with the same name as the Role you created in
ClearPass (i.e., the Filter-Id value sent by the Enforcement Profile).
BYOD
On CPPM

Configure the Onboard Certificate Authority (CA)

Step 1 > Go to Onboard > Certificate Authorities.

Click on Create a new certificate authority.

In Authority Info Access, select Specify an OCSP Responder URL. This URL is embedded in
every device certificate the CA issues, and it is what ClearPass queries to reject a
certificate that has been revoked (for a lost or retired device).
Configure an Onboard Authentication Method

Step 2 > Go to ClearPass Policy Manager > Authentication > Methods.

Click on +/Add.

Create an authentication method of type EAP-TLS.

Untick the option "Override OCSP URL from client", so that the responder URL embedded
in the device certificate (the one set on the CA in step 1) is used. Make sure
certificate verification using OCSP is set to Required on this method; otherwise a
revoked onboarded certificate would still be accepted.

Configure Onboard Network Setting

Step 3 > Go to Onboard > Configuration > Network Settings.

Click on Create a new network.

In the Wireless Network Settings section, in SSID, enter the name of the SSID that
you will create for user BYOD access.

Save the configuration.
Configure Onboard Configuration Profile

Step 4 > Go to Onboard > Deployment and Provisioning > Configuration Profiles.

Click on Create a new Configuration Profile.

In the Networks section select the Network Setting created in step 3.

Save the configuration.

Configure Onboard Provisioning Settings

Step 5 > Go to Onboard > Deployment and Provisioning > Provisioning Settings.

Click on Create a new Provisioning Setting.

Fill in the general information such as the name and the name of your company.

In the Identity section, for the Certificate Authority select the CA created in step 1
and as Signer select Onboard Certificate Authority.

In the Authorization section, for the Configuration Profile select the configuration
profile created in step 4.

Save the configuration.
Configure the Onboard service

Step 6 > Go to ClearPass Policy Manager > Configuration > Service Templates and Wizards.

Click on the Onboard Service.

Fill in the name in the General section.

In the Provisioning Wireless Network Settings section, in Wireless SSID for Onboard
Provisioning, enter the name of the SSID you will create.

Save the configuration.
Once the service created,
Clearpass will automatically
create create and add the
Enforcement Profiles,
Enforcement policies, the
role mapping policies and 3
services that we will need.
Clearpass Policy Manager>
Configuration>Services you
can now see the 3 services
that have been added.

Edit the Onboard Provisioning service.

In the Service section, create the two following Service rules:

Type -> Radius:IETF
Name -> Called-Station-Id
Operator -> ENDS_WITH
Value -> *SSID name*

Type -> Radius:IETF
Name -> Service-Type
Operator -> BELONGS_TO
Value -> Login-User (1), Framed-User (2), Authenticate-Only (8)

In the Authentication section, remove the method [EAP PEAP Without Fast Reconnect] and add the Authentication Method created in step 2.

In the Authentication Sources, select the repository against which you will authenticate users.

Save it.
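To see how the two service rules above classify incoming requests, here is an added Python example (not from this guide, Aruba or ALE) that applies them to constructed RADIUS attributes. It assumes the AP sends Called-Station-Id as "AP-MAC:SSID" and that the service uses "match ALL" for its rules; it also shows why a plain ENDS_WITH can match a longer SSID that merely shares the suffix.

```python
# Added example: evaluate the Onboard Provisioning service rules locally.
# Assumptions: Called-Station-Id is "<AP-MAC>:<SSID>" and both rules must match.

# Service-Type values named in the BELONGS_TO rule (RFC 2865 numbering)
SERVICE_TYPE = {"Login-User": 1, "Framed-User": 2, "Authenticate-Only": 8}
ONBOARD_SERVICE_TYPES = frozenset(SERVICE_TYPE.values())


def rule_called_station_ends_with(request: dict, ssid: str) -> bool:
    """Rule 1: Radius:IETF Called-Station-Id ENDS_WITH <SSID name>."""
    return str(request.get("Called-Station-Id", "")).endswith(ssid)


def rule_service_type_belongs_to(request: dict) -> bool:
    """Rule 2: Radius:IETF Service-Type BELONGS_TO Login-User, Framed-User, Authenticate-Only."""
    return request.get("Service-Type") in ONBOARD_SERVICE_TYPES


def matches_onboard_service(request: dict, ssid: str) -> bool:
    """Both rules must hold for the request to be routed to this service."""
    return rule_called_station_ends_with(request, ssid) and rule_service_type_belongs_to(request)


def ssid_from_called_station(value: str) -> str:
    """Take the SSID after the last ':' of 'AP-MAC:SSID' (empty if no ':')."""
    return value.rsplit(":", 1)[-1] if ":" in value else ""


def matches_onboard_service_strict(request: dict, ssid: str) -> bool:
    """Tighter variant: exact SSID comparison instead of a suffix match."""
    called = str(request.get("Called-Station-Id", ""))
    return ssid_from_called_station(called) == ssid and rule_service_type_belongs_to(request)


# Constructed sample requests (not captured traffic); Service-Type 10 is Call-Check (MAC auth)
REQUESTS = [
    {"User-Name": "alice", "Called-Station-Id": "00-11-22-33-44-55:BYOD-Onboard", "Service-Type": 1},
    {"User-Name": "bob", "Called-Station-Id": "00-11-22-33-44-55:Corp-WiFi", "Service-Type": 2},
    {"User-Name": "carol", "Called-Station-Id": "00-11-22-33-44-55:BYOD-Onboard", "Service-Type": 10},
    {"User-Name": "dave", "Called-Station-Id": "00-11-22-33-44-55:Guest-BYOD-Onboard", "Service-Type": 8},
]


def classify(requests, ssid: str, strict: bool = False):
    """Return the User-Names whose requests would land in the Onboard Provisioning service."""
    check = matches_onboard_service_strict if strict else matches_onboard_service
    return [r["User-Name"] for r in requests if check(r, ssid)]


if __name__ == "__main__":
    print(classify(REQUESTS, "BYOD-Onboard"))               # ['alice', 'dave']
    print(classify(REQUESTS, "BYOD-Onboard", strict=True))  # ['alice']
```

Note that "dave" is matched by ENDS_WITH because his SSID ends with the configured name; if you run several SSIDs with overlapping suffixes, use a rule that pins the whole SSID rather than its ending.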
Edit the Onboard Provisioning service.

In the Authentication Sources, select the repository against which you will authenticate users.

Save it.

Edit the Onboard Pre-Auth service.

In the Authentication Sources, select the repository against which you will authenticate users.

Save it.

On OmniVista on-prem with CPPM as a Radius Server and UPAM as Proxy

Configure the Access Role Profile with Walled Garden and Captive Portal Attributes.

Step 1 - Go to Unified Access > Template > Access Role Profile.

Click on +/Add.

In the Walled Garden section, add the Clearpass domain in the Allowlist Domains.

Notes
The Walled Garden only works with an FQDN, which lets the endpoint reach the Portal Page.

In the Captive Portal Attributes section:

Select External as the Captive Portal Auth.

Enter the FQDN of Clearpass as the Portal Server.

Enter your CPPM captive portal URL as the Redirect-URL.

In AAA Server Profile, select Add New to create a new AAA server profile.

In the Authentication Servers > Captive Portal section, add UPAMRadiusServer as the Captive Portal Primary.

Scroll down and click on Create.

Back on the Access Role Profile creation, select the AAA Server profile that you created.

Scroll down and click on Create.

Back on the Access Role Profile menu, select your Access Role Profile and click on Apply to Devices.

Add your VLAN, select the desired AP groups, then click Apply.

Create an SSID

Step 2 - Go to WLAN > SSIDs > WLAN Service (Expert).

Click on +/Add.

After naming your SSID, go to the Security section.

Select “Enterprise” as the Security Level.

In the AAA Profile, select the profile previously created in step 1.

In Default Access Role Profile, select the ARP previously created in step 1.

Scroll down and click on Create.

Create an Access Policy and an Authentication Strategy

Step 3 -> Go to UPAM > Authentication > Access Policy.

Click on +/Add.

Add a Policy Name and create the following Mapping Condition with a Basic Attribute:

Attribute -> SSID
Operator -> Equals
Value -> *YourSSIDName*

Add the condition.

In the Authentication Strategy section, click on Add New.

On the Authentication Strategy menu, select External Radius as the Authentication Source, and your Clearpass Server as the External Radius.

Back on the Access Policy menu, in the Authentication Strategy section, click on the Authentication Strategy created above.

Click on Create.

Conclusion
This application note has provided a comprehensive guide to integrating Alcatel-Lucent Enterprise network solutions with Aruba Clearpass Policy Manager.
Starting with an overview of the purpose and solution, we covered the OmniVista NMS and UPAM introductions, followed by hardware and software considerations. We then explored the environment setup, the addressing plan, and the necessary device and software configurations. Throughout the document, step-by-step instructions were provided for the various configurations, including wired and wireless authentication methods such as 802.1X and MAC authentication, as well as guest captive portal authentication. Additionally, scenarios such as posture, NAC roles for an SSID, and BYOD implementations on both CPPM and OmniVista on-premises were explained.
The scenarios described in this application note have been tested and validated in the lab environment described above.
By following the guidelines outlined in this document, users can integrate and manage their network infrastructure with security and efficiency.

Support
For technical assistance regarding Alcatel-Lucent Enterprise network solutions,
please visit the ALE Technical Knowledge Center. Here, you can browse articles to
troubleshoot reported issues or reach out to the support team for assistance.

URL : https://myportal.al-enterprise.com

The Alcatel-Lucent Enterprise product documentation relevant to these Application Notes can be found at https://www.spacewalkers.com