Ale Network Solutions Aruba Clearpass Interop Implementation en
Introduction
Purpose
The purpose of this document is to provide a comprehensive guide on how to implement OmniVista NMS, OmniSwitch and OmniAccess Stellar with Aruba ClearPass Policy Manager. This guide walks you through the step-by-step process of integrating these systems, highlighting the configurations and settings needed for a successful implementation. By following the instructions outlined in this document, you will be able to integrate OmniAccess Stellar and OmniSwitch with Aruba ClearPass, enabling you to effectively manage and secure your network infrastructure.
Solution Overview
Global Knowledge
802.1x is a standard for network access control that provides an authentication
mechanism for devices attempting to connect to a network. 802.1x uses an
authentication server, such as a Radius server, to authenticate users or devices
before granting access to the network. This ensures that only authorized devices
are allowed onto the network and helps to prevent unauthorized access and
security breaches.
Posture assessment, also known as endpoint security posture assessment, is the
evaluation of the security status or health of a device (e.g., computer,
smartphone) that is attempting to connect to a network. It ensures that the device
meets the security requirements and complies with the organization's policies
before granting access.
Authentication Access Policies are used to define the mapping conditions for an
Authentication Strategy. Through Access Policy configuration, authentication
strategy can be applied to different user groups, which can be divided by SSID or
other attributes.
Access Role Profile can be applied to users when they connect to the network. An
Access Role Profile can contain a Policy List with security and QoS policies.
Unified Policies are QoS Policies that can be applied to both wireline and wireless
devices. Unified Policies are created using a wizard that guides you through each of the
steps needed to create the Policy and apply the Policy to devices in the network.
Access Auth Profile enables you to assign a predefined UNP port configuration to a
port or linkagg, or to specify them individually on each port to enable UNP port status
and set the parameters for the authentication process for the port. The Access Auth
Profile configures 802.1X and MAC authentication for both wired and wireless devices,
Access Classification, and the default AAA Server and/or UNP Profile to be used once a
user is authenticated.
AAA Server Profiles are used to define specific AAA parameters that can be used in an
Access Auth Profile or Captive Portal Profile.
Bring Your Own Device (BYOD): ALE OmniSwitch and OmniAccess Stellar can leverage their built-in functionality together with the ClearPass Policy Manager (CPPM) to provide the overall BYOD solution. BYOD allows a wired guest, device, or authenticated user to connect to the network through a captive portal, using the CPPM for unified authentication.
OmniVista Network Management System introduction
UPAM introduction
The Alcatel-Lucent OmniVista Unified Policy Authentication Management module
is a unified access management platform for Alcatel-Lucent OmniSwitch Ethernet
switches, and Alcatel-Lucent OmniAccess Stellar access points. OmniVista UPAM
includes both a captive portal and a RADIUS server and can implement multiple
authentication methods such as MAC authentication, 802.1x authentication, and
captive portal authentication. Users can authenticate against the UPAM local
database or against external databases including Microsoft Active Directory, LDAP,
and external RADIUS. The OmniVista UPAM customizable captive portal can
implement flexible authentication strategies for Guest and BYOD users with
integrated credential management through email, SMS and social login (for
example, Facebook, Google, WeChat and Rainbow™ by Alcatel-Lucent Enterprise).
Hardware                 Software
AP 1301                  4.0.7.14
OmniVista 2500           4.8R1 GA (Build 40)
Aruba ClearPass          CPPM-VM-x86_64-6.11.1.251304
Windows 10 (client)      Latest
Windows Server 2016      Latest
Environment
For the purpose of creating this document, the following network configuration was used.
Addressing plan
NAME                     IP               MASK            GATEWAY          PortGroups
OV2500 (Management)      192.168.125.100  255.255.255.0   192.168.125.253  VLAN 125
OV2500 (Captive Portal)  192.168.125.100  255.255.255.0   192.168.125.253  VLAN 125
Aruba ClearPass (Mgmt)   192.168.125.150  255.255.255.0   192.168.125.253  VLAN 125
Aruba ClearPass (Data)   192.168.123.150  255.255.255.0   192.168.123.254  VLAN 123
Windows 10               DHCP             DHCP            DHCP             Untag
Windows Server 2016      192.168.125.110  255.255.255.0   192.168.125.253  VLAN 125
OS6860                   192.168.125.253  255.255.255.0   192.168.125.253  VLAN 125
This section provides the steps for configuring the ALE devices to work with Aruba ClearPass.
Two approaches are available for authenticating users through Aruba ClearPass with ALE products. The first uses OmniVista UPAM as a proxy that forwards the RADIUS requests from the access point or switch to Aruba ClearPass, with the UPAM IP address presented as the NAS-IP. This option can only be implemented with the on-prem version of OmniVista.
The second is to use Aruba ClearPass directly, without UPAM. This works with both the on-prem and the cloud version of OmniVista.
The difference between the two options is that without proxying the requests, every device must be managed in Aruba ClearPass, whereas with proxying only OmniVista needs to be configured in Aruba ClearPass. Another benefit of using UPAM as a proxy, apart from not having to register the ALE devices on ClearPass, is that you get access to some RADIUS monitoring that is useful for troubleshooting.
In this document both ways are detailed for the main use cases, but the focus is on configuring the solution with UPAM as a proxy. You will find the configuration for authenticating directly on Aruba ClearPass, and in the OV on-prem sections how to do it with UPAM as a proxy.
Prerequisite configuration
Adding a Network Access Device on CPPM
A Network Access Device (NAD) must belong to the global list of devices in the
ClearPass database in order to connect to ClearPass.
Notes
Since OmniVista acts as a proxy for the Stellar APs, adding it as a Network Device is sufficient. If, however, you do not want to use OV on-prem and UPAM as a RADIUS proxy, you will need to add your OmniAccess Stellar access points and OmniSwitches separately.
In order to use ClearPass with OV on-prem and UPAM as a RADIUS proxy, the ClearPass platform must be added to OV on-prem as an external RADIUS server.
Add a new External radius server on OV on-prem
Wired authentication
On CPPM
Step 1 -> Go to Configuration > Services. Click on +/Add. Select Authentication sources; in this case we selected the local User repository from CPPM.
On OmniVista on-prem
Click on +/Add. In Authentication Strategy, for Radius Server select ClearPass. Click on Create.
Step 2 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile. Click on +/Add. Click on Create.
Step 3 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile. Click OK.
Notes
You can enable Port-bounce in step 2. This feature is required to handle scenarios where a client is moved from one VLAN to another after a CoA.
with CPPM as a Radius Server and UPAM as a proxy radius
Click on +/Add. In Authentication Strategy, for Radius Server select ClearPass. Click on Create.
Step 2 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile. Click on +/Add. Click on Create.
Step 3 -> Go to Unified Access > Unified Profile > Template > Access Auth Profile. Click OK.
Step 4 -> Go to UPAM > Authentication > Authentication Strategy. Click on +/Add.
Step 5 -> Go to UPAM > Authentication > Access Policy. Click on +/Add. Add the condition Attribute: NAS-IP-Address, Operator: Equals, Value: *Switch IP*. In Authentication Strategy select the Strategy created in step 4. Click on Create.
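The proxy behaviour described earlier in this section (UPAM forwarding the switch's RADIUS request to ClearPass while presenting its own IP as NAS-IP) and the Access Policy of step 5 (selecting the Authentication Strategy by NAS-IP-Address), modelled as an added Python example. This is illustration code, not part of this application note and not ALE or Aruba code. It assumes a PAP-style User-Password attribute so that the re-hiding of the password under the upstream shared secret (RFC 2865 section 5.2) can be shown; an 802.1x exchange carries EAP instead. The IP addresses are taken from the addressing plan above; the shared secrets, user name and password are constructed values.

```python
"""Toy model of UPAM as a RADIUS proxy in front of ClearPass (added example, not vendor code)."""
import hashlib
import ipaddress
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, request authenticator

# Addresses from the addressing plan of this document; secrets used later are constructed.
SWITCH_IP = "192.168.125.253"  # OS6860, the NAD sending the request
UPAM_IP = "192.168.125.100"    # OV2500 / UPAM, the proxy
# Access Policy: (NAS-IP-Address value, Authentication Strategy to apply)
ACCESS_POLICIES = [(SWITCH_IP, "ClearPass")]


def ip_bytes(ip):
    """Packed 4-byte form carried inside the NAS-IP-Address attribute."""
    return ipaddress.IPv4Address(ip).packed


def build_packet(code, identifier, authenticator, attrs):
    """Serialise a RADIUS packet from a list of (type, value) attributes."""
    body = b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def parse_packet(data):
    """Parse the header and the TLV attributes, rejecting inconsistent lengths."""
    code, identifier, length, authenticator = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], HEADER.size
    while pos < length:
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return code, identifier, authenticator, attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def nas_ip_of(attrs):
    """Dotted NAS-IP-Address of a parsed request, or None if absent."""
    for t, v in attrs:
        if t == ATTR_NAS_IP_ADDRESS and len(v) == 4:
            return str(ipaddress.IPv4Address(v))
    return None


def select_strategy(nas_ip, policies=ACCESS_POLICIES):
    """Access Policy evaluation: first policy whose NAS-IP-Address Equals condition holds."""
    for ip, strategy in policies:
        if nas_ip is not None and ipaddress.ip_address(nas_ip) == ipaddress.ip_address(ip):
            return strategy
    return None  # no policy matched, so the request is not forwarded to ClearPass


def proxy_forward(packet, nad_secret, upstream_secret, proxy_ip, rng=os.urandom):
    """Rewrite an Access-Request for the upstream server: fresh authenticator,
    password re-hidden with the upstream secret, proxy IP as NAS-IP-Address."""
    code, identifier, authenticator, attrs = parse_packet(packet)
    if code != CODE_ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied here")
    new_auth = rng(16)
    forwarded = []
    for t, v in attrs:
        if t == ATTR_USER_PASSWORD:
            clear = reveal_password(v, nad_secret, authenticator)
            v = hide_password(clear, upstream_secret, new_auth)
        elif t == ATTR_NAS_IP_ADDRESS:
            v = ip_bytes(proxy_ip)
        forwarded.append((t, v))
    return build_packet(code, identifier, new_auth, forwarded)
```

The point for the configuration above is visible in `select_strategy`: the Access Policy only matches the exact NAS-IP-Address of the switch, so a request from a NAD whose IP is not listed gets no strategy and never reaches ClearPass, and a request that does match is forwarded with the UPAM address in NAS-IP-Address, which is why only OmniVista needs to exist as a Network Device on CPPM.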
Step 1 -> Go to Configuration > Services. Click on +/Add. Add the 2 following conditions. Select Authentication sources; in this case we selected the User repository from CPPM.
On OmniVista on-prem
Click on +/Add. In Authentication Strategy, for Radius Server select ClearPass.
Create a SSID and an Authentication Strategy
Click on +/Add. In Authentication Strategy, for Radius Server select UPAMRadiusServer.
Go to Configuration > Services. Click on +/Add. Keep the 3 generic conditions.
On OmniVista on-prem
Click on +/Add.
OmniAccess Stellar with CPPM and UPAM as Proxy Radius Server
Create a SSID
Click on +/Add.
OmniAccess Stellar guest captive portal authentication with CPPM and UPAM as a proxy
On CPPM
Submit URL: https://cportal.al-enterprise.com/login
Authentication: Anonymous – Do not require a username or password
Create a service for Guest Access
Go to Configuration > Services. Click on +/Add. In Authentication
On OmniVista on-prem
Configure the Access Role Profile with Walled Garden & Captive portal Attributes. Go to Unified Access > Template > Access Role Profile. Click on +/Add.
Notes
The Walled Garden only works with FQDNs; it is what lets the endpoint reach the Portal Page.
In Authentication Servers > Captive Portal section add UPAMRadiusServer as the Captive Portal Primary.
Add your VLAN and select the desired AP groups, then Apply.
Create a SSID
Click on +/Add. Click on +/Add. Add the condition. In the Authentication Strategy section click on Add New.
On the Authentication Strategy menu
In the Authentication Strategy section click on your Authentication Strategy created above. Click on Create.
Postures
On CPPM
Step 1 -> Go to Configuration > Enforcement > Profiles. Click on +/Add. Enforcement Profile for Employee. Click on +/Add. Enforcement Profile for Quarantine.
Step 2 -> Go to Configuration > Enforcement > Policies. Click on +/Add. Create an Enforcement Policy for Posture enforcement.
First rule
Condition: (Tips:Role EQUALS [User Authenticated]) AND (Tips:Posture NOT_EQUALS HEALTHY (0))
Action: Employee-Profile
Second rule
Condition: (Tips:Role EQUALS [User Authenticated]) AND (Tips:Posture NOT_EQUALS HEALTHY (0))
Action: *Quarantine-profile name*
Click on +/Add. Create an Enforcement Policy for Terminating session.
First rule
Condition: (Tips:Posture EQUALS HEALTHY (0))
Action: Terminate Session
Second rule
Condition: (Tips:Posture NOT_EQUALS HEALTHY (0))
Action: Terminate Session
Click on +/Add.
Step 4 -> Go to Configuration > Services. Click on +/Add.
Lastly, create another service for 802.1x Wireless or Wired. Click on +/Add.
Notes
All the ClearPass OnGuard installers for your devices can be found under Administration » Agents and Software Updates » OnGuard Settings » Installers.
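The two enforcement policies above, run through an added Python model of ClearPass's first-applicable rule evaluation. This is example code, not Aruba's, and it makes one assumption: that the first posture rule is meant to read Tips:Posture EQUALS HEALTHY (0), since as printed both rules carry the same NOT_EQUALS condition. The posture token UNKNOWN (100) used in the sample requests is a constructed value. The model shows why the first rule's condition matters: with both rules on NOT_EQUALS, an unhealthy endpoint receives the Employee profile and the quarantine rule can never fire.

```python
"""First-match evaluation of an enforcement policy (added example, not Aruba code)."""

HEALTHY = "HEALTHY (0)"
AUTHENTICATED = "[User Authenticated]"


def condition_holds(actual, operator, expected):
    """One condition of a rule: attribute value compared with the rule's operator."""
    if operator == "EQUALS":
        return actual == expected
    if operator == "NOT_EQUALS":
        return actual != expected
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate(rules, request, default=None):
    """rules: list of (conditions, action); conditions are (attribute, operator, value)
    triples that are ANDed. The first rule whose conditions all hold wins."""
    for conditions, action in rules:
        if all(condition_holds(request.get(a), op, v) for a, op, v in conditions):
            return action
    return default


def unreachable_rules(rules, sample_requests):
    """Indices of rules that never fire for any of the sample requests,
    i.e. rules shadowed by an earlier rule or never matched at all."""
    fired = set()
    for request in sample_requests:
        for idx, (conditions, _action) in enumerate(rules):
            if all(condition_holds(request.get(a), op, v) for a, op, v in conditions):
                fired.add(idx)
                break
    return [i for i in range(len(rules)) if i not in fired]


# Posture policy as the section intends (assumption: rule 1 checks EQUALS HEALTHY).
POSTURE_POLICY = [
    ([("Tips:Role", "EQUALS", AUTHENTICATED), ("Tips:Posture", "EQUALS", HEALTHY)], "Employee-Profile"),
    ([("Tips:Role", "EQUALS", AUTHENTICATED), ("Tips:Posture", "NOT_EQUALS", HEALTHY)], "Quarantine-Profile"),
]
# The same policy with rule 1 as printed in the section (NOT_EQUALS on both rules).
POSTURE_POLICY_AS_PRINTED = [
    ([("Tips:Role", "EQUALS", AUTHENTICATED), ("Tips:Posture", "NOT_EQUALS", HEALTHY)], "Employee-Profile"),
    ([("Tips:Role", "EQUALS", AUTHENTICATED), ("Tips:Posture", "NOT_EQUALS", HEALTHY)], "Quarantine-Profile"),
]
# Session-termination policy from the section: any posture result ends the session.
TERMINATE_POLICY = [
    ([("Tips:Posture", "EQUALS", HEALTHY)], "Terminate Session"),
    ([("Tips:Posture", "NOT_EQUALS", HEALTHY)], "Terminate Session"),
]

# Constructed sample requests covering a healthy, an unhealthy and a non-employee endpoint.
SAMPLE_REQUESTS = [
    {"Tips:Role": AUTHENTICATED, "Tips:Posture": HEALTHY},
    {"Tips:Role": AUTHENTICATED, "Tips:Posture": "UNKNOWN (100)"},
    {"Tips:Role": "[Guest]", "Tips:Posture": HEALTHY},
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, "->", evaluate(POSTURE_POLICY, request, default="no rule matched"))
    print("unreachable rules as printed:", unreachable_rules(POSTURE_POLICY_AS_PRINTED, SAMPLE_REQUESTS))
```

Running `unreachable_rules` over a handful of representative requests is a cheap sanity check to apply to any enforcement policy before pushing it to a service: a rule index that comes back as unreachable is either shadowed by an earlier rule or has a condition that can never be met.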
On OmniVista on-prem
Go to Unified Access > Template > Access Role Profile. Click on +/Add. Select the devices on which you want to push the configuration. Click on Apply.
Create an Identity Role, Enforcement Profile, Enforcement Policy and configure your Service
Go to ClearPass > Configuration > Identity > Roles. Click on +/Add.
Go to ClearPass > Configuration > Enforcement > Profiles. Click on +/Add. Save it.
Go to ClearPass > Configuration > Enforcement > Policies. Click on +/Add.
Go to ClearPass > Configuration > Services.
On OmniVista on-prem
Go to Unified Access > Template > Access Role Profile. Click on +/Add.
BYOD
On CPPM
Configure an Onboard Authentication Method
Click on +/Add. Create an authentication method with type EAP-TLS.
Configure Onboard Configuration Profile
Configure the Onboard service
Once the service is created, ClearPass automatically creates and adds the Enforcement Profiles, Enforcement Policies, the Role Mapping Policies and the 3 services that we will need. Under ClearPass Policy Manager > Configuration > Services you can now see the 3 services that have been added.
In the Authentication section, remove the method [EAP PEAP Without Fast Reconnect] and add the Authentication Method created in Step 2. In the Authentication Sources select the repository against which you will authenticate users. Save it.
Edit the Onboard Provisioning service. In the Authentication Sources select the repository against which you will authenticate users. Save it.
Edit the Onboard Pre-Auth service. In the Authentication Sources select the repository against which you will authenticate users. Save it.
On OmniVista on-prem
Configure the Access Role Profile with Walled Garden & Captive portal Attributes.
Click on +/Add.
Notes
The Walled Garden only works with FQDNs; it is what lets the endpoint reach the Portal Page.
In AAA Server Profile select Add New. Create a new AAA server profile. In Authentication Servers > Captive Portal section add UPAMRadiusServer as the Captive Portal Primary.
Create a SSID
Click on +/Add. Click on +/Add. In the Authentication Strategy section click on Add New.
On the Authentication Strategy menu
In the Authentication Strategy section click on your Authentication Strategy created above. Click on Create.
Conclusion
In conclusion, this application note has provided a comprehensive guide to integrating Alcatel-Lucent Enterprise network solutions with Aruba ClearPass Policy Manager.
Starting with an overview of the purpose and solution, we covered the OmniVista NMS and UPAM introductions, followed by the hardware and software used. We then described the environment setup, the addressing plan, and the necessary device and software configurations. Throughout the document, step-by-step instructions were provided for the various configurations, including wired and wireless authentication methods such as 802.1x and MAC authentication, as well as guest captive portal authentication. Additionally, scenarios such as postures, NAC roles for SSIDs, and BYOD implementations on both CPPM and OV on-premises were explained.
The scenarios described in this application note have been tested and validated.
By following the guidelines outlined in this document, users can confidently integrate and manage their network infrastructure, ensuring security and efficiency in their operations.
Support
For technical assistance regarding Alcatel-Lucent Enterprise network solutions,
please visit the ALE Technical Knowledge Center. Here, you can browse articles to
troubleshoot reported issues or reach out to the support team for assistance.
URL: https://myportal.al-enterprise.com