Configuring Policy via Interfacing with Aruba ClearPass
Introduction
Document Number
ENG-010592
Purpose
Aruba ClearPass is a software package providing policy management to control network access. The purpose of this document is to explain how to configure and administer the Tellabs OLAN system to interface with Aruba ClearPass.
Applies To
This document applies to all Tellabs OLAN systems running OLT SR29.2 and EMS SR30.0 or above. Earlier releases do not fully support Aruba ClearPass and are limited to simple access via 802.1X. Aruba ClearPass 6.7.3 or above is recommended.
Enforcing Policy on OLAN using Aruba ClearPass

Aruba ClearPass is an application that can characterize devices that are discovered on the network and apply policies based on rule sets. This allows more consistent application of policy across the network. It also allows application of policy based on the user login or device type which allows for dynamic configuration and allocation of resources in real time.
The OLAN PAE (Port Authentication Entity) interfaces with Aruba ClearPass using two protocols:
- RADIUS - Remote Authentication Dial In User Service. This interface allows a switch to transparently forward credentials from a user to the RADIUS server for authentication. The RADIUS server either grants access with an Access-Accept or denies it with an Access-Reject. RADIUS also supports a mechanism to pass back the name of the policy to apply to the port via the Filter-Id attribute.
- CoA - Change of Authorization is an extension to the RADIUS protocol (RFC 5176) that allows additional updates to a port. Plain RADIUS is only triggered by authentication requests and cannot send updates to the port in real time; CoA allows the server to update the port at any time.
CoA, available in SR29.2 and above, supports the following messages for additional control:
- Session Re-authentication - Force re-authentication of a port.
- Session Termination - Terminates a user's session immediately. RADIUS alone can only terminate a user when the port re-authenticates after the re-authentication timeout.
- Session Termination with Port Shutdown - Terminate the session and shut off the port afterwards. This prevents further access from that port after the session is terminated; an administrator must manually set the port admin state up before it can be used again. This can be used in highly secure areas to prevent further attempts to access the port.
- Session Termination with Port Bounce - Terminate the session and disable/re-enable the port to restart authentication with a new session.
- Session Policy Push - CoA can push a new policy to a port at any time. This allows changes to take effect immediately rather than waiting for the port's next re-authentication attempt.
- Session Re-authentication with rerun - Force re-authentication running the configured authentication method from the beginning. This is not supported by Tellabs in the current release.
- Session Re-authentication with last - Force re-authentication using the last successful authentication method. This is not supported by the Tellabs system in the current release.
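The two CoA message types behind Session Termination and Session Policy Push, shown as an added example in Python. This is not code from the Tellabs note or from ClearPass; it frames RFC 5176 Disconnect-Request and CoA-Request packets with standard attributes only and computes and checks the Request and Response Authenticators on both sides. The shared secret, session identifiers, NAS address and the Filter-Id value are constructed for the example. The Tellabs-specific actions (re-authenticate, port bounce, port disable) are carried in Tellabs vendor-specific attributes from the Tellabs RADIUS dictionary, whose values this page does not give, so they are not encoded here.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard attribute types and enumerated values used below (RFC 2865, 2866, 5176)
USER_NAME, NAS_IP_ADDRESS, FILTER_ID, SESSION_TIMEOUT = 1, 4, 11, 27
TERMINATION_ACTION, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 29, 31, 44, 101
TERMINATION_ACTION_RADIUS_REQUEST = 1      # re-authenticate when Session-Timeout expires
ERROR_CAUSE_SESSION_CONTEXT_NOT_FOUND = 503

HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def encode_attr(atype, value):
    """Type-Length-Value: str as text, int as 32-bit big-endian, bytes as given."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([atype, len(value) + 2]) + value


def decode_attrs(packet):
    """[(type, raw value)] for the attributes after the header; rejects bad lengths."""
    attrs, pos = [], HEADER.size
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _digest(code, identifier, length, auth_field, body, secret):
    return hashlib.md5(HEADER.pack(code, identifier, length, auth_field) + body + secret).digest()


def build_request(code, identifier, secret, attrs):
    """CoA-Request / Disconnect-Request from the server (ClearPass) to the NAS (OLT).
    Request Authenticator = MD5(packet with zeroed authenticator || secret), RFC 5176 2.3."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    length = HEADER.size + len(body)
    return HEADER.pack(code, identifier, length,
                       _digest(code, identifier, length, bytes(16), body, secret)) + body


def verify_request(packet, secret):
    """NAS-side check. A NAS that skips it will act on a forged Disconnect-Request
    from any host able to spoof the server's source address."""
    if len(packet) < HEADER.size:
        return False
    code, identifier, length, auth = HEADER.unpack_from(packet)
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = _digest(code, identifier, length, bytes(16), packet[HEADER.size:], secret)
    return hmac.compare_digest(expected, auth)


def build_response(code, request, secret, attrs=()):
    """ACK or NAK from the NAS. The Response Authenticator is computed over the
    Request Authenticator, which binds the reply to the request it answers."""
    _, identifier, _, req_auth = HEADER.unpack_from(request)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    length = HEADER.size + len(body)
    return HEADER.pack(code, identifier, length,
                       _digest(code, identifier, length, req_auth, body, secret)) + body


def verify_response(request, response, secret):
    """Server-side check that a reply is a genuine ACK/NAK for the request sent."""
    if len(response) < HEADER.size:
        return False
    code, identifier, length, auth = HEADER.unpack_from(response)
    req_code, req_id, _, req_auth = HEADER.unpack_from(request)
    if length != len(response) or identifier != req_id or code not in (req_code + 1, req_code + 2):
        return False
    expected = _digest(code, identifier, length, req_auth, response[HEADER.size:], secret)
    return hmac.compare_digest(expected, auth)


# Constructed sample values for the example; not from a real deployment.
SECRET = b"example-shared-secret"
SESSION = [(USER_NAME, "aabbccddeeff"), (CALLING_STATION_ID, "AA-BB-CC-DD-EE-FF"),
           (ACCT_SESSION_ID, "000001A7"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]


def session_terminate(identifier=1):
    """Session Termination: a Disconnect-Request naming the session to drop."""
    return build_request(DISCONNECT_REQUEST, identifier, SECRET, SESSION)


def session_policy_push(filter_id, identifier=2, session_timeout=3600):
    """Session Policy Push: a CoA-Request carrying the new policy in Filter-Id, with the
    Session-Timeout / Termination-Action pair an Access-Accept would also carry."""
    attrs = SESSION + [(SESSION_TIMEOUT, session_timeout),
                       (TERMINATION_ACTION, TERMINATION_ACTION_RADIUS_REQUEST),
                       (FILTER_ID, filter_id)]
    return build_request(COA_REQUEST, identifier, SECRET, attrs)


def filter_ids(packet):
    """Filter-Id strings in a packet (the policy names the PAE would apply to the port)."""
    return [v.decode() for t, v in decode_attrs(packet) if t == FILTER_ID]
```

The NAS-side verify_request check is what makes it safe to open CoA port 3799 on the OLT: without it, any host that can spoof the ClearPass source address can terminate sessions or push policy. Both authenticators are MD5 digests keyed only by the shared secret, so the secret must be long and random; RFC 5176 also allows the Message-Authenticator attribute (HMAC-MD5 over the packet), which this example does not add.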
Additional general information on RADIUS authentication, support and configuration can be found in the AppNote ENG-010428 Configuring Policy Via RADIUS Authentication. This document explains the basic operation of RADIUS and how to use RADIUS to distribute policy via the RADIUS FILTER-ID attribute.
The following table outlines the Tellabs OLAN product support for Aruba ClearPass Features:

Aruba ClearPass and Wireless End Points
Aruba ClearPass has two authentication models, one is Server based, the other is Controller based. In the case of Wireless Access Points, the authentication is typically between ClearPass and the AP. Tellabs simply passes the packets through and is not involved in the authentication process. The rest of this document addresses Wired Port configurations where Tellabs is involved in the Port Authentication.
Aruba ClearPass Configuration for Tellabs OLAN
Aruba ClearPass documentation should always be consulted first for the latest information about configuration of ClearPass features. This section shows one example of how to configure ClearPass to interoperate with Tellabs OLAN and only details the components that are unique to Tellabs OLAN. It does not cover full configuration of Aruba ClearPass; the Aruba manuals and documentation should be consulted for that.
Import Tellabs RADIUS Dictionaries
In later versions of Aruba ClearPass, major release 6.8, the Tellabs Dictionary will be included. If your Aruba ClearPass instance does not include the Tellabs RADIUS Dictionary, it will need to be imported.
The RADIUS Dictionary and support files if needed can be downloaded here:
Tellabs Aruba Dictionary and Support Files
The user can determine if the Tellabs Dictionary is loaded by looking at:
Administration->Dictionaries->Radius then look for Tellabs

If the Tellabs entry is missing, then the Tellabs RADIUS Dictionary will need to be added. It can be downloaded from the link above.
If required, click on the Import button, choose the Tellabs-RadiusDictionary.xml file that was downloaded and add it to Aruba ClearPass. The user should then see the Tellabs dictionary listed.
Import RADIUS CoA Templates
In later versions of Aruba ClearPass, major release 6.8, the Tellabs CoA Templates will be included. If your Aruba ClearPass instance does not include the Tellabs CoA Templates, they will need to be imported. You can determine if the Tellabs RADIUS CoA templates are loaded by looking at:
Administration->Dictionaries->Radius CoA Templates
Under the Administration->Dictionaries->Radius CoA Templates, click on Import and then Import the file:

The user should import the following files:
- RadiusCoATemplate-Tellabs-DisableSwitchPort.zip
- RadiusCoATemplate-Tellabs-BounceSwitchPort.zip
- RadiusCoATemplate-Tellabs-ReauthenticateSession.zip
- RadiusCoATemplate-Tellabs-TerminateSession.zip
Each file, per ClearPass standard procedure, is password protected; the password can be found in the file RADIUSCoATemplates-Password.txt and defaults to Tellabs-1.
Radius CoA Bounce Switch Port

Radius CoA Disable Switch Port

Radius CoA Reauthenticate Session

Radius CoA Terminate Session

Set Up Authentication Sources
Consult ClearPass documentation on how to set up Authentication sources and connect them to active directory. An example is shown below. This menu is reached via:
Configuration->Authentication->Sources->Add

Creation of Network Device for Tellabs OLAN
A Network Device needs to be created for each Tellabs OLT that will be managed.
Go to Configuration->Network->Devices and click the Add button


Edit the following fields:
- Name: Name for the Tellabs OLAN OLT
- IP or Subnet Address: Enter the IP address of the Tellabs OLT
- Radius Shared Secret: Enter the shared secret used when performing RADIUS authentications. The same shared secret must be placed into the Tellabs OLT configuration. Use a long random secret unique to each OLT; the RADIUS and CoA authenticators are MD5 digests keyed only by this secret, so it is the only thing protecting them.
- TACACS+: Tellabs does not currently support TACACS+ and so this should be left blank.
- Vendor Name: Select Tellabs from the dropdown. If it does not appear, ensure you have imported the Tellabs RADIUS Dictionary files as shown above.
- Enable RADIUS CoA: Click this to enable CoA.
- RADIUS CoA Port: Use the default port of 3799
- No Custom Attributes are needed.

Go to the SNMP Read Settings and configure the following settings:
- Allow SNMP Read: Click to enable reading of SNMP Data from the OLT.
- SNMP Read Setting: Set for SNMPv2 with Community Strings, or SNMPv3 with SHA and Privacy. Tellabs supports both v2 and v3. Prefer SNMPv3 with authentication and privacy where possible, since SNMPv2c community strings travel in cleartext.
- Community String: Enter the community string that you will use to configure SNMP on the OLT.
- Force Read: Check to always Read information from this device.
- Read ARP Table Info: Leave this unchecked as the OLT currently does not support this table.

- Allow SNMP Write: Check to Enable Policy Manager to Perform SNMP Write operations.
- Default VLAN: Add the Management VLAN
- SNMP Write Setting: Set for SNMPv2 with Community Strings, or SNMPv3 with SHA and Privacy. Tellabs supports both V2 and V3.
- Community String: Set the Community String that you will set in the OLT on the SNMP settings. Ensure they agree to allow SNMP access.
Press the Save button to Save the device and repeat for any other OLTs you wish to add.
Creation of Network Device Group for Tellabs OLAN
A Network Device Group needs to be created for the Tellabs OLAN system. After the Network Device Group is created, Tellabs OLTs can be added to it.
You can reach this menu via Configuration->Network->Device Groups
Then Press the Add button to create the group.

The following fields should be edited:
- Name: Tellabs OLAN
- Description: Tellabs OLAN
- Format: List
- Add the Tellabs OLAN OLTs that appear in the list to the group.
Save and close the dialog.
Creation of Enforcement Profiles
Under Configuration->Enforcement->Profiles, you need to create enforcement profiles, which define a set of RADIUS attributes that can later be used in Enforcement Policies to configure or take actions on the port.



The Profile above gives an example for a Data Service which sets the NAC profile for the data service and also assigns an ACL List to the port.
Click the Add button to add a new Profile and add the following Attributes:
- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- Filter-ID(NAC): You can typically set the NAC profile via one of two methods. You can set it explicitly, or you can use profile MATCH to do a search within the list of service profiles for a NAC profile associated with the port for a partial match. In this example, it will search the port for a default vlan service profile which starts with the text "DATA".
- Filter-Id(ACL): This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This allows setting ACLs on the port based on current state. In this example, it permits all traffic.
- Filter-Id(IFALIAS): This defines a data tag that will show up on the EMS for that dynamic connection when viewed. It allows an understanding of what has been assigned.
The following example shows how to set up an Enforcement Profile for a Phone:

Click Add to add a new Profile and add the following Attributes:
- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- Filter-ID: You can typically set the NAC profile via one of two methods. You can set it explicitly, or you can use profile MATCH to do a search within the list of service profiles for a NAC profile associated with the port for a partial match. In this example, it will search the port for a default vlan service profile which starts with the text "VOICE".
- Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This allows setting ACLs on the port based on current state. In this example, it is permitting all traffic.
The following example shows how to set up an Enforcement Profile for a Printer:

Click the Add button to add a new Profile and add the following Attributes:
- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- Filter-ID: You can typically set the NAC profile via one of two methods. You can set it explicitly, or you can use profile MATCH to do a search within the list of service profiles for a NAC profile associated with the port for a partial match. In this example, it will search the port for a default vlan service profile which starts with the text "PRINTER".
- Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This allows setting ACLs on the port based on current state. In this example, it is permitting all traffic.
The following section defines how to configure an Enforcement Profile for CoA Reauthenticate:

This defines the Tellabs attribute values that are needed to force the Tellabs RADIUS client to re-authenticate the user. This is used in Enforcement policies to force re-authentication. Re-authenticate does not bounce the port but just forces user re-authentication.
The following section defines how to configure an Enforcement Profile for CoA Port Bounce:

This defines the Tellabs Attribute values to force a Port Bounce. Port Bounce will cause the Ethernet port to go link down, then attempt to re-link. As a consequence, the user will also be re-authenticated.
The following Enforcement Profile defines how to perform a CoA Port Disable:

The CoA Port Disable will shut down the port and the port will remain down unless the AdminState is re-enabled on the EMS. This is often used to deny access to a port where a security violation has been detected.
The following Enforcement Profile defines how to perform a CoA Terminate-Session action:

The CoA Disconnect will terminate the session and return the port to an initial state. This is used to terminate a user’s access and force them to re-authenticate to gain access to the network.
Creation of Enforcement Policies
The Enforcement policies define conditions and actions to be applied to users.
The Enforcement Policies are reached via Configuration->Enforcement->Policies:

One example of a common policy might be to detect the vendor of a particular type of phone via the MAC address OUI and perform an action on it, in this case to assign an Enforcement Profile which assigned the VLAN and ACL list.

The user might also do the same thing for detection of printers:

The following example demonstrates how to assign an Enforcement Policy based on an authentication with a Microsoft Active Directory:

Creation of Services in ClearPass
Services in Clearpass define a set of conditions which when fully satisfied, associate an Enforcement Policy to the device.
Services are configured via Configuration->Services->Add.

An example of how to configure a wired MAB Service is shown below. MAB or MAC Authentication Bypass is used to authenticate devices using the MAC address as the authentication credentials. RADIUS will then either authorize or deny the port based on whether that MAC address is known.

When it is a MAB authentication, NAS-Port-Type is set to Ethernet, and Service Type is set to Call-Check. The RADIUS attribute User-Name is being used to get the client-mac-address for use by Clearpass.
A similar example is shown for wired printers:

The following example shows how to construct a service for authenticating a user on the network in the Tellabs Domain using Active directory:

A NAS-Port-Type of Ethernet identifies a wired port, and a Service-Type of Framed-User identifies a user authentication (as opposed to Call-Check for MAB), with User-Name carrying the user to be authenticated. The authentication method and source tell ClearPass where to authenticate the user. The Enforcement Policy "Tellabs compliant user" is assigned if authentication is successful.
Profiling Using Aruba Clearpass
Profiling uses information gleaned from DHCP attributes, such as device type, and additionally verifies that the MAC OUI matches the DHCP attributes that are sent. This allows ClearPass to identify the device and assign a role so that the appropriate profile can be applied upon re-authentication. ClearPass then uses a Port Bounce to force the device to re-authenticate and applies the proper policy to the device. On subsequent authentications the device is immediately recognized by MAC and assigned to the proper role and policy.
Creation of Roles
Once a device has been profiled, it is assigned a Role. In this example we use three Roles: DHCP is used during profiling, and IP Phone and Printer are used as the Roles once the type of device is recognized and its role assigned.
Creation of Role Mapping Policy
Once the Roles are created, the Roles need to be mapped using a Role Mapping Policy. Use the screen below to create the proper conditions and Role Assignments.

- IsProfiled: If an endpoint does not exist in the database, assign the Tellabs DHCP role.
- Category equals VoIP Phone: Once a device has been categorized as a VoIP Phone, then assign the Role of Tellabs IP Phone.
- Category equals Printer: Once a device has been categorized as a Printer, then assign the Role of Printers.
Creation of Enforcement Profiles
When a device comes on the network and is unknown due to not being in the Endpoints repository, it will be assigned the role of DHCP. The device is placed onto a VLAN and allowed to DHCP so that ClearPass can Profile based on the Attributes that are sent in the DHCP request along with the MAC Address. The following example shows how to set up a DHCP Profile:
- Session Timeout: The Session timeout along with the termination action define what to do after the session times out, and in this case to Re-authenticate.
- Termination Action: Set to RADIUS-Request
- Filter-ID: The PROFILE-MATCH DHCP will select the DHCP Service profile from the matching NAC profile and assign that VLAN to be used for the device to DHCP on the network. This VLAN is usually temporary and used just for the profiling action.
- Filter-Id: The ACL-LIMITED-ACCESS Filter-ID will limit the device's access on the network to just the DHCP server.
- Filter-Id: The IFALIAS being set to DHCP will set the User Label of the Port so that in the EMS, you can see the devices that are currently attempting to DHCP during the profiling process.
The following example shows how to set up an Enforcement Profile for a Phone. This will be used in a later step after the device is profiled:
- Termination Action: Set to RADIUS-Request
- Filter-ID: You can typically set the NAC profile via one of two methods. You can set it explicitly, or you can use profile MATCH to do a search within the list of service profiles for a NAC profile associated with the port for a partial match. In this example, it will search the port for a default VLAN service profile which starts with the text "VOICE".
- Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This allows setting ACLs on the port based on its current state. In this example, it is permitting all traffic.
The following example shows how to set up an Enforcement Profile for a Printer. This will be used in a later step after the device is profiled:
Click Add to add a new Profile and add the following attributes:
- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- Filter-ID: You can typically set the NAC profile via one of two methods. You can set it explicitly, or you can use profile MATCH to do a search within the list of service profiles for a NAC profile associated with the port for a partial match. In this example, it will search the port for a default vlan service profile which starts with the text "PRINTER".
- Filter-Id: This example also sets an ACL list on the port via the PROFILE-ACL qualifier. This allows setting ACLs on the port based on current state. In this example, it permits all traffic.
Creation of Enforcement Policies
The next step will create policies. In this example, a single policy is defined with three roles. The DHCP role is used during the early stages of profiling to gather the device data from its DHCP response. After profiling, the Printer or IP Phone roles are used for assigning Actions to be taken on devices with those roles.
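The wired service rules (NAS-Port-Type, Service-Type, User-Name), the role mapping policy (IsProfiled, Category) and the role-to-profile policy described above, written out as one added Python example. This is not ClearPass or Tellabs code; ClearPass evaluates these rules internally. The domain name, the endpoint records and the request attribute values are constructed for the example, and the Filter-Id strings follow the Profile-Match / Profile-ACL / TLAB:IFALIAS form used later on this page (confirm the exact syntax against ENG-010428 before use). One guard the GUI rules do not spell out is added as the security-relevant point: a MAB User-Name must equal the Calling-Station-Id, otherwise a client could present another device's MAC as its credential.

```python
import re

# RADIUS enumerated values used in the service rules (RFC 2865)
NAS_PORT_TYPE_ETHERNET = 15
SERVICE_TYPE_FRAMED_USER = 2
SERVICE_TYPE_CALL_CHECK = 10

# Assumed AD domain for the 802.1X service rule; substitute your own.
DOMAIN = "tellabs.example"

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """MAC as 12 lowercase hex digits (the NoDelim form used in the redirect URL),
    or None if the string is not a MAC in a common delimiter style."""
    cleaned = re.sub(r"[-:.]", "", (value or "").strip().lower())
    return cleaned if _MAC12.match(cleaned) else None


def user_domain(user_name):
    """Split user@domain or DOMAIN\\user into (user, domain), lowercased."""
    if "@" in user_name:
        user, _, dom = user_name.partition("@")
    elif "\\" in user_name:
        dom, _, user = user_name.partition("\\")
    else:
        user, dom = user_name, ""
    return user.lower(), dom.lower()


def select_service(req):
    """Apply the two wired service rule sets. Returns (service, reason); a service
    of None means no rule matched, which ClearPass treats as a reject."""
    if req.get("NAS-Port-Type") != NAS_PORT_TYPE_ETHERNET:
        return None, "not a wired port"
    user = req.get("User-Name", "")
    service_type = req.get("Service-Type")
    if service_type == SERVICE_TYPE_CALL_CHECK:            # MAB
        mac = normalize_mac(user)
        if mac is None:
            return None, "MAB User-Name is not a MAC address"
        if mac != normalize_mac(req.get("Calling-Station-Id")):
            # Guard added for the example: the MAB credential must be the calling
            # station's own address, or a client could claim another device's MAC.
            return None, "User-Name does not match Calling-Station-Id"
        return "Tellabs Wired MAB", "Call-Check from " + mac
    if service_type == SERVICE_TYPE_FRAMED_USER:           # 802.1X user authentication
        _, dom = user_domain(user)
        if dom != DOMAIN:
            return None, "user is not in domain " + DOMAIN
        return "Tellabs 802.1X Wired", "Framed-User in " + dom
    return None, "unsupported Service-Type"


def map_role(endpoint):
    """Role mapping for the MAB service: an endpoint not yet in the Endpoints
    repository gets the DHCP profiling role; profiled phones and printers get
    their own roles; everything else falls to the default role."""
    if not endpoint.get("known"):
        return "Tellabs DHCP"
    by_category = {"VoIP Phone": "Tellabs IP Phone", "Printer": "Printers"}
    return by_category.get(endpoint.get("category"), "Tellabs MAB")


# Enforcement profiles as Filter-Id values; the default role has none, so it is denied.
PROFILES = {
    "Tellabs DHCP": ["Profile-Match=DHCP", "Profile-ACL=LIMITED-ACCESS", "TLAB:IFALIAS=DHCP"],
    "Tellabs IP Phone": ["Profile-Match=VOICE", "Profile-ACL=PERMIT-ALL-TRAFFIC", "TLAB:IFALIAS=VOICE"],
    "Printers": ["Profile-Match=PRINTER", "Profile-ACL=PERMIT-ALL-TRAFFIC", "TLAB:IFALIAS=PRINTER"],
}


def enforce_mab(req, endpoint):
    """Service selection -> role mapping -> enforcement profile for one MAB request.
    Returns the Filter-Id list for the Access-Accept, or None for the Deny Access Profile."""
    service, _ = select_service(req)
    if service != "Tellabs Wired MAB":
        return None
    return PROFILES.get(map_role(endpoint))
```

Writing the rules out makes the failure paths visible: a Call-Check request whose User-Name is not the calling station's own MAC matches no service and is rejected, and an unknown endpoint never receives more than the DHCP profiling VLAN and the limited ACL until it has been profiled and re-authenticated after the port bounce.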
Creation of Service
The Service is used to match for endpoints of a certain type and assign Policy.

The following Service defines the service to be used for MAC Authenticated Devices.

- Type: MAC Authentication
- Status: Enabled
- Monitor Mode: Leave unchecked.
- More Options: Select Authorization, and Profile Endpoints
On the Authentication Tab select Allow all MAC Auth in the Select to Add Pulldown.
Under Authentication Sources, select Endpoints Repository Local SQL DB.

The Authorization Tab select the Authentication Source Endpoints repository.

Under the Roles Tab, create a role mapping policy by selecting Profiling in the Role Mapping Policy Dropdown. Also set the default role to Tellabs MAB, which will catch any devices that are not profiled as phones or printers.

In the Enforcement Tab, select Tellabs - Profiling as the Enforcement Policy.
The default profile will be Deny Access Profile which if the device can’t be profiled, or authenticated will deny access to the device.

In the Profiler tab, select the VoIP Phone and Printer as endpoint classifications.
Then select a RADIUS CoA action of Bounce Host Port. After profiling, this bounces the port, forcing re-authentication and assignment to the proper working VLAN.

This Access Tracker output shows the Tellabs Wired MAB Service profiling phones and printers, taking the endpoint from the initial DHCP state for an unknown endpoint to the final profile selected (in this case, Printer) based on the profile data learned.

Posturing Using Aruba Clearpass
Posturing is the process of checking the endpoint to see if it is healthy using the OnGuard agent before granting full access to the network. If the device is designated to not be healthy, network access will be limited.
This screen shows the OnGuard settings that were used for this example:

Installation of the OnGuard Agent onto the computer is out of scope for this document and can be done in many ways, such as manual install, or Windows Group Policy Object (GPO) Push. When manually installed, the link for the OnGuard agent can be found within ClearPass.

The following section will create the two services used to accomplish posturing:
- 802.1x Wired Service
- 802.1x Wired Posture Check Service
Create 802.1x Wired Service
Creation of Enforcement Profiles
The Enforcement Profile Tellabs Posture is used when an Endpoint is unknown to ClearPass. This is the profile that lets ClearPass begin the Posture Checks to find out whether the Endpoint is Healthy or Not Healthy.
Create an Enforcement Profile Tellabs Posture as follows:

- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- Profile-Match=DATA: Defines this to match the data profile which is typically used for PCs on the network.
- Profile-ACL=CPPM-POSTURE: Defines an Authorized MAC ACL that will be used during the posturing sequence.
- TLAB:IFALIAS=POSTURE-UNKNOWN: This will mark the port in the EMS with a UserLabel of POSTURE-UNKNOWN so that ports in this state can be seen.
The following Enforcement Profile is used when an Endpoint is found to be NONCOMPLIANT and should only have limited access to the network.

- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- Profile-Match=DATA: Defines this to match the data profile which is typically used for PCs on the network.
- Profile-ACL=LIMITED-ACCESS: Defines an ACL that limits access to a very few addresses in the network until the device reaches a Compliant state.
- TLAB:IFALIAS=POSTURE-NONCOMPLIANT: This will mark the port in the EMS with a UserLabel of POSTURE-NONCOMPLIANT so that ports in this state can be seen.
This Enforcement Profile will be used when a device is found compliant with all health checks by the OnGuard Endpoint Agent Posture Check.

- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- Profile-Match=DATA: Defines this to match the data profile which is typically used for PCs on the network.
- Profile-ACL=PERMIT-ALL-TRAFFIC: Defines an ACL that permits access to all the resources on the network.
- TLAB:IFALIAS=DATA: This will mark the port in the EMS with a UserLabel of DATA indicating the user is on the DATA VLAN and is compliant.
Creation of Enforcement Policies
The Enforcement Policy has three states where the Posture is either Unknown, UnHealthy, or Healthy. Based on those conditions, the appropriate action or Enforcement Profile is applied to the port. The example below shows these conditions:

Creation of Service
The Service is used to match for endpoints of a certain type and assign Policy based on the result of health checks.

- Type: Select a type of 802.1x Wired.
- NAS-Port-Type: Add a match on type of Ethernet.
- Service-Type: Set to Framed User.
- User-Name: Add a condition on the User-Name that tests for the domain so that domain specific rules can be applied. Typically, the domain name is appended to the username when authenticating in Windows.
- Authentication Sources: Add your Active Directory Authentication Sources.
- Enforcement Policy: Select the 802.1x Wired Enforcement Policy created above.

The default settings for the Service Tab should be accepted.
The default Authentication methods are typically fine. Select from the list those used in your organization.
The Authentication Sources should be defined as appropriate for your network.

No Roles are needed in this example.


- Use Cached Results: Select Use cached Roles and Posture attributes from previous sessions.
- Enforcement Policy: Select the Tellabs - 802.1X Wired Enforcement Policy created in the steps above.
- Default Profile: Select Deny Access Profile so that devices failing authentication will be denied access.
- Rules Evaluation Algorithm: select first-applicable.
Create 802.1x Wired Posture Check Service
Creation of Posture Policy


Posture Policies should be created based on local network policies. This particular example uses OnGuard as the Posture agent and applies to Windows Machines.
Configure the Posture Plugins per your network policy.


This example has two rules, one for Healthy, one for Quarantine. Roles should be defined per Network Policy.
Creation of Enforcement Profiles
Create an Enforcement Profile for Endpoints in a Healthy state.

- Message: Give the message to be given to the user when the OnGuard agent prompts the user when the computer is in a healthy state.
Create an Enforcement Profile to be used when the client’s computer is not healthy.

- Message: Give the message to be given to the user when OnGuard agent prompts the user when the user is in the UnHealthy or Quarantined State.
Creation of Enforcement Policies
The 802.1x Wired OnGuard Agent Enforcement Policy uses the profiles for Healthy or Not Healthy. It sends a message to the user indicating the current state of their machine and applies the new enforcement profile.

- Enforcement Type: Select WebAuth
- Default Profile: Select Tellabs - Bounce-Host-Port
- Posture: Create two postures; one for Healthy, and one for Not Healthy.
Creation of Service
The Service Tellabs 802.1x Wired Posture Check is a Web Based Health Check through posturing with OnGuard.

- Type: Select Web-based health Check Only when creating the service.

- More Options: Select Posture Compliance
- Service Rules
- Create a Host Rule, named CheckType with Operator Matches all and Value equal to Health.
- Create a Host rule, named InterfaceType, with Operator Equals WIRED.

- Posture Policies: Select the Posture Policy Tellabs - 802.1X Wired Windows Posture Checks created previously.
- Default Posture Token: Select Quarantine
- Remediate End-Hosts: Select Enable auto-remediation of non-compliant end-hosts.

- Enforcement Policy: Select Tellabs - 802.1X Wired OnGuard Agent Enforcement Policy
The following screen shows the service transitions for an unknown endpoint entering ClearPass: it first hits the 802.1x Wired Service, then transitions to the 802.1x Wired Posture Checks Service, and then re-authenticates using the 802.1x Wired Service, where the Healthy Enforcement Profile is applied and it is given full access to the network.

Server Initiated Web Auth with Self Registration
Creation of Self Registration Page
The following page shows the workflow of authenticating a user via the Self Service Web Portal using Self Registration. The Tellabs OLT supports Web Redirection, which allows redirecting all the users' web session requests to a specified URL. This allows forcing the user to perform a Web Login prior to gaining access.


- Name: Enter the Name to be used for the Self Registration page, Tellabs-Guest in this example.
- Register Page: Enter the name of the web page name for the self-registration page. This will be a part of the page URL.
- User Database: Select ClearPass Policy Manager.
- All other selections take the defaults.

- Enabled: Select Enable guest login to a Network Access Server
- Vendor Settings: Select Captive Portal with ClearPass Web Auth under Vendor Settings.
- Default URL: The URL the user will be redirected to after completion of the web login.

- Pre-Auth Check: Select None - no extra checks will be made.
- Terms: If desired, select Require a Terms and Conditions Confirmation to force the user to agree to Terms and Conditions before gaining access to the network.

- Login Delay: Set the Login Delay to 15 seconds.

- CoA Delay: The CoA Delay needs to be set to 5 seconds.
Setting the CoA Delay to 5 seconds and Login Delay to 15 seconds ensure that there is enough time for attributes to be added to the endpoint repository before the next MAC Auth request comes in.
The settings in the Customize Form Fields should be set based on network policy. As an example, the validator NwaIsValidExpireAfter defines the number of hours the Guest Account is valid.

This example generates the following Web Login page:

Configuration of Role Mappings

The Role Mappings use a number of built-in roles such as Contractor, Employee, Guest, and MAC Caching. One new role needs to be created: Tellabs - Captive Portal.

This role mapping is used to evaluate which guest role the endpoint holds and assign the correct access policy.
The following section will create the two services used to accomplish Web Authorization with Self Registration:
- Tellabs Guest MAC Auth Service
- Tellabs Guest Web Auth Service
Tellabs Guest MAC Auth Service
This service defines how endpoints are handled by MAC authentication before and after web authentication.
Creation of Enforcement Profiles
This Enforcement profile is allowing the guest to access the network with limited access rights.

The following RADIUS attributes should be created:

- Session-Timeout: This configures the RADIUS re-authentication timeout for this port.
- Termination Action: Set to RADIUS-Request
- FilterID: PROFILE-MATCH=GUEST, this will match against the Service Profile within the NAC profile that includes the prefix GUEST.
- FilterID: Profile-ACL=CPPM-GUEST-REDIRECT, this should be a simple Authorized MAC ACL.
- Tellabs-AVPair: This string defines the URL that the user is redirected to; in this example it is url-redirect=https://172.28.6.82/guest/Tellabsguest.php?mac=%{Connection:Client-Mac-Address-NoDelim}. This is the URL of the self registration portal on ClearPass, and it passes the MAC address that is to be authorized, which ties the request to the endpoint. The page name in the URL (Tellabsguest.php) must match the Register Page name entered on the Self Registration configuration page.
Creation of Enforcement Policies
This Enforcement Policy has a set of states to apply the appropriate action based on the roles assigned.

- Rule: MATCHES_ALL [MAC Caching] This is for MAB clients whose MAC is stored in the database. They are allowed Access via the Tellabs Allow Access Profile
- Rule: MATCHES_ANY [Guest] If the role is determined to be Guest, they will be sent to the Captive Portal.
- Rule: EQUALS [User Authenticated] If the role is determined to be User Authenticated the user will be sent to the Captive Portal.
Creation of Service

- Name: Enter Tellabs - MAC Auth Service.
- Service Rules:
  - NAS-Port-Type: Add an attribute for NAS-Port-Type EQUALS Ethernet(15).
  - Service-Type: Add an attribute for Service-Type EQUALS Call-Check(10).
  - Client-Mac-Address: Add an attribute for Client-Mac-Address EQUALS %{Radius:IETF:User-Name}.

- Name: Enter the name Tellabs - MAC Auth Service
- More Options: Ensure Authorization is selected.

- Authentication Methods: Select Allow All MAC AUTH.
- Authentication Sources: Select Endpoints Repository.

- Additional Authorization Sources: Add Time Source and Guest User Repository.

- Role Mapping Policy: Select Tellabs Guest Authentication Role Mapping - MAC Bypass that was created earlier.

- Enforcement Policy: Select the Tellabs - Unknown Endpoint which will populate all the rules.
Tellabs Guest Web Auth Service
This service defines how ClearPass handles endpoints that are authenticated through Web Authentication. It uses Web Authentication either to authenticate users who already exist in the user database, or to allow a new Guest user to create an account and be authenticated for a configured duration.
This is an example Guest authentication.

Existing users would use the Sign In option to authenticate and gain access.

Guest users would be given a Guest Password that expires after the access interval configured in ClearPass.
Creation of Enforcement Profiles
This is an action to update the status of an Unknown endpoint to a Known endpoint.

This Profile sets ClearPass internal attributes that are used in a later step to evaluate the user correctly.

The Enforcement profile below is used to terminate the user and re-direct them in a later step to the default configured URL.

Creation of Enforcement Policies
For users who are successfully authorized via web authentication, this policy updates the endpoint to a Known endpoint, updates the username, guest role and expiry time in the ClearPass database, and then terminates the session. The endpoint is immediately re-authenticated via MAB and given full access to the appropriate VLAN.
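The following is an added example, not Tellabs or Aruba code, that models the Tellabs - MAC Auth Service configuration above (service rules, the Tellabs - Unknown Endpoint policy rules, and the guest profile's RADIUS attributes with the MAC macro expanded) together with the WebAuth policy transition just described: a successful web login marks the endpoint Known, the session is terminated, and the next MAB request lands on the Allow Access profile. The guest profile name, the policy's default action, the Session-Timeout value and the simplified role mapping are assumptions for this example.

```python
import re

# Constructed sample values (not from a live system): portal host from the
# document's example URL; role/profile names as given in the text above.
PORTAL_URL = "https://172.28.6.82/guest/Tellabsguest.php"
REAUTH_TIMEOUT = 300            # Session-Timeout value, assumed for this example

def matches_mac_auth_service(req: dict) -> bool:
    """Service rules of 'Tellabs - MAC Auth Service': NAS-Port-Type Ethernet(15),
    Service-Type Call-Check(10), and User-Name equal to the client MAC (MAB)."""
    mac = req.get("Client-Mac-Address", "").lower()
    return (req.get("NAS-Port-Type") == 15 and req.get("Service-Type") == 10
            and req.get("User-Name", "").lower() == mac)

def enforce_unknown_endpoint(roles: set) -> str:
    """'Tellabs - Unknown Endpoint' policy: rules evaluated top down, first match
    wins. The captive-portal profile name and the default action are assumed."""
    if {"MAC Caching"} <= roles:          # MATCHES_ALL [MAC Caching]
        return "Tellabs Allow Access Profile"
    if roles & {"Guest"}:                 # MATCHES_ANY [Guest]
        return "Tellabs Guest Captive Portal"
    if roles == {"User Authenticated"}:   # EQUALS [User Authenticated]
        return "Tellabs Guest Captive Portal"
    return "Deny Access"

def guest_profile_attributes(mac: str) -> dict:
    """RADIUS attributes returned by the guest enforcement profile, with the
    %{Connection:Client-Mac-Address-NoDelim} macro expanded."""
    nodelim = re.sub(r"[^0-9a-f]", "", mac.lower())
    return {"Session-Timeout": REAUTH_TIMEOUT,
            "Termination-Action": "RADIUS-Request",
            "Filter-Id": ["PROFILE-MATCH=GUEST", "Profile-ACL=CPPM-GUEST-REDIRECT"],
            # keyword copied verbatim from the document's example string
            "Tellabs-AVPair": f"url-rdirect={PORTAL_URL}?mac={nodelim}"}

def roles_for(endpoint: dict) -> set:
    """Simplified role mapping: a Known endpoint gets MAC Caching, else Guest."""
    return {"MAC Caching"} if endpoint.get("status") == "Known" else {"Guest"}

def web_auth_success(endpoints: dict, mac: str, username: str, expiry: str) -> str:
    """WebAuth enforcement policy: mark the endpoint Known, record user/role/expiry,
    then terminate the session so the port re-authenticates via MAB."""
    endpoints[mac] = {"status": "Known", "username": username,
                      "guest_role": "Guest", "expire_time": expiry}
    return "CoA-Disconnect"     # session termination; the port then re-runs MAB
```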

Creation of Service
The following service is used to set up the Web based authentication for Tellabs OLTs.

- Type: Web-based Authentication should be selected for this Service.

- Authorization: Select Authorization.
- CheckType: Ensure that CheckType Matches_ANY Authentication. Remove any other attributes from the default record.

- Authentication Source: Select Guest User Repository as the Authentication Source.

Select Additional Authorization sources from which to fetch role-mapping attributes:
- Endpoints Repository: Add Endpoints Repository to the list.
- Time Source: Add Time Source to the list.

Select the ClearPass Role Mapping Guest Roles and it will populate the conditions at the bottom of the screen.

Choose the Enforcement Policy Tellabs - WebAuth Enf Policy created above.
The Access Tracker can be used to view this configuration:

Setting Up Radius Authentication for CLI Sessions
Since Aruba ClearPass is also a RADIUS server, you can set up ClearPass to perform the RADIUS authentication of CLI users coming in via the serial or SSH interfaces. To do this, you must set up ClearPass to do the back-end authentication via Active Directory. This gives single sign-on that is authenticated via Active Directory.
As noted above, you must have previously set up Authentication Sources to point to Active Directory. See section above on Setting Up Authentication Sources for more information.
An enforcement profile needs to be created to allow authorization against Active Directory:

An Enforcement Policy needs to be created that performs authorization against the Active Directory Source:

A Service needs to be created that relates the Administrative user to the Enforcement Profile.

On the OLT, you need to also set up the CLI authentication to point to the ClearPass IP address. The menu is reached via OLT->Right Click->Properties->Security Tab:

Enter the following attributes in the top portion of the dialog (RADIUS Server for Craft User Authentication):
- Authentication Protocol Type: Select any method supported by ClearPass.
- Shared Key/Confirm Key: Enter the same shared key that was entered in ClearPass to secure the RADIUS interface.
Then press Apply; you should now be able to log in using your Active Directory credentials.
Other Applicable AppNotes
The following application notes should be consulted for further information relevant to RADIUS implementation on the Tellabs OLAN OLT:
- ENG-010428 Configuring Policy via Radius Authentication
- ENG-010466 Multiple Radius Authentication Domains
Summary
The above configuration outlines Tellabs specific configuration. Outside of those elements, the configuration should follow typical Aruba ClearPass configuration rules.