13146 clearpass with aos - 802.1x unp rolemapping
8/12/2019 13146 ClearPass With AOS - 802.1x UNP RoleMapping
http://slidepdf.com/reader/full/13146-clearpass-with-aos-8021x-unp-rolemapping 1/11
Document rev. 1.0
ClearPass & AOS
802.1x/UNP configuration with a role mapping policy
This document shows a sample configuration for the ALE BYOD solution.
In this example:
• 2 groups of users, Employee & Contractor
• Employee & Contractor are two groups configured in Active Directory
• ClearPass Policy Manager is added to the Active Directory Domain
• Role mapping between CPPM and AD is configured in ClearPass
• A UNP is returned depending on the Active Directory group the user belongs to
Releases
• 6850E: 6.4.6.R01.GA
• ClearPass: 6.2.0
• Active Directory: Windows Server 2008 R2 Enterprise Service Pack 1
1- Configure Active Directory as the authentication source
Go to Configuration>Authentication>Sources
Select the type: Active Directory
In the Primary tab, configure:
• The hostname
• Bind DN/password – Distinguished Name of the administrator account. This account is used to access all records in the Active Directory.
• Base DN – Node from which to start searching for records. Click on Search Base DN to browse the AD.
• Check “Bind User”
2- Add CPPM to the domain
Go to Administration > Server Manager > Server Configuration
Click on Join AD Domain
Enter the FQDN of the domain controller.
Specify the domain’s admin user password (or another user/password if not Administrator).
ClearPass Policy Manager is in the domain now.
An entry is created on the domain controller.
3- Configure the Enforcement Profiles
2 profiles:
• A profile which returns a UNP for contractors
• A profile which returns a UNP for employees
Go to Configuration>Enforcement>Profiles
Create a new Profile
Add the RADIUS attribute “Filter-Id” with the UNP name.
It must match the one configured on the switch.
Repeat the above steps for the Contractor profile.
4- Configure the Enforcement Policy
Go to Configuration>Enforcement>Policy
Create a new Policy.
Configure two conditions using the Enforcement Profiles configured above.
[Employee] & [Contractor] are two ClearPass predefined roles (so the type is Tips).
These roles will be mapped to Active Directory groups using a role mapping policy.
5- Configure the Role Mapping
Go to Configuration>Identity>Role Mappings
Create a new role mapping policy.
Add two conditions:
The first condition assigns the ClearPass role [Employee] if the authenticating user belongs to the Active Directory group Employee.
The second condition assigns the ClearPass role [Contractor] if the authenticating user belongs to the Active Directory group Contractor.
6- Configure the Service
Go to Configuration>Start here
Select the “802.1x wired” service.
Add the Service name.
Do not forget to check “Authorization”, which is needed for role mapping.
Alternatively, authorization can be enabled directly on the authentication source.
In that case, there is no need to enable authorization in the Service as described just above.
In the Authentication tab, select the Authentication method and the Active Directory as the authentication source.
In the Authorization tab, select the Active Directory as the authorization source.
7- Switch configuration
Configure ClearPass Policy Manager as the RADIUS server.
vlan port mobile 1/12
vlan port 1/12 802.1x enable
aaa radius-server "cppm" host 172.26.60.70 key 12345678
aaa authentication 802.1x "cppm"
aaa accounting 802.1x cppm
aaa user-network-profile name "UNP_contractor" vlan 80
aaa user-network-profile name "UNP_employee" vlan 70
8- Verify the logs
Go to Monitoring>Live Monitoring>Access Tracker
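Added example (not part of the original document, and not ALE or ClearPass code): a small Python check of the chain configured in steps 3 to 7, AD group -> ClearPass role -> Filter-Id -> UNP -> VLAN, which flags any Filter-Id that has no identically named UNP on the switch. The Filter-Id values, exact-string name matching and first-match rule order are assumptions; only the two UNP lines come from step 7.

```python
import re

# Switch lines copied from step 7 of this document.
SWITCH_CONFIG = '''
aaa user-network-profile name "UNP_contractor" vlan 80
aaa user-network-profile name "UNP_employee" vlan 70
'''

# Constructed model of steps 3-5. The document does not list the Filter-Id
# values typed into ClearPass; they are assumed here to equal the UNP names.
ROLE_MAPPING = [("Employee", "[Employee]"), ("Contractor", "[Contractor]")]
ENFORCEMENT = {"[Employee]": "UNP_employee", "[Contractor]": "UNP_contractor"}

UNP_RE = re.compile(r'^aaa user-network-profile name "([^"]+)" vlan (\d+)$')

def parse_unps(config):
    """Return {UNP name: VLAN id} from 'aaa user-network-profile' lines."""
    unps = {}
    for line in config.splitlines():
        match = UNP_RE.match(line.strip())
        if match:
            unps[match.group(1)] = int(match.group(2))
    return unps

def unmatched_filter_ids(enforcement, unps):
    """Filter-Id values with no identically named UNP on the switch."""
    return sorted(set(enforcement.values()) - set(unps))

def resolve_vlan(ad_groups, role_mapping, enforcement, unps):
    """Follow AD group -> ClearPass role -> Filter-Id -> UNP -> VLAN.
    The first matching rule wins (assumed evaluation order). Returns None
    when a link in the chain is missing, so no UNP from this policy applies."""
    for group, role in role_mapping:
        if group in ad_groups:
            return unps.get(enforcement.get(role))
    return None

if __name__ == "__main__":
    unps = parse_unps(SWITCH_CONFIG)
    print("UNPs on switch:", unps)
    print("Filter-Ids without a UNP:", unmatched_filter_ids(ENFORCEMENT, unps))
    for groups in (["Employee"], ["Contractor"], ["Guests"]):
        print(groups, "->", resolve_vlan(groups, ROLE_MAPPING, ENFORCEMENT, unps))
```

The Filter-Id actually returned for a session can be compared against this model in the Access Tracker entry for that request.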