Integration of Aruba ClearPass with Authnull RADIUS Bridge

Introduction

ClearPass is a network access control (NAC) solution developed by Aruba Networks, designed to provide comprehensive security management for enterprise networks. It ensures that devices, users, and applications are authenticated, authorized, and continuously monitored before gaining access to the network. ClearPass offers advanced features such as role-based access control, device profiling, guest access management, and policy enforcement, helping organizations meet security and compliance standards. It supports a variety of network protocols, making it ideal for diverse network environments.

Objective

To integrate Aruba ClearPass with an existing authentication backend using RADIUS and AD/LDAP to provide secure and policy-driven access control.


Steps to Implement ClearPass AD and RADIUS Integration

1. Configure Active Directory (AD) as Authentication Source

First, configure Active Directory (AD) as an authentication source in ClearPass.

Steps:

  • Log in to ClearPass Policy Manager.
  • Navigate to Authentication Sources:
    Go to Configuration > Authentication > Sources.
  • Add Authentication Source:
    Click on Add Authentication Source.
  • Choose Active Directory as the type.
  • Provide the following details:
    • Name: Name your AD source (e.g., AD-Primary).
    • LDAP Server IP: Enter the IP address of your AD server.
    • Base DN: Specify the base Distinguished Name (e.g., dc=example,dc=com).
    • Bind DN: Provide the DN of the service account ClearPass uses to query AD (e.g., cn=admin,dc=example,dc=com); a read-only account is sufficient for lookups.
    • Bind Password: Enter the password for the bind DN.
    • Test Connection: Click on Test Connection to ensure ClearPass can reach AD and authenticate properly.
  • Map User Attributes:
    Ensure that user attributes (such as username, group membership, etc.) are correctly mapped from AD to ClearPass.
    You may need to configure mappings for custom AD attributes that your organization uses.

2. Create an Authentication Service in ClearPass

Create a service in ClearPass that handles the authentication flow, prioritizing AD first and then forwarding requests to the RADIUS server (e.g., Authnull RADIUS Bridge).

Steps:

  • Navigate to Services:
    Go to Configuration > Services.
  • Add a New Service:
    Click on Add Service and select RADIUS Enforcement (Generic).
  • Define Authentication Sources:
    Under the Authentication Source section, select the Active Directory source configured in Step 1.
    Set up the authentication order to prioritize AD first.
  • Configure Service to Forward Requests to RADIUS:
    Under the Enforcement Profile, configure the enforcement profile to forward requests to the RADIUS server (e.g., Authnull RADIUS Bridge) after AD successfully authenticates the user.
    Specify the RADIUS server IP and shared secret in the enforcement profile.
  • Define Role Mapping and Enforcement Policies:
    Use ClearPass enforcement profiles to assign roles based on AD attributes (such as group membership).
    You can define access control policies, including VLAN assignments or other checks (e.g., security groups in AD).
    If necessary, configure additional RADIUS-specific policies (e.g., QoS, bandwidth limits).

3. Configure RADIUS Integration in ClearPass

Set up ClearPass to forward authentication requests to a RADIUS server after validating credentials against AD.

Steps:

  • Add RADIUS Server as Authentication Source:
    Navigate to Configuration > Authentication > Sources and add the RADIUS server (e.g., Authnull RADIUS Bridge) as an authentication source.
    Provide the necessary details such as IP address, shared secret, and any relevant configuration for the RADIUS server.
  • Forward Authentication Requests to RADIUS:
    In the service created earlier, configure ClearPass to forward authenticated requests to the Authnull RADIUS server after successful AD authentication.
    In the enforcement profile, specify the RADIUS server IP and shared secret.
  • Role Mapping and Policy Enforcement:
    Use ClearPass enforcement profiles to apply policies based on the results from the RADIUS server.
    For example, the RADIUS server may provide VLAN assignments, QoS settings, or additional checks like multi-factor authentication (MFA).

4. Test the Integration

Once ClearPass is configured to validate against AD and forward requests to RADIUS, it’s essential to test the setup thoroughly.

Steps:

  • Test Authentication:
    Use a test client (e.g., a wireless AP or VPN client) to initiate authentication via ClearPass.
    ClearPass should first authenticate the credentials against Active Directory.
    If AD authentication is successful, ClearPass will forward the request to the RADIUS server for further enforcement (e.g., access policies or additional checks like MFA).
  • Monitor Authentication Logs in Access Tracker:
    Go to Monitoring > Access Tracker to view detailed logs of authentication attempts.
    Ensure that the AD authentication is completed successfully and the RADIUS server is involved in the enforcement step.
  • Verify Policy Enforcement:
    Ensure that policies configured on the RADIUS server (e.g., VLAN assignments, group memberships, QoS) are applied to the authenticated client.

5. Troubleshooting

If the integration does not behave as expected, use the following sources to locate the failing step:

Access Tracker:

  • Check the Access Tracker logs for detailed information about authentication attempts, attribute mappings, and any failures.
    Look for issues like authentication failure due to incorrect AD credentials or misconfigured RADIUS settings.

ClearPass Logs:

  • Review ClearPass logs to ensure the authentication request is reaching the correct service and that both AD and RADIUS sources are involved in the authentication flow.

RADIUS Logs:

  • On the backend RADIUS server (e.g., Authnull), check the RADIUS logs to confirm whether requests are being processed and the appropriate response is returned to ClearPass.
    Look for common issues like shared secret mismatches, unreachable RADIUS server, or incorrectly mapped attributes.

Debugging in ClearPass:

  • Enable debugging mode in ClearPass for deeper logs when troubleshooting authentication or policy enforcement issues.

RADIUS Server Debugging:

  • Enable debugging on the RADIUS server to see the flow of requests and responses.
    Ensure that the RADIUS server is correctly configured to process ClearPass requests and enforce access policies.

Conclusion

This integration combines the strengths of both Active Directory (for user authentication) and RADIUS (for network access control) in Aruba ClearPass. By validating user credentials against AD first and forwarding the request to RADIUS for enforcement, you achieve a highly flexible and secure access control system that can enforce policies like role-based access and multi-factor authentication (MFA).

