Sample Configuration
The following example shows the configuration details to integrate a ClearPass Policy Manager server with a managed device to automatically download roles. ClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method.
ClearPass Policy Manager Server Configuration
This section describes the following topics:
Adding a Device
The following procedure describes how to add a device:
2. Click above the list. The page opens.
3. Under the tab, enter the , , and fields.
Keep the rest of the fields as default.
4. Click .
The fields are described in Table 1.
Parameter | Description
| The name or identity of the device.
| The IP address or subnet (for example, 10.1.1.1/24) of the device.
| Enter and confirm a shared secret for each of the two supported request protocols.
Adding an Enforcement Profile
The following procedure describes how to add an enforcement profile:
1. Navigate to the page.
2. Click above the list. The page opens.
3. Under the tab, select from the drop-down list.
4. Enter the of the enforcement profile.
5. Under , select .
Keep the rest of the fields as default.
6. Click .
For the remaining configuration, see Advanced Role Configuration Mode.
The fields are described in Table 2.
Parameter | Description
| Policy Manager comes pre-packaged with several enforcement profile templates. In this example, select the RADIUS template, which can be filled with a user role definition to create roles that are assigned to users after successful authentication.
| The name of the enforcement profile.
| : Configures the enforcement profile role using standard mode. : Configures the enforcement profile role using advanced mode.
Advanced Role Configuration Mode
The following procedure describes how to enable advanced role configuration mode:
1. Under the tab, select from the table.
2. From the drop-down list, select .
3. In the field, enter the attribute for the downloadable role.
4. Click the icon to save the attribute.
5. Click to save the enforcement profile.
The fields are described in Table 3.
Parameter | Description
| Any RADIUS vendor dictionary that is pre-packaged with Policy Manager or imported by the administrator. This field is pre-populated with the dictionary names.
| The name of the attribute from the dictionary selected in the Type field. The attribute names are pre-populated from the dictionary.
| The attribute for the downloadable role. You can enter free-form text to define the role and policy. The maximum length of the free-form text is 16,000 bytes.
Adding Enforcement Policy
The following procedure describes how to add an enforcement policy:
1. Navigate to the page.
2. Click above the list. The page opens.
3. Under the tab, enter the of the enforcement policy.
4. From the drop-down list, select .
Keep the rest of the fields as default.
5. Click .
The fields are described in Table 4.
Parameter | Description
| The name of the enforcement policy.
| An enforcement policy applies conditions (role, health, and time attributes) against specific values associated with those attributes to determine the enforcement profile. If none of the rules matches, Policy Manager applies the default profile. See Adding an Enforcement Profile to add a new profile.
6. Under the tab, click . The page opens.
7. Select from the section. Select the appropriate values, and then click the icon.
8. In the section, select the RADIUS enforcement profile that you created in from the drop-down list.
9. Click .
The fields are described in Table 5.
Parameter | Description
| The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on the service type. When working with service rules, you can select a namespace dictionary
| Drop-down list of the attributes present in the selected namespace. In this example, select .
| Drop-down list of context-appropriate (with respect to the attribute) operators. In this example, select .
| Drop-down list of the authentication source database. In this example, select .
| Name of the RADIUS enforcement profile.
Adding Services
The following procedure describes how to add services:
1. Navigate to the page.
2. Click above the list.
3. Under the tab, select from the drop-down list.
4. In the field, enter the name of the service.
Keep the rest of the fields as default.
5. Click .
The fields are described in Table 6.
Parameter | Description
| The type of service. In this example, select .
| The name of the service.
6. Under the tab, select from the drop-down list.
Keep the rest of the fields as default.
7. Click twice.
8. Under the tab, select the enforcement policy that you created in Adding Enforcement Policy from the drop-down list.
Keep the rest of the fields as default.
9. Click .
For more configuration details on ClearPass Policy Manager, see the ClearPass Policy Manager User Guide.
Managed Device Configuration
This section describes the following topics:
Configuring ClearPass Policy Manager Server on a Managed Device
The following CLI (command-line interface) commands configure a ClearPass Policy Manager server on a managed device:

(host) [md] (config) #aaa authentication-server radius cppm_server
(host) [md] (RADIUS Server "cppm_server") #host <cppm_server>
(host) [md] (RADIUS Server "cppm_server") #key <shared_secret>
(host) [md] (RADIUS Server "cppm_server") #cppm username <username> password <password>

Configuring Server Group to include ClearPass Policy Manager Server
The following CLI commands configure a server group to include the ClearPass Policy Manager server:

(host) [md] (config) #aaa server-group cppm_grp
(host) [md] (server group "cppm_grp") #auth-server cppm_server

Configuring 802.1X Profile
The following CLI command configures an 802.1X (IEEE port-based network access control) profile:

(host) [md] (config) #aaa authentication dot1x cppm_dot1x_prof

Configuring AAA Profile
The following CLI commands configure an AAA (authentication, authorization, and accounting) profile:

(host) [md] (config) #aaa profile cppm_aaa_prof
(host) [md] (AAA Profile "cppm_aaa_prof") #authentication-dot1x cppm_dot1x_prof
(host) [md] (AAA Profile "cppm_aaa_prof") #dot1x-server-group cppm_grp
(host) [md] (AAA Profile "cppm_aaa_prof") #download-role

Show AAA Profile
The following CLI command displays an AAA profile:

(host) [md] #show aaa profile cppm_aaa_prof

AAA Profile "cppm_aaa_prof"
---------------------------
Parameter                          Value     Set
---------                          -----     ---
Initial role                       logon
MAC Authentication Profile         N/A
MAC Authentication Default Role    guest
MAC Authentication Server Group    default
802.1X Authentication Profile      N/A
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
Download Role from CPPM            Disabled
Set username from dhcp option 12   Disabled
L2 Authentication Fail Through     Disabled
Multiple Server Accounting         Disabled
User idle timeout                  N/A
Max IPv4 for wireless user         2
RADIUS Accounting Server Group     N/A
RADIUS Interim Accounting          Disabled
XML API server                     N/A
RFC 3576 server                    N/A
User derivation rules              N/A
Wired to Wireless Roaming          Enabled
Device Type Classification         Enabled
Enforce DHCP                       Disabled
PAN Firewall Integration           Disabled
Open SSID radius accounting        Disabled

For additional command parameters, see the ArubaOS CLI Reference Guide.
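The show aaa profile listing is the place to verify this integration: roles are only downloaded when the 802.1X profile and server group are bound to the AAA profile and Download Role from CPPM reads Enabled, and the listing shown on this page still has the defaults (N/A and Disabled). The script below is an added example, not code from the ArubaOS or ClearPass documentation; it parses such a listing (the sample is constructed from the values shown on this page) and reports the settings that would stop the managed device from downloading roles.

```python
# Constructed sample: a subset of the 'show aaa profile cppm_aaa_prof'
# listing on this page, with the values exactly as shown there.
SAMPLE_OUTPUT = """\
AAA Profile "cppm_aaa_prof"
---------------------------
Parameter                          Value     Set
---------                          -----     ---
Initial role                       logon
802.1X Authentication Profile      N/A
802.1X Authentication Server Group N/A
Download Role from CPPM            Disabled
RADIUS Interim Accounting          Disabled
Wired to Wireless Roaming          Enabled
"""

# What a working downloadable-role profile must show: the 802.1X profile
# and server group bound (anything but N/A) and role download enabled.
REQUIRED = {
    "802.1X Authentication Profile": ("not", "N/A"),
    "802.1X Authentication Server Group": ("not", "N/A"),
    "Download Role from CPPM": ("is", "Enabled"),
}

def parse_aaa_profile(text):
    """Return {parameter: value} using the column offsets of the header row."""
    lines = text.splitlines()
    hdr = next(i for i, ln in enumerate(lines)
               if ln.startswith("Parameter") and "Value" in ln)
    val_col = lines[hdr].index("Value")
    set_col = lines[hdr].index("Set")
    fields = {}
    for line in lines[hdr + 2:]:  # hdr + 1 is the dashed underline row
        if line.strip():
            fields[line[:val_col].rstrip()] = line[val_col:set_col].strip()
    return fields

def missing_for_download_role(fields):
    """List the settings that would stop the managed device downloading roles."""
    problems = []
    for name, (mode, expected) in REQUIRED.items():
        actual = fields.get(name, "")
        wrong = actual != expected if mode == "is" else actual == expected
        if wrong or not actual:  # an absent parameter is also a failure
            problems.append(f"{name}: {actual or '(absent)'}")
    return problems

if __name__ == "__main__":
    for problem in missing_for_download_role(parse_aaa_profile(SAMPLE_OUTPUT)):
        print("CHECK FAILED", problem)
```

Run against the listing on this page it reports all three settings; paste the output of your own managed device in place of the sample to check a live profile.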