
Document rev. 1.0

ClearPass & AOS
802.1x/UNP configuration
with a role mapping policy










This document shows a sample configuration for the ALE BYOD solution.


In this example:

Two groups of users, Employee & Contractor
Employee & Contractor are two groups configured in Active Directory
ClearPass Policy Manager is added to the Active Directory domain
Role mapping between CPPM and AD is configured in ClearPass
A UNP is returned depending on the Active Directory group the user belongs to



Releases

6850E: 6.4.6.R01.GA
ClearPass: 6.2.0
Active Directory: Windows Server 2008 R2 Enterprise Service Pack 1


1- Configure Active Directory as the authentication source

Go to Configuration>Authentication>Sources
Select the type: Active Directory




In the Primary tab, configure:

The hostname of the domain controller

Bind DN/password: Distinguished Name and password of the administrator account.
This account is used by ClearPass to read all records in the Active Directory.

Base DN: node from which to start searching for records.
Click on Search Base DN to browse the AD.

Check Bind User




2- Add CPPM to the domain

Go to Administration > Server Manager > Server Configuration
Click on Join AD Domain





Enter the FQDN of the domain controller.
Specify the domain admin user password (or another user/password if the account used is not Administrator).




ClearPass Policy Manager is now a member of the domain.




A computer account entry for the ClearPass server is created on the domain controller.






3- Configure the Enforcement Profiles

Two profiles are needed:

A profile which returns a UNP for contractors
A profile which returns a UNP for employees


Go to Configuration>Enforcement>Profiles
Create a new Profile




Add the RADIUS attribute Filter-Id with the UNP name as its value.
It must match exactly the UNP name configured on the switch.





Repeat the above steps for the Contractor profile.











4- Configure the Enforcement Policy

Go to Configuration>Enforcement>Policy
Create a new Policy.






Configure two conditions using the Enforcement Profiles configured above.

[Employee] & [Contractor] are two ClearPass predefined roles (so the attribute type is Tips).
These roles will be mapped to Active Directory groups using a role mapping policy.





5- Configure the Role Mapping

Go to Configuration>Identity>Role Mappings
Create a new role mapping policy.





Add two conditions:

The first condition assigns the ClearPass role [Employee] if the authenticating user belongs
to the Active Directory group Employee.

The second condition assigns the ClearPass role [Contractor] if the authenticating user
belongs to the Active Directory group Contractor.
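The three objects configured in sections 3, 4 and 5 form one decision chain: AD group membership gives a Tips role, the role selects an enforcement profile, and the profile returns the Filter-Id carrying the UNP name. The following script is an added example modelling that chain, not ClearPass code; the group and UNP names are the ones used in this guide, while the profile names, the evaluation algorithms (role mapping "evaluate all", enforcement "first applicable") and the default deny profile are assumptions. It shows the two cases a practitioner should check before going live: a user in neither group is rejected, and a user in both groups gets the profile of the first matching enforcement rule, so rule order matters.

```python
"""Model of the ClearPass decision chain from sections 3 to 5:
Active Directory group -> ClearPass (Tips) role -> enforcement profile -> Filter-Id (UNP).

Added, simplified example; it is not ClearPass code. Profile names and the
evaluation algorithms are assumptions made for the illustration.
"""

# Section 3: enforcement profiles. Each returns RADIUS Filter-Id = UNP name,
# which must match "aaa user-network-profile name ..." on the switch.
ENFORCEMENT_PROFILES = {
    "Profile_employee": {"Filter-Id": "UNP_employee"},
    "Profile_contractor": {"Filter-Id": "UNP_contractor"},
}

# Section 5: role mapping rules (AD group name -> Tips role).
ROLE_MAPPING_RULES = [
    ("Employee", "[Employee]"),
    ("Contractor", "[Contractor]"),
]

# Section 4: enforcement policy rules (Tips role -> profile), evaluated in
# order. The default profile applies when no rule matches (assumed: deny).
ENFORCEMENT_RULES = [
    ("[Employee]", "Profile_employee"),
    ("[Contractor]", "Profile_contractor"),
]
DEFAULT_PROFILE = "[Deny Access Profile]"


def group_name(value):
    """Accept either a bare group name ("Employee") or an LDAP DN as found in
    memberOf ("CN=Employee,OU=Staff,DC=example,DC=com") and return the name.
    Assumption: the group name is the value of the first RDN."""
    first = value.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else first


def map_roles(member_of):
    """Role mapping with 'evaluate all': every matching rule adds its role."""
    groups = {group_name(v) for v in member_of}
    return [role for group, role in ROLE_MAPPING_RULES if group in groups]


def enforce(roles):
    """Enforcement policy with 'first applicable': the first rule whose role
    the session holds wins; otherwise the default (deny) profile is used."""
    for role, profile in ENFORCEMENT_RULES:
        if role in roles:
            return profile
    return DEFAULT_PROFILE


def authorize(member_of):
    """Return the RADIUS result the switch would receive for this user."""
    profile = enforce(map_roles(member_of))
    if profile == DEFAULT_PROFILE:
        return {"Access": "Reject"}
    return {"Access": "Accept", **ENFORCEMENT_PROFILES[profile]}


if __name__ == "__main__":
    # Constructed sample sessions: one per group, neither group, both groups
    for groups in (["Employee"], ["CN=Contractor,OU=Ext,DC=corp,DC=example"],
                   ["Domain Users"], ["Contractor", "Employee"]):
        print(groups, "->", authorize(groups))
```

If both groups should map to a single combined outcome, or a user in both groups should get the contractor UNP, the enforcement rule order (or the evaluation algorithm) is the knob to turn; the role mapping itself does not decide precedence.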





6- Configure the Service

Go to Configuration>Start Here
Select the 802.1x wired service.



Enter the Service name.
Do not forget to check Authorization; it is required for role mapping.




Alternatively, authorization can be enabled directly on the authentication source.
In that case there is no need to enable authorization in the Service as mentioned just
above.





In the Authentication tab, select the authentication method and Active Directory as the
authentication source.




In the Authorization tab, select Active Directory as the authorization source.





In the Roles tab, add the role mapping policy previously created.




In the Enforcement tab, add the Enforcement Policy created before.




The Service configuration is now complete.
Reorder the Services if needed so that this one is evaluated for the intended requests.




7- Switch configuration

Configure ClearPass Policy Manager as the RADIUS server.

vlan port mobile 1/12
vlan port 1/12 802.1x enable

aaa radius-server "cppm" host 172.26.60.70 key 12345678
aaa authentication 802.1x "cppm"
aaa accounting 802.1x cppm

aaa user-network-profile name "UNP_contractor" vlan 80
aaa user-network-profile name "UNP_employee" vlan 70
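Section 3 requires the Filter-Id returned by each enforcement profile to match the UNP name on the switch, and in AOS 6 802.1x can only be enabled on a port that is first set mobile (which is why the two vlan port lines above come first). The script below is an added consistency check, not vendor code: it parses the switch lines shown in this guide (embedded here as constructed sample input) against the Filter-Id values of the two profiles (profile names are assumptions) and reports any UNP name that does not exist on the switch, including a near miss that differs only in letter case, and any 802.1x-enabled port that is not mobile.

```python
"""Consistency check between ClearPass enforcement profiles (section 3) and the
AOS switch configuration (section 7). Added example, not ClearPass or AOS code.
"""
import re

# Constructed sample input: the switch lines from this guide.
SWITCH_CONFIG = """\
vlan port mobile 1/12
vlan port 1/12 802.1x enable
aaa radius-server "cppm" host 172.26.60.70 key 12345678
aaa authentication 802.1x "cppm"
aaa accounting 802.1x cppm
aaa user-network-profile name "UNP_contractor" vlan 80
aaa user-network-profile name "UNP_employee" vlan 70
"""

# Filter-Id value returned by each enforcement profile (profile names assumed).
ENFORCEMENT_PROFILES = {
    "Profile_employee": "UNP_employee",
    "Profile_contractor": "UNP_contractor",
}

UNP_RE = re.compile(r'^aaa user-network-profile name "?([^"\s]+)"? vlan (\d+)')
MOBILE_RE = re.compile(r"^vlan port mobile (\S+)")
DOT1X_RE = re.compile(r"^vlan port (\S+) 802\.1x enable")


def parse_switch_config(text):
    """Extract UNP names with their VLAN, mobile ports and 802.1x-enabled ports."""
    unps, mobile, dot1x = {}, set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := UNP_RE.match(line):
            unps[m.group(1)] = int(m.group(2))
        elif m := MOBILE_RE.match(line):
            mobile.add(m.group(1))
        elif m := DOT1X_RE.match(line):
            dot1x.add(m.group(1))
    return unps, mobile, dot1x


def check(profiles, switch_config):
    """Return a list of findings; an empty list means both sides agree."""
    unps, mobile, dot1x = parse_switch_config(switch_config)
    findings = []
    for profile, filter_id in profiles.items():
        if filter_id in unps:
            continue
        hint = ""
        near = [u for u in unps if u.lower() == filter_id.lower()]
        if near:
            hint = f" (switch has {near[0]!r}, differing only in case)"
        findings.append(f"{profile}: Filter-Id {filter_id!r} has no UNP on the switch{hint}")
    # 802.1x on a non-mobile port is a prerequisite error in AOS 6
    for port in sorted(dot1x - mobile):
        findings.append(f"port {port}: 802.1x enabled but port is not mobile")
    return findings


if __name__ == "__main__":
    for finding in check(ENFORCEMENT_PROFILES, SWITCH_CONFIG) or ["OK: profiles and switch agree"]:
        print(finding)
```

Run it against the real "show configuration snapshot aaa" and "show configuration snapshot vlan" output before testing: a silent Filter-Id typo shows up in Access Tracker only as a user landing in the wrong VLAN, which is slower to diagnose than a failed check here.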


8- Verify the logs

Go to Monitoring>Live Monitoring>Access Tracker
