ClearPass & AOS
802.1x/UNP configuration
with a role mapping policy
This document shows a sample configuration for the ALE BYOD solution.
In this example:
Two groups of users, Employee and Contractor
Employee and Contractor are two groups configured in Active Directory
ClearPass Policy Manager is added to the Active Directory Domain
Role mapping between CPPM and AD is configured in ClearPass
A UNP is returned depending on the Active Directory group the user belongs to
Releases
6850E: 6.4.6.R01.GA
ClearPass: 6.2.0
Active Directory: Windows Server 2008 R2 Enterprise Service Pack 1
Document rev. 1.0
1- Configure Active Directory as the authentication source
Go to Configuration>Authentication>Sources
Select the type: Active Directory
In the Primary tab, configure:
The hostname
Bind DN/password: Distinguished Name and password of the administrator account.
This account is used to access all records in Active Directory.
Base DN: node from which to start searching for records.
Click on Search Base DN to browse the AD.
Check Bind User
2- Add CPPM to the domain
Go to Administration > Server Manager > Server Configuration
Click on Join AD Domain
Enter the FQDN of the domain controller.
Specify the domain administrator's password (or another user/password if the account is not Administrator).
ClearPass Policy Manager is in the domain now.
An entry is created on the domain controller.
3- Configure the Enforcement Profiles
Two profiles are needed:
A profile which returns a UNP for contractors
A profile which returns a UNP for employees
Go to Configuration>Enforcement>Profiles
Create a new Profile
Add the RADIUS attribute Filter-Id with the UNP name as its value.
The name must match exactly the UNP configured on the switch; otherwise the switch cannot apply the profile.
Repeat the above steps for the Contractor profile.
4- Configure the Enforcement Policy
Go to Configuration>Enforcement>Policy
Create a new Policy.
Configure two conditions using the Enforcement Profiles configured above.
[Employee] and [Contractor] are two ClearPass predefined roles (so the condition type is Tips).
These roles will be mapped to Active Directory groups using a role mapping policy.
5- Configure the Role Mapping
Go to Configuration>Identity>Role Mappings
Create a new role mapping policy.
Add two conditions:
The first condition assigns the ClearPass role [Employee] if the authenticating user belongs to the Active Directory group Employee.
The second condition assigns the ClearPass role [Contractor] if the authenticating user belongs to the Active Directory group Contractor.
6- Configure the Service
Go to Configuration > Start Here
Select the 802.1X Wired service.
Add the Service name.
Do not forget to check Authorization: role mapping needs the group attributes returned by the authorization source.
Alternatively, authorization can be enabled directly on the authentication source.
In that case there is no need to enable authorization in the Service as described just above.
In the Authentication tab, select the authentication method and Active Directory as the authentication source.
In the Authorization tab, select Active Directory as the authorization source.
In the Roles tab, add the role mapping policy previously created.
In the Enforcement tab, add the Enforcement Policy created before.
The Service configuration is now complete.
Reorder the Service if needed so that it is evaluated before more generic services.
7- Switch configuration
Configure ClearPass Policy Manager as the RADIUS server and define the UNPs whose names match the Filter-Id values returned by the Enforcement Profiles:
vlan port mobile 1/12
vlan port 1/12 802.1x enable
aaa radius-server "cppm" host 172.26.60.70 key 12345678
aaa authentication 802.1x "cppm"
aaa accounting 802.1x cppm
aaa user-network-profile name "UNP_contractor" vlan 80
aaa user-network-profile name "UNP_employee" vlan 70
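The following is an added example, not part of the original guide: it builds the RADIUS Access-Accept that ClearPass returns for an Employee (Filter-Id attribute, RFC 2865) and then checks it the way the AOS switch does, verifying the Response Authenticator with the shared secret and resolving Filter-Id against the UNP names from the switch configuration above. The secret and UNP names are the guide's sample values; the packet ID, Request Authenticator and the unconfigured name "UNP_visitor" are constructed for this example.

```python
"""Encode a RADIUS Access-Accept with Filter-Id and evaluate it switch-side."""
import hashlib
import struct

SHARED_SECRET = b"12345678"   # from: aaa radius-server "cppm" host 172.26.60.70 key 12345678
SWITCH_UNPS = {"UNP_contractor": 80, "UNP_employee": 70}   # from: aaa user-network-profile
ACCESS_ACCEPT = 2             # RFC 2865 packet code
FILTER_ID = 11                # RFC 2865 attribute type for Filter-Id


def build_access_accept(pkt_id: int, request_auth: bytes, unp_name: str) -> bytes:
    """ClearPass side: Access-Accept carrying Filter-Id=unp_name."""
    value = unp_name.encode()
    attrs = struct.pack("BB", FILTER_ID, 2 + len(value)) + value   # Type, Length, Value
    header = struct.pack("!BBH", ACCESS_ACCEPT, pkt_id, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + SHARED_SECRET).digest()
    return header + resp_auth + attrs


def switch_evaluate(packet: bytes, request_auth: bytes) -> tuple:
    """Switch side: authenticate the reply, then map Filter-Id to a configured UNP.
    Returns (unp_name, vlan); vlan is None when the name is not configured locally."""
    code, _pkt_id, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + SHARED_SECRET).digest()
    if packet[4:20] != expected:
        # Wrong shared secret or modified packet: the switch discards the reply.
        raise ValueError("bad Response Authenticator")
    if code != ACCESS_ACCEPT:
        return None, None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break                                   # malformed attribute, stop parsing
        if atype == FILTER_ID:
            name = attrs[pos + 2:pos + alen].decode()
            return name, SWITCH_UNPS.get(name)      # None => no such UNP on the switch
        pos += alen
    return None, None


if __name__ == "__main__":
    req_auth = bytes(range(16))                     # constructed Request Authenticator
    print(switch_evaluate(build_access_accept(7, req_auth, "UNP_employee"), req_auth))
    print(switch_evaluate(build_access_accept(8, req_auth, "UNP_visitor"), req_auth))
```

The second call shows the failure mode the guide warns about: a Filter-Id that does not match any UNP on the switch resolves to no VLAN, which is what to look for in the Access Tracker and on the switch when a user lands in the wrong VLAN.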
8- Verify the logs
Go to Monitoring>Live Monitoring>Access Tracker