Dell PowerConnect W Clearpass 100 Software ArubaOS Integration Guide
Dell PowerConnect W Clearpass 100 Software Manual
View all Dell PowerConnect W Clearpass 100 Software manuals
Add to My Manuals
Save this manual to your list of manuals |
Dell PowerConnect W Clearpass 100 Software manual content summary:
- Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 1
Amigopod and ArubaOS Integration Version 1.0 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 2
Source Code Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License FOR ARUBA PRODUCTS OR SERVICES PURSHASED DIRECTLY FROM ARUBA, WHICHEVER IS LESS. Warning and Disclaimer This guide is designed to provide - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 3
(Optional) Import Sample Welcome Page Integration Verification Create a Test Account Within Amigopod Guest Manager Testing RADIUS Test Basic RADIUS Transactions Test Login and Verify Successful RADIUS Transaction Check that RADIUS Accounting is Working as Expected Application Note 5 5 6 6 7 10 12 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 4
Amigopod and ArubaOS Integration Chapter 6: Troubleshooting Tips Appendix A: Contacting Aruba Networks Contacting Aruba Networks Application Note 49 50 50 Aruba Networks, Inc. Table of Contents | 4 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 5
Application Note Chapter 1: Introduction Aruba supports advanced visitor management services through the combination of Aruba Mobility Controllers and APs running the ArubaOS software, and Aruba Amigopod guest management software. This guide describes the configuration process that must - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 6
shown in Figure 1. Figure 1 Amigopod captive portal page Captive portal authentication is the simplest form of authentication to use and it requires no software installation or configuration on the client. The guest SSID is typically open and does not use any form of encryption. The portal usually - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 7
for operator logins Provisioning of nonguest user roles by operators Limit operators to view only the account they created Self-registration workflow with automated login Sponsor-approved self-registration Time zone support for guest access in distributed deployments Bulk provisioning of guest - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 8
information printing via templates Guest credential delivery through email and SMS Force password change on first login Delete and/or disable guest accounts on expiration Guest Session Management Time and day policy Guest access expiry timer starts on first login Limit access based on total session - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 9
Plus Amigopod Enterprise Features and Scalability Managing 1000s of accounts High availability/redundancy Expandability (plug-in architecture) Although ArubaOS supports internal and external captive portal functionality, this guide focuses on external captive portal functionality. The internal - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 10
Web login Authentication Authorization Internet browsing Accounting-Request [8] Accounting-Response Accounting-Request [9] Accounting-Response [9] Session timeout [10] Accounting-Request [11] Accounting-Response Accounting Interim Accounting Accounting arun_0540 Figure 2 Workflow for captive - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 11
and ArubaOS Integration Application Note 4. The login message instructs the guest user's browser to submit the user user session and their device is permitted access to the network. 8. If RADIUS accounting has been configured correctly on the Aruba controller, an AccountingStart packet is sent to - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 12
make up the configuration of the ArubaOS controller to support external captive portal based authentication leveraging the RADIUS protocol Amigopod uses the default ports of 1812 for authentication and 1813 for accounting. The default Retransmit and Timeout value are adequate for most installs - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 13
Amigopod and ArubaOS Integration Adding a RADIUS Server aaa authentication-server radius "Amigopod" host 10.169.130.50 key ******* Application Note NOTE Figure 4 Adding a RADIUS server Ensure that the key is recorded, because you will need this shared secret for a later step in the Amigopod - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 14
local deployment, you must modify the NAS ID of the local controllers to ensure that the correct identifier is recorded in the RADIUS accounting traffic sourced from each local controller that is responsible terminating the APs. In the VRD campus topology, the local controllers are deployed on - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 15
to a Server Group A server group must be created to define which authentication server will be referenced during the authentication of visitor accounts. This server group is then referenced in the subsequent captive profile configuration. Make these configurations in the newly created server group - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 16
, such as bandwidth throttling after a quota is exceeded. Configuring an RFC3576 Server As part of the guest access solution addressed by this guide, Amigopod serves as the RFC3576 server and can perform the disconnect and CoA functions. Make these configurations in the RFC3576 server definition - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 17
Amigopod and ArubaOS Integration RFC3576 Server Configuration aaa rfc-3576-server "10.169.130.50" key wireless Application Note Figure 7 RFC3576 server configuration Aruba Networks, Inc. ArubaOS Configuration | 17 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 18
Amigopod and ArubaOS Integration Application Note Creating a Captive Portal Profile One of the key features of Amigopod is the ability to host the branded web login or captive portal pages on the Amigopod appliance. With the captive portal profile, you can configure the login and optional welcome - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 19
Amigopod and ArubaOS Integration Captive Portal Profile Configuration aaa authentication captive-portal "guestnet" default-role auth-guest redirect-pause 3 no logout-popup-window login-page https://10.169.130.50/Aruba_Login.php welcome-page https://10.169.130.50/Aruba_welcome.php switchip-in- - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 20
Amigopod and ArubaOS Integration Application Note Configure Authentication for Captive Portal Profile Now that the new captive portal profile has been created, you must select the server group for the Amigopod RADIUS definition as the authentication source. Configure the Authentication Source aaa - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 21
Amigopod. Modify AAA Profile RADIUS Settings aaa profile "guestnet" initial-role guest-logon radius-interim-accounting radius-accounting "Guest-Amigopod" Figure 10 Modify AAA profile RADIUS settings Next enable RFC3576 support for the server group. Aruba Networks, Inc. ArubaOS Configuration | 21 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 22
Amigopod and ArubaOS Integration Enable 3576 Support aaa profile "guestnet" rfc-3576-server "10.169.130.50" Application Note Figure 11 Enabling RFC3576 support Aruba Networks, Inc. ArubaOS Configuration | 22 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 23
Amigopod and ArubaOS Integration Application Note Define a Policy to Permit Traffic to Amigopod A new firewall policy must be created and assigned to the initial role allocated to unauthenticated guest users to allow the successful redirect to the captive portal page defined on Amigopod. These - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 24
Amigopod and ArubaOS Integration Example of Source NAT on VLAN ip access-list session "amigopod" alias "user" alias "Amigopod" "svc-http" permit queue low alias "user" alias "Amigopod" "svc-https" permit queue low Application Note Figure 13 Amigopod access - source NAT on VLAN example Source NAT - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 25
Amigopod and ArubaOS Integration Application Note Enable Captive Portal on Initial Role of Captive Portal Profile In the previous step, the initial role for this captive portal authentication configuration is configured as guest-logon. This role must be modified to enable the newly created - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 26
Amigopod and ArubaOS Integration Application Note Verify Virtual AP Configuration Based on the baseline configuration detailed in the campus VRD resource, the guest virtual AP should have the appropriate SSID and AAA profile applied. Virtual AP Configuration wlan virtual-ap "guestnet" ssid-profile - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 27
the baseline configurations in the campus VRD design, this guide assumes that the Amigopod appliance is installed and available on the Amigopod wizard during the initial installation, which triggers a download of all licensed software and updates for the individual deployment at hand. A subscription - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 28
Amigopod and ArubaOS Integration Application Note A correctly configured subscription ID can be verified by browsing to Amigopod Administrator > Plugin Manager > Manage Subscriptions as shown in Figure 18. Figure 18 Amigopod Subscription Manager Aruba Networks, Inc. Amigopod Configuration | 28 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 29
prompted instruction to restart services after the installation of new or updated plugins. Plugins must be updated to ensure that Amigopod has downloaded To troubleshoot the issue, begin your investigations in these areas: Firewall rules Upstream proxies (Amigopod support proxy integration - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 30
Amigopod and ArubaOS Integration Application Note A useful diagnostic tool to verify that Amigopod has Internet connectivity via HTTP is available under Administrator > Network Setup > Network Diagnostics shown in Figure 21. Figure 21 Amigopod diagnostics Configure RADIUS NAS for an Aruba - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 31
convention (need not be present in DNS). Enter IP address of the Aruba controller. The NAS Type should be set to Aruba Networks (RFC3576 support). The Shared Secret (called the Key in the first Aruba controller step) must be configured and confirmed. Check Create a RADIUS Web Login page for - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 32
Amigopod and ArubaOS Integration Application Note Click Create NAS Device, and you are prompted to restart the RADIUS server as seen in Figure 24. You must restart the server, because the RADIUS server within Amigopod rejects any request from the Aruba controller as unknown until the restart has - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 33
web login page can be seen in Customization > Web Logins. Figure 25 shows the automatically created web login, but a new one can be created manually at a later stage. Figure 25 Automatically generated web login page The Page Name field defines the URL that is hosted on the Amigopod appliance. For - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 34
VRD are permitted in the white list of valid controller IP addresses. The web login page now is configured and is ready to be tested against the previous Aruba controller configurations. Optional Customization of the Web Login Page Several Login Form options allow you to override the default login - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 35
the Amigopod skin technology to brand the captive portal that is displayed to the wireless and wired users. These skins are available as a professional service as a purchasable SKU or custom and blank skins are available for customers who want to perform their own HTML and CSS style customization - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 36
process at the point where the contents of the Login Message HTML is displayed. This delay is useful for many reasons. If you need to troubleshoot any captive portal issues, this delay is a good time to obtain the contents of a view source in the client's browser. Alternatively this delay can be - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 37
session and return this value in the session-timeout attribute so the controller can manage the termination of the session. For example, if a guest account was created with a 2-hour expiry, Amigopod returns a session-timeout value of 7200 seconds. Aruba Networks, Inc. Amigopod Configuration | 37 - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 38
as a selection when creating new guest accounts via the Create User screens of originally request URL. Display information regarding the terms of service. Display a summary of session statistics that could page has been made and published for download. This backup file includes all the required - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 39
Amigopod and ArubaOS Integration Application Note Figure 32 Restore welcome page To restore the customized welcome page, check Restore settings from backup and click Restore Configuration. When the restore is complete, browse to Customize > Web Logins and verify that the web login page has been - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 40
portal profile on the ArubaOS controller must be modified to match any changes made. Figure 34 shows the sample welcome page developed for this guide. This welcome page highlights the following integration points between the Amigopod and ArubaOS controllers: Detection of guest user name logged - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 41
Amigopod and ArubaOS Integration Application Note A logout page is also included in the sample backup file. This page is linked to the Wi-Fi Logout button on the previous welcome page and allows for further messaging to be displayed on the logout page. As shown in Figure 35, the inclusion of this - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 42
(Guests > Create Multiple). Import from CSV (Guests > Import Device). Create a MAC device (Guest > Create Device). Any of these methods can be used to create the testing accounts. In the example in Figure 36, Create Multiple has been selected as a quick method to create one or more guest - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 43
shown in Figure 37. Figure 37 Completed guest account If numeric user credentials will be challenging during your testing phase, these credentials can be edited easily by clicking the List guest accounts option. Click the newly created guest account to display the actions that are available for the - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 44
Amigopod and ArubaOS Integration Application Note On the Edit screen, a new username and password can be defined manually to make any level of repetitive testing easier on the administrator. Click Update Account to display the confirmation page as shown in Figure 39. Figure 39 Updated guest - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 45
Amigopod and ArubaOS Integration Application Note On the Amigopod side, you can also look at the end of the RADIUS log to verify that the transactions are executing on that side. Figure 41 RADIUS log tail If you experience any issues with the authentication process, the RADIUS debugger can be - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 46
and Verify Successful RADIUS Transaction Now that everything is set up on the Amigopod and the Aruba controller, attempt to connect a test wireless or wired client to the network. The session should be redirected successfully to the Amigopod web login page. Figure 42 Amigopod portal Page Aruba - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 47
Amigopod and ArubaOS Integration Application Note After you enter the test user account credentials and click Log In, a successful end-to-end RADIUS transaction should be the result. You can verify by referring to the end of the - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 48
received by Amigopod, you will not find a corresponding entry in the Guests > Active Sessions page shown in Figure 44. Given the Interim Accounting support in ArubaOS 6.1, this page displays live traffic statistics based on these updates. If you also have configured RFC 3576 on your Aruba controller - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 49
an appropriate policy. Verify that the Amigopod has a route back to the address space of the test client. Look at how NAT and the default gateway of Amigopod are referenced as part of your troubleshooting steps. If the login process stalls and the logs show that no RADIUS request was received from - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 50
Support Main Site Support Site Software Licensing Site Wireless Security Incident Response Team (WSIRT) Support Emails Americas and APAC EMEA WSIRT Email Please email details of any security problem Telephone Support Aruba Corporate FAX Support United States Universal Free Phone Service Numbers - Dell PowerConnect W Clearpass 100 Software | ArubaOS Integration Guide - Page 51
Amigopod and ArubaOS Integration Application Note Telephone Support Universal Free Phone Service Numbers (UIFN): Japan Korea Singapore Taiwan (U) Belgium Israel Ireland Hong Kong Germany France China (P) Saudi Arabia UAE Egypt India IDC: 10 810 494 34526 * Select
Amigopod and ArubaOS
Integration
Version 1.0