MAC Authentication and OnGuard Posture Enforcement using Dell W-Series ClearPass and Dell Networking Switches
Dell Networking W-Series ClearPass Configuration Guide
Colin King, Network Solutions Engineering Team
This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. © 2013 Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell™, the Dell logo, PowerConnect™, Force10™ , and PowerEdge™ are trademarks of Dell Inc.
Contents
• Executive Summary
• Introduction
• Network Topology
• Applicable Hardware and Software Versions
• Dell W-Series ClearPass ...

Figures
• Figure 1. Basic Topology
• Figure 2. MAC Authentication Configuration Flowchart
• Figure 3. MAC Authentication 7024P Switch - RADIUS Server Configuration
• Figure 4. MAC Authentication 7024P Switch - Authentication Configuration
• Figure 5.
Executive Summary
The Dell Networking W-Series ClearPass platform is a powerful access control appliance for use with wired or wireless networking. W-ClearPass is highly optimized for use with wireless access using the W-Series controllers and APs as the network access devices. In addition to wireless network access control, W-ClearPass can service authentication requests from Dell Networking wired switches.
Network Topology
Figure 1. Basic Topology
The figure above shows the setup used for this document. The printer is used for the MAC Authentication example configuration, while the PC is used for the OnGuard health posture example configuration. The Dell Networking 7024P is representative of a typical closet access switch. The Dell Networking W-ClearPass appliance is normally located in the Data Center. The Dell 7024P switch is also capable of supplying PoE+ power to devices connected to its ports.
Applicable Hardware and Software Versions
The examples in this document are validated on the following HW and SW versions:
• Dell W-Series ClearPass SW v6.0.2
• Dell Networking 7024P firmware v5.1.0.1

Dell W-Series ClearPass
Dell W-Series ClearPass SW v6.0.2
Configuration for the ClearPass appliance is the same for the latest version released during the publishing of this document, ClearPass v6.1.2. No changes to the MAC Authentication feature were implemented in this later version.
Figure 2. MAC Authentication Configuration Flowchart

Dell Networking 7024P Configuration
The following configuration steps start from a switch that has been configured to be an access switch with no network security settings in place. Basic settings outlined in the Quick Start Guide have been completed.

Add a RADIUS Server
• Navigate to System > Management Security > RADIUS > RADIUS Server Configuration
• Click on Add
• Input the IP address of the ClearPass appliance into RADIUS Server Host Address
• Change RADIUS Server Name to an appropriate name
• Click Apply
• Click on Detail
• Choose the IP address from the RADIUS Server Host Address drop-down list
• Click on the checkbox located in the Secret field
• Enter a secret key to be used with the ClearPass appliance
Figure 3. MAC Authentication 7024P Switch - RADIUS Server Configuration

Figure 4. MAC Authentication 7024P Switch - Authentication Configuration
There are likely other ports on the switch that do not require Authentication. For those ports, at this time it is recommended to force the port interface into Authorized mode.
Dell Networking ClearPass Configuration
The following configuration steps start from a ClearPass appliance that has been set up according to the basic configuration outlined in the Dell Networking W-ClearPass Policy Manager 6.0 Quick Start Guide. It is assumed that all Subscription IDs and licensing have been enabled for the product.

Create a Static Host List
The Static Host List will be the repository for the MAC addresses allowed onto the network. All devices using MAC Authentication will need to have their MAC addresses entered into this list.
Configuring a Network Policy
• Navigate to Configuration > Start Here
• Choose MAC Authentication
• Under the Service tab, input and change the following:
  • Enter a descriptive name in the Name field
  • Enter a description in the Description field
  • Under Service Rules, remove all default conditions by clicking on the trash icon to the right of each condition
  • Add a new condition by clicking on Click to add… and choosing the following:
    o Type – Radius:IETF
    o Name – Calling-Station-Id
    o Operator –
• Under the Authentication tab, input and change the following:
  • Highlight [MAC AUTH] and remove it from the Authentication Methods list
  • From the dropdown menu, --Select to Add--, choose [EAP MD5]
  • Highlight [Endpoints Repository] [Local SQL DB] and remove it from the Authentication Sources list
  • Click on Add new Authentication Source
  • Enter a descriptive name in the Name field (for this example "static list Mac auth" is used)
  • Enter a description in the Description field
  • From the dropdo
• Under the Roles tab, input and change the following:
  • Click on Add new Role Mapping Policy
  • Enter a descriptive name in the Policy Name field
  • Enter a description
  • Leave the Default Role as [Guest]
  • Click on Next to move to the Mapping Roles tab
  • Click on Add Rule
  • Click on Click to add… within the Conditions window
  • From the dropdown menu under Type, choose Authentication
  • From the dropdown menu under Name, choose Source
  • From the dropdown menu under Operator, choose EQUALS
Figure 9.
• From the dropdown menu for Profile Names, --Select to Add--, choose [RADIUS] [Allow Access Profile]
• Click on Save
• Click on Next to move to the Summary tab
Figure 10. MAC Authentication ClearPass – Configuring Enforcement
• Click on Save to move to the Reorder Services page
ClearPass evaluates the Services created from the top of the list to the bottom. There are many default services that come configured with the base install. These default services will not interfere with this example.
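The service above matches on Calling-Station-Id, authenticates against the Static Host List, maps a list hit to a role (default [Guest]) and applies [Allow Access Profile]. The following added example (not code from the Dell guide or from ClearPass) models that decision over RFC 2865 attribute encoding, including the MAC normalisation a practitioner needs because switches and list entries format MACs differently; the host list, request values and the "Printer" role name are constructed assumptions.

```python
import re
import struct

USER_NAME, CALLING_STATION_ID = 1, 31   # RFC 2865 attribute type codes

def normalize_mac(raw):
    """Canonical 12-hex-digit form for 00-11-22-33-44-55, 00:11:22:33:44:55,
    0011.2233.4455 or bare hex, so list lookups do not depend on switch format."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return digits.lower()

def encode_avps(avps):
    """Pack {type: value} as RADIUS type/length/value attributes."""
    out = b""
    for t, v in avps.items():
        v = v.encode()
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return out

def decode_avps(data):
    """Unpack RADIUS attributes; reject lengths that would loop or overrun."""
    avps, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length at offset %d" % i)
        avps[t] = data[i + 2:i + length].decode()
        i += length
    return avps

def mac_auth_decision(request, static_host_list, mapped_role="Printer"):
    """Service rule: Calling-Station-Id must exist. Authentication source: the
    static host list. Role mapping: source hit -> mapped_role, else [Guest].
    Enforcement: [Allow Access Profile] on a hit, Access-Reject otherwise."""
    avps = decode_avps(request)
    if CALLING_STATION_ID not in avps:
        return {"matched_service": False, "result": "no service matched"}
    mac = normalize_mac(avps[CALLING_STATION_ID])
    if mac not in {normalize_mac(m) for m in static_host_list}:
        return {"matched_service": True, "result": "Access-Reject", "role": "[Guest]"}
    return {"matched_service": True, "result": "Access-Accept",
            "role": mapped_role, "profile": "[Allow Access Profile]"}

# Constructed sample: list entry uses dashes, the switch sends colons / Cisco dots
STATIC_HOST_LIST = ["00-11-22-AA-BB-CC"]   # constructed printer MAC, not a real device
PRINTER_REQUEST = encode_avps({USER_NAME: "001122aabbcc",
                               CALLING_STATION_ID: "00:11:22:aa:bb:cc"})
UNKNOWN_REQUEST = encode_avps({USER_NAME: "0011.2233.4455",
                               CALLING_STATION_ID: "0011.2233.4455"})
```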
Within the Dell Networking 7024P GUI, administrators can see the status of all authentications and can see if a port is currently authorized. For the Port Access Log, navigate to Switching > Dot1x Authentication > Monitoring Mode > Port Access Control History Log. ClearPass has an extensive Access Tracker which logs all the steps corresponding to Authentication, Authorization and Enforcement.
OnGuard posture enforcement with Dell Networking 7024P Switch
OnGuard is a SW module within ClearPass used to determine the health of a device. Network administrators may want to require devices being connected to the network to have certain health-related conditions met before access is granted. Typical conditions include the presence of antivirus SW with updated virus definitions. Other conditions could involve a check on the state of the firewall.
Figure 11.
• Navigate to Switching > Network Security > Dot1x Authentication > Authentication
• Under Global Parameters, choose Enable from the dropdown list in the Administrative Mode field
NOTE: The enable authentication step above was completed in the previous MAC Authentication example.
• Identify the port to be used for wired authentication with OnGuard
• Under Interface Parameters, choose the port number from the dropdown list in the Interface field
The default setting when enabling 802.

The following configuration steps start from a ClearPass appliance that has been set up according to the basic configuration outlined in the Dell Networking W-ClearPass Policy Manager 6.0 Quick Start Guide. It is assumed that all Subscription IDs and licensing have been enabled for the product. This example builds upon the previous MAC Authentication example. The configuration of the RADIUS server and its shared secret is not repeated in this section.
Figure 13.
Figure 14. OnGuard ClearPass – Web-Based Authentication Service
• Click Next to move to the Authentication tab
• From the dropdown menu under Authentication Sources, choose [Local User Repository] [Local SQL DB]
Figure 15.
    o From the dropdown menu under Operator, choose EXISTS
    o Click the disk icon to save the condition
    o From the dropdown menu under Actions, Role Name, choose [Employee]
• Click Next to move to the Summary tab
• Click Save to save the new Role Mapping Policy and to move back to the Service configuration
Figure 16.
    o From the dropdown menu under Select plugin Checks, choose Fails one or more SHV checks
    o Check the ClearPass Windows Universal System Health Validator checkbox
    o From the dropdown menu under Posture Token, choose QUARANTINE (20)
    o Click on Save
    o Click Add Rule
    o From the dropdown menu under Select plugin Checks, choose Passes all SHV checks
    o Check the ClearPass Windows Universal System Health Validator checkbox
    o From the dropdown menu under Posture Token, choose HEALTHY (0)
    o Click on Save
Cl
Figure 18.
• Enter a descriptive name in the Name field (example – Agent Unhealthy)
• Enter a description in the Description field
• Click Next to move to the Attributes tab
• Delete the two auto-populated attributes
• Click on Click to add…
• From the dropdown menu under Attribute Name, choose Bounce Client
• From the dropdown menu under Attribute Value, check the checkbox
• Click the disk icon to save the attribute
• Click on Click to add…
• From the dropdown menu under Attribute Name, choose Message
• Click the disk icon to save the condition
• Click on Save
• Click on Next to move to the Summary tab
• Click on Save to save the Enforcement policy and move back to the Service configuration
Figure 19. OnGuard ClearPass – Enforcement Policy
• Click on Next to move to the Summary tab
• Click on Save to move to the Reorder Services page
ClearPass evaluates the Services created from the top of the list to the bottom. There are many default services that come configured with the base install.
• Click on Click to add…
• From the dropdown menu under Type, choose Radius:IETF
• From the dropdown menu under Name, choose User-Name
• From the dropdown menu under Operator, choose EXISTS
• Click the disk icon to save the rule
Figure 20. Wired 802.1x ClearPass – Service Configuration
• Click on Next to move to the Authentication tab
• Under the Authentication Methods, EAP FAST, EAP TLS, and EAP TTLS can be removed.
Figure 21. Wired 802.
Figure 22. Wired 802.
• From the dropdown menu under Profile Names, --Select to Add--, choose [RADIUS] [Allow Access Profile]
• Click on Save
• Click on Next to move to the Summary tab
Figure 23. Wired 802.1x ClearPass – Enforcement
• Click on Save to move back to the service configuration
• Click on Next to move to the Summary tab
• Click on Save to move to the Reorder Services page
• On the Reorder Services page, ensure this wired 802.
EAP (PEAP) is used, uncheck Validate server certificate, use method Secured password (EAP-MSCHAP v2) and uncheck Automatically use my Windows logon name and password. When connecting to the network, Windows will ask for a username and password. Enter the credentials that are located in the Local User database created within ClearPass for this example. Once connected to the network, the OnGuard application will also ask for a username and password.
Appendix A
Dell Networking 55xx Series Switches
Dell Networking 55xx Series switches have different features and use a different firmware base than the switches detailed above. Due to the feature and behavior differences, the configuration of the Dell Networking 55xx switch will be different.

Dell Networking 55xx Series Firmware
The following firmware version is used in the configuration information below: System firmware version 4.1.0.

Figure 24. Appendix A, 5524P Dot1x Global Settings
Switching > Network Security > Dot1x Authentications > Port Based Authentication Interface Settings: Edit
Figure 25.
Dell Networking W-ClearPass MAC Authentication Configuration
The configuration for W-ClearPass does not change from the example shown in the main body of this document. The same service and its setup can be used for the MAC Authentication with MAB.

OnGuard posture enforcement with Dell Networking 55xx Switch
The Dell Networking 55xx Series Switch behaves in a very similar manner for 802.1x PEAP-EAP-MSCHAPv2 authentication. The standard settings are shown in the following figure.
Figure 26.