Aruba ClearPass Workshop (2021) - Wireless Access #1 - 802.1X WPA-Enterprise - Basic part 1

Published on Aug 02, 2024

Introduction

This tutorial guides you through setting up an Aruba ClearPass deployment integrated with an Aruba Instant Access Point (AP) for wireless access using EAP-TLS authentication. By following these steps, you will learn how to configure the Instant AP, connect it to ClearPass, and troubleshoot initial connectivity issues.

Chapter 1: Configure the Aruba Instant AP

  1. Access the Instant AP Configuration

    • Log in to your Aruba Instant AP management interface.
  2. Set the Virtual Controller IP

    • Navigate to the System settings.
    • Configure a Virtual Controller IP (e.g., 10.1.10.2). This IP will be used for RADIUS requests.
  3. Enable Dynamic RADIUS Proxy

    • Activate the Dynamic RADIUS Proxy feature. This allows the AP to be reachable regardless of its DHCP-assigned IP.
  4. Create the SSID

    • Go to the Wireless section and create a new SSID named Airheads-corp.
    • Set the Primary Use to Employee.
    • Choose WPA2-Enterprise as the security level.
    • Add the ClearPass server as an authentication server with the shared key (to be defined later in ClearPass).
  5. Enable Dynamic Authorization

    • Enable Dynamic Authorization (CoA/RFC3799) for later use.
    • Set the accounting interval to 3 minutes and enable OKC, 802.11r, 802.11k, and 802.11v as best practice.

Chapter 2: Troubleshoot Initial Connection Issues

  1. Attempt to Connect to SSID

    • Try connecting a client device to the Airheads-corp SSID. Expect a failure initially.
  2. Check ClearPass Access Tracker

    • Open the ClearPass Policy Manager.
    • Navigate to Access Tracker to see if any authentication attempts are recorded.
  3. Investigate Event Viewer

    • If no attempts show up, check the Event Viewer for any authentication errors.
    • Look for errors indicating an unknown network access device.

Chapter 3: Add Network Device in ClearPass

  1. Create a New Network Device

    • Go to Network Devices in ClearPass and add a new device.
    • Input the Instant AP's IP address and provide a description.
    • Set the RADIUS shared secret (same as in the Instant AP).
    • Set the vendor name to Aruba and enable RADIUS Dynamic Authorization.
  2. Re-attempt Client Connection

    • Try connecting the client to the SSID again.

Chapter 4: Create a ClearPass Service for Wireless Access

  1. Add New Service

    • Navigate to the Services section in ClearPass.
    • Click to add a new service and select 802.1X Wireless.
    • Use a service identifier like ws_ to denote it's for the workshop.
  2. Configure Authentication Methods

    • Remove any default methods like EAP-PEAP and EAP-FAST.
    • Select EAP-TLS and configure it without a common name check for now.
  3. Set Authentication Source

    • Add an Active Directory authentication source.
    • Input the hostname of your domain controller and provide credentials for a service account.

Chapter 5: Verify Client Connection

  1. Attempt Connection Again

    • Try connecting the client to the SSID once more.
    • If the connection fails, check the Access Tracker for updates.
  2. Review Alerts

    • Look for fatal alerts indicating issues, such as unknown_ca.

Conclusion

In this tutorial, we've configured an Aruba Instant AP and integrated it with ClearPass for EAP-TLS authentication. You learned how to troubleshoot initial connection issues, add network devices, and create a service for wireless access. The next steps involve installing the necessary certificates on your ClearPass server to resolve the unknown_ca error, which will allow successful client authentication.