The full configuration necessary to enable wireless access has many components and options. This example assumes the administrator has a functional basic WLAN configuration. The administrator should configure the following before implementing this example:
- Controller Network settings – VLANs, Ports, IP
- AP configuration – AP Group, Virtual AP, SSID
- AP installation – APs provisioned to an AP Group
Note: For more information about basic configuration, see the Dell Networking W-Series Aruba OS User Guide at https://www.dell.com/support/.
The configuration settings in this section are crucial to enable the authentication and access per the OnGuard example scenario.
Note: Most configuration changes require the administrator to commit the change by pressing the Apply button. This saves the change to the running configuration. If you click another area of the UI before committing, the changes are lost. Click Save Configuration to save the running configuration to the start-up configuration. The instructions below do not state at each step when to save the configuration.
Define 802.11 security
- Go to Wireless > AP Configuration and on the Configuration tab, click AP Group Name.
Note: Descriptive settings such as AP group name and SSID are unique to this example. The following images show the names as used in the test setup.
- Click the + to expand the Wireless LAN > Virtual AP > SSID categories.
Figure 35. SSID profile – 802.11 Security
The previous figure shows the authentication and encryption settings of the Virtual AP within the AP Group. Administrators may keep their current security settings. W-ClearPass supports all the types and sources used by the W-Series controller.
- Click the WPA2 and AES radio buttons in the 802.11 Security section.
- Click Apply to commit the changes.
Set W-ClearPass as the RADIUS server
To set W-ClearPass as the RADIUS server, perform the following steps:
- Click Security > Authentication and on the Servers tab, select RADIUS Server.
Figure 36. RADIUS Server settings
- Add W-ClearPass, and specify the Host, Key, and NAS IP in the fields provided.
- Click Apply to save the changes.
Set W-ClearPass as RFC 3576 server
To set W-ClearPass as the RFC 3576 server, perform the following steps:
- Go to Security > Authentication, and on the Servers tab, select RFC 3576 Server.
Figure 37. RFC 3576 Server
- Use the IP address of W-ClearPass to add the server.
- Enter the Key in the fields provided, then click Apply to save the changes.
Create a Server Group
To create a Server Group, perform the following steps:
- Click Security > Authentication and on the Servers tab, select Server Group.
Figure 38. Server Group
- Add a server group using a descriptive name, for example, Employee_CPDG_svrgrp-vgs43.
- From the Servers section, click New.
- Under Server Name, click the drop-down menu and select the W-ClearPass Radius server previously configured.
- Click Add Server and then click Apply to save the changes.
Define User Roles
This example contains two roles:
- If the device is healthy, the user is assigned an Employee role. In this example, the Employee role is used with an allow-all policy.
- If the device is not healthy, the user is assigned a Quarantine role and is restricted to a limited set of protocols and destinations.
In this example, the user is only allowed to access the W-ClearPass server on the OnGuard landing webpage. The details of this landing page are shown in the Create an OnGuard landing webpage section.
Create an Employee User Role
- Go to Security > Access Control and select the User Roles tab.
Figure 39. Employee Role
- Click Add.
- Under Misc. Configuration, enter a Role Name, for example, Employee.
- Select the appropriate Role VLAN ID.
- From the Firewall Policies tab, click Add.
- Select Choose From Configured Policies, and select Allow all (session) from the drop-down menu.
- Click the Done button, and then click Apply to save the changes.
Creation of the Quarantine User Role
The creation of the Quarantine User Role is completed in two parts:
- Create a Destination alias
- Create a Quarantine User Role
Create a Destination alias
Before the creation of a Quarantine User Role, you must first create the Destination alias.
- Click Advanced Services > Stateful Firewall, then select the Destinations tab.
Figure 40. Destination configuration
- Click Add.
- In the Destination Name field, enter a descriptive name, for example, OnGuard-page.
- From the Type section, click Add.
- From the Rule Type drop-down, select host.
- Enter the IP Address of the W-ClearPass server in the field provided.
- Click Add and then click Apply to save the configuration.
Create a Quarantine User Role
To create the Quarantine User Role, perform the following steps:
- Click Security > Access Control and select the User Roles tab.
- Click Add.
- In the Misc. Configuration field, enter a descriptive name, for example, OnGuard-redirect.
- Select the appropriate Role VLAN ID.
Note: The example uses the same VLAN as the Employee VLAN.
- From the Firewall Policies tab, click Add.
- Select Create New Policy, and then click Create.
- Enter a descriptive Policy Name in the field provided, for example, Allow_Access_OnGuard_Weblogin_page.
- For the Policy Type, select Session and then click Add.
- Adjust the following settings, leaving all other options at their default setting:
  - Source – user
  - Destination – select Alias, then select OnGuard-page using the destination from the previous steps
  - Service/Application – select Service, and then select svc-http (tcp 80)
  - Action – permit
- Click Add, then click Add again.
- Adjust the following settings, leaving all other options at their default setting:
  - Source – user
  - Destination – select Alias, then select OnGuard-page using the destination from the previous steps
  - Service/Application – select Service, and then select svc-https (tcp 443)
  - Action – permit
- Click Add, and then click Done.
Note: Administrators must add rules to this firewall policy to enable access to services and hosts that are key to joining the network and authenticating access. DHCP is an example of a service that needs to communicate while in the quarantine role. The following image shows only the http and https rules with the destination alias.
Figure 41. Firewall rules for user role
- From the Firewall Policies tab, click Add.
Figure 42. Quarantine User Role
- From the Choose From Configured Policies option, select captive portal (session) from the drop-down menu.
- Click Done and then click Apply to commit the changes.
Note: The Captive Portal Profile setting under Misc. Configuration shows an OnGuard profile in the previous figure. The steps to create this profile are addressed in the next sections. To set this profile, revisit the role after the profile is created.
Create Captive Portal Authentication profile
This example uses a Captive Portal for users to access the OnGuard installation files. Users that do not have OnGuard installed can open a browser and access a webpage that instructs the user to run a health scan. This method provides access to installation links. Details on building the webpage are shown in the Create an OnGuard landing webpage section.
- Click Security > Authentication and select the L3 Authentication tab > Captive Portal Authentication.
- In the field provided, enter a descriptive name, then click Add. An example of a descriptive name could be OnGuard.
- Within the Captive Portal Authentication in the left column, select the name that you created.
- Under Default Role, select the quarantine role previously created, for example, OnGuard-redirect.
- Under Default Guest Role, select the quarantine role previously created, for example, OnGuard-redirect.
- In the Login page field, verify that the URL for the landing page described above is shown. For this example, the configured webpage is hosted on W-ClearPass. The URL in this example is http://172.25.172.188/guest/OnGuard.php. You will use this page name in the Create an OnGuard landing webpage section.
- Click Apply to save the changes.
- Click the Server Group setting located within the profile created above.
- From the Server Group drop-down menu, choose the server group you created. In this example, the Employee_CPDG_svrgrp-vgs43 was created.
- Click Apply to save the changes.
Figure 43. Captive Portal profile
Update Quarantine User role
Now that the captive portal profile has been created, you must update the Quarantine User role. To update the role, perform the following steps:
- Click Security > Access Control then click the User Roles tab.
- Click the Edit listing next to the corresponding Quarantine User role. In this example, edit the OnGuard-redirect Quarantine user role.
- On the right side, under the Captive Portal Profile, select the profile created in the previous step, for example, OnGuard.
- Under Captive Portal Check for Accounting, verify that the checkbox is selected.
- Click Apply to save the changes.
Add AAA profile
Note: Administrators may already have a functional AAA profile. You can also modify the existing profile.
- Click Security > Authentication then click the AAA Profiles tab.
- Click Add.
- In the field provided, enter a descriptive name. For example, Employee_CPDG-aaa_prof, and then click Add.
- Click the name to edit the profile.
- Under Initial role, select the Quarantine role created previously, for example, OnGuard-redirect.
This setting ensures that the initial role given to any user is the role designated for devices with unknown health status. Leave all other settings at their default setting.
Note: Dell Technologies recommends that you specify all the default role settings as directed by your network security policies.
- Click Apply.
- Click the 802.1x Authentication Server Group setting located under the profile created above.
- From the drop-down menu, select the server group you created, for example, Employee_CPDG_svrgrp-vgs43.
- Click Apply.
- Click the RADIUS Accounting Server Group setting located under the profile created above.
- From the drop-down menu, select the server group created previously, for example, Employee_CPDG_svrgrp-vgs43.
- Click Apply.
- Click RFC 3576 server.
- Enter the IP address of the ClearPass server in the field provided then click Add.
- Click Apply.
- Click the IP address and enter the same key used for the RADIUS Server settings.
- Click Apply.
Note: Leave all other options at their default setting.
Figure 44. AAA profile
Add the AAA profile to Virtual AP profile
The AAA profile needs to be used within the Virtual AP profile used for wireless user access.
- Click Wireless > AP Configuration. From the Configuration tab, click the AP Group Name.
- Expand the Wireless LAN and Virtual AP listings.
- Click the Virtual AP profile that is in use, for example, Employee_CPDG-vap_prof.
- Click the AAA setting.
- From the AAA Profile drop-down menu, select the profile you created in the previous step, for example, Employee_CPDG-aaa_prof.
- Click Apply.
Figure 45. Server Group
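The same configuration, from the 802.11 security settings through binding the AAA profile to the Virtual AP, expressed as ArubaOS (Dell W-Series) CLI. This is an added example, not taken from the guide or from Dell; it mirrors the GUI steps above in the order the guide performs them. The profile names and the W-ClearPass address 172.25.172.188 are the ones the guide uses; the SSID profile name, the values in angle brackets (shared secret, controller NAS IP, VLAN ID), and the exact command syntax are assumptions to be checked against the ArubaOS CLI Reference for your release. The Captive Portal Check for Accounting checkbox and the extra rules the quarantine policy needs (DHCP, DNS) are not included and must be added for your environment.

```text
! Assumed ArubaOS CLI equivalent of the GUI steps in this section (added example).
! Replace <shared-secret>, <controller-ip> and <vlan-id> before use.

! Define 802.11 security: WPA2 with AES on the SSID profile (name assumed)
wlan ssid-profile "Employee_CPDG-ssid_prof"
  opmode wpa2-aes
!
! Set W-ClearPass as the RADIUS server. The key is the RADIUS shared secret and
! must match the one entered for this controller on the W-ClearPass side.
aaa authentication-server radius "W-ClearPass"
  host 172.25.172.188
  key <shared-secret>
  nas-ip <controller-ip>
  enable
!
! Set W-ClearPass as the RFC 3576 (Change of Authorization) server, same key
aaa rfc-3576-server 172.25.172.188
  key <shared-secret>
!
! Create the Server Group that references the RADIUS server
aaa server-group "Employee_CPDG_svrgrp-vgs43"
  auth-server "W-ClearPass"
!
! Employee role: healthy devices, allow-all policy
user-role Employee
  vlan <vlan-id>
  access-list session allowall
!
! Destination alias for the OnGuard landing page host
netdestination OnGuard-page
  host 172.25.172.188
!
! Session policy for quarantined users: only HTTP and HTTPS to the landing page.
! Rules for DHCP, DNS and any other service needed to join the network go here.
ip access-list session Allow_Access_OnGuard_Weblogin_page
  user alias OnGuard-page svc-http permit
  user alias OnGuard-page svc-https permit
!
! Quarantine role, first pass: restricted policy plus the predefined
! captiveportal ACL. The captive-portal profile does not exist yet, so it is
! attached in a second pass below (same ordering as the GUI procedure).
user-role OnGuard-redirect
  vlan <vlan-id>
  access-list session Allow_Access_OnGuard_Weblogin_page
  access-list session captiveportal
!
! Captive Portal Authentication profile pointing at the W-ClearPass-hosted page
aaa authentication captive-portal "OnGuard"
  default-role OnGuard-redirect
  default-guest-role OnGuard-redirect
  login-page http://172.25.172.188/guest/OnGuard.php
  server-group "Employee_CPDG_svrgrp-vgs43"
!
! Update the quarantine role now that the profile exists
user-role OnGuard-redirect
  captive-portal OnGuard
!
! AAA profile: every client starts in the quarantine role until the health
! check moves it to Employee; 802.1X and accounting both use the server group
aaa profile "Employee_CPDG-aaa_prof"
  initial-role OnGuard-redirect
  dot1x-server-group "Employee_CPDG_svrgrp-vgs43"
  radius-accounting "Employee_CPDG_svrgrp-vgs43"
  rfc-3576-server 172.25.172.188
!
! Bind the AAA profile (and SSID profile) to the Virtual AP used for wireless access
wlan virtual-ap "Employee_CPDG-vap_prof"
  ssid-profile "Employee_CPDG-ssid_prof"
  aaa-profile "Employee_CPDG-aaa_prof"
```

The two-pass definition of the OnGuard-redirect role is deliberate: the role and the captive portal profile reference each other, so the role is created first with only its policies, the profile is created against it, and the role is then revisited to attach the profile, exactly as the GUI procedure does in the Update Quarantine User role section. As with the GUI, changes take effect in the running configuration and still need to be written to the start-up configuration.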