HPE Aruba ClearPass - RADIUS Configuration with Authentication Manager - RSA Ready Implementation Guide

This article describes how to integrate Authentication Manager (AM) with HPE Aruba Networking ClearPass Policy Manager using RADIUS.

      

Configure AM

Perform these steps to configure AM using RADIUS.

Procedure

  1. Sign in to Security Console.
  2. Go to RADIUS > RADIUS Servers and make a note of the IP address of the selected RADIUS server.
  3. Navigate to RADIUS > RADIUS Clients and click Add New.
  4. On the Add RADIUS Client page, enter the following details:
    1. Client Name: Enter a descriptive name for the RADIUS client.
    2. IPv4 Address: Enter the IP address of the RADIUS client (ClearPass Policy Manager server).
    3. Make/Model: Standard Radius.
    4. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.
  5. Click Save & Create Associated RSA Agent.
  6. On the Add New Authentication Agent page, click Save, and then confirm by clicking Yes, Save Agent.

Notes:

  • RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.
  • The relationship of agent host record to RADIUS client in Authentication Manager can be 1 to 1, 1 to many, or 1 to all (global).
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.
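
An added example, not part of the RSA guide: the Python sketch below generates a shared secret that fits the AM constraint stated above (alphanumeric, 1 to 31 characters) and shows how RADIUS uses that secret to hide the User-Password attribute (RFC 2865, section 5.2), which is why a full-length random value is worth using. The function names are illustrative, and it assumes the passcode travels in a User-Password attribute.

```python
import hashlib
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits
MAX_SECRET_LEN = 31  # AM limit stated in the notes above


def generate_shared_secret(length: int = MAX_SECRET_LEN) -> str:
    """Return a random alphanumeric secret drawn from the OS CSPRNG."""
    if not 1 <= length <= MAX_SECRET_LEN:
        raise ValueError("AM accepts 1 to 31 characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def is_valid_shared_secret(secret: str) -> bool:
    """Check the AM constraint: ASCII alphanumeric, 1 to 31 characters."""
    return 1 <= len(secret) <= MAX_SECRET_LEN and all(c in ALPHANUMERIC for c in secret)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 hiding; assumes the passcode is sent as User-Password."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()  # keystream depends on the secret
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse: only a peer holding the same secret recovers the value."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    secret = generate_shared_secret()
    print(f"shared secret ({len(secret)} chars): {secret}")
```

Enter the generated value once in the AM RADIUS client record and once in the ClearPass Secret field; a mismatch in case alone changes the keystream and the server recovers garbage.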

   

Configure HPE Aruba Networking ClearPass Policy Manager 

Perform these steps to configure HPE Aruba Networking ClearPass Policy Manager.

Procedure

  1. Sign in to HPE Aruba Networking ClearPass Policy Manager.
  2. Navigate to Configuration > Authentication > Sources and click Add.
  3. On the Configure Authentication Source page, under the General tab:
    1. In the Name field, enter a name for the Authentication Source (for example, RSA Authentication Manager).
    2. In the Type drop-down list, select Token Server.
    3. Click Next to proceed.
  4. On the Primary tab, provide the following details:
    1. In the Server Name field, enter the IP address or FQDN of the RSA RADIUS server.
    2. In the Protocol drop-down list, select RADIUS.
    3. Set the Port to 1812.
    4. In the Secret field, enter the RADIUS shared secret key that was used when configuring ClearPass Policy Manager as a RADIUS client in AM previously.
    5. Click Save to apply the settings.
  5. Go to Configuration > Services and click Add.
  6. Configure the Service Template and then click Next to continue.
    1. Select 802.1X Wireless (or another appropriate template based on your requirements).
    2. Enter a suitable Name for the service.
    3. In the Service Rules section, add the following rule:
      1. Set Type to RADIUS: Aruba
      2. Set Name to Aruba-Essid-Name
      3. Set the Operator to EQUALS
      4. Set the Value to RSA-CORP

Note: Before adding a new entry, note that the list already contains two pre-populated types, as illustrated in the screenshot.

  7. On the Authentication tab, select RSA Authentication Manager (added earlier as a Token Server) in the Authentication Sources drop-down list and click Next.
  8. On the Roles and Enforcement tabs, adjust the settings to suit your environment. Then, on the Summary tab, review the configuration for accuracy and click Save.

    

Configure Network Supplicant

After configuring ClearPass Policy Manager for RSA authentication, you need a compatible 802.1X supplicant to complete the setup. The supplicant must support either EAP-GTC (Generic Token Code) or native RSA authentication to handle AM challenges, such as prompts for a new PIN or next token code.

In this example, the EAP-GTC plugin from HPE is used for Windows, supporting both 32-bit and 64-bit versions of Windows 10 and 11. This plugin is available for download from the HPE Networking Support Portal.

Procedure

  1. Run the downloaded installer for the Aruba EAP-GTC plugin and click Next to proceed.
  2. Accept the license agreement and click Install.
  3. Choose Reboot now and click Finish. Once the system restarts, the EAP-GTC plugin will be fully installed and ready to use.
  4. After the installation is complete, you need to create a Network Profile for the SSID that will use RSA. Open the Network and Sharing Center and click Set up a new connection or network.
  5. Choose Manually connect to a wireless network.
  6. Enter the following information in the Wireless Network Information window and click Next.
    1. Network name: Enter the network SSID.
    2. Security type: Select WPA2 Enterprise or 802.1x in the drop-down list and click Next.
  7. Click Change connection settings.

    The Wireless Network Properties dialog box appears.
  8. Click the Security tab.
  9. Select Microsoft: Protected EAP (PEAP) in the Choose a network authentication method: drop-down list.
  10. Make other changes as appropriate, and click Settings.
  11. In the Select Authentication Method: drop-down list, select EAP-Token and click OK. Make any other changes as appropriate.
  12. Click Advanced if you need to make changes to the Advanced Properties, such as the Authentication Mode.
  13. Click OK when all the changes are made.

When you connect to the SSID configured in the Wireless Network Profile, the EAP-GTC plugin will prompt you with a login screen to enter your username and password.

 

The configuration is complete.