HPE Aruba ClearPass - RADIUS Configuration with Cloud Access Service - RSA Ready Implementation Guide

This article describes how to integrate Cloud Access Service (CAS) with HPE Aruba Networking ClearPass Policy Manager using RADIUS.

   

Configure CAS

Perform these steps to configure CAS using RADIUS.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Navigate to Authentication Clients > RADIUS.
  3. Click Add RADIUS Client and Profiles.
  4. On the RADIUS Client page, enter the following details:
    1. Name: Enter a descriptive name for the RADIUS client.
    2. IP Address: Enter the IP address of the RADIUS client (ClearPass Policy Manager IP address).
    3. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.
  5. Click Save and Next Step, and then click Finish to complete the configuration.
  6. Click Publish Changes to apply your changes to the RADIUS server and wait for the process to be completed.

Notes:

  • CAS RADIUS server is configured to listen on UDP port 1812.
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.
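One way to generate and check a shared secret that meets the constraints in the notes above, and to see what that secret protects in a RADIUS request. This is an added example, not RSA or HPE code; the function names are hypothetical, the sample values are constructed, and it assumes the passcode is carried in a User-Password attribute as defined in RFC 2865.

```python
# Added example with constructed values; not RSA or HPE code.
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # alphanumeric, case-sensitive
MAX_LEN = 31                                     # CAS limit from the note above


def is_valid_cas_secret(secret: str) -> bool:
    """Check the CAS constraints: 1 to 31 ASCII alphanumeric characters."""
    return 1 <= len(secret) <= MAX_LEN and all(c in ALPHABET for c in secret)


def generate_cas_secret(length: int = MAX_LEN) -> str:
    """Draw a secret from the OS CSPRNG, defaulting to the maximum length."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("CAS accepts 1 to 31 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the padded password with an MD5 keystream."""
    if not 1 <= len(password) <= 128 or len(req_auth) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse; anyone who knows or guesses the secret can run it."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return plain.rstrip(b"\x00")


if __name__ == "__main__":
    secret = generate_cas_secret()
    auth = secrets.token_bytes(16)        # constructed Request Authenticator
    wire = hide_user_password(b"12345678", secret.encode(), auth)
    print(is_valid_cas_secret(secret), wire.hex())
```

A 31-character secret over this 62-symbol alphabet carries roughly 184 bits, so generating at the maximum length costs nothing and gives the MD5-based hiding its strongest key.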

   

Configure HPE Aruba Networking ClearPass Policy Manager

Perform these steps to configure HPE Aruba Networking ClearPass Policy Manager.

Procedure

  1. Sign in to HPE Aruba Networking ClearPass Policy Manager.
  2. Navigate to Configuration > Authentication > Sources and click Add.
  3. On the Configure Authentication Source page, under the General tab:
    1. In the Name field, enter a name for the Authentication Source (for example, RSA Cloud Access Service).
    2. In the Type drop-down list, select Token Server.
    3. Click Next to proceed.
  4. On the Primary tab, provide the following details:
    1. In the Server Name field, enter the IP address or FQDN of the RSA RADIUS server.
    2. In the Protocol drop-down list, select RADIUS.
    3. Set the Port to 1812.
    4. In the Secret field, enter the same RADIUS shared secret that you set when adding ClearPass Policy Manager as a RADIUS client in CAS.
    5. Click Save to apply the settings.
  5. Go to Configuration > Services and click Add.
  6. Configure the Service Template and then click Next to continue.
    1. Select 802.1X Wireless (or another appropriate template based on your requirements).
    2. Enter a suitable Name for the service.
    3. In the Service Rules section, add the following rule:
      1. Set Type to RADIUS: Aruba
      2. Set Name to Aruba-Essid-Name
      3. Set the Operator to EQUALS
      4. Set the Value to RSA-CORP

Note: Before adding a new entry, note that the list already contains two pre-populated types, as illustrated in the screenshot.

  7. On the Authentication tab, select RSA Cloud Access Service (added earlier as a Token Server) in the Authentication Sources drop-down list and click Next.
  8. On the Roles and Enforcement tabs, adjust the settings to suit your environment. Then, on the Summary tab, review the configuration for accuracy and click Save.

    

Configure Network Supplicant

After configuring ClearPass Policy Manager for RSA authentication, you need a compatible 802.1X supplicant to complete the setup. The supplicant must support either EAP-GTC (Generic Token Code) or native RSA authentication to handle CAS challenges, such as prompts for a new PIN or next token code.

In this example, the EAP-GTC plugin from HPE is used for Windows, supporting both 32-bit and 64-bit versions of Windows 10 and 11. This plugin is available for download from the HPE Networking Support Portal.

Procedure

  1. Run the downloaded installer for the Aruba EAP-GTC plugin and click Next to proceed.
  2. Accept the license agreement and click Install.
  3. Choose Reboot now and click Finish. Once the system restarts, the EAP-GTC plugin will be fully installed and ready to use.
  4. After the installation is complete, you need to create a Network Profile for the SSID that will use RSA. Open the Network and Sharing Center and click Set up a new connection or network.
  5. Choose Manually connect to a wireless network.
  6. Enter the following information in the Wireless Network Information window and click Next.
    1. Network name: Enter the network SSID.
    2. Security type: Select WPA2 Enterprise or 802.1x in the drop-down list and click Next.
  7. Click Change connection settings.

    The Wireless Network Properties dialog box appears.
  8. Click the Security tab.
  9. Select Microsoft: Protected EAP (PEAP) in the Choose a network authentication method: drop-down list.
  10. Make other changes as appropriate, and click Settings.
  11. In the Select Authentication Method: drop-down list, select EAP-Token and click OK. Make any other changes as appropriate.
  12. Click Advanced if you need to make changes to the Advanced Properties, such as the Authentication Mode.
  13. Click OK when all the changes are made.

When you connect to the SSID configured in the Wireless Network Profile, the EAP-GTC plugin will prompt you with a login screen to enter your username and password.

 

The configuration is complete.