Solved

ClearPass -> WING SSID assignment

  • 12 October 2019
  • 7 replies
  • 231 views

Hello,

I am working to authenticate the WiFi against ClearPass.
Currently I have an "Office" SSID and a "Special" SSID with restricted access. The restricted access is done via the WING IP Firewall (IPv4 ACL).
My plan with ClearPass is that all devices will use the "Office" SSID. The question is how to limit the devices which currently have only access to the "Special" SSID? They should be possible to reach the "Special" SSID via the "Office" SSID.
I am not sure if I have to work with Attribute Number. For instance the Attribute Number 2?

I am using WING 5.9.4.1 with AP7532.

Each hint is appreciated.

Regards,
Stefan

Best answer by Chris Kelly 14 October 2019, 15:23

Stefan, it sounds like maybe something that would work for you is role-based firewalling, using one of WiNG's VSAs (specifically, the WING-User-Group attribute).

With this WiNG VSA, you can add the attribute and desired values to ClearPass and assign to users, and the value is passed back to the WiNG controller or AP within the RADIUS access-accept message. WiNG will then look at the value and place the user into that WiNG user-group name. The user group defines all the ways that you want to treat/restrict users belonging to that group, including applying an IP ACL.

So on the WiNG side, you would need to create a Wireless Client Role, which contains the 'group' value that will be looked for in the access-accept message. The Client Role configuration also allows you to assign firewall rules that you want to apply to users that will fall into this role/group, based on the value contained in the access-accept attribute.

Role Based Firewall Guide
The guide for the Role Based Firewall setup is what you also need to help walk you through creating the user group. Since you already have an IP ACL created for the Special SSID, you should be able to simply indicate that this same ACL should be used for users that will belong to this user group. The guide does NOT, though, contain how to create and set up a VSA for ClearPass. It does contain an example for Windows Server. It does contain an example of how to set up things on the WiNG side for this user-group restriction method.

Below is what you need to define on ClearPass in case you already know how to set up a VSA.

2894b3ea-d41f-481c-a14a-636c5e7cdcda.jpg
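
To check what the answer above describes, this added example (not part of the original thread or of Extreme's or Aruba's documentation) parses a RADIUS Access-Accept per RFC 2865 and pulls the group name out of the Vendor-Specific attribute (type 26). The vendor ID, sub-attribute number and group name are placeholders constructed for the example; take the real values for WING-User-Group from the vendor's RADIUS dictionary.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that carries VSAs
ACCESS_ACCEPT = 2      # RFC 2865 packet code
# Placeholders, not the real WING-User-Group numbers (see the vendor dictionary).
PLACEHOLDER_VENDOR_ID, PLACEHOLDER_GROUP_ATTR = 99999, 1

def build_packet(code, attrs):  # constructed test packet, zeroed authenticator
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def build_vsa(vendor_id, vendor_type, value):
    sub = bytes([vendor_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

def parse_vsas(packet):
    """Return (code, [(vendor_id, vendor_type, value), ...]); ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, body = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += len(body) + 2
        if atype != VENDOR_SPECIFIC:
            continue
        if len(body) < 6:
            raise ValueError("VSA too short")
        vendor_id, sub = struct.unpack("!I", body[:4])[0], body[4:]
        while sub:  # one VSA may carry several vendor sub-attributes
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad sub-attribute length")
            found.append((vendor_id, sub[0], sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return code, found

def user_group(packet, vendor_id, group_attr):
    """Group name carried in an Access-Accept, or None if absent."""
    code, vsas = parse_vsas(packet)
    hits = [v for vid, t, v in vsas if (vid, t) == (vendor_id, group_attr)]
    return hits[0].decode("utf-8", "replace") if code == ACCESS_ACCEPT and hits else None

# Constructed sample: Reply-Message (type 18) plus the group VSA.
SAMPLE = build_packet(ACCESS_ACCEPT, [bytes([18, 4]) + b"ok",
    build_vsa(PLACEHOLDER_VENDOR_ID, PLACEHOLDER_GROUP_ATTR, b"special-devices")])
```

A `None` result for a restricted device means no group value reached the AP, so no group-based role (and none of its ACLs) can match that client.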


Userlevel 6
Stefan, I think I understand your question up until you say,
"They should be possible to reach the "Special" SSID via the "Office" SSID."

To be clear, it sounds like what you are wanting to accomplish is to get rid of the Special SSID and have everyone use just the single Office SSID - but then you need a way to continue to restrict access to the network in some way for certain users that previously used the Special SSID. Is this correct?
Userlevel 6
I believe that Stefan is referring to RADIUS server (which is the authentication server/ClearPass Policy Manager server).

ClearPass is an Aruba network naming convention for Radius Server.
Userlevel 6
For further help to configure RADIUS check the following articles:

Radius attributes - How to
How to configure a WiNG controller for 802.1x authentication with internal RADIUS, using LDAP to connect to a Windows Active Directory server.
How to configure 802.1x authentication with internal RADIUS on a WiNG controller

How to include location attribute in RADIUS request sent by a WiNG device?
How to set internal RADIUS server on WiNG with LDAP based authentication?
Hello Chris,

Yes, you are right. Restrict access for certain devices, not users.

Hello Robert,
thank you. I am aware of the provided documents.
I think I need help with which attribute I should use, and whether what I would like to do is possible.

Regards,
Stefan

Hi Chris,

Thank you.

Looks promising. I think this was the hint which I've been looking for. Will test it within this week and let you know.

 

Regards,

Stefan

Hello Chris,

It is working. Thanks again for your hints.


Regards,

Stefan
