ClearPass – dual interface and routing

When you are using both interfaces on a ClearPass server (MGMT and DATA) than ClearPass uses the DATA interface to connect to services, like LDAPS to Active Directory, SMTP delivery, Active Directory joining and more. ClearPass uses the DATA interface as default gateway if no specific route is available on the MGMT interface.

That being said, you have the option to add routes to the ClearPass routing table. Routes are added via the ClearPass shell. Use the following command to add a route.

Usage:

network ip add <mgmt|data|greN|vlanN> [-i <id>] <[-s <SrcAddr>] [-d <DestAddr>]> [-g <ViaAddr>]

Where:

  • greN — Name of the gre tunnel where N corresponds to the gre
    tunnel number ranging from 1,2,3…N
  • vlanN — Vlan interface where N corresponds to the vlan id ranging from 1,2,3…N. For example if the configured vlan identifier is ’85’ then input ‘vlan85’
  • -i — Optional parameter. Id of the network ip rule. If unspecified the system will auto generate the Id
  • -s <SrcAddr> — Optional parameter. The source interface ip address or netmask from where the network ip rule is specified. The allowed values are valid IP Address or Netmask or ‘0/0’
  • -d <DestAddr> — Optional parameter. The destination interface ip address or netmask where the network ip rule is specified. The allowed values are valid IP Address or Netmask or ‘0/0’
  • -g <ViaAddr> — Optional parameter. The via or gateway ip address through which the network traffic should flow. The allowed value is valid IP Address

An example:

[appadmin@CPPM01]# network ip add mgmt -d 10.10.10.0/24 -g 20.20.20.1
INFO – Added route for destination=10.10.10.0/24 via=20.20.20.1
INFO – New ip rule created with the id = 12000

You can check the routing table via the command: network ip list.

Aruba ClearPass – Cisco Prime – TACACS+

When using Cisco Prime you have the option to configure authentication to a remote AAA server via RADIUS or TACACS+. Today I configured Cisco Prime to use HPE Aruba ClearPass as remote AAA server based on the TACACS+ protocol. The configuration of an AAA server in Cisco Prime is very straightforward. Configure the AAA Mode Setting under Administration / Users / Users, Role & AAA / AAA Mode Settings. The next step involves adding HPE Aruba ClearPass as TACACS+ servers via the option menu Administration / Users / Users, Role & AAA / TACACS+ Servers.

I configured a TACACS+ service in ClearPass with a very basic Enforcement Profile. In the beginning I used the same Enforcement Profile, which I also use to enforce privilege level 15 to switches and routers. Authentication will fail at this point. In the Access Tracker I get the following error message:

Tacacs service=NCS:HTTP not enabled

And the login screen from Cisco Prime shows me the following error message.

I created a new Enforcement Profile and added the TACACS+ service NCS:HTTP to the Enforcement Profile. Now I see an access granted in the Access Tracker, but I still get the same error message on the Cisco Prime website. After some digging in Cisco Prime I noticed that Cisco Prime needs to receive TACACS+ attributes from the AAA server to grant access and assign privileges and tasks to the user.

First you need to get the TACACS+ attributes from the Virtual Domain configuration. In the menu options navigate to Administration \ Users \ Virtual Domains. At the upper right corner you have the option to “Export Custom Attributes”.

These attributes need to be configured in ClearPass. As you notice you also need to configure these attributes if you would like to use RADIUS as authentication protocol. You also need to add the attributes from the user group. Navigate to Administration / Users / Users, Role & AAA / User Groups. Click the “Task List” option next to the User Group you would like to use. I use Root in this example.

The User Group Root contains 194 tasks, which need to be added to the Enforcement Profile in ClearPass. Below you see a snippet from the Enforcement Profile configuration.

To make it easy for you, I exported the Enforcement Profile including all the 194 tasks for the Root User Group. You can download the Enforcement Profile in XML format below. Just import the profile into ClearPass and you are good to go!!!

Download here: Cisco Prime Enforcement Policy

ClearPass – concurrent session limit

I tried to configure a restriction to the concurrent number of active sessions a user can have on the wireless network. I found a great article on AirHeads Community “How to deny access for authentication requests based on session limit?

In short the article tells you to:

  1. Edit the Insight Repository
  2. Add more Filiters on the Attributes tab
  3. Enter the following information
    1. Filter Name: sessions
    2. Filter Query: see below
    3. Name: sessions
    4. Alias Name: sessions
    5. Data Type: Integer
    6. Enabled As: Role
  4. Add the Insight Repository as Authorization Source
  5. Create an Enforcement Policy Condition to check the Insight Repository
    1. Type: Authorization:[Insight Repository]
    2. Name: sessions
    3. Operator: GREATER_THAN_OR_EQUALS
    4. Value: <number of allowed simultaneous connections + 1

I configured my ClearPass environment like shown in the article, but I didn’t see any active sessions in the access tracker. The counter remained 0. I connected to the Insight database with the tool pgAdmin to see if the Insight database is updated. The database is updated, so every thing seems to be working.

Be accident I found the solution. The SSID is using EAP-PEAP authentication and users enter there username as <username>@<domain-name>, like rene@booches.nl. This is necessary, because the SSID is configured to work with Govroam. Govroam provides government employees with seamless access to WiFi networks, wherever the service has been made available by participating organisations. To authenticated the users correctly, I configured the CPPM Service with Strip Username Rules.

Strip Username Rules

The SQL query checks the attribute %{Authentication:Username}

select count(*) as sessions from radius_acct where (username = ‘%{Authentication:Username}’) AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() – interval ‘1 hour’) AND now());

In the InsightDB the username has the format <username>@<domain-name>, but the attribute %{Authentication:Username} has the format <username>. I saw this “mismatch” while checking the Access Tracker.

ClearPass Access Tracker

I altered the query by changing %{Authentication:Username} into %{Authentication:Full-Username}. After this the session information was correct and I could use the session counter in a Role Mapping or Enforcement Profile to limit the concurrent number of active sessions from a user.