
[WLC] Example Configuration - Integrating Juniper wireless controller with Aruba Clearpass for captive portal Authentication

Article ID: KB32116  KB Last Updated: 26 Sep 2017  Version: 1.0
Summary:

This article provides configuration guidance on getting a Juniper Wireless controller to work with ClearPass to deploy a Guest solution.

Solution:

Configuration in ClearPass

  1. Add the Juniper Wireless Controller (WLC) as a Network Device in CPPM, but set the Vendor to "IETF". This is needed to build an "IETF-Generic" custom Change of Authorization (CoA).


  2. Add the Trpz-CoA-Replace-User attribute to the Trapeze dictionary. This attribute does not exist in the Trapeze RADIUS dictionary in CPPM. You can manually export the existing
    dictionary, add this attribute, then import it back into CPPM.

  3. Create a custom CoA with the following attributes:

  4. Navigate to Configuration > Enforcement > Profiles > Edit Enforcement Profile. Then provide the name as shown below:



    Click "Add" in the upper right corner. Under Profile tab, select Radius Change of Authorization (CoA) template, give the profile a name, then click the Attributes tab. Select IETF-Generic-CoA-IETF template. Then add the attributes above and click Save.
     

  5. Configuring services for web-portal and mac-auth

    Create two services to make a server-initiated web login work: a WebAuth service that initiates the CoA, and a RADIUS service for MAC Auth, MAC caching, and bypassing the web portal for authenticated users who have just been bounced via CoA. Edit the WebAuth service. Under the Enforcement tab, create a rule that triggers this new CoA upon user authentication.


     

  6. Configure the Media Access Control Authentication service that is set to Accept any request. This is mandatory, otherwise the CoA will not work. Ignore the mac-caching conditions in this policy example. Notice the default enforcement is set to Allow.


     

  7. Ensure that your web login page is set to Login Method of Server Initiated. The Vendor in this case does not matter. Set login delay to 5 seconds to ensure CoA takes place and the state is
    changed on the controller before redirecting to welcome/landing page.

Configuration in the WLC

  1. Create service-profile and radio-profile

    set service-profile MAC-WEB ssid-name MAC-WEB
    set service-profile MAC-WEB ssid-type clear
    set service-profile MAC-WEB web-portal-form https://clearpass.sps.org:8443/gp2/webportal/ext/webPortalAuthLogin
    set service-profile MAC-WEB web-portal-acl portalacl
    set service-profile MAC-WEB 11n short-guard-interval disable
    set service-profile MAC-WEB wpa-ie auth-dot1x disable
    set service-profile MAC-WEB rsn-ie auth-dot1x disable
    set service-profile MAC-WEB attr vlan-name wireless

    set radio-profile MAC-WEB service-profile MAC-WEB

  2. Add the ClearPass IP address as the RADIUS client

    set radius server ClearPass address 10.0.30.10 timeout 5 retransmit 3 deadtime 5 key <pass-phrase> author-password USE-MAC-ADDRESS
    set server group Clearpass-GROUP members ClearPass

  3. Create the aaa-profile

    set aaa-profile CPAccess
    set aaa-profile CPAccess mac Clearpass-GROUP
    set aaa-profile CPAccess web Clearpass-GROUP


    Note: The aaa-profile configuration is needed in order to accommodate both MAC authentication and web-portal authentication.

  4. Add the authentication rule and authentication-profile

    set authentication web ssid MAC-WEB ** Clearpass-GROUP
    set authorization dynamic ssid MAC-WEB Clearpass
    set authentication profile ssid MAC-WEB CPAccess
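
The WLC steps above define several objects whose names differ only slightly (ClearPass, Clearpass-GROUP, CPAccess). The following is an added example, not part of the original article or any Juniper tooling: a small Python check that cross-references those names in a block of `set` commands and flags a portal form that is not HTTPS or a RADIUS key still left as a placeholder. The function name `lint_wlc`, the case-sensitive name comparison, and the treatment of `local` as a built-in method are assumptions; `set authorization dynamic` is not checked because the object it names is not defined in the article's excerpt.

```python
# Constructed sample based on this article's WLC commands; the RADIUS key is
# deliberately left as the article's <pass-phrase> placeholder.
SAMPLE = """\
set service-profile MAC-WEB ssid-name MAC-WEB
set service-profile MAC-WEB web-portal-form https://clearpass.sps.org:8443/gp2/webportal/ext/webPortalAuthLogin
set radius server ClearPass address 10.0.30.10 timeout 5 retransmit 3 deadtime 5 key <pass-phrase> author-password USE-MAC-ADDRESS
set server group Clearpass-GROUP members ClearPass
set aaa-profile CPAccess mac Clearpass-GROUP
set aaa-profile CPAccess web Clearpass-GROUP
set authentication web ssid MAC-WEB ** Clearpass-GROUP
set authentication profile ssid MAC-WEB CPAccess
"""

def lint_wlc(config):
    """Cross-check 'set' commands; return a list of finding strings."""
    servers, groups, profiles, ssids = set(), {}, set(), set()
    refs, findings = [], []          # refs: (kind, name, where), resolved last
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["set", "radius", "server"] and len(t) > 3:
            servers.add(t[3])
            if " key <" in line:
                findings.append(f"radius server {t[3]}: key is a placeholder")
        elif t[:3] == ["set", "server", "group"] and "members" in t:
            groups[t[3]] = t[t.index("members") + 1:]
        elif t[:2] == ["set", "service-profile"] and len(t) >= 5:
            if t[3] == "ssid-name":
                ssids.add(t[4])
            elif t[3] == "web-portal-form" and not t[4].startswith("https://"):
                findings.append(f"service-profile {t[2]}: portal form is not HTTPS")
        elif t[:2] == ["set", "aaa-profile"] and len(t) >= 3:
            profiles.add(t[2])
            refs += [("group", g, line) for g in t[4:]]
        elif t[:4] == ["set", "authentication", "web", "ssid"] and len(t) >= 6:
            refs.append(("ssid", t[4], line))   # t[5] is the user glob
            refs += [("group", m, line) for m in t[6:] if m != "local"]
        elif t[:4] == ["set", "authentication", "profile", "ssid"] and len(t) >= 6:
            refs += [("ssid", t[4], line), ("aaa-profile", t[5], line)]
    for group, members in groups.items():
        refs += [("radius server", m, f"server group {group}") for m in members]
    known = {"group": set(groups), "ssid": ssids, "aaa-profile": profiles,
             "radius server": servers}
    for kind, name, where in refs:
        if name not in known[kind]:      # names compared case-sensitively
            findings.append(f"undefined {kind} '{name}' in: {where}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_wlc(SAMPLE)))
```

Run against a saved copy of the controller's `set` commands, an empty result means every referenced server, group, SSID and aaa-profile is defined in the same block.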