This configuration example illustrates how to configure and integrate an SRX Services Gateway, an EX Series switch, and Aruba ClearPass Policy Manager to enable user-level access control to protected resources on the network.
This topic covers:
Requirements
This example uses the following hardware and software components:
An SRX650 device running Junos OS Release 12.3X48-D30 or later
An EX4300 switch running Junos OS Release 15.1R3 or later
Aruba ClearPass Policy Manager (CPPM) 6.6 on a CP-VA-500 platform
Overview and Topology
This network configuration example uses the topology shown in Figure 1.
All the examples in this document use the same topology.
In this example, user test1 sits at PC Endpoint 1 and wants to access the protected server. User test1 belongs to the QA group. The EX4300 switch has 802.1X authentication enabled on interface ge-0/0/1 and uses CPPM as its RADIUS server. On the SRX650 device, a security policy is defined to allow only users from the QA group to access the protected server.
When the user tries to connect to the protected server, the EX4300 switch authenticates the user using 802.1X authentication. The user is verified against the CPPM user database and is allowed access to the network. CPPM then posts the user’s identity information to the SRX650 device, which can then enforce security policies based on the username or group information to allow or deny the user access to the protected servers.
A DHCP server is used in this example to allocate IP addresses to the authenticated endpoints. Because CPPM uses DHCP options to profile the endpoint’s device type, OS information, and so on, the EX4300 switch forwards DHCP packets from the endpoint to CPPM in addition to the DHCP server.
Task Overview
The following tasks are performed in this example:
On the SRX650 device:
Configure interfaces and zones
Configure a security policy that includes the source-identity statement to allow access control based on a username or group
Configure the Web API service to enable communication with CPPM
On the EX4300 switch:
Configure interfaces and VLANs.
Configure 802.1X authentication and RADIUS settings (specify CPPM as the RADIUS server)
Configure DHCP relay to forward DHCP packets to CPPM for device profiling
On CPPM:
Add the EX4300 switch as a network device
Define the CPPM server’s basic configuration, including enabling the Insight database
Add the SRX650 device as an Endpoint Context Server (ECS)
Define Context Server Actions for the SRX650 device
Add an enforcement profile and policy
Add a local user and map it to a role
Bind the role mapping and enforcement policy into the 802.1X wired service
Configuration
This section provides instructions for:
Configuring the SRX650 Device
Configuring the EX4300 Switch
Configuring Aruba ClearPass Policy Manager
Configuring the SRX650 Device
Step-by-Step Procedure
To configure the SRX650 device:
- Configure interfaces and zones.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.201/24
user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.20.0.1/24
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
user@host# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
user@host# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols all
- Configure a security policy, and include the source-identity statement to allow users belonging to the QA group to access the protected server.
[edit]
user@host# set security address-book servers-zone-addresses address protected-server 10.20.0.2/32
user@host# set security policies from-zone untrust to-zone trust policy policy1 match source-address any
user@host# set security policies from-zone untrust to-zone trust policy policy1 match destination-address protected-server
user@host# set security policies from-zone untrust to-zone trust policy policy1 match application any
user@host# set security policies from-zone untrust to-zone trust policy policy1 match source-identity QA ## an “interested group”
user@host# set security policies from-zone untrust to-zone trust policy policy1 then permit
Note: CPPM can interwork with various authentication servers. When CPPM uses a Windows Active Directory (AD) LDAP server as the authentication source, the user information sent to the SRX Series device includes the username (or role name) and a domain name. This variation requires adjusting the configuration to support the additional information: the domain name must be prepended to the username (or role name) in the configuration using the format domain\role. For example, the configuration setting used above, source-identity QA, identifies the role name as QA and is the correct format for local authentication; when using Windows AD, this statement must be adjusted to source-identity juniper\QA to accommodate the domain name (in this case, juniper).
- Configure the Web API service to communicate with Aruba ClearPass.
[edit]
user@host# set system services webapi user srx
user@host# set system services webapi user password <password>
user@host# set system services webapi client 10.10.0.20
user@host# set system services webapi http port 8080 ## default port
user@host# set system services webapi https port 443 ## default port is 8443
user@host# set system services webapi https default-certificate
Note: The username, password, and ports defined for the Web API service must match what is defined in the Endpoint Context Server (ECS) section of CPPM.
Configuring the EX4300 Switch
Step-by-Step Procedure
To configure the EX4300 switch:
- Configure interfaces and VLANs.
[edit]
user@host# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members cppm-vlan
user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members cppm-vlan
user@host# set vlans cppm-vlan vlan-id 638
user@host# set vlans cppm-vlan l3-interface irb.638
user@host# set interfaces irb unit 638 family inet address 10.10.0.202/24
- Configure 802.1X authentication and RADIUS settings. Assign CPPM as the RADIUS server.
[edit]
user@host# set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
user@host# set protocols dot1x authenticator authentication-profile-name cp-pf1
user@host# set access radius-server 10.10.0.20 secret <password> ## IP address of CPPM
user@host# set access radius-server 10.10.0.20 source-address 10.10.0.202
user@host# set access profile cp-pf1 authentication-order radius
user@host# set access profile cp-pf1 radius authentication-server 10.10.0.20
user@host# set access profile cp-pf1 radius accounting-server 10.10.0.20
user@host# set access profile cp-pf1 radius options nas-port-type ethernet ethernet
user@host# set access profile cp-pf1 radius-server 10.10.0.20 secret <password>
user@host# set access profile cp-pf1 radius-server 10.10.0.20 source-address 10.10.0.202
user@host# set access profile cp-pf1 accounting order radius
user@host# set access profile cp-pf1 accounting accounting-stop-on-access-deny
user@host# set access profile cp-pf1 accounting coa-immediate-update
user@host# set access profile cp-pf1 accounting address-change-immediate-update
Note: The RADIUS shared secret must match what is defined in CPPM.
- Configure DHCP relay to forward DHCP packets to CPPM for device profiling.
[edit]
user@host# set forwarding-options dhcp-relay server-group cppm 10.10.0.20
user@host# set forwarding-options dhcp-relay active-server-group cppm
user@host# set forwarding-options dhcp-relay group cppm-dhcp interface ge-0/0/0.0
user@host# set forwarding-options dhcp-relay group cppm-dhcp interface irb.638
user@host# set vlans cppm-vlan forwarding-options dhcp-security group dhcp-group overrides trusted
user@host# set vlans cppm-vlan forwarding-options dhcp-security group dhcp-group interface ge-0/0/0.0
user@host# set vlans cppm-vlan forwarding-options dhcp-security option-82
Note: Because the DHCP server is in the same subnet as Endpoint 1, the switch still broadcasts the DHCP packets to the DHCP server even with DHCP relay configured.
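The notes in the SRX650 and EX4300 steps above all say the same thing in different places: a value typed on one device must agree with a value typed on another (the source-identity role name and its domain\role form under Windows AD, the Web API user and HTTPS port versus the ECS entry, the RADIUS and DHCP-relay targets versus the CPPM address). The following Python, an added example that is not Juniper or Aruba code, parses the Junos set statements from this example and checks those agreements against a constructed record of the CPPM settings; the CPPM dictionary, its field names, and the function names are assumptions of this example.

```python
"""Cross-device consistency check for the SRX650 / EX4300 / CPPM example.
Added example, not Juniper or Aruba code: parses Junos 'set' statements and
compares the values the notes say must agree with a constructed CPPM record."""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the SRX650 statements shown in this example.
SRX_CONFIG = """
set security policies from-zone untrust to-zone trust policy policy1 match source-identity QA
set system services webapi user srx
set system services webapi user password <password>
set system services webapi client 10.10.0.20
set system services webapi https port 443
"""
# Constructed excerpt of the EX4300 statements shown in this example.
EX_CONFIG = """
set access radius-server 10.10.0.20 secret <password>
set access profile cp-pf1 radius authentication-server 10.10.0.20
set forwarding-options dhcp-relay server-group cppm 10.10.0.20
"""
# Constructed record of the CPPM GUI settings (hypothetical field names).
CPPM = {
    "address": "10.10.0.20",          # RADIUS and DHCP-relay target
    "auth_source": "local",           # "ad" when authenticating via Windows AD
    "domain": "juniper",              # AD domain for the domain\role form
    "roles": {"QA"},                  # roles defined under Identity > Roles
    "ecs_base_url": "https://10.10.0.201",  # ECS Server Base URL (port 443 unless set)
    "ecs_username": "srx",            # username on the ECS page
}

def grab(config, pattern):
    """Return group 1 of every 'set' line matching the anchored pattern."""
    return re.findall(rf"^{pattern}$", config, re.MULTILINE)

def check_source_identity(srx_config, cppm):
    """source-identity must name a CPPM role, as domain\\role when using AD."""
    problems = []
    for ident in grab(srx_config, r"set security policies .* match source-identity (\S+)"):
        domain, sep, role = ident.rpartition("\\")
        if cppm["auth_source"] == "ad" and (not sep or domain.lower() != cppm["domain"].lower()):
            problems.append(f"{ident}: AD source requires the form {cppm['domain']}\\<role>")
        elif cppm["auth_source"] != "ad" and sep:
            problems.append(f"{ident}: local authentication uses the bare role name")
        elif role not in cppm["roles"]:
            problems.append(f"{ident}: role {role!r} is not defined in CPPM")
    return problems

def check_webapi(srx_config, cppm):
    """Web API client address, user and HTTPS port must match the ECS entry."""
    problems = []
    if cppm["address"] not in grab(srx_config, r"set system services webapi client (\S+)"):
        problems.append(f"webapi client list does not include CPPM {cppm['address']}")
    if cppm["ecs_username"] not in grab(srx_config, r"set system services webapi user (\S+)"):
        problems.append(f"webapi user {cppm['ecs_username']!r} is not configured")
    ports = grab(srx_config, r"set system services webapi https port (\d+)")
    srx_port = int(ports[0]) if ports else 8443             # Junos default noted on the page
    cppm_port = urlsplit(cppm["ecs_base_url"]).port or 443  # CPPM default noted on the page
    if srx_port != cppm_port:
        problems.append(f"SRX HTTPS port {srx_port} != CPPM ECS port {cppm_port}")
    return problems

def check_switch(ex_config, cppm):
    """RADIUS authentication server and DHCP-relay server group must be CPPM."""
    problems = []
    if cppm["address"] not in grab(ex_config, r"set access profile \S+ radius authentication-server (\S+)"):
        problems.append("RADIUS authentication-server is not CPPM")
    if cppm["address"] not in grab(ex_config, r"set forwarding-options dhcp-relay server-group \S+ (\S+)"):
        problems.append("DHCP relay does not forward to CPPM (no device profiling)")
    return problems

def audit(srx_config, ex_config, cppm):
    """Return every mismatch found; an empty list means the three sides agree."""
    return (check_source_identity(srx_config, cppm) + check_webapi(srx_config, cppm)
            + check_switch(ex_config, cppm))
```

Running audit(SRX_CONFIG, EX_CONFIG, CPPM) on the values from this example returns an empty list; switching auth_source to "ad" flags the bare source-identity QA until it is rewritten as juniper\QA.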
Configuring Aruba ClearPass Policy Manager
Step-by-Step Procedure
To configure CPPM interworking with the EX4300 switch and SRX650 device:
- Add the EX4300 switch as a network device.
Navigate to Configuration > Network > Devices and add the EX4300 switch on the Network Devices page.
Note: The RADIUS shared secret must match what is defined on the EX4300 switch.
- Define the CPPM server’s basic configuration.
Navigate to Administration > Server Manager > Server Configuration. On the System tab, select the Enable Insight check box and configure IP addressing for the Data/External Port.
Note: The Insight database must be enabled; otherwise, CPPM will not post any information to the SRX650 device.
On the Service Parameters tab, under RADIUS Server Service, set Log Accounting Interim-Update Packets to TRUE.
- Add the SRX650 device as the Endpoint Context Server.
Note: For more detailed information on this step, see Integrating ClearPass with Juniper Networks SRX in the CPPM User Guide.
Navigate to Administration > External Servers > Endpoint Context Servers, and on the Server tab set the Server Type to Juniper Networks SRX.
Note: By default, CPPM uses HTTPS port 443 to send user information to the SRX Series device. To change the port number, adjust the Server Base URL field using the format https://<ip address>:<port>, for example https://10.10.0.201:8443.
The username and password must match what is defined in the SRX Series device’s Web API configuration.
- Define Context Server actions for the SRX650 device.
Navigate to Administration > Dictionaries > Context Server Actions, and verify that the two entries with Server Type Juniper Networks SRX exist.
- Add an enforcement profile and policy.
Navigate to Configuration > Enforcement > Profiles, and on the Profile tab select the Template Session Notification Enforcement; this triggers CPPM to send a notification on user login or logout.
On the Attributes tab, add (or edit) the attribute values for the profile, as shown below.
On the Summary tab, review and save the configuration.
Navigate to Configuration > Enforcement > Policies, and on the Enforcement tab select the Default Profile [Deny Access Profile].
On the Rules tab, click Add Rule and add a new rule.
Configure the rule so that if the condition matches the role User Authenticated (that is, the role assigned by CPPM when a user authenticates successfully), then the profile SRX650 jetstarpost profile (created earlier) is enforced.
On the Summary tab, review and save the configuration.
- Add a local user and map the user to a role.
Navigate to Configuration > Identity > Roles and define a new role.
For this example, the role is called QA.
Navigate to Configuration > Identity > Local users, and enter a User ID (in this case, test1) and Password, and select the QA Role, as shown below.
Note: The value selected in the Role field must match the value used in the source-identity statement of the SRX650 device configuration.
Navigate to Configuration > Identity > Role Mapping, and add a new role mapping.
On the Mapping Rules tab, click Add Rule to assign a role to a specific user.
Configure the rule so that if the condition matches the username test1, assign the role QA.
Note: This sub-step enables CPPM to push role information to the SRX device.
On the Summary tab, review and save the configuration.
- Bind the role mapping and enforcement policy into the 802.1X wired service.
Navigate to Configuration > Services, and add a new service. On the Service tab, specify the Type as 802.1X Wired.
On the same page, remove the Service Rule named Service-Type.
Note: This rule is not needed, and if kept it will cause the scenario to not work properly.
On the Authentication tab, arrange the Authentication Methods and Authentication Sources as shown below.
On the Authorization tab, add the two Authentication Sources as shown below.
On the Roles tab, select role-mapping from the Role Mapping Policy drop-down list to bind the role mapping rule created earlier to this service.
On the Enforcement tab, select SRX post-policy from the Enforcement Policy drop-down list to bind the policy created earlier to this service.
On the Summary tab, review and save the configuration.
Verification
Confirm that the configuration is working properly.
Verifying User Authentication
Verifying User Access to the Protected Server
Verifying User Authentication
Purpose
Verify that user test1 on Endpoint 1 has successfully authenticated with the various network elements.
Action
- On the EX4300 switch, verify that user test1 is authenticated through 802.1X.
user@host> show dot1x interface ge-0/0/1
802.1X Information:
Interface     Role            State           MAC address         User
ge-0/0/1.0    Authenticator   Authenticated   00:50:56:BC:7E:7A   test1
- In CPPM, verify that user test1 is authenticated.
Navigate to Monitoring > Live Monitoring > Access Tracker, find the relevant RADIUS event, and verify that user test1 has a Login Status of ACCEPT.
Click the RADIUS event, and on the Summary tab that appears, verify that user test1 with role QA has a Login Status of ACCEPT and an Online Status of Online. Note also that CPPM has enforced the SRX650 jetstarpost trigger profile, which sends (posts) the user information to the SRX650 device.
- On the SRX650 device, verify that user test1’s authentication information has been received from CPPM.
user@host> show services user-identification authentication-table authentication-source aruba-clearpass extensive
Domain: GLOBAL
Total entries: 1
  Source-ip: 10.10.0.190
  Username: test1
  Groups: posture-unknown, qa, [employee], [user authenticated]
  Groups referenced by policy: qa
  State: Valid
  Source: Aruba ClearPass
  Access start date: 2000-01-01
  Access start time: 14:21:50
  Last updated timestamp: 2016-02-26 14:25:28
  Age time: 27
Meaning
The user has successfully authenticated with all network elements.
Verifying User Access to the Protected Server
Purpose
Verify that user test1 on Endpoint 1 can access the protected server.
Action
From Endpoint 1, ping the protected server (10.20.0.2).
Meaning
The user can successfully reach the protected server.
Related Documentation
Use Case Overview
Technical Overview
Example 2: Configuring the User Query Function
Example 3: Configuring Threat and Attack Detection and Notification