Aruba Wireless with MPSK Service Template

The Aruba Wireless with MPSK service template allows you to authenticate devices using an Aruba MPSK. For wireless devices that do not support strong 802.1X authentication, Aruba MPSK allows each device to be assigned a unique preshared key during Device Registration. The service type handles the device authentication from an Aruba Mobility controller or Instant Access Point (AP).

Prerequisites

ClearPass Policy Manager Insight must be enabled for the Aruba MPSK feature to work. For information on enabling Insight, see Table 1, Server Configuration > System Page Parameters.

To access the service template:

1. Navigate to Configuration > Service Templates & Wizards.

2. From the Service Templates & Wizards page, select Aruba Wireless with MPSK. The following page opens:

Figure 1  Aruba Wireless with MPSK Service Template

General Tab

1. Specify the General tab service template parameters as described in the following table:

Table 1: General Tab Parameters

Parameter | Action/Description

General

Name Prefix | Enter a unique prefix that is appended to the services using this template. Use this to identify the services that use this template.

2. Click Next or select the Wireless Network Settings tab.

Wireless Network Settings

When you select the Wireless Network Settings tab, the following configuration dialog opens:

Figure 2  Wireless Network Settings Configuration Dialog

1. Specify the Wireless Network Settings tab service template parameters as described in the following table:

Table 2: Wireless Network Settings Parameters

Parameter | Action/Description

Wireless Network Settings

Wireless Controller Name | Specify the name of a wireless controller. NOTE: The controller must exist in the Policy Manager server's list of network devices (see Adding a Network Device).

Controller IP Address | The Controller IP Address is automatically populated when you select a wireless controller.

Vendor Name | The vendor name is set to: Aruba.

RADIUS Shared Secret | The RADIUS Shared Secret is automatically populated when you select a wireless controller.

Enable RADIUS Dynamic Authorization | If RADIUS Dynamic Authorization has not been automatically enabled, click the check box to enable this option. RADIUS Dynamic Authorization allows dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session.

Dynamic Authorization Port | The access point's UDP port for Dynamic Authorization must be reachable from your RADIUS server. The Dynamic Authorization Port is set by default to 3799. This value may not be changed.

Enable RadSec | Aruba MPSK works with RadSec for the Aruba Controller. Enable as needed for your deployment requirements.

2. Click Next or select the Device Roles tab.
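
How the RADIUS Shared Secret in the table above protects Dynamic Authorization traffic, shown as an added example (not ClearPass or Aruba code): under RFC 5176, a Disconnect-Request or CoA-Request sent to UDP port 3799 carries an MD5 Request Authenticator computed over the packet and the shared secret, and the receiver drops any request that fails the check. The secret, MAC address, and function names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 5176 packet codes
DYNAMIC_AUTHORIZATION_PORT = 3799          # default port from the table above
CALLING_STATION_ID = 31                    # attribute carrying the client MAC

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a Disconnect-Request or CoA-Request as the RADIUS server would."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: accept only a well-formed, correctly keyed request."""
    if len(packet) < 20:
        return False                       # shorter than a RADIUS header
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False                       # not a Dynamic Authorization request
    if length < 20 or length > len(packet):
        return False                       # Length field disagrees with the datagram
    packet = packet[:length]               # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    # Constant-time comparison of the computed and received authenticators
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from any real deployment
SERVER_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = attr(CALLING_STATION_ID, b"AA-BB-CC-00-11-22")
SAMPLE_PACKET = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, SERVER_SECRET)

if __name__ == "__main__":
    print("matching secret:  ", verify_request(SAMPLE_PACKET, SERVER_SECRET))
    print("mismatched secret:", verify_request(SAMPLE_PACKET, b"some-other-secret"))
```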

Device Roles

Define logical device roles (think tags) that allow for dynamic policy construction; for example, Media Player, Printer, Game Console, Building Controls, etc. Enter up to ten device roles. When you select the Device Roles tab, the following configuration dialog opens:

Figure 3  Device Roles Configuration Dialog

1. Select one or more existing roles from the drop-down or type in a role name to create a new one.

2. Click Next or select the Enforcement Details tab.

Enforcement Details

The device roles selected in the Device Roles dialog are populated into the new Enforcement policy defined in the Enforcement Details configuration dialog.

Aruba Roles are configured on the controller.

Figure 4  Enforcement Details Configuration Dialog

1. Aruba Role: For each Device Role, specify the corresponding Aruba Role configured on your Aruba controller(s) or access points.

2. Default MPSK: Enter the default MPSK for new or unregistered devices. The Default MPSK is a static (constant) password (passphrase) that is provided while using this service template.

The Default MPSK is returned when a device does not have a unique MPSK and is used to lock users into a locked-down role.

3. Default Aruba User Role: Enter the Default Aruba User Role. This is the user role that is sent back with the Default MPSK. In our example, the Default Aruba User Role is set to mpsk-splash.

4. Click Add Service.

The Aruba Wireless with MPSK service is created. You return to the Services page where the new service is now listed.