Juniper Network Segmentation User Manual

Network Configuration Example
Published
2021-01-15
Network Segmentation using Device Profiling with EX Series Switches and Aruba ClearPass Policy Manager
Juniper Networks, Inc.
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.

Table of Contents

1 Device Profiling with EX Series Switches and Aruba ClearPass Policy Manager
About This Network Configuration Example | 5
Use Case Overview | 5
Technical Overview | 6
Configuring Device Profiling to provide Dynamic Segmentation with EX Series Switches and Aruba ClearPass Policy Manager | 7
Configuring Colorless Ports on EX Series Switches with Aruba ClearPass Policy Manager and Cisco ISE | 43
CHAPTER 1
Device Profiling with EX Series Switches and Aruba ClearPass Policy Manager
About This Network Configuration Example | 5
Use Case Overview | 5
Technical Overview | 6
Configuring Device Profiling to provide Dynamic Segmentation with EX Series Switches and Aruba ClearPass Policy Manager | 7
Configuring Colorless Ports on EX Series Switches with Aruba ClearPass Policy Manager and Cisco ISE | 43

About This Network Configuration Example

This Network Configuration Example (NCE) describes how to configure a Juniper Networks EX Series Ethernet Switch and Aruba ClearPass Policy Manager to authenticate wired endpoints that connect to EX Series switches. Specifically, it shows how to configure an EX Series switch and Aruba ClearPass to profile endpoints during the authentication process and to use the device profiling information to determine the access policy.
The colorless port concept relies on device profiling to return the appropriate VLAN/policy. All ports have the same configuration (colorless), and based on the type of device connected (AP, IP camera, or printer), the NAC (ClearPass) returns the appropriate VLAN/role.

Use Case Overview

Juniper Networks EX Series Ethernet Switches are designed to meet the demands of today’s high-performance businesses. They enable companies to grow their networks at their own pace, minimizing large up-front investments. Based on open standards, EX Series switches provide:
Carrier-class reliability
Security risk management
Virtualization
Application control
Lower total cost of ownership (TCO)
They also allow businesses to scale in an economically sensible way for years to come.
Aruba ClearPass Policy Manager is a policy management platform that provides role-based and device-based network access control (NAC) for any user across any wired, wireless, and VPN infrastructure. Enterprises that deploy EX Series switches can leverage the extensive RADIUS capabilities of the switches to integrate with Aruba ClearPass. This integration enables enterprises to deploy consistent security policies across their wired and wireless infrastructure.
Enterprises typically have a variety of users and endpoints, which results in multiple use cases that need to be addressed by their policy infrastructure. Depending on the type of endpoint and how it is being used, an endpoint might be authenticated by 802.1X authentication, MAC RADIUS authentication, or captive portal authentication. The policy infrastructure enables any device to be connected to any port on the access switch, and authenticates based on the type of device, the authorization level of the user, or both.
In this network configuration example, we show how to configure Juniper Networks EX Series switches and Aruba ClearPass Policy Manager to use device profiling as part of the authentication process. Device profiling enables Aruba ClearPass to determine the type of endpoint that is being authenticated (for example, whether it is an access point or a VoIP phone or a Windows computer) and then use that information to enforce access policy appropriate to the device type.

Technical Overview

Aruba ClearPass profiling is part of the ClearPass Policy Manager module that performs device profiling. Profiling is enabled by default and automatically collects a variety of data about endpoints, analyzes the data to classify the endpoints, and stores the classifications as device profiles in an endpoint repository. Use the device profiles in enforcement policies to control access to your network. For example, create an enforcement policy that grants endpoints profiled as VoIP phones access to specific servers in your network. Or, create an enforcement policy that places all endpoints profiled as access points in a specific VLAN.
A device profile classifies an endpoint according to the following three hierarchical elements:
Category—This is the broadest classification of a device. It denotes the type of the device. For example: access point, VoIP phone, printer, computer, or smart device.
Family—Devices within a category are organized into families based on type of OS or type of vendor. For example, when the device category is computer, the family might be Windows, Linux, or Mac OS X. When the device category is smart device, the family might be Apple or Android.
Name—Devices within a family are further organized by more granular details, such as version. For example, when the device family is Windows, the device name might be Windows 10 or Windows 2008 server.
In addition to the hierarchical classification above, a device profile contains information such as IP address, hostname, vendor, and the time when the device was first discovered or last seen.
To profile devices, Aruba ClearPass Profile uses a number of different types of collectors to collect data on endpoints. For a complete list of the kinds of collectors used. This network configuration example relies on data provided by the DHCP and MAC Organizationally Unique Identifier (OUI) collectors:
DHCP collector—Collects DHCP attributes such as option55 (parameter request list), option60 (vendor class), and options list from DHCPDiscover and DHCPRequest packets. This information can uniquely fingerprint most endpoints that use DHCP to acquire an IP address on the network. DHCP packets also provide the hostname and IP address of a device.
For the DHCP collector to be able to collect this information, Aruba ClearPass must receive DHCP packets from the endpoints. DHCP relay on EX Series switches allows a switch to send the initial DHCPDiscover and DHCPRequest packets from endpoints to more than one receiver. Configuring ClearPass as one of these receivers allows ClearPass to listen in on the DHCP message exchange between the DHCP servers and client endpoints and to collect the required information from the DHCP packets.
MAC OUI collector—Collects the OUI portion of a device’s MAC address. The MAC OUI can be used to better classify some endpoints. For example, DHCP fingerprinting can classify an endpoint as a generic Android device, but it cannot provide information about the vendor. By using the MAC OUI in addition to DHCP fingerprinting, ClearPass Profile can classify an Android device as an HTC Android device, a Samsung Android device, a Motorola Android device, and so on. ClearPass Profile can also use the MAC OUI to profile devices such as printers that might have static IP addresses.
The MAC OUI collector obtains the MAC OUI from the MAC address information included in the RADIUS request packets sent from the EX Series switch on behalf of the endpoint.
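To make the two collectors concrete, here is an added Python example (not code from this NCE or from ClearPass) that builds a constructed DHCPDISCOVER, pulls option 55, option 60 and the hostname out of its options field, takes the OUI from the client hardware address, and matches them against a placeholder fingerprint table. The fingerprint table, the OUI table and the camera packet are assumptions constructed for the demonstration, not ClearPass data.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # cookie that separates the BOOTP header from the options

# Constructed fingerprint table (a placeholder, not ClearPass's database): an endpoint's
# option 55 parameter request list plus its option 60 vendor-class prefix -> category.
FINGERPRINTS = [
    ((1, 3, 6, 12, 15, 28, 42), "udhcp", "IP Camera"),
    ((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252), "MSFT", "Computer"),
]
# Constructed OUI table with a placeholder prefix; a real collector uses the IEEE registry.
OUI_VENDORS = {"AA:BB:CC": "ExampleCam (constructed placeholder)"}

def build_discover(mac, hostname, param_list, vendor_class):
    """Build a minimal DHCPDISCOVER: 236-byte BOOTP header, cookie, options, end marker."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op htype hlen hops xid secs flags
    hdr += b"\0" * 16                 # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\0" * 10           # chaddr is 16 bytes; the MAC fills the first 6
    hdr += b"\0" * 192                # sname (64) and file (128), unused here
    opts = b"\x35\x01\x01"            # option 53, message type 1 = DHCPDISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode()
    opts += bytes([55, len(param_list)]) + bytes(param_list)
    opts += bytes([60, len(vendor_class)]) + vendor_class
    return hdr + DHCP_MAGIC + opts + b"\xff"

def parse_options(packet):
    """Return {option code: raw value}; honours pad (0) and end (255), rejects truncation."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                 # pad byte carries no length field
            i += 1
            continue
        if code == 255:               # end of options
            return opts
        length = packet[i + 1] if i + 1 < len(packet) else None
        value = packet[i + 2:i + 2 + (length or 0)]
        if length is None or len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing end option")

def is_well_formed(packet):
    try:
        parse_options(packet)
        return True
    except ValueError:
        return False

def profile(packet):
    """Derive the attributes the DHCP and MAC OUI collectors key on, then classify."""
    opts = parse_options(packet)
    oui = packet[28:31].hex(":").upper()            # first three bytes of chaddr
    hostname = opts.get(12, b"").decode("ascii", "replace")
    param_list = tuple(opts.get(55, b""))
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    category = "Unknown"
    for plist, prefix, cat in FINGERPRINTS:
        if param_list == plist and vendor_class.startswith(prefix):
            category = cat
            break
    return {"oui": oui, "vendor": OUI_VENDORS.get(oui, "Unknown"), "hostname": hostname,
            "param_list": param_list, "vendor_class": vendor_class, "category": category}

def sample_discover():
    """Constructed DHCPDISCOVER from a pretend camera, with a pad byte before the end."""
    pkt = build_discover(bytes.fromhex("aabbcc010203"), "cam-lobby-01",
                         (1, 3, 6, 12, 15, 28, 42), b"udhcp 1.30.1")
    return pkt[:-1] + b"\x00\xff"     # option 0 (pad) then option 255 (end)
```

A packet cut short in the middle of an option is rejected rather than partially profiled, which is the behaviour to expect from a collector fed by relayed traffic.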
Configuring Device Profiling to provide Dynamic Segmentation with EX Series Switches and Aruba ClearPass Policy Manager
IN THIS SECTION
Requirements | 8
Overview and Topology | 9
Configuration | 10
Dynamic segmentation provides the flexibility of assigning dynamic VLANs and policies to wired ports on EX Series switches in order to segment Internet of Things (IoT) traffic, access point traffic, and wired user traffic. Aruba ClearPass centrally manages and enforces network access policies for both wired and wireless access.
Microsegmentation is obtained by applying dynamic firewall filters to the wired ports once the device has been successfully authenticated, which controls east-west traffic. With dynamic filters, a camera network can be restricted so that the cameras talk only to the secured camera recording server or to a few dedicated terminals used by security personnel. Similarly, firewall filters can be applied to the IP phone network to allow communication between IP phones and the call manager server.
This configuration example illustrates how to use the features of EX Series switches and Aruba ClearPass Policy Manager to perform device profiling as part of the endpoint authentication process.
In this example, an organization has four types of endpoints in its wired infrastructure for which it has defined access policies:
Access points—Endpoints profiled as access points are allowed access to the network and are dynamically assigned to the AP_VLAN VLAN.
IP phones—Endpoints profiled as IP phones are allowed access to the network. The IPPhone_VLAN is dynamically assigned as the VoIP VLAN.
Corporate laptops—Endpoints that have an 802.1X supplicant are authenticated by the user credentials. After the user is successfully authenticated, the laptop is granted access to the network and placed in the Employee_VLAN VLAN.
Camera/IoT devices—Camera and IoT devices, with or without 802.1X supplicants, can be added to the network and granted access to the Camera_IOT_VLAN VLAN.
Noncorporate laptops/tablets—Endpoints that do not have an 802.1X supplicant and that are profiled as noncorporate devices are provided only Internet access.
Table 1 on page 8 shows the defined values of the access policies for wired, wireless, and authorization.
Table 1: Access Policies Details

Access Policies   Wired          Wireless                         Authorization
AP VLAN           130 (NATIVE)   ALLOWED VLAN = 121,131,151,102   -
IP-Phone          120            121                              Between phones and call manager server
Employee          150            151                              Access all
Remediation       101            102                              Quarantine
IOT Camera        130            131                              DHCP, NTP, and NVR

Requirements

This example uses the following hardware and software components for the policy infrastructure:
EX4300, EX2300, EX3400 switch running Junos OS Release 20.2R1 or earlier
Aruba ClearPass Policy Manager running 6.9.0.130064

Overview and Topology

To implement the endpoint access policies, the policy infrastructure is configured as follows:
All access interfaces on the switch are initially configured to be in VLAN 100, which serves as a remediation VLAN. If an endpoint is not successfully authenticated or is not successfully profiled as one of the supported endpoints, it remains in the remediation VLAN.
NOTE: When the endpoints utilize DHCP, avoid changing the VLANs. The endpoint will not send another DHCPRequest until its existing lease expires or a port bounce occurs.
Endpoints that have an 802.1X supplicant are authenticated by using 802.1X PEAP authentication. For more information on 802.1X PEAP authentication, see Configuring 802.1X PEAP and MAC RADIUS Authentication with EX Series Switches and Aruba ClearPass Policy Manager.
Endpoints that do not have an 802.1X supplicant are authenticated using MAC RADIUS authentication and are profiled to determine what type of device they are. These endpoints undergo a two-step authentication process:
1. The first step occurs after an endpoint first connects to the switch but before it has been profiled by Aruba ClearPass Profile. After it connects, the endpoint is authenticated using MAC RADIUS authentication. Aruba ClearPass applies an enforcement policy that instructs the switch to grant the endpoint access to the Internet but prevents it from accessing the internal network.
2. The second step occurs after an endpoint has been successfully profiled. After being authenticated in the first step, the endpoint contacts a DHCP server to request an IP address. The switch relays the DHCP messages sent by the endpoint to the DHCP server to Aruba ClearPass as well, which allows ClearPass to profile the endpoint. After it has profiled the endpoint and added the endpoint to its endpoint repository, ClearPass sends a RADIUS Change of Authorization (CoA) message to the switch, telling it to terminate the session. The switch then attempts reauthentication on behalf of the endpoint. Because the endpoint now exists in the endpoint repository, Aruba ClearPass is able to apply an enforcement policy appropriate to the device type when it authenticates the endpoint. For example, if the endpoint is an access point, ClearPass applies the enforcement policy that dynamically assigns the access point to the AP_VLAN VLAN.
Figure 1 on page 10 shows the topology used in this example.
Figure 1: Topology Used in This Example

Configuration

IN THIS SECTION
Configuring the EX Switch | 10
Configuring Aruba ClearPass Policy Manager | 19
Verification | 34
Monitoring Device Profiling | 40
Troubleshooting Authentication | 43
This section provides step-by-step instructions for:
Configuring the EX Switch
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
[edit]
set access radius-server 10.25.22.11 dynamic-request-port 3799
set access radius-server 10.25.22.11 secret "$9$tqCW01hevLVwgSrwgoJHkp0BISrKM87db"
set access radius-server 10.25.22.11 source-address 10.25.99.11
set access profile ACCESS_PROF_RADIUS accounting-order radius
set access profile ACCESS_PROF_RADIUS authentication-order radius
set access profile ACCESS_PROF_RADIUS radius authentication-server 10.25.22.11
set access profile ACCESS_PROF_RADIUS radius accounting-server 10.25.22.11
set protocols dot1x authenticator authentication-profile-name ACCESS_PROF_RADIUS
set protocols dot1x authenticator interface AUTHC supplicant multiple
set protocols dot1x authenticator interface AUTHC transmit-period 3
set protocols dot1x authenticator interface AUTHC mac-radius
set vlans AP vlan-id 130
set vlans EMPLOYEE-WIRED vlan-id 150
set vlans EMPLOYEE-WIRELESS vlan-id 151
set vlans IOT-WIRED vlan-id 111
set vlans IOT-WIRELESS vlan-id 112
set vlans IP-PHONE-WIRED vlan-id 120
set vlans IP-PHONE-WIRELESS vlan-id 121
set vlans MANAGEMENT vlan-id 99
set vlans MANAGEMENT l3-interface irb.99
set vlans REMEDIATION-WIRED vlan-id 101
set vlans REMEDIATION-WIRELESS vlan-id 102
set interfaces interface-range AP member ge-0/0/0
set interfaces interface-range AP native-vlan-id 130
set interfaces interface-range AP unit 0 family ethernet-switching interface-mode trunk
set interfaces interface-range AP unit 0 family ethernet-switching vlan members AP
set interfaces interface-range AP unit 0 family ethernet-switching vlan members EMPLOYEE-WIRELESS
set interfaces interface-range AUTHC member ge-0/0/6
set interfaces interface-range AUTHC member ge-0/0/3
set interfaces interface-range AUTHC member ge-0/0/2
set interfaces interface-range AUTHC member ge-0/0/4
set interfaces interface-range AUTHC member ge-0/0/7
set interfaces interface-range AUTHC member ge-0/0/8
set interfaces interface-range AUTHC member ge-0/0/9
set interfaces interface-range AUTHC member ge-0/0/5
set interfaces interface-range AUTHC unit 0 family ethernet-switching interface-mode access
set interfaces interface-range AUTHC unit 0 family ethernet-switching vlan members REMEDIATION-WIRED
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP from destination-port 67
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP from destination-port 68
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP from ip-protocol udp
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DHCP then accept
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DNS from destination-port 53
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DNS from ip-protocol udp
set firewall family ethernet-switching filter Internet_Only_Access term Allow_DNS from ip-protocol tcp
set firewall family ethernet-switching filter Internet_Only_Access term Block_Internal from ip-destination-address 192.168.0.0/16
set firewall family ethernet-switching filter Internet_Only_Access term Block_Internal then discard
set firewall family ethernet-switching filter Internet_Only_Access term Allow_All then accept
Step-by-Step Procedure
The general steps to configure the EX switch are:
Configure the connection to the Aruba ClearPass Policy Manager.
Create the access profile used by the 802.1X protocol. The access profile tells the 802.1X protocol which
authentication server and authentication methods to use and the order of the authentication methods.
Configure the 802.1X protocol.
Configure the VLANs.
Configure Ethernet switching on the access ports.
Configure integrated routing and bridging (IRB) interfaces and assign them to the VLANs.
Configure DHCP relay to send DHCP packets to Aruba ClearPass so that it can perform device profiling.
Create the firewall policy that blocks access to the internal network.
To configure the EX switch:
1. Provide the RADIUS server connection information.
[edit]
user@Policy-EX-switch# set access radius-server 10.25.22.11 dynamic-request-port 3799
user@Policy-EX-switch# set access radius-server 10.25.22.11 secret password
user@Policy-EX-switch# set access radius-server 10.25.22.11 source-address 10.25.99.11
2. Configure the access profile.
[edit]
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS accounting-order radius
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS authentication-order radius
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS radius authentication-server 10.25.22.11
user@Policy-EX-switch# set access profile ACCESS_PROF_RADIUS radius accounting-server 10.25.22.11
3. Configure 802.1X to use ACCESS_PROF_RADIUS and enable the protocol on each access interface. In addition, configure the interfaces to support MAC RADIUS authentication and to allow more than one supplicant, each of which must be individually authenticated.
By default, the switch will first attempt 802.1X authentication. If it receives no EAP packets from the endpoint, indicating that the endpoint does not have an 802.1X supplicant, it then tries MAC RADIUS authentication.
[edit]
user@Policy-EX-switch# set protocols dot1x authenticator authentication-profile-name ACCESS_PROF_RADIUS
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC supplicant multiple
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC transmit-period 3
user@Policy-EX-switch# set protocols dot1x authenticator interface AUTHC mac-radius
user@Policy-EX-switch# set interfaces interface-range AP member ge-0/0/0
user@Policy-EX-switch# set interfaces interface-range AP native-vlan-id 130
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching interface-mode trunk
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching vlan members AP
user@Policy-EX-switch# set interfaces interface-range AP unit 0 family ethernet-switching vlan members EMPLOYEE-WIRELESS
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/6
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/3
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/2
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/4
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/7
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/8
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/9
user@Policy-EX-switch# set interfaces interface-range AUTHC member ge-0/0/5
4. Configure the VLANs used in this example.
[edit]
user@Policy-EX-switch# set vlans AP vlan-id 130
user@Policy-EX-switch# set vlans EMPLOYEE-WIRED vlan-id 150
user@Policy-EX-switch# set vlans EMPLOYEE-WIRELESS vlan-id 151
user@Policy-EX-switch# set vlans IOT-WIRED vlan-id 111
user@Policy-EX-switch# set vlans IOT-WIRELESS vlan-id 112
user@Policy-EX-switch# set vlans IP-PHONE-WIRED vlan-id 120
user@Policy-EX-switch# set vlans IP-PHONE-WIRELESS vlan-id 121
user@Policy-EX-switch# set vlans MANAGEMENT vlan-id 99
user@Policy-EX-switch# set vlans MANAGEMENT l3-interface irb.99
user@Policy-EX-switch# set vlans REMEDIATION-WIRED vlan-id 101
user@Policy-EX-switch# set vlans REMEDIATION-WIRELESS vlan-id 102
Note that for dynamic VLAN assignment to work, the VLAN must exist on the switch before authentication is attempted. If the VLAN doesn’t exist, authentication fails.
5. Configure DHCP relay to forward DHCP request packets to Aruba ClearPass.
[edit]
user@Policy-EX-switch# set dhcp-relay server-group dhcp-dot1x 10.25.22.11
user@Policy-EX-switch# set dhcp-relay active-server-group dhcp-dot1x
6. Configure a firewall filter, Internet_Only_Access, to be used for devices that have been authenticated by MAC RADIUS authentication but have not yet been profiled.
This filter blocks an endpoint from accessing the internal network (192.168.0.0/16).
[edit]
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP from destination-port 67
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP from destination-port 68
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP from ip-protocol udp
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DHCP then accept
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DNS from destination-port 53
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DNS from ip-protocol udp
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_DNS from ip-protocol tcp
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 from ip-destination-address 10.0.0.0/8
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 from ip-destination-address 172.16.0.0/12
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 from ip-destination-address 192.168.0.0/16
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term BLOCK_RFC_1918 then discard
user@Policy-EX-switch# set firewall family ethernet-switching filter INTERNET_ACCESS_ONLY term ALLOW_ALL then accept
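To check what an endpoint can reach while it is authenticated but not yet profiled, here is an added Python evaluator (not part of the NCE and not Junos code) that models both filter variants given on this page, the step 6 INTERNET_ACCESS_ONLY filter and the Internet_Only_Access filter from the CLI quick configuration, with Junos first-match semantics over constructed flows. Because the DNS term precedes the block term, DNS to an internal resolver is accepted by both variants, while only the step 6 variant discards traffic to 10.0.0.0/8 and 172.16.0.0/12; the destination hosts are placeholders.

```python
import ipaddress

# Terms in configured order. Within one term, different match keywords are ANDed and
# repeated values of the same keyword are ORed (Junos list semantics); the first term
# that matches decides, and a packet matching no term hits the implicit discard.
INTERNET_ACCESS_ONLY = [                          # the filter from step 6
    ("ALLOW_DHCP", {"ip-protocol": {"udp"}, "destination-port": {67, 68}}, "accept"),
    ("ALLOW_DNS", {"ip-protocol": {"udp", "tcp"}, "destination-port": {53}}, "accept"),
    ("BLOCK_RFC_1918", {"ip-destination-address":
                        {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}}, "discard"),
    ("ALLOW_ALL", {}, "accept"),
]
INTERNET_ONLY_ACCESS = [                          # the variant in the CLI quick configuration
    ("Allow_DHCP", {"ip-protocol": {"udp"}, "destination-port": {67, 68}}, "accept"),
    ("Allow_DNS", {"ip-protocol": {"udp", "tcp"}, "destination-port": {53}}, "accept"),
    ("Block_Internal", {"ip-destination-address": {"192.168.0.0/16"}}, "discard"),
    ("Allow_All", {}, "accept"),
]

def term_matches(conditions, pkt):
    """True when every match keyword in the term is satisfied by the packet."""
    for keyword, values in conditions.items():
        if keyword == "ip-destination-address":
            dst = ipaddress.ip_address(pkt["dst"])
            if not any(dst in ipaddress.ip_network(p) for p in values):
                return False
        elif keyword == "ip-protocol":
            if pkt["proto"] not in values:
                return False
        elif keyword == "destination-port":
            if pkt.get("dport") not in values:      # no port (e.g. ICMP) never matches
                return False
        else:
            raise ValueError(f"unsupported match keyword {keyword}")
    return True

def evaluate(filter_terms, pkt):
    """Return (term name, action) of the first matching term, or the implicit discard."""
    for name, conditions, action in filter_terms:
        if term_matches(conditions, pkt):
            return name, action
    return None, "discard"

def compare(pkts):
    """Map each flow label to (step 6 filter action, quick-configuration filter action)."""
    return {label: (evaluate(INTERNET_ACCESS_ONLY, p)[1], evaluate(INTERNET_ONLY_ACCESS, p)[1])
            for label, p in pkts.items()}

# Constructed flows from a not-yet-profiled endpoint; the destination hosts are
# placeholders inside the address ranges the filters name, not hosts from this NCE.
SAMPLE_FLOWS = {
    "dhcp-discover":  {"proto": "udp", "dst": "255.255.255.255", "dport": 67},
    "dns-internal":   {"proto": "udp", "dst": "10.25.22.53", "dport": 53},
    "https-internal": {"proto": "tcp", "dst": "10.25.22.80", "dport": 443},
    "https-192-168":  {"proto": "tcp", "dst": "192.168.1.10", "dport": 443},
    "https-internet": {"proto": "tcp", "dst": "198.51.100.10", "dport": 443},
}

if __name__ == "__main__":
    for label, (step6, quick) in compare(SAMPLE_FLOWS).items():
        print(f"{label:15s} step-6 filter: {step6:8s} quick-config filter: {quick}")
```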
Results
From configuration mode, confirm your configuration by entering the following show commands.
user@Policy-EX-switch# show access
radius-server {
    10.25.22.11 {
        dynamic-request-port 3799;
        secret "$9$tqCW01hevLVwgSrwgoJHkp0BISrKM87db"; ## SECRET-DATA
        source-address 10.25.99.11;
    }
}
profile ACCESS_PROF_RADIUS {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server 10.25.22.11;
        accounting-server 10.25.22.11;
    }
}
user@Policy-EX-switch# show protocols
dot1x {
    authenticator {
        authentication-profile-name ACCESS_PROF_RADIUS;
        interface {
            AUTHC {
                supplicant multiple;
                transmit-period 3;
                mac-radius;
            }
        }
    }
}
user@Policy-EX-switch# show interfaces
interface-range AP {
    member ge-0/0/0;
    native-vlan-id 130;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ AP EMPLOYEE-WIRELESS ];
            }
        }
    }
}
interface-range AUTHC {
    member ge-0/0/6;
    member ge-0/0/3;
    member ge-0/0/2;
    member ge-0/0/4;
    member ge-0/0/7;
    member ge-0/0/8;
    member ge-0/0/9;
    member ge-0/0/5;
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members REMEDIATION-WIRED;