This is just a quick little post about how to utilize Clearpass Policy Manager to authenticate RADIUS requests from Airwave.  This is a quick and dirty configuration document to assign Domain Admin users administrator rights on Airwave.

In Airwave
1. Navigate to AMP Setup -> Authentication -> Enable RADIUS Authentication and Authorization and click “Yes”. Then fill in the RADIUS server Hostname/IP Address and Shared Secret and click “Save”.


2. Navigate to AMP Setup -> Roles and click the “Add” button. Name it “AMP-Admin” set the Type as “AMP Administrator”, the Aruba Controller Role as “root” and click the Add button.


In Clearpass
1. Navigate to Configuration -> Network -> Devices and click Add Device in the upper left corner. Fill in the Name, IP Address, RADIUS Shared Secret, and in the Vendor Name drop-down, select “Aruba”. Then click “Add”.


2. This step is completely optional. Navigate to Configuration -> Network -> Device Groups and click Add Device Group. Fill in the Name, click “List” and then add the Airwave server to Selected Devices. Then click “Save”.


3. Navigate to Configuration -> Enforcement -> Profiles and click “Add Enforcement Profile”. Select “Aruba RADIUS Enforcement” as the template, fill in the Name, leave “Accept” as the Action and click Next.


4. In Attributes, set Type “Radius:Aruba”, NameAruba-Admin-Role (4)”, Value “AMP-Admin” and click Save.


5. Navigate to Configuration -> Enforcement -> Policies and click “Add Enforcement Policy”. Fill in the Name, leave “RADIUS” as the Enforcement Type, select “[Deny Access Profile]” as the Default Profile and click Next.


6. Click Add Rule, and click “Click to add…” to add a Condition. In the Condition, select “Tips” as the Type, “Role” as the Name, “EQUALS” as the Operator, and your previously created role as the Value. Under Enforcement Profiles, add the Airwave Enforcement RADIUS profile that was created in steps 5 & 6, and click Save. Then click Save again to complete the Enforcement Policy creation.


7. Navigate to Configuration -> Services and click “Add Service” in the upper right corner. Select TypeRADIUS Enforcement ( Generic )”, fill in the Name and click “Click to add…” to add a Service Rule. In the new Service Rule select “Connection” for the Type, “NAD-IP-Address” for the Name, “BELONGS_TO_GROUP” as the Operator, and the Device Group we created in step 4 as the Value. Then click Next.


8. Select “PAP” to add it to Authentication Methods, select the correct authentication source to add it to Authentication Sources, and click Next.


9. Select your admin Role Mapping Policy and click Next.


10. Select the Enforcement Policy we created in step 7 and click Save.



Thanks to Mike Courtney for putting the below post together to get me going on mine.