Introduction
Aruba ClearPass is an identity-based Network Access Control (NAC) and policy enforcement platform designed to enhance security and simplify network management. Integrating with Celona Orchestrator, Aruba ClearPass provides a seamless solution for managing access policies across private 5G, Wi-Fi, and wired networks. This integration ensures that only authorized and compliant devices can connect to the network, delivering higher security and control.
Key Benefits:
Centralized management of user and device authorization across the network.
Enhanced security with RADIUS-based authorization for private 5G, Wi-Fi, and wired devices.
Simplified access policy management from a single console, reducing operational complexity.
NOTE: This feature is available starting from Edge OS version 2406 and is accessible only to users with an Admin role.
Feature Description
This feature uses enterprise RADIUS-based NAC systems for authorization, while SIM-based authentication is handled directly on the Celona Edge. Users are authorized by validating SIM card (IMSI) or device (IMEI) credentials. This enables enterprises to use a unified policy engine to authorize wired, Wi-Fi, and private 5G devices.
As part of the Attach process, the device goes through SIM-based authentication via the HSS (in LTE) or the AUSF/UDM/UDR functions (in 5G).
Once the device has been authenticated, Celona Edge will initiate an authorization request to the configured policy engine (such as Cisco ISE or Aruba ClearPass). Device (IMEI) or SIM identifiers (IMSI) information will be passed to the NAC system to identify the device and automatically retrieve the configured authorization policy.
This information will be passed back to the Celona Edge in the authorization response. In phase 1, we automatically retrieve the device group of the device and configure it on the private network. Based on the device group, the following networking and security policies will be dynamically set up on the private network:
QoS policy
Admission control policy
IP domain & VLAN segmentation
NOTE:
The Edge and Aruba ClearPass should be installed on the same network.
SSL support has not yet been implemented between Celona Edge and ClearPass.
NAC Integration
Configuration on Celona Orchestrator
Log in to the Celona Orchestrator by entering your Admin user credentials.
Navigate to the “Edge Clusters” tab on the main Dashboard.
Select an Edge Cluster to view the Cluster Details.
Edge Cluster Details
Enable the “Device Authorization” by toggling the relevant setting.
Device Authorization Toggle
In the Device Authorization Server field, click Add New to create a new profile. In this example, the new profile created is Aruba_Clearpass.
Option to Add or Edit Device Authorization Server
In the “Device Authorization Server” window, enter all the required fields, such as the Server Name, Secret Source, Server IP Address, Server Port, User Name, and Password.
Server Name: Aruba ClearPass Server
Secret Source: Shared secret (must match RADIUS Shared Secret on Aruba ClearPass)
Server IP Address: Aruba ClearPass server IP address
Server Port: Aruba ClearPass server port number
User Name: AAA server’s user name
Currently, this is not being passed to the NAC server in the RADIUS access request message.
Password: AAA server's password
Choose IMSI or IMEI as the identifier.
NOTE: The default option for “Device Authorization Identifier” is IMSI.
Device Authorization Server
Click the ADD button to add the settings. Ensure you choose the new Device Authorization Server profile you created in the Device Authorization Server field.
NOTE: Enabling the feature without selecting the server will result in device attach failure.
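Because SSL is not used between the Edge and ClearPass, the RADIUS shared secret is what lets the Edge trust an authorization response, which is why it must match on both sides. The sketch below is an added example, not Celona or Aruba code: it follows the standard RFC 2865 Response Authenticator calculation, and the request layout (User-Name carrying the IMSI or IMEI as the only attribute), the sample IMSI, the secret and the reply text are all constructed assumptions.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS codes (RFC 2865)
USER_NAME, REPLY_MESSAGE = 1, 18          # RADIUS attribute types (RFC 2865)

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(pkt_id: int, identifier: str) -> bytes:
    """Access-Request whose User-Name is the IMSI or IMEI (assumed layout)."""
    attrs = attr(USER_NAME, identifier.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    return header + os.urandom(16) + attrs   # 16-byte random Request Authenticator

def build_response(code: int, request: bytes, reply: str, secret: bytes) -> bytes:
    """NAC side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = attr(REPLY_MESSAGE, reply.encode())
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Edge side: accept only a reply bound to this request and keyed with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for a packet's attributes, rejecting bad lengths."""
    found, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        found[packet[pos]] = packet[pos + 2 : pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return found

if __name__ == "__main__":
    imsi, secret = "001010123456789", b"constructed-shared-secret"   # constructed values
    req = build_request(7, imsi)
    ok = build_response(ACCESS_ACCEPT, req, "constructed-reply", secret)
    print(verify_response(ok, req, secret))                  # secrets match
    print(verify_response(ok, req, b"different-secret"))     # mismatch is rejected
```

A reply fails verification when the secrets differ, when any attribute is altered in transit, or when it answers a different request, since the digest covers the Request Authenticator of the request it belongs to.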
Configuration on Aruba ClearPass
Log in to the Aruba ClearPass Policy Manager web interface by entering your Admin credentials.
Configure Network Devices (Edge Cluster)
Navigate to ClearPass Policy Manager Menu → Configuration → Network → Devices.
Click + Add to add the Celona Edge details. Or click on the device to edit the details.
ClearPass Policy Manager Menu → Configuration → Network → Devices
On the Device Details page, fill in the required information for the device:
Name: Enter the Edge name.
IP or Subnet Address: Enter the Edge IP address.
Device Group: Select the device group to which you want to add the device.
RADIUS Shared Secret: Enter the shared secret key that the device will use to communicate with ClearPass via RADIUS. Must match the “Secret Source” field in the “Device Authorization Server” window on Orchestrator.
Vendor Name: Choose the vendor name (e.g., Aruba, Cisco, etc.).
Enable RADIUS Dynamic Authorization: Check the Port and enter the port number as configured on Orchestrator.
Edit Device Details
Configure Network Device Groups
Navigate to ClearPass Policy Manager Menu → Configuration → Network → Device Groups.
Click + Add to create a new device group. Or click on the device group to edit.
ClearPass Policy Manager Menu → Configuration → Network → Device Groups
Move the devices from Available Devices to Selected Devices using the arrows. The selected devices will form a device group.
Device Groups
Configure Enforcement Profile
Navigate to ClearPass Policy Manager Menu → Configuration → Enforcement → Profiles.
Click + Add to create an enforcement profile. Or click on the enforcement profile to edit.
ClearPass Policy Manager Menu → Configuration → Enforcement → Profiles
In the Profile tab, configure the enforcement profile to Accept, Reject, or Drop network access requests based on the outcome of authentication and policy evaluation. These actions determine how the network device responds to the authentication request.
Enforcement Profile
In the Attributes tab, you can specify the responses sent to the network device. For example, configure the Reply-Message attribute by selecting the message from the drop-down menu. After authentication, this message is sent to the Edge.
Set Attributes
Configure Enforcement Policy
Navigate to ClearPass Policy Manager Menu → Configuration → Enforcement → Policies.
ClearPass Policy Manager Menu → Configuration → Enforcement → Policies
To create a new Enforcement Policy, click + Add. In the Enforcement tab, enter the Name and Enforcement Type (RADIUS) and select the Enforcement Profile you created for the Default Profile.
New Enforcement Policy
To create conditions or rules for the enforcement policy, click the Rules tab and Add Rule.
Rules
Create new enforcement rules or conditions in the Rules Editor. In this editor, define the condition that identifies the devices to be authorized by setting Username EQUALS to the device's IMSI/IMEI. After creating the conditions, save the changes.
Rules Editor
The Summary tab lists all the rules created under the enforcement policy.
Enforcement Policy Summary
Configure Authorization Service
Navigate to ClearPass Policy Manager menu → Configuration → Services.
ClearPass Policy Manager Menu → Configuration → Services
The Services page lists the order of services that ClearPass follows during authentication and authorization. You can change the order of the authorization services. Click a service to edit it.
Authorization Services
For more information on troubleshooting, configuration, and service logs, contact support@celona.io.