Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

 

Setting up Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration:

The post lists the steps involved in setting up “Colourless port with Dynamic Segmentation” on ArubaOS-Switch.

We will be using Downloadable User Roles in ClearPass, for Centralized Policy and access control.

This post would be useful for Aruba Partner Engineers and Customers who are trying to implement this capability.

 

What we will be achieving:

Employee laptop performing 802.1X Authentication:

  • Placed in VLAN 29 and bridged locally on switch.

IoT Device like Security Camera, authorized based on profiled information:

  • Placed in VLAN 30 and tunnelled to the Controller for Stateful firewall / DPI

Network Diagram: [image: Network Diagram.jpg]

 

 

The following is the Bill of Materials for the above setup:

7005 Mobility Controllers - 8.3.0.0_64659

2930M Aruba Switch - WC.16.05.0007

Server with VMware ESXi vSphere 6.5 running the following VMs

Mobility Master - 8.3.0.0_64659

ClearPass server - 6.7.3

7010 Mobility Controller x 3 - 8.3.0.0_64659

2930F Aruba Switches - WC.16.05.0007

Windows laptop - Windows 10

Wired PoE IP Camera

AP335

 

ArubaOS-Switch Configuration:

Configure the Basic components like NTP, uplinks and VLANs

NTP is required as accurate time plays a critical role in network authentication. [image: NTP.jpg]

Uplinks and Default Gateway: [image: Uplink and Default Gateway.jpg]

User VLANs:

These VLANs should only be created/defined. No IP address should be added and the VLAN should not be tied to any port. [image: User VLANs.jpg]

 

 

Define the ClearPass server as RADIUS server and dynamic authorization client:

radius-server host 192.168.26.52 key Aruba123!             

radius-server host 192.168.26.52 dyn-authorization

aaa server-group radius "ClearPass" host 192.168.26.52

 

Enable global functions and configurations:

ip source-interface radius vlan 17

ip client-tracker trusted

 

Configuring User-Based Tunneling (UBT):

tunneled-node-server

   controller-ip 192.168.17.179

   mode role-based

   exit

 

Enable AAA functions:

aaa accounting network start-stop radius server-group "ClearPass"

aaa authorization user-role enable download

aaa authentication port-access eap-radius server-group "ClearPass"

aaa authentication mac-based chap-radius server-group "ClearPass"

 

Port configuration:

aaa port-access authenticator 2-24

aaa port-access authenticator 2-24 tx-period 10             

aaa port-access authenticator 2-24 supplicant-timeout 10

aaa port-access authenticator 2-24 client-limit 32

aaa port-access authenticator active

aaa port-access mac-based 2-24             

aaa port-access mac-based 2-24 addr-limit 32

 

Other Requirements for DUR:

To support downloadable user roles, the signing CA of the ClearPass HTTPS certificate must be added to the switch and marked as trusted. By default, the following CAs are installed in the ArubaOS-Switch. [image: Trusted CA.jpg]

I will be using the HTTPS server certificate signed by GeoTrust in ClearPass.

 

DURs also require a ClearPass read-only user account to download the user role configuration. Configure the expected username and password for the account.

radius-server cppm identity s-admin key Aruba123!

 

 

ClearPass Configuration:

Bring up the ClearPass server, install the license and configure all the basic settings.

Now let's configure the things specific to this demo.

Defining NAD:

Go to "Configuration -> Network -> Devices" and add the Dynamic Segmentation switch as the NAD. [image: Adding the NAD.jpg]

Create Local Users:

Create local users under "Configuration -> Identity -> Local Users"

user1 / Aruba123!

 

Profiler Settings:

Go to "Configuration -> Profile and Network Scan -> Network Scan" and add the subnets you want to scan.

Ensure you point the "IP helper address" to the ClearPass server on the user VLAN.

 

Read Only User Account:

Under "Administration -> Users and Privileges -> Admin Users" configure the read-only user account. This will be used by the ArubaOS-Switch to download the user role configuration. [image: Read-Only-Users.jpg]

Install Certificate:

Go to "Administration -> Certificates -> Certificate Store" and click on "Import Certificate". [image: import Certificate.jpg]

Verify the same: [image: Public Cert.jpg]

 

 

Creating the Enforcement Profiles:

Goto "Configuration -> Enforcement -> Profiles"

Add an "Aruba Downloadable Role Enforcement" Profile.

Select “Role Configuration Mode = Advanced”

Select “Product = ArubaOS-Switch”

Create the Type, Name and Value as follows

For Employee: [image: dur_employee.jpg]

For Camera: [image: dur_camera.jpg]

 

Creating Services:

Edutech 802.1X Wired Service: [image: Dot1x service.jpg]

Enforcement Policy Details:

    Conditions                                                                      Enforcement Profiles
    1. (Tips:Role EQUALS [User Authenticated]) AND (Tips:Role EQUALS [Employee])    dur_employee

 

Edutech Device MAC Authentication Service: [image: Mac-auth Service.jpg]

Enforcement Policy Details:

    Conditions                                       Enforcement Profiles
    1. (Endpoint:Device Type EQUALS Printer)         dur_printer
    2. (Endpoint:Device Type EQUALS Camera)          dur_camera

 

 

Controller Configuration:

Refer to the following post for:

http://community.arubanetworks.com/t5/Wireless-Access/AOS-8-x-How-to-create-a-WLAN-from-scratch/td-p/421135

  • Bringing up the Mobility Master
  • Installing the license.
  • Placing the 3 x 7010 Controllers into a Cluster. Ensure that 192.168.17.179 is the Cluster Leader.
  • Creating an SSID on the AP335 for management purposes.

Once you have done that, ensure that you have the following roles in the controller under

Managed Network -> Cluster Group name -> Configuration -> Roles and Policies -> Roles

Camera: Define a session-based ACL as per your requirement, e.g. provide access to the camera only from certain subnets. [image: Controller Roles.jpg]

 

 

Time to Test:

Please connect the Employee Laptop and Camera to any port on the 2930F Switch.

 

Verification Commands on Switch: [image: Verification Commands1.jpg]

[image: Verification Commands2.jpg]

 

Verification Commands on the Controller: [image: Verification Commands3.jpg]

 

Pre-Sales people can demonstrate this functionality using a Switch Monitor Web App. [image: Further Demo.jpg]

 

 

Hope you find this useful. Please post your feedback!

Regards,

Kapildev Erampu
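
As an added example that is not part of the original post, the following Python script checks an ArubaOS-Switch running-config for the prerequisites the walkthrough above depends on: the user VLANs exist but carry no IP address, no IP helper and no static port membership; ClearPass is defined as a dynamic-authorization client; the `radius-server cppm identity` account and `aaa authorization user-role enable download` are present; and `tunneled-node-server` is in role-based mode. The config fragment inside is constructed for the example (VLAN 30 is deliberately misconfigured), and `lint_config()` and `parse_config()` are hypothetical helpers, not Aruba tooling.

```python
"""Added example (not from the original post): lint an ArubaOS-Switch
running-config for the Dynamic Segmentation / DUR prerequisites described
above. SAMPLE_CONFIG is constructed; lint_config() is a hypothetical helper."""
import re
from typing import Dict, List, Set, Tuple

# Constructed running-config fragment. VLAN 30 deliberately violates the
# "Layer 2 only, no static ports" rule so the checker has something to report.
SAMPLE_CONFIG = """\
ip client-tracker trusted
vlan 17
   untagged 1
   ip address 192.168.17.10 255.255.255.0
   exit
vlan 29
   name "Employee"
   exit
vlan 30
   name "IoT"
   ip helper-address 192.168.26.52
   untagged 10
   exit
radius-server host 192.168.26.52 key Aruba123!
radius-server host 192.168.26.52 dyn-authorization
radius-server cppm identity s-admin key Aruba123!
aaa server-group radius "ClearPass" host 192.168.26.52
aaa authorization user-role enable download
tunneled-node-server
   controller-ip 192.168.17.179
   mode role-based
   exit
aaa port-access authenticator 2-24
aaa port-access authenticator active
"""
# Same fragment with the two offending VLAN 30 lines removed.
FIXED_CONFIG = SAMPLE_CONFIG.replace("   ip helper-address 192.168.26.52\n", "").replace("   untagged 10\n", "")

USER_VLANS = {29, 30}  # VLANs the downloadable roles place clients in

# Top-level lines the walkthrough relies on, with the finding to raise if absent.
REQUIRED_GLOBAL: List[Tuple[str, str]] = [
    (r"^radius-server host \S+ dyn-authorization$", "ClearPass is not a dynamic-authorization (CoA) client"),
    (r"^radius-server cppm identity \S+ key \S+$", "no 'radius-server cppm identity' account for role download"),
    (r"^aaa authorization user-role enable download$", "downloadable user roles are not enabled"),
    (r"^aaa port-access authenticator active$", "802.1X authenticator is not globally active"),
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level lines and the sub-commands of each
    'vlan N' / 'tunneled-node-server' context (three-space indent, 'exit')."""
    top: List[str] = []
    contexts: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("   "):  # sub-command of the currently open context
            sub = line.strip()
            if current is not None and sub != "exit":
                contexts[current].append(sub)
            elif sub == "exit":
                current = None
            continue
        top.append(line)
        if re.match(r"^(vlan \d+|tunneled-node-server)$", line):
            current = line
            contexts.setdefault(current, [])
    return top, contexts


def lint_config(text: str, user_vlans: Set[int] = USER_VLANS) -> List[str]:
    """Return findings; an empty list means the config meets the prerequisites."""
    findings: List[str] = []
    top, contexts = parse_config(text)
    # User VLANs must exist only as Layer 2 containers: no IP, no helper,
    # no static port membership (the downloaded role assigns the port).
    for vid in sorted(user_vlans):
        key = f"vlan {vid}"
        if key not in contexts:
            findings.append(f"{key}: not defined on the switch")
            continue
        for sub in contexts[key]:
            if sub.startswith(("ip address ", "ip helper-address ")):
                findings.append(f"{key}: has Layer 3 config ('{sub}')")
            elif re.match(r"^(untagged|tagged) ", sub):
                findings.append(f"{key}: statically tied to ports ('{sub}')")
    for pattern, msg in REQUIRED_GLOBAL:
        if not any(re.match(pattern, line) for line in top):
            findings.append(f"global: {msg}")
    ubt = contexts.get("tunneled-node-server", [])
    if "mode role-based" not in ubt:
        findings.append("tunneled-node-server: missing or not in role-based mode")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against `show running-config` output saved to a file; the only findings for the constructed sample are the helper address and the static port on VLAN 30, which is exactly the configuration the walkthrough says to avoid on the VLANs that UBT and the downloaded roles manage.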


Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

Couple of comments:

1) The UBT VLAN should not have ANY IP addresses on the switch, including helper

2) The MAC Auth service should be using [Allow All MAC Auth] not [MAC Auth]

3) The role download admin user should now use the Aruba User Role Download role in 6.7.3+

4) Why do you have so many EAP methods defined in your 802.1X service?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

Thanks for the review and comments Tim Cappalli.
Regarding Question No. 4, I used the "802.1X Wired" template, so the "Authentication Methods" in it were the defaults. I forgot to remove the unnecessary EAP methods.

Regards,

Kapil

 


Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

Thanks Kapil for this well-written guide. I am new to Aruba (coming from Cisco background) and such guides are very helpful in conducting POC. Please keep them coming.

 

Regards,

Tariq


Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

Thanks for your feedback Tariq :)
