Occasional Contributor II
Posts: 12
Registered: ‎10-05-2011

User Roles and Access Switches

Hi Guys,

I have a question about ARUBA switches and Mobility access control. In Figure 1 taken from the S3500 data sheet, the PC, IP Phone, Printer and ARUBA AP are directly connected to the switch.

On the AP, there will be multiple types of devices and different users connecting to the network.

With Clearpass, user roles may be automatically downloaded and applied to the Mobility Access Switch. How does Clearpass and/or the Access Switch handle the user roles if there are multiple users and devices on the same switch port?

 

When the data sheet says user roles are downloaded to the Access Switch, are they referring to a physical switch port that the user is connected to?

Hope this makes sense.

I’ll appreciate your advice/feedback.

Thanks

Michael

Aruba Employee
Posts: 49
Registered: ‎12-28-2012

Re: User Roles and Access Switches

When a user’s attribute matches a CPPM enforcement profile with a downloadable role, the CPPM RADIUS ACCESS-ACCEPT message includes a new VSA, Aruba-CPPM-Role, which indicates the role and version number.

Below is a sample dot1x authentication of a user. Post his authentication, the roles are downloaded if necessary from CPPM to MAS or controller.

[Image: CPPM- AUTh integ.PNG]

When the Auth module tracks users, it tracks them based on the authentication configured on that interface. It can be an L2 auth or L3 auth. Different users will have different MAC and IP addresses, based on which they are put in different roles by MAS.

Thanks,
Abilash (ACCP, CWSP, CWAP, CWDP)
(Above answer is based on my knowledge and NOT an official statement from Aruba)
[Hit Kudos if my reply helps. ]
Aruba Employee
Posts: 49
Registered: ‎12-28-2012

Re: User Roles and Access Switches

When the data sheet says user roles are downloaded to the Access Switch, are they referring to a physical switch port that the user is connected to?

Ans: No. Users are mapped to a role (a set of ACLs) post their authentication based on their credentials. If this bunch of ACLs is not pre-existing in MAS, then it can be downloaded by MAS from CPPM.

Thanks,
Abilash (ACCP, CWSP, CWAP, CWDP)
(Above answer is based on my knowledge and NOT an official statement from Aruba)
[Hit Kudos if my reply helps. ]
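
The behaviour described in the replies above, as an added toy model that is not part of the thread and is not Aruba or ClearPass code: roles are bound to each authenticated station (keyed here by MAC address) rather than to the physical port, and a role is fetched only when the switch does not already hold it. The class names, role names, ACL strings, MAC addresses, port label and the "re-download when the version differs" rule are all assumptions made for the illustration.

```python
# Toy model added for illustration; not Aruba or ClearPass code.
# All class names, role names, MACs and the port label are constructed.
from dataclasses import dataclass, field


@dataclass
class RoleServer:
    """Stands in for CPPM: role definitions (ACL lists) keyed by (name, version)."""
    roles: dict

    def download(self, name, version):
        return list(self.roles[(name, version)])


@dataclass
class AccessSwitch:
    """Stands in for the switch's auth module."""
    server: RoleServer
    role_cache: dict = field(default_factory=dict)  # role name -> (version, ACLs)
    stations: dict = field(default_factory=dict)    # MAC -> (port, role name)
    downloads: int = 0

    def on_access_accept(self, port, mac, role_name, role_version):
        cached = self.role_cache.get(role_name)
        # Assumption: fetch only if the role is absent or its version differs.
        if cached is None or cached[0] != role_version:
            acls = self.server.download(role_name, role_version)
            self.role_cache[role_name] = (role_version, acls)
            self.downloads += 1
        # The role is bound to the authenticated station, not to the port.
        self.stations[mac.lower()] = (port, role_name)

    def acls_for(self, mac):
        _, role_name = self.stations[mac.lower()]
        return self.role_cache[role_name][1]

    def roles_on_port(self, port):
        return {m: r for m, (p, r) in self.stations.items() if p == port}


def demo():
    cppm = RoleServer({("employee", 1): ["permit any"],
                       ("guest", 3): ["permit dns", "permit http", "deny any"]})
    sw = AccessSwitch(cppm)
    # Three stations behind one AP, all seen on the same switch port.
    sw.on_access_accept("port-5", "AA:BB:CC:00:00:01", "employee", 1)
    sw.on_access_accept("port-5", "AA:BB:CC:00:00:02", "guest", 3)
    sw.on_access_accept("port-5", "AA:BB:CC:00:00:03", "employee", 1)
    return sw
```

Calling `demo().roles_on_port("port-5")` shows two different roles active on one port, with only two role downloads for three authentications.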