Controller Based WLANs

What is CPPM role download and how to configure it on the controller

by on ‎11-09-2014 11:08 AM

Summary :

CPPM is the central device that manages all security policies in a controller deployment; the controllers merely enforce those policies.

 

Introduction :

CPPM RADIUS provides the role name at user authentication. The authenticator switch or controller can request the role details if the role does not exist. Users are then assigned to the newly defined role.

Environment :

Role download can be triggered in two ways:

Aruba-CPPM-Role VSA: When a user does a full authentication and receives a role name in this VSA, a role request for this role is sent to CPPM.

Cached downloadable role: This applies only to HA-failover scenarios with dot1x-wpa2. During the first full authentication, as soon as the role name is received through the VSA, it is marked for caching, instead of the next-derived role. On HA failover and user creation, when the cached role is recovered and is found to be a downloadable role that is not present on the controller, a role request is sent for this role name.

Configuration Steps :

The CLI audit trail will not show the CPPM commands being executed via Auth.

An enable/disable knob is available in the AAA profile.

AAA Profile "test"
----------------------
Parameter                              Value
---------                              -----
Initial role                           logon
MAC Authentication Profile             N/A
MAC Authentication Default Role        logon
MAC Authentication Server Group        internal
802.1X Authentication Profile          default
802.1X Authentication Default Role     dot1x
802.1X Authentication Server Group     cppm-radius-group
RADIUS Accounting Server Group         N/A
RADIUS Interim Accounting              Disabled
Download Roles from CPPM               Enabled
XML API server                         N/A
User derivation rules                  N/A
Enforce DHCP                           Disabled
Authentication Failure Blacklist Time  3600 sec.
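
Since the CLI audit trail does not show the CPPM commands, it is useful to know which AAA profiles have the knob enabled. The Python below is an added example, not part of the original article or any Aruba tooling; it parses AAA profile output in the format shown above, and the second profile ("guest") is constructed sample data.

```python
import re

# The "test" lines are taken from the output on this page; the "guest"
# profile is constructed so the audit has a disabled case to contrast with.
SAMPLE = '''\
AAA Profile "test"
----------------------
Parameter                              Value
---------                              -----
Initial role                           logon
802.1X Authentication Server Group     cppm-radius-group
Download Roles from CPPM               Enabled
Authentication Failure Blacklist Time  3600 sec.

AAA Profile "guest"
----------------------
Parameter                              Value
---------                              -----
Initial role                           logon
802.1X Authentication Server Group     internal
Download Roles from CPPM               Disabled
'''

def parse_profiles(text):
    """Return {profile_name: {parameter: value}} from AAA profile output."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r'AAA Profile "(.+)"\s*$', line)
        if header:
            current = profiles.setdefault(header.group(1), {})
            continue
        # Parameter and value columns are separated by two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if (current is None or len(parts) != 2
                or parts[0] == "Parameter" or set(parts[0]) <= {"-"}):
            continue  # blank line, ruler, column header, or text before a profile
        current[parts[0]] = parts[1]
    return profiles

def role_download_report(text):
    """Return (profile, 802.1X server group) for profiles with role download enabled."""
    return [(name, p.get("802.1X Authentication Server Group", "N/A"))
            for name, p in parse_profiles(text).items()
            if p.get("Download Roles from CPPM") == "Enabled"]

if __name__ == "__main__":
    for name, group in role_download_report(SAMPLE):
        print(f"{name}: role download enabled, 802.1X server group {group}")
```

Each reported profile takes its role definitions from the listed server group, so that group's membership is what to review.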
