Occasional Contributor I
Posts: 9
Registered: 10-12-2012

WLC integration to CPPM roles

WLC : 7210 6.4.28

CPPM  6.6.5

What I'm looking for:

I already have ACL user-roles in the WLC, and users are authenticated by CPPM using EAP-PEAP (inner EAP-GTC); the accounts are in the CPPM Local user repository (and End user repository).
Now I'd like to use the ACL roles in the WLC like this:
as the user authenticates in CPPM, the reply message should provide the information of the user-role it should be pointed to in the WLC.
I don't want to use Aruba Downloadable Role Enforcement because I would have to do the ACLs again in CPPM.

Now

1. I'd like to implement the following

- in the WLC aaa-profile: Enable Role from CPPM

Q: What privileges does the WLC user account require in CPPM, e.g.

read-only Administrator or API admin with r/w rights?

2. in CPPM
- what is the configuration in the CPPM Enforcement to allow only a certain user-role to be returned when the user authenticates in CPPM?
user-role: is the name of a role already in the WLC

Thanks
Juha-Pekka

Guru Elite
Posts: 21,525
Registered: 03-29-2007

Re: WLC integration to CPPM roles

In ClearPass, the Enforcement profile should return the Aruba-User-Role radius attribute.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: 10-12-2012

Re: WLC integration to CPPM roles

Ok,
What is the setup in the WLC aaa-profile?
What I've done is
1. Added CPPM credentials to all WLCs (Authentication-Servers - Radius Server)

2. In the AAA-profile: download Role from CPPM

Q: What should I set as the 802.1X Authentication Default Role?

- the role name I'd like to use and have returned from CPPM after successful authentication, or something else?

Or does this matter at all, i.e. does the role returned by CPPM override whatever I set there?

Br
Juha-Pekka

Guru Elite
Posts: 21,525
Registered: 03-29-2007

Re: WLC integration to CPPM roles

A:  The 802.1x default role will be the role that users get if CPPM returns an "accept" but does not return a role.  If CPPM returns a role via the Aruba-User-Role attribute, it will override this default role.

To see the radius attributes that are returned, do this:

config t
logging level debugging security process authmgr
logging level debugging security subcat aaa

Do your authentication, then type "show log security 50" to see your attributes:

Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_api.c:151] Radius authenticate raw using server CPPM
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_request.c:55] Add Request: id=69, srv=192.168.1.32, fd=84
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2307] Sending radius request to CPPM:192.168.1.32:1812 id:69,len:278 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  User-Name: employee-pixelc 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  NAS-IP-Address: 192.168.1.3 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  NAS-Port-Id: 0 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  NAS-Identifier: 192.168.1.3 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  NAS-Port-Type: Wireless-IEEE802.11 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Calling-Station-Id: AC3743494E04 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Called-Station-Id: 000B86B8B5F8 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Service-Type: Framed-User 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Framed-MTU: 1100 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  EAP-Message: \002\012 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  State: AFsA/gBsAMnOUgAAcgIf7AfesjTDf90FzBDHsQ== 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Aruba-Essid-Name: ACME-TLS 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Aruba-Location-Id: Office-325 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Aruba-AP-Group: default 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Aruba-Device-Type: Linux 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  Message-Auth: \270M\015\354\236\245\210~w\317\234\012d\272#e 
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_request.c:79] Find Request: id=69, srv=192.168.1.32, fd=84
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_request.c:85]  Current entry: srv=192.168.1.32, fd=84
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_request.c:40] Del Request: id=69, srv=192.168.1.32, fd=84
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_api.c:1229] Authentication Successful
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_api.c:1231] RADIUS RESPONSE ATTRIBUTES:
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_api.c:1246]  {Aruba} Aruba-User-Role: authenticated-vsa 


Colin Joseph
Aruba Customer Engineering

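As an added illustration (not part of the thread, and not Aruba or ClearPass code), the small parser below walks the "show log security" debug output described above, separates the RADIUS request attributes from the Access-Accept attributes, and reports which role the controller will apply: the Aruba-User-Role returned by CPPM if present, otherwise the 802.1X default role. The log lines, addresses and role names are constructed for the example and only mimic the format shown in the post.

```python
import re

# Constructed sample lines modelled on the ArubaOS debug output in the post above.
# Addresses, user name and role are placeholders, not a real capture.
SAMPLE_LOG = """\
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2307] Sending radius request to CPPM:192.0.2.32:1812 id:69,len:278
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  User-Name: employee-example
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  NAS-IP-Address: 192.0.2.3
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_server.c:2323]  NAS-Port-Type: Wireless-IEEE802.11
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_api.c:1229] Authentication Successful
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_api.c:1231] RADIUS RESPONSE ATTRIBUTES:
Apr 27 05:45:55 :121031:  <3841> <DBUG> |authmgr| |aaa| [rc_api.c:1246]  {Aruba} Aruba-User-Role: employee-role
"""

# "[file.c:NNN]  Name: value" with an optional "{Vendor}" prefix for VSAs.
ATTR_RE = re.compile(
    r"\]\s+(?:\{(?P<vendor>\w+)\}\s+)?(?P<name>[\w-]+):\s*(?P<value>.*?)\s*$"
)


def parse_exchange(log_text):
    """Return {'request': {...}, 'response': {...}} of attribute name -> value."""
    sections = {"request": {}, "response": {}}
    current = None
    for line in log_text.splitlines():
        if "Sending radius request" in line:
            current = "request"       # attributes that follow were sent to CPPM
            continue
        if "RADIUS RESPONSE ATTRIBUTES" in line:
            current = "response"      # attributes that follow came back in the Accept
            continue
        if current is None:
            continue
        m = ATTR_RE.search(line)
        if m:
            sections[current][m.group("name")] = m.group("value")
    return sections


def effective_role(log_text, default_role):
    """Role the controller applies: Aruba-User-Role wins, else the 802.1X default."""
    response = parse_exchange(log_text)["response"]
    role = response.get("Aruba-User-Role")
    if role:
        return role, "returned by CPPM in Aruba-User-Role"
    return default_role, "802.1X default role (no Aruba-User-Role in the Accept)"


if __name__ == "__main__":
    print(parse_exchange(SAMPLE_LOG))
    print(effective_role(SAMPLE_LOG, "authenticated"))
```

If the response section lacks Aruba-User-Role, the parser reports the default role, which is the case to look for when users land in the wrong role after an otherwise successful authentication.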
