Wired Networks

Enabling Downloadable Role on Mobility Access Switch

Aruba Employee
If the user-role does not exist in Mobility Access Switch or if we want the Mobility Access Switch to download the role attribute details from ClearPass Policy Manager (CPPM) and assign the role to the client, in that situation enabling downloadable role on the Mobility switch will help to assign the role to the client based on the CPPM return attribute.
 
We can enable role download using the CLI or WebUI.
 
Using the WebUI
 
1. Navigate to the Configuration > Authentication > Profiles tab.
2. Select an AAA profile.
3. Select Enabled from the Role Download drop-down list.
 
Using the CLI
 
(host) (config) #aaa profile <profile-name>
(host) (AAA profile) #download-role
 

The following example shows the configuration details to integrate CPPM server with Mobility Access Switch to automatically download roles.

 

CPPM Server Configuration

 

Adding a Device

 

  1. From the Configuration > Network > Devices page, click the Add Device link.
  2. On the Device tab, enter the Name, IP or Subnet Address, and RADIUS Shared Secret fields. Keep the rest of the fields as default.

  3. Click Add.


The fields are described in Figure 1 and Table 1.
 
Figure 1 Device Tab

 

Step 1 Add Device_thumb_300_0.png

 

Table 1: Device Tab

 

 

Container

Description

Name

Specify the name or identity of the device.

IP or Subnet Address

Specify the IP address or subnet (example 10.1.1.1/24) of the device.

RADIUS Shared Secret

Enter and confirm a Shared Secret for each of the two supported request protocols.

 

Adding Enforcement Profile

 

  1. From Configuration > Enforcement > Profiles page, click Add Enforcement Profile.
  2. On the Profile tab, select Aruba Downloadable Role Enforcement from the Template drop-down list.
  3. Enter the Name of the enforcement profile.
  4. From the Role Configuration Mode, select Standard or Advanced. Keep the rest of the fields as default.

  5. Click Next.


For the rest of the configuration, see Standard Role Configuration Mode or Advanced Role Configuration Mode.

 

The fields are described in Figure 2 and Table 2.

 

Figure 2  Enforcement Profiles Page

 

Step 2a Configuration » Enforcement » Profiles » Add Enforcement Profile_thumb_300_0.png

 

Table 2: Enforcement Profiles Page

 

Container

Description

Template

Policy Manager comes pre-packaged with several enforcement profile templates. In this example, select Aruba Downloadable Role Enforcement - RADIUS template that can be filled with user role definition to create roles that can be assigned to users after successful authentication.

Name

Specify the name of the enforcement profile.

Role Configuration Mode

Standard—Configure enforcement profile role using standard mode.

Advanced—Configure enforcement profile role using advanced mode.

 

Standard Role Configuration Mode

 

  1. Under Role Configuration tab, enter the parameters based on Table 3.
  2. Click Save.


The fields are described in Figure 3 and Table 3.

 

Figure 3  Enforcement Profiles Role Configuration Tab

 

Step 2c Configuration » Enforcement » Profiles » Add Enforcement Profile_thumb_300_0.png

 

 

Table 3: Enforcement Profiles Role Configuration Tab

 

 

Container

Description

Captive Portal Profile

This parameter defines a Captive Portal authentication profile.

Policer Profile

This parameter defines a policer profile to manage the transmission rate of a class of traffic based on user-defined criteria.

QoS Profile

This parameter defines a QoS profile to assign Traffic-Class/Drop-Precedence, Differentiated Services Code Point (DSCP), and 802.1p values to an interface or policer profile of a Mobility Access Switch.

VoIP Profile

This parameter defines a VoIP profile that can be applied to any interface, interface group, or a port-channel of a Mobility Access Switch.

Reauthentication Interval Time (0—4096)

Time interval in minutes after which the client is required to reauthenticate.

VLAN To Be Assigned (0—4094)

Identifies the VLAN ID to which the user role is mapped.

ACL

Adds the following Access Control List (ACL):

Ethertype—Defines an Ethertype ACL.

The Ethertype field in an Ethernet frame indicates the protocol being transported in the frame. This type of ACL filters on the Ethertype field in the Ethernet frame header, and is useful when filtering non-IP traffic on a physical port. This ACL can be used to permit IP frames while blocking other non-IP protocols such as IPX or Appletalk.

MAC—Defines a MAC ACL.

MAC ACLs allow filtering of non-IP traffic. This ACL filters on a specific source MAC address or range of MAC addresses.

Stateless—Defines a stateless ACL.

A stateless ACL statically evaluates packet contents. The traffic in the reverse direction is allowed unconditionally.

NOTE: In CPPM, do not configure the Next Hop parameter under Stateless ACL configuration.

NetService Configuration

Defines an alias for network protocols.

Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the network service. Once you configure an alias, you can use it in multiple session ACLs.

NetDestination Configuration

Defines an alias for an IPv4 network host, subnet mask, or a range of addresses.

Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the traffic source and/or destination IP in multiple session ACLs.

User Role Configuration

See the Summary tab for auto-generated Role Configuration.

 

Advanced Role Configuration Mode

 

  1. On the Attributes tab, select Radius:Aruba from the Type drop-down list.
  2. From the Name drop-down list, select Aruba-CPPM-Role.
  3. In the Value field, enter the attribute for the downloadable-role.
  4. Click the save icon to save the attribute.
  5. Click Save to save the enforcement profile.


The fields are described in Figure 4 and Table 4.

 

Figure 4  Enforcement Profiles Attributes Tab

 

Step 2b Configuration » Enforcement » Profiles » Add Enforcement Profile_thumb_300_0.png

 

Table 4: Enforcement Profiles Attributes Tab

 

 

Container

Description

Type

Type is any RADIUS vendor dictionary that is pre-packaged with Policy Manager, or imported by the Administrator. This field is pre-populated with the dictionary names.

Name

Name is the name of the attribute from the dictionary selected in the Type field. The attribute names are pre-populated from the dictionary.

Value

Value is attribute for the downloadable role. You can enter free-form text to define the role and policy.

NOTE: The maximum limit for free form text is 16,000 bytes.

 

Adding Enforcement Policy

 

  1. From Configuration > Enforcement > Policies page, click Add Enforcement Policy.
  2. On the Enforcement tab, enter the name of the enforcement policy.
  3. From the Default Profile drop-down list, select [Deny Access Profile].Keep the rest of the fields as default.

  4. Click Next.


The fields are described in Figure 5 and Table 5.

 

Figure 5  Enforcement Policies Enforcement Tab

 

Step 3a Configuration » Enforcement » Policies » Add_thumb_300_0.png

 

Table 5: Enforcement Policies Enforcement Tab

 

 

Container

Description

Name

Specify the name of the enforcement policy.

Default Profile

An Enforcement Policy applies Conditions (roles, health, and time attributes) against specific values associated with those attributes to determine the Enforcement Profile. If none of the rules matches, Policy Manager applies the Default Profile.

See Adding Enforcement Profile to add a new profile.

5. On the Rules tab, click Add Rule.
  6. On the Rules Editor pop-up, select the appropriate values in the Conditions section and click the save icon.
  7. In the Enforcement Profiles section, select the RADIUS enforcement profile that you created in step Adding Enforcement Profile from the Profile Names drop-down list.

8. Click Save.

 

The fields are described in Figure 6 and Table 6.

Figure 6  Enforcement Policies Rules Editor

Step 3b Configuration » Enforcement » Policies » Add » Add Rule_thumb_300_0.png

Table 6: Enforcement Policies Rules Editor

 

Container

Description

Type

The rules editor appears throughout the Policy Manager interface. It exposes different

namespace dictionaries depending on Service type. When working with service rules, you can select Authentication namespace dictionary

Name

Drop-down list of attributes present in the selected namespace. In this example, select Source.

Operator

Drop-down list of context-appropriate (with respect to the attribute) operators. In this example, select EQUALS.

Value

Drop-down list of the Authentication source database. In this example, select [Local User Repository].

Profile Names

Name of the RADIUS enforcement profile.

Adding Services

  1. From the Configuration > Services page, click the Add Service link.
  2. On the Service tab, select 802.1X Wired from the Type drop-down-list.
  3. In the Name field, enter the name of the service.Keep the rest of the fields as default.

  4. Click Next.


The fields are described in Figure 7 and Table 7.

 

Figure 7  Service Tab

 

Step 4a Configuration » Services » Add  Service_thumb_300_0.png

 

Table 7: Service Tab

 

Container

Description

Type

Select the desired service type from the drop down menu. In this example, select802.1X Wired.

Name

Specify the name of the service.

5. On the Authentication tab, select [Local User Repository] [Local SQL DB] from the Authentication Sources drop-down list.Keep the rest of the fields as default.

  6. Click Next twice.


The fields are displayed in Figure 8.

 

Figure 8  Authentication Tab

 

Step 4b Configuration » Services » Add » Authentication_thumb_300_0.png

 

 

7. On the Enforcement tab, select the enforcement policy that you created in step Adding Enforcement Policy from the Enforcement Policy drop-down list.Keep the rest of the fields as default.

  8. Click Save.


The fields are displayed in Figure 9.

 

Figure 9  Enforcement Tab

 

Step 4c Configuration » Services » Add » Enforcement_thumb_300_0.png

 

For more configuration details on CPPM, see the ClearPass Policy Manager 6.2 User Guide.

Mobility Access Switch Configuration

Configuring CPPM Server on Mobility Access Switch

(host) (config) #aaa authentication-server radius cppm_server

(host) (RADIUS Server "cppm_server") #host <ip_address_of_cppm_server>

(host) (RADIUS Server "cppm_server") #key <shared_secret>

Configuring Server Group to include CPPM Server

(host) (config) #aaa server-group cppm_grp

(host) (Server Group "cppm_grp") #auth-server cppm_server

Configuring 802.1X Profile

(host) (config) #aaa authentication dot1x cppm_dot1x_prof

Configuring AAA Profile

(host) (config) #aaa profile cppm_aaa_prof

(host) (AAA Profile "cppm_aaa_prof") #authentication-dot1x cppm_dot1x_prof

(host) (AAA Profile "cppm_aaa_prof") #dot1x-server-group cppm_grp

(host) (AAA Profile "cppm_aaa_prof") #download-role

 

Show AAA Profile

 

(host) #show aaa profile cppm_aaa_prof

 

 

 

AAA Profile "cppm_aaa_prof"

 

---------------------------

 

Parameter Value

 

--------- -----

 

Initial role logon

 

MAC Authentication Profile N/A

 

MAC Authentication Default Role guest

 

MAC Authentication Server Group default

 

802.1X Authentication Profile cppm_dot1x_prof

 

802.1X Authentication Default Role guest

 

802.1X Authentication Server Group cppm_grp

 

Download Role from ClearPass Enabled

 

L2 Authentication Fail Through Enabled

 

RADIUS Accounting Server Group N/A

 

RADIUS Interim Accounting Disabled

 

XML API server N/A

 

AAA unreachable role N/A

 

RFC 3576 server N/A

 

User derivation rules N/A

 

SIP authentication role N/A

 

Enforce DHCP Disabled

 

Authentication Failure Blacklist Time 3600 sec

 

 

 

 

 

 

 

 

 

Version history
Revision #:
1 of 1
Last update:
‎08-07-2014 06:44 AM
Updated by:
 
Labels (1)
Contributors
Tags (1)
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.