Contributor I
Posts: 24
Registered: ‎06-21-2012

How do you pass user role from Clearpass to Wireless Controller?

For some reason I cannot get the controller to pick up the user role from Clearpass

MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: How do you pass user role from Clearpass to Wireless Controller?

Make sure that user-role has been created on the controller side

User-role TEST-ROLE

and on the ClearPass side you need to create an Aruba RADIUS enforcement profile using the Aruba VSA TEST-ROLE
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: How do you pass user role from Clearpass to Wireless Controller?

Are you trying to do a downloadable role?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 24
Registered: ‎06-21-2012

Re: How do you pass user role from Clearpass to Wireless Controller?

I am having a little difficulty understanding this. I have set up the following roles in Clearpass (image attached):

UNT-Employee
UNT-Guest
UNT-Student

I have set up the following role mapping in Clearpass based on the wirelessRole attribute that is passed from our LDAP servers (image attached):

untst = UNT-Student
untfs = UNT-Employee
untguest = UNT-Guest

So my problem is that the role is assigned correctly in Clearpass, but the controller throws everyone into the default guest role. Isn't the role supposed to be passed to the controller? I have even set up role-mapping on the controller to look at the aruba-CPPM role, but this is not working.

What would the enforcement profile have to do with role-mapping? Also, I am not sure what downloadable roles are...


Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: How do you pass user role from Clearpass to Wireless Controller?

Ah! You are confusing Clearpass roles with the controller roles.

A role in Clearpass is like an internal derivation which then can be used for an action.

Look at Enforcement Profiles; here you create an "action", which is the Aruba-User-Role RADIUS VSA. Add a new enforcement profile and there should be an option for Aruba Role. Then, you can name it to match what's on the controller.

The Clearpass role is used as a condition to send this action. Look at the enforcement policy. All this really is are "IF THEN" statements.

IF the conditions on the left are met, send the action(s) on the right. The actions are enforcement profiles. These conditions are things like the roles you created or any other variables you see listed when you go ahead and create an enforcement policy...

To leverage those roles, the call up for them in the enforcement policy is "TIPS:ROLE EQUALS <value>". TIPS is the call out for Clearpass roles.


Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
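
Added example (not part of any post in this thread, and not Aruba's or ClearPass's own code): a small Python model of the chain described above, from the LDAP wirelessRole code through role mapping and the enforcement policy to the Aruba-User-Role VSA bytes in the Access-Accept, and the controller's role decision. The controller role names `Student`, `Employee`, `Guest`, the default role `guest`, and the fall-back behaviour for a missing or unknown role are assumptions made for illustration.

```python
import struct

ARUBA_VENDOR_ID = 14823      # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1          # Aruba-User-Role vendor attribute type
VENDOR_SPECIFIC = 26         # RADIUS Vendor-Specific attribute (RFC 2865)

# Constructed sample data modelled on the thread (not exported from ClearPass).
ROLE_MAPPING = {"untst": "UNT-Student", "untfs": "UNT-Employee", "untguest": "UNT-Guest"}
# Enforcement policy: IF Tips:Role EQUALS <key> THEN send profile <value>.
ENFORCEMENT_POLICY = {"UNT-Student": "Student", "UNT-Employee": "Employee", "UNT-Guest": "Guest"}
CONTROLLER_ROLES = {"Student", "Employee", "Guest"}   # hypothetical user-role names
CONTROLLER_DEFAULT_ROLE = "guest"                      # hypothetical default role
# Assumption: an absent or unknown role leaves the client in the default role.


def encode_aruba_user_role(role):
    """Build the Vendor-Specific attribute carrying Aruba-User-Role."""
    value = role.encode("ascii")
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ARUBA_VENDOR_ID) + sub


def decode_aruba_user_role(attrs):
    """Walk Access-Accept attributes; return the Aruba-User-Role or None."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE and 2 <= vlen <= len(body) - 4:
                return body[6:4 + vlen].decode("ascii")
        i += alen
    return None


def clearpass_accept(wireless_role):
    """Role mapping, then enforcement policy, then the profile's attributes."""
    tips_role = ROLE_MAPPING.get(wireless_role)
    controller_role = ENFORCEMENT_POLICY.get(tips_role)
    return encode_aruba_user_role(controller_role) if controller_role else b""


def controller_role_for(attrs):
    """Controller side: apply the sent role only if it exists locally."""
    role = decode_aruba_user_role(attrs)
    return role if role in CONTROLLER_ROLES else CONTROLLER_DEFAULT_ROLE
```

Running `controller_role_for(b"")` reproduces the symptom from the original question: a ClearPass role with no enforcement profile attached sends no VSA, so the client stays in the default role.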
Contributor I
Posts: 24
Registered: ‎06-21-2012

Re: How do you pass user role from Clearpass to Wireless Controller?

So using the enforcement profile works. Thanks everyone! Still it seems that there should be some way to map the role on the wireless controller end instead of having to have the exact same named role set up. I would like to name the roles something descriptive rather than being forced to use what is passed from Clearpass. If anyone has any nifty ideas I'd be interested...

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: How do you pass user role from Clearpass to Wireless Controller?

Well, depending on your Aruba code, Clearpass does support creating the roles and values FOR THE CONTROLLER and you can then "push" this config through policy to the Aruba controller. There are examples on our support site and user guides to assist with this feature.

The reason why you need to create the roles on Clearpass (and it may seem redundant) is that Clearpass ITSELF is role based with policy similar to our controller BUT Clearpass is also vendor agnostic so that you can bring role-based access to other vendors' equipment that may not allow you to be as policy driven as the Aruba ecosystem.


Hope this makes sense.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor I
Posts: 24
Registered: ‎06-21-2012

Re: How do you pass user role from Clearpass to Wireless Controller?

The problem I have is that I am having to deal with codes that are used in the wirelessRole attribute in our directory services that are passed to me (this is an old system with many different codes that have been used over time that map to only a few actual roles for my purposes). I have set up role mapping on ClearPass to deal with these, but since that has nothing to do with what is passed to the controller it was pretty much wasted time at this point. The only way I have figured out to make it work so far is by creating an enforcement profile that uses the value for the wirelessRole attribute that is passed (I don't think there is any way to map it at this point in the system). It would be nice to be able to key off of this value when it is passed to the wireless controller and map it to a meaningful value like "Employee" or "Student".

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: How do you pass user role from Clearpass to Wireless Controller?

So it sounds like you figured out how to configure an enforcement profile that contains a controller role, is that right? Is it working for you?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.