Downloadable User Role configuration in Aruba OS CX with mac-authentication

By esupport posted Apr 29, 2020 04:25 PM

  
Requirement:
Downloadable User Role (DUR) configuration lets the switch download a role definition sent by the RADIUS server and apply that configuration, as a role, to the port of the authenticated client.

The profile applied to the clients may include a dynamic VLAN, ACL or captive portal. These dynamic settings are removed from the port as soon as the client session ends.


Solution:
1. Add the RADIUS server to the switch using its host IP or its FQDN.

2. Enable MAC authentication globally and on the respective ports.

3. Upload the root certificate used by ClearPass to the switch. This root certificate is used during the DUR process, because the switch must trust the root CA that signed the ClearPass certificate.

5. Configure ClearPass with the corresponding services, profiles and policies:
--Aruba Downloadable Role Enforcement
--Role Configuration Mode as Advanced
--Product as Mobility Access Switch

6. Configure the following within the profile that will be applied to the client:
--Attribute Type as Radius:Aruba
--Name as Aruba-CPPM-Role
--Value as (DUR commands)

7. Check the reachability of ClearPass from the switch and connect a client to a port with authentication enabled.


Configuration:
Switch configuration:

radius-server host x.x.x.x key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username prakash clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+
aaa authentication allow-fail-through
aaa group server radius cppm
    server x.x.x.x

aaa authentication port-access dot1x authenticator
    radius server-group ARUBA
aaa authentication port-access mac-auth
    radius server-group cppm
    enable

interface 1/1/15
    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access client-limit 2
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        enable
    aaa authentication port-access mac-auth
        enable

Configuration in ClearPass:

1. Configure the service with the appropriate service condition.

2. Apply the appropriate policy, with suitable conditions, to match the client request to the respective profile.

3. DUR profile configuration.

Verification:
The user role from ClearPass is downloaded to the switch and can be verified with the corresponding show command.

Check that the role has been applied to the respective port.





Comments

Apr 29, 2021 07:37 PM

Still does not work in 10.07 it appears. 

Also, you do not need the ROOT CA imported. Only the Intermediate or issuing authority.

crypto pki ta-profile clearpass

ta-certificate

<paste in Intermediate CA in PEM format>

Once this was completed DURs started working again.

EDIT:

If you use a wildcard certificate for HTTPS services in CPPM, your CN/SAN does not need to match either. It seems to process that properly.

Mar 15, 2021 10:52 AM

*** Resolution of: Certificate SAN/CN doesn't match the peer name 1.1.1.1 ***

  • Install an HTTPS Certificate on your ClearPass. Your CN or your SAN should match with the hostname setup on your Radius switch configuration.

  • Install one of the two certificates ROOT CA/Intermediate CA on the switch too:
crypto pki ta-profile XXXX
import ta-certificate "certificate"
CTRL+D

  • Try to use hostnames instead of IPs in your RADIUS switch configuration (be sure DNS is set up with AAA record and PTR)

Example:

aaa group server radius CPPM-RAD
server cppm1.arulab.ch
server cppm2.arulab.ch

Instead of:
aaa group server radius CPPM-RAD
server x.x.x.x
server y.y.y.y


Enjoy,

It works. (I Hope for you ;) )

__
Ck
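The peer-name check that the comment above resolves, as an added example (not the commenter's code and not part of the original post): a small Python pre-flight that reads the `radius-server host` entries from an AOS-CX config excerpt and reports, for each one, whether the name the switch presents to TLS verification can match the ClearPass certificate's CN/SAN names, including the wildcard case noted in the Apr 29, 2021 comment. The config excerpt, the certificate name list and the placeholder key are constructed; reading the real names out of the PEM would need a TLS library.

```python
import ipaddress
import re

# Constructed AOS-CX config excerpt (not from a live switch); the key is a placeholder.
SWITCH_CONFIG = """\
radius-server host 10.1.1.5 key ciphertext PLACEHOLDER
radius-server host cppm1.arulab.ch key ciphertext PLACEHOLDER
aaa group server radius CPPM-RAD
    server 10.1.1.5
    server cppm1.arulab.ch
"""

# Constructed stand-in for the names in the ClearPass HTTPS certificate (CN plus
# SAN dNSName entries); a real check would read them from the PEM with a TLS library.
CPPM_CERT_NAMES = ["cppm1.arulab.ch", "*.lab.example"]

def radius_hosts(config):
    """Peer names the switch will verify the ClearPass certificate against."""
    return re.findall(r"^radius-server host (\S+)", config, re.M)

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(peer, cert_name):
    """RFC 6125-style match: exact name, or one wildcard covering one label."""
    peer, cert_name = peer.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".lab.example"
        return peer.endswith(suffix) and "." not in peer[: -len(suffix)]
    return peer == cert_name

def check_peer(peer, cert_names):
    """Return 'ok', or the failure message the switch logs for that peer."""
    if is_ip_literal(peer):
        # An IP literal matches only an iPAddress SAN; against DNS names it
        # fails exactly as the comment above describes.
        if peer in cert_names:
            return "ok"
        return f"Certificate SAN/CN doesn't match the peer name {peer}"
    if any(name_matches(peer, n) for n in cert_names):
        return "ok"
    return "Certificate subject name doesn't match the expected peer's hostname."

def preflight(config, cert_names):
    """Map every configured RADIUS host to its expected DUR verification result."""
    return {host: check_peer(host, cert_names) for host in radius_hosts(config)}
```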

Mar 10, 2021 01:51 PM

Thanks for the post!

I have the same issue with this error (tested with 6200F and 6300M on version 10.06):

Type : clearpass
Status: Failed, Server Certificate Invalid

If I understood well:

  • Automatic Certificate Download is not working on AOS-CX, only for AOS?

    In my case I just want to build a lab for demos. Do I need to deploy certificates on ClearPass and switches, or is it possible to use a self-signed certificate?
If a self-signed certificate is accepted, which certificate should be imported to the switches?

Thanks.

Nov 03, 2020 05:36 PM

Hello, after a lot of troubleshooting, we found the fix to this exact issue.

In regards to the Issue: port-accessd[3300]: Event|7709|LOG_WARN|MSTR|1|Certificate cppm.tsclab.com.au rejected due to verification failure (20)

Resolution:
The Common Name of the certificate MUST match the radius-server host DNS entry in the switch.


We originally used the same HTTPS certificate with multiple SANs for all of our appliance names, which no longer works when using UBT with ArubaOS-CX.

In our large deployment, we ended up having to generate individual certificates for each ClearPass appliance with its name as the Common Name, and then used the same SANs to assist us with WebUI management and captive-portal redirections.

Changing the ClearPass hostname and/or FQDN did not change the outcome in our testing.

Hope this helps the next!

-Mat

Oct 01, 2020 04:35 AM

Hi,

I have a TAC running for this issue. When you enable debugging on the switch you get more insight:

To enable debug

debug portaccess role
debug portaccess dot1x all
debug portaccess radius
debug destination buffer

To view debug

show debug buffer

To disable debug

no debug portaccess role
no debug portaccess dot1x all
no debug portaccess radius

In my case debugging shows:

2020-10-01:08:56:14.669600|port-accessd|LOG_ERR|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|Certificate subject name doesn't match the expected peer's hostname.

Oct 01, 2020 04:27 AM

Yeah, I think the auto download only works with AOS, not ACX; not 100% sure on that. But I only upload the root CA to the switch, as I'm not using an intermediate. You will probably need the intermediate and the root CA, or the switch might think it's invalid.

Oct 01, 2020 03:25 AM

Hi

thanks for the feedback.

NTP will not be the problem.

but I believe DNS will be.

I did configure it to use the external DNS, but I have the impression that the switch will not do name resolution. I tested it with a ping to a hostname, but nothing happens.

I will try to use a DNS host list on the switch.

Question about the certificate: I am using release 10.05.00011, so I do have to install the certificate manually?

I just need to install the intermediate CA certificate from ClearPass?

regards

Sep 30, 2020 08:19 PM

Hi dirkve, sorry, I actually sorted out my problem. I had 2 issues. Time was not in sync, which is required for certificate-based stuff, and second, I had to set the radius server on the switch using the DNS name, not the IP, so that it matched the CN/SAN on the certificate.

If you don't have DNS on the switch, set an 'ip dns host' entry so it can resolve the name without DNS.

Sep 30, 2020 11:14 AM

Hi,

I have the same issue as gfirth77.

Does anyone have any ideas?

regards

Sep 23, 2020 03:08 AM

Hi, I have been trying to get this going on a 6300M in my lab with no success. I have uploaded the root CA as the TA profile and set up the downloadable roles in ClearPass. I am getting this error:

port-accessd[3300]: Event|7709|LOG_WARN|MSTR|1|Certificate cppm.tsclab.com.au rejected due to verification failure (20)

And the output of the downloaded role on the switch:

Name : TSCLAB_802_1X_Wired_6300___302-3111-1
Type : clearpass
Status: Failed, Server Certificate Invalid

The downloadable roles work fine on the 2930 series using the same root CA and the same ClearPass server. Unfortunately there is next to no information out there on the Aruba CX platform. Thanks.