Captive Portal on ArubaOS Switches with Downloadable Roles using CPPM

By esupport posted Mar 29, 2018 08:00 PM


This article describes how to implement a wired captive portal on ArubaOS switches without any manual role configuration on the switch.

This is achieved by using Downloadable Roles from ClearPass.


The CPPM version for this needs to be at least 6.6, and the switch software version needs to be greater than 16.04. This has been tested and found to be working with WC.16.05.0004 on a 2930F. The same configuration should also work with other models such as the 3810 and 5400 series.


The configuration covered in this article is specific to captive portal with Downloadable Roles.

All the configuration needed to implement generic Downloadable Roles is covered in detail on pages 15-46 of the document ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01. The same document is also attached to this article.


Once you have followed the document and completed the configuration, verify that all of the following are in place:

  • The RADIUS server (CPPM) is configured on the switch
  • The ports are configured for the desired authentication (MAC, 802.1X or both)
  • A Trust Anchor Profile is configured on the switch with the ClearPass HTTPS signing certificate
  • The username/password the switch uses to download the role from CPPM over HTTPS is configured
  • User roles and user role download are enabled on the switch

For captive portal with Downloadable Roles, only the ClearPass side of the configuration changes. Configure the following on ClearPass:

Create a new enforcement profile of type "Aruba Downloadable Role Enforcement" with the Role Configuration mode set to Advanced.

Once Advanced mode is selected, an Attributes tab appears. The attribute to use is Radius:Hewlett-Packard-Enterprise HPE-CPPM-Role (27), and the complete role configuration goes into the value of that attribute, as shown below.


A sample role configuration for captive portal with DUR (Downloadable User Roles) is shown below:

class ipv4 DNS
match udp any any eq 53
class ipv4 DHCP
match udp any any eq 67
class ipv4 CLEARPASS-WEB
match tcp any host <clearpass-ip> eq 80
match tcp any host <clearpass-ip> eq 443
class ipv4 WEB-TRAFFIC
match tcp any any eq 80
match tcp any any eq 443

aaa authentication captive-portal profile use-radius-vsa url <captive-portal-url>

class ipv4 DNS action permit
class ipv4 DHCP action permit
class ipv4 CLEARPASS-WEB action permit
class ipv4 WEB-TRAFFIC action redirect captive-portal

aaa authorization user-role name CP-Initial
captive-portal-profile use-radius-vsa
vlan-id 20


An export of the enforcement profile that contains this DUR is also attached to this article; the password for the export is "aruba123".

On the "aaa authentication captive-portal profile use-radius-vsa url" line, the url argument is the captive portal URL, and the host address in the CLEARPASS-WEB class is the IP address of the ClearPass server in the above configuration.

Once you have configured this enforcement profile, make sure it is returned for all users who are supposed to be redirected to the captive portal.
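As an added example (not part of the original article, and not ClearPass or ArubaOS code), the following Python script parses a DUR role text like the one above and checks the points this captive-portal role depends on: because policy statements are applied top-down, the ClearPass host, DNS and DHCP classes must be permitted before the catch-all web redirect, and the captive-portal url line must be present. The ClearPass address and URL in the embedded sample are placeholder assumptions.

```python
import re
# Constructed sample: the article's captive-portal DUR; the ClearPass address and URL are placeholders.
CP_DUR = """class ipv4 DNS
match udp any any eq 53
class ipv4 DHCP
match udp any any eq 67
class ipv4 CLEARPASS-WEB
match tcp any host 10.0.0.5 eq 80
match tcp any host 10.0.0.5 eq 443
class ipv4 WEB-TRAFFIC
match tcp any any eq 80
match tcp any any eq 443
aaa authentication captive-portal profile use-radius-vsa url https://cppm.example.net/guest/cp.php
class ipv4 DNS action permit
class ipv4 DHCP action permit
class ipv4 CLEARPASS-WEB action permit
class ipv4 WEB-TRAFFIC action redirect captive-portal
aaa authorization user-role name CP-Initial
captive-portal-profile use-radius-vsa
vlan-id 20"""

def parse_dur(text):  # -> (classes: name -> list of match-line tokens, policy: [(class, action)], url)
    classes, policy, url, cur = {}, [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"class ipv4 (\S+)(?: action (\S+).*)?$", line)
        if m and m.group(2):          # policy statement: "class ipv4 NAME action ..."
            policy.append((m.group(1), m.group(2)))
        elif m:                       # class definition header; match lines follow it
            cur, classes[m.group(1)] = m.group(1), []
        elif line.startswith("match ") and cur:
            classes[cur].append(line.split())
        elif line.startswith("aaa authentication captive-portal profile "):
            url = line.split()[-1]    # the captive portal URL clients are redirected to
    return classes, policy, url

def check_captive_portal_dur(text):  # -> list of problems; an empty list means the role is consistent
    classes, policy, url = parse_dur(text)
    problems = [] if url else ["missing 'aaa authentication captive-portal profile use-radius-vsa url' line"]
    redirect = next((i for i, (_, a) in enumerate(policy) if a == "redirect"), len(policy))
    if redirect == len(policy):
        problems.append("no class is redirected to the captive portal")
    # Statements apply top-down: the portal host, DNS and DHCP must be permitted before the redirect.
    for label, pred in (("ClearPass host", lambda t: "host" in t),
                        ("udp/53", lambda t: t[1] == "udp" and t[-1] == "53"),
                        ("udp/67", lambda t: t[1] == "udp" and t[-1] == "67")):
        ok = [i for i, (n, a) in enumerate(policy)
              if a == "permit" and any(pred(t) for t in classes.get(n, []))]
        if not ok or ok[0] > redirect:
            problems.append(f"{label} is not permitted before the redirect")
    return problems
```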

Once the user connects, we can see that ClearPass returns the DUR as expected.


On the switch, if we enable debugging for the security user-profile MIB with the command "debug security user-profile-mib" and choose the debug destination with "debug destination <session|buffer>", we see messages like the following:

0000:01:27:42.61 UMIB mdcaCtrl: Sending message to authentication task for client with request-id 36
0000:01:27:42.61 UMIB mdcaCtrl:Removing DUR Client with request-id 36 for downloadable user role CP_Role_DUR-3147-4 from waiting queue as the role is
0000:01:27:42.61 UMIB mcppmTask:Copying downloaded userRole CP_Role_DUR-3147-4 to RamFs is success
0000:01:27:42.58 UMIB mcppmTask:Parsing of downloaded userRole CP_Role_DUR-3147-4 is success
0000:01:27:42.58 UMIB mcppmTask:Download of userRole CP_Role_DUR-3147-4 is

You can check the URL and the full contents of the role that was returned with the command "show port-access clients detailed"; the output should look like the following:


Aruba-2930F-24G-PoEP-4SFP# show port-access clients detailed

 Port Access Client Status Detail

  Client Base Details :
   Port            : 21                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 426 seconds
   Client Name     : 204747cb84a6          Session Timeout     : 0 seconds
   MAC Address     : 204747-cb84a6
   IP              :
Downloaded user roles are preceded by *

 User Role Information

   Name                              : *CP_Role_DUR-3147-4
   Type                              : downloaded
   Reauthentication Period (seconds) : 0
   Untagged VLAN                     : 20
   Tagged VLANs                      :
   Captive Portal Profile            : use-radius-vsa_CP_Role_DUR-3147-4
     URL                             :
   Policy                            : CLEARPASS-REDIRECT_CP_Role_DUR-3147-4

Statements for policy "CLEARPASS-REDIRECT_CP_Role_DUR-3147-4"
policy user "CLEARPASS-REDIRECT_CP_Role_DUR-3147-4"
     10 class ipv4 "DNS_CP_Role_DUR-3147-4" action permit
     20 class ipv4 "DHCP_CP_Role_DUR-3147-4" action permit
     30 class ipv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4" action permit
     40 class ipv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4" action redirect captive-portal

Statements for class IPv4 "DNS_CP_Role_DUR-3147-4"
class ipv4 "DNS_CP_Role_DUR-3147-4"
     10 match udp eq 53

Statements for class IPv4 "DHCP_CP_Role_DUR-3147-4"
class ipv4 "DHCP_CP_Role_DUR-3147-4"
     10 match udp eq 67

Statements for class IPv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4"
class ipv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4"
     10 match tcp eq 80
     20 match tcp eq 443

Statements for class IPv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4"
class ipv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4"
     10 match tcp eq 80
     20 match tcp eq 443

   Tunnelednode Server Redirect      : Disabled
   Secondary Role Name               :
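Added example (not from the original article or the switch firmware): a Python parser for one client block of the "show port-access clients detailed" output above. It pulls out the role name, whether the role was downloaded (the leading *), the VLAN and the policy statement actions, and flags an authenticated client that is still in a role redirecting web traffic to the portal after a threshold, so clients that never got a post-login role can be spotted. The embedded sample is trimmed from the article's own output; the 300-second threshold is an assumption.

```python
import re

# Constructed sample: one client block trimmed from the article's "show port-access clients
# detailed" output (role and policy names are the article's own).
SHOW_OUTPUT = """  Client Base Details :
   Port            : 21                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 426 seconds
   Client Name     : 204747cb84a6          Session Timeout     : 0 seconds
   MAC Address     : 204747-cb84a6
 User Role Information
   Name                              : *CP_Role_DUR-3147-4
   Type                              : downloaded
   Untagged VLAN                     : 20
   Captive Portal Profile            : use-radius-vsa_CP_Role_DUR-3147-4
   Policy                            : CLEARPASS-REDIRECT_CP_Role_DUR-3147-4
policy user "CLEARPASS-REDIRECT_CP_Role_DUR-3147-4"
     10 class ipv4 "DNS_CP_Role_DUR-3147-4" action permit
     40 class ipv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4" action redirect captive-portal"""

# "Label : value" pairs; the switch prints up to two per line, and a value may be empty.
FIELD = re.compile(r"([A-Za-z][A-Za-z ()]*?)\s*:\s*(\S*)")
STATEMENT = re.compile(r'\s*\d+ class ipv4 "[^"]+" action (.+)$')

def parse_client(text):
    """Flatten one client's label/value pairs and collect the actions of its policy statements."""
    info, statements = {}, []
    for line in text.splitlines():
        m = STATEMENT.match(line)
        if m:
            statements.append(m.group(1).strip())
        else:
            info.update(FIELD.findall(line))
    info["downloaded"] = info.get("Name", "").startswith("*")   # '*' marks a downloaded role
    info["statements"] = statements
    return info

def stuck_in_portal_role(info, max_seconds=300):
    """True for an authenticated client that still holds a role redirecting web traffic to
    the captive portal after max_seconds, i.e. the portal login never led to a new role."""
    redirecting = any(s.startswith("redirect captive-portal") for s in info["statements"])
    seconds = int(info.get("Session Time") or 0)
    return info.get("Client Status") == "authenticated" and redirecting and seconds > max_seconds
```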




1 comment


Apr 04, 2018 01:43 PM

Thank you for this helpful and timely article. You fill in a key missing configuration in the Wired Access documentation: the "authentication profile" line, without which the DUR doesn't work. I did get a wired client redirected but now am unsure how to get their role to change in the wired switch. I think I'm stuck at the circled portion below. My CPPM currently points to my wireless mobility controller which according to the DUR ACL the client cannot access. What should happen after the client gets the receipt from Guest? I really appreciate your write-up on this!