Captive Portal on ArubaOS Switches with Downloadable Roles using CPPM

By esupport posted Mar 29, 2018 08:00 PM

  
Mark as Inappropriate
Requirement:

Implementing wired captive portal on Aruba OS Switches without any manual role configuration on the Switch.



Solution:

We can achieve that by the use of Downloadable roles from ClearPass.



Configuration:

The CPPM version for this needs to be atleast 6.6 or greater and the Switch version needs to be greater than 16.04. This has been tested and found to be working in WC.16.05.0004 on a 2930F. The same configuration should work with other models as well like the 3810,5400 Series.

 

The configuration covered in this article is specific to Captive portal with Downloadable Roles.

All the configuration needed to implement Generic Downloadable Roles is covered in detail in the document, ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01, from this link from page numbers 15-46. The same document is also attached to this article.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=28803

 

Once you follow the document and you are done with the configuration, please verify that all the points mentioned below are done

  • Configuring the Radius server as CPPM on the Switch
  • Configuring the ports for the desired authentication(MAC or Dot1x or both)
  • Configuring the Trust Anchor Profile on the Switch with the ClearPass HTTPS signing certificate
  • Configuring the username/password for the Switch to download the role from CPPM using HTTPS
  • Enabling User Roles and User Role download on the Switch

To implement captive portal with Downloadable Roles the configuration on the ClearPass is what would change. You need to do the following configuration on the ClearPass

You need to create a new enforcement profile on the ClearPass of type "Aruba Downloadable Role Enforcement" with the Role Configuration mode as advanced

Once the advanced mode is selected you would see an attributes tab and the attribute we would use  is Radius:Hewlett-Packard-Enterprise, HPE-CPPM-Role (27) and the complete role configuration needs to go into that attribute as shown below

 

The sample role configuration for Captive portal with DUR(Downloadable User Roles) is shown below

class ipv4 DNS
match udp any any eq 53
exit
class ipv4 DHCP
match udp any any eq 67
exit
class ipv4 CLEARPASS-WEB
match tcp any host 10.17.164.149 eq 80
match tcp any host 10.17.164.149 eq 443
exit
class ipv4 WEB-TRAFFIC
match tcp any any eq 80
match tcp any any eq 443
exit

aaa authentication captive-portal profile use-radius-vsa url https://10.17.164.149/guest/switchcp.php

policy user CLEARPASS-REDIRECT
class ipv4 DNS action permit
class ipv4 DHCP action permit
class ipv4 CLEARPASS-WEB action permit
class ipv4 WEB-TRAFFIC action redirect captive-portal
exit

aaa authorization user-role name CP-Initial
captive-portal-profile use-radius-vsa
policy CLEARPASS-REDIRECT
vlan-id 20
exit

 

Also find the export of the enforcement profile that contains this DUR attached to this article, the password for which is "aruba123".

The "aaa authentication captive-portal profile use-radius-vsa url" is the Captive portal URL, 10.17.164.149 is the ClearPass server in the above configuration.

Once you configure this enforcement profile, please make sure that you are returning this enforcement profile for all users who are supposed to be redirected to Captive portal.

 

 

 

 

 

 

 

 

 

 



Verification

Once the user connects we can see that ClearPass is returning the DUR as expected

 

In the switch if we enable debugging for security user-profile-mib by running this command "debug security user-profile-mib" and choosing the "debug destination <session|buffer>  we can see the following messages 

0000:01:27:42.61 UMIB mdcaCtrl: Sending message to authentication task for
   client with request-id 36
0000:01:27:42.61 UMIB mdcaCtrl:Removing DUR Client with request-id 36 for
   downloadable user role CP_Role_DUR-3147-4 from waiting queue as the role is
   downloaded
0000:01:27:42.61 UMIB mcppmTask:Copying downloaded userRole CP_Role_DUR-3147-4
   to RamFs is success
0000:01:27:42.58 UMIB mcppmTask:Parsing of downloaded userRole
   CP_Role_DUR-3147-4 is success
0000:01:27:42.58 UMIB mcppmTask:Download of userRole CP_Role_DUR-3147-4 is
   success

You can check the URL and the full contents of the role that was returned by using the command "show port-access clients detailed" which should look like below

 

Aruba-2930F-24G-PoEP-4SFP# show port-access clients detailed

 Port Access Client Status Detail

  Client Base Details :
   Port            : 21                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 426 seconds
   Client Name     : 204747cb84a6          Session Timeout     : 0 seconds
   MAC Address     : 204747-cb84a6
   IP              : 10.1.20.5
Downloaded user roles are preceded by *

 User Role Information

   Name                              : *CP_Role_DUR-3147-4
   Type                              : downloaded
   Reauthentication Period (seconds) : 0
   Untagged VLAN                     : 20
   Tagged VLANs                      :
   Captive Portal Profile            : use-radius-vsa_CP_Role_DUR-3147-4
     URL                             : https://10.17.164.149/guest/switchcp.php
   Policy                            : CLEARPASS-REDIRECT_CP_Role_DUR-3147-4

Statements for policy "CLEARPASS-REDIRECT_CP_Role_DUR-3147-4"
policy user "CLEARPASS-REDIRECT_CP_Role_DUR-3147-4"
     10 class ipv4 "DNS_CP_Role_DUR-3147-4" action permit
     20 class ipv4 "DHCP_CP_Role_DUR-3147-4" action permit
     30 class ipv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4" action permit
     40 class ipv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4" action redirect captive-portal
   exit


Statements for class IPv4 "DNS_CP_Role_DUR-3147-4"
class ipv4 "DNS_CP_Role_DUR-3147-4"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
   exit


Statements for class IPv4 "DHCP_CP_Role_DUR-3147-4"
class ipv4 "DHCP_CP_Role_DUR-3147-4"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
   exit


Statements for class IPv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4"
class ipv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4"
     10 match tcp 0.0.0.0 255.255.255.255 10.17.164.149 0.0.0.0 eq 80
     20 match tcp 0.0.0.0 255.255.255.255 10.17.164.149 0.0.0.0 eq 443
   exit


Statements for class IPv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4"
class ipv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4"
     10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
     20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
   exit

   Tunnelednode Server Redirect      : Disabled
   Secondary Role Name               :

 

 

 


Attachments:
CP-Role_DUR_AOS_Switch.zip
ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf
1 comment
3 views

Comments

vtran
Apr 04, 2018 01:43 PM

Thank you for this helpful and timely article. You fill in a key missing configuration in the Wired Access documentation: the "authentication profile" line, without which the the DUR doesn't work. I did get a wired client redirected but now am unsure how to get their role to changed in the wired switch. I think I'm stuck at the circled portion below. My CPPM currently points to my wireless mobility controller which according to the DUR ACL the client cannot access. What should happen after the client gets the receipt from Guest? I really appreciate your write-up on this!