Implementing wired captive portal on Aruba OS Switches without any manual role configuration on the Switch.
We can achieve that by the use of Downloadable roles from ClearPass.
The CPPM version for this needs to be atleast 6.6 or greater and the Switch version needs to be greater than 16.04. This has been tested and found to be working in WC.16.05.0004 on a 2930F. The same configuration should work with other models as well like the 3810,5400 Series.
The configuration covered in this article is specific to Captive portal with Downloadable Roles.
All the configuration needed to implement Generic Downloadable Roles is covered in detail in the document, ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01, from this link from page numbers 15-46. The same document is also attached to this article.
Once you follow the document and you are done with the configuration, please verify that all the points mentioned below are done
- Configuring the Radius server as CPPM on the Switch
- Configuring the ports for the desired authentication(MAC or Dot1x or both)
- Configuring the Trust Anchor Profile on the Switch with the ClearPass HTTPS signing certificate
- Configuring the username/password for the Switch to download the role from CPPM using HTTPS
- Enabling User Roles and User Role download on the Switch
To implement captive portal with Downloadable Roles the configuration on the ClearPass is what would change. You need to do the following configuration on the ClearPass
You need to create a new enforcement profile on the ClearPass of type "Aruba Downloadable Role Enforcement" with the Role Configuration mode as advanced
Once the advanced mode is selected you would see an attributes tab and the attribute we would use is Radius:Hewlett-Packard-Enterprise, HPE-CPPM-Role (27) and the complete role configuration needs to go into that attribute as shown below
The sample role configuration for Captive portal with DUR(Downloadable User Roles) is shown below
class ipv4 DNS
match udp any any eq 53
class ipv4 DHCP
match udp any any eq 67
class ipv4 CLEARPASS-WEB
match tcp any host 10.17.164.149 eq 80
match tcp any host 10.17.164.149 eq 443
class ipv4 WEB-TRAFFIC
match tcp any any eq 80
match tcp any any eq 443
aaa authentication captive-portal profile use-radius-vsa url https://10.17.164.149/guest/switchcp.php
policy user CLEARPASS-REDIRECT
class ipv4 DNS action permit
class ipv4 DHCP action permit
class ipv4 CLEARPASS-WEB action permit
class ipv4 WEB-TRAFFIC action redirect captive-portal
aaa authorization user-role name CP-Initial
Also find the export of the enforcement profile that contains this DUR attached to this article, the password for which is "aruba123".
The "aaa authentication captive-portal profile use-radius-vsa url" is the Captive portal URL, 10.17.164.149 is the ClearPass server in the above configuration.
Once you configure this enforcement profile, please make sure that you are returning this enforcement profile for all users who are supposed to be redirected to Captive portal.
Once the user connects we can see that ClearPass is returning the DUR as expected
In the switch if we enable debugging for security user-profile-mib by running this command "debug security user-profile-mib" and choosing the "debug destination <session|buffer> we can see the following messages
0000:01:27:42.61 UMIB mdcaCtrl: Sending message to authentication task for
client with request-id 36
0000:01:27:42.61 UMIB mdcaCtrl:Removing DUR Client with request-id 36 for
downloadable user role CP_Role_DUR-3147-4 from waiting queue as the role is
0000:01:27:42.61 UMIB mcppmTask:Copying downloaded userRole CP_Role_DUR-3147-4
to RamFs is success
0000:01:27:42.58 UMIB mcppmTask:Parsing of downloaded userRole
CP_Role_DUR-3147-4 is success
0000:01:27:42.58 UMIB mcppmTask:Download of userRole CP_Role_DUR-3147-4 is
You can check the URL and the full contents of the role that was returned by using the command "show port-access clients detailed" which should look like below
Aruba-2930F-24G-PoEP-4SFP# show port-access clients detailed
Port Access Client Status Detail
Client Base Details :
Port : 21 Authentication Type : mac-based
Client Status : authenticated Session Time : 426 seconds
Client Name : 204747cb84a6 Session Timeout : 0 seconds
MAC Address : 204747-cb84a6
IP : 10.1.20.5
Downloaded user roles are preceded by *
User Role Information
Name : *CP_Role_DUR-3147-4
Type : downloaded
Reauthentication Period (seconds) : 0
Untagged VLAN : 20
Tagged VLANs :
Captive Portal Profile : use-radius-vsa_CP_Role_DUR-3147-4
URL : https://10.17.164.149/guest/switchcp.php
Policy : CLEARPASS-REDIRECT_CP_Role_DUR-3147-4
Statements for policy "CLEARPASS-REDIRECT_CP_Role_DUR-3147-4"
policy user "CLEARPASS-REDIRECT_CP_Role_DUR-3147-4"
10 class ipv4 "DNS_CP_Role_DUR-3147-4" action permit
20 class ipv4 "DHCP_CP_Role_DUR-3147-4" action permit
30 class ipv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4" action permit
40 class ipv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4" action redirect captive-portal
Statements for class IPv4 "DNS_CP_Role_DUR-3147-4"
class ipv4 "DNS_CP_Role_DUR-3147-4"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
Statements for class IPv4 "DHCP_CP_Role_DUR-3147-4"
class ipv4 "DHCP_CP_Role_DUR-3147-4"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
Statements for class IPv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4"
class ipv4 "CLEARPASS-WEB_CP_Role_DUR-3147-4"
10 match tcp 0.0.0.0 255.255.255.255 10.17.164.149 0.0.0.0 eq 80
20 match tcp 0.0.0.0 255.255.255.255 10.17.164.149 0.0.0.0 eq 443
Statements for class IPv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4"
class ipv4 "WEB-TRAFFIC_CP_Role_DUR-3147-4"
10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
Tunnelednode Server Redirect : Disabled
Secondary Role Name :