Wired Intelligent Edge


Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.

Downloadable User role for controller pushed by DUR via AOS-CX switches

  • 1.  Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 01, 2020 03:27 AM

    Working with a design for a setup which includes MM, MC, CPPM along with 6300 AOS-CX switches.

    I don't have a 6300 to test with yet, but I'd like to prepare as much as I can.

    I've been digging a bit, but not found any definitive answer yet to how you would do DURs for AOS-CX with dynamic secondary user role for UBT.


    What I normally do when, for example, 2930s are deployed is use the Aruba Downloadable Role Enforcement and create the DUR for the controller (product: Mobility Controller), which contains at least a VLAN and an ACL.

    Then I create another DUR for the switch (Product: ArubaOS-Switch) which is pretty much empty except for setting the Secondary Role Type to Dynamic and choosing the above Controller Downloadable Role.

    So then comes the question, how do you go about doing the same with an AOS-CX switch?

    I read somewhere that in future CPPM releases AOS-CX will pop up in the "Product" list when creating the enforcement profile, so I take it that means I can't use the ArubaOS-Switch one.

    Could this be pushed via Aruba-CPPM-Role to the AOS-CX switch? If so, any thoughts on how it should look?



  • 2.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 04, 2020 05:45 AM

    ArubaOS-switches use HPE RADIUS Attributes, ArubaOS-CX switches use ARUBA RADIUS Attributes instead. So for downloadable user roles with ArubaOS-CX switches and CPPM 6.8 you currently need to select in the "Aruba Downloadable Role Enforcement" the "Role Configuration Mode" = "Advanced" and as "Product" = "Mobility Access Switch". Here you can configure the Aruba-CPPM-Role RADIUS Attribute required for ArubaOS-CX switches, see screenshot.



  • 3.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 04, 2020 06:03 AM

    After I posted this I had a dialog with TAC, which mentioned that I could just do it the same way as I have done previously (on 2930Ms, for example).

    That is, use the ArubaOS-Switch DUR enforcement profile, then below "role configuration" choose "Secondary Role Type: Dynamic", then "Controller Downloadable Role:" and choose the controller enforcement profile.

    It didn't sound right since I already knew, as you also mention, that AOS-CX uses the Aruba attributes while the 2930, for example, uses HPE.

    Based on your screenshot, how would you do DUR for the role the end user gets on the controller?

    The whole idea here being DUR for both the switch and controller. No predefined roles on the switch or the controller.




  • 4.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 04, 2020 07:21 AM

    The secondary role (user role on the controller) is either already statically configured on the controller, or the controller can dynamically request the role (and the content of the role) from ClearPass. So you may ask how the controller knows what role to apply for a specific DUR user. This is communicated through the control protocol between switch and controller at the moment the user successfully authenticates on the switch. The configuration on the controller/ClearPass side is done as it has always been for Controller DUR, see https://community.arubanetworks.com/t5/Controller-Based-WLANs/Downloading-an-undefined-role-from-ClearPass-to-Controller/ta-p/243661



  • 5.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 04, 2020 07:28 AM

    You may also have a look here where it is shown in detail: 


    Aruba User Based Tunneling with Dynamic User Roles
    https://www.youtube.com/watch?v=UjTwOAq0QmM


    or here on page 29 ff:
    Technical Whitepaper:  User Roles and User-Based Tunneling
    https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/4032/2/ArubaOS-Switch%20User-Based%20Tunneling%20Technical%20Whitepaper.pdf




  • 6.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 04, 2020 07:43 AM

    I might not have expressed my issue/question properly, sorry for that.

    This part is all OK, and doing so is easily achieved with ArubaOS switches like 2930Ms, for example.

    Attached is an example of how this could be done with an ArubaOS switch.

    From the guide that you also mention:
    "
    Creating a Controller Downloadable User Role
    This feature allows the secondary role on the controller, which will be used by the tunneled clients, to be downloaded to the controller from ClearPass. This effectively eliminates the need to configure the secondary role on potentially multiple controller clusters in a large campus network. Now, the secondary role can be configured in ClearPass, downloaded to the Mobility Controller, and the switch notified via a new VSA “HPE-CPPM-Secondary-Role”.
    "

    The VSA HPE-CPPM-Secondary-Role is essentially what I do in the attached Pic1+Pic2.
    So then comes the question I've been wondering about: how would the switch-side role look when we want to achieve the same thing, just on an AOS-CX switch?



  • 7.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 05, 2020 10:48 AM

    On ArubaOS-Switches you have the possibility to assign the secondary (controller) role in two ways via RADIUS:

    1. Using a separate RADIUS attribute like you mentioned with "HPE-CPPM-Secondary-Role"
    2. Providing the secondary (controller) role inside the primary (switch) role definition.

    On ArubaOS-CX switches option 1 would use the "Aruba-UBT-Gateway-Role" RADIUS attribute (Aruba Vendor ID 14823, Attribute Type 53).
    Nevertheless, option 2 is from my point of view much easier than option 1. So in the original picture I posted you see the primary role (“iot-s”) which also includes the secondary role (“iot”). This secondary (controller) role is called the gateway role on ArubaOS-CX. So there is no need for a separate RADIUS attribute for the secondary role, as the secondary (controller/gateway) role name is included in the primary role.
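The attribute encoding behind option 1 above, as an added example that is not from this thread or from Aruba: a small Python encoder and parser for the RFC 2865 Vendor-Specific attribute that carries Aruba sub-attributes such as Aruba-UBT-Gateway-Role (vendor ID 14823 and type 53 are taken from the post). It is written generally enough for any Aruba string sub-attribute; the sample Access-Accept attribute bytes are constructed, and the parser rejects malformed lengths instead of trusting them.

```python
import struct
from typing import Dict, List, Optional, Tuple

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823      # Aruba vendor ID, as given in the post above
ARUBA_UBT_GATEWAY_ROLE = 53  # Aruba-UBT-Gateway-Role vendor type, as given in the post above


def encode_aruba_vsa(vendor_type: int, value: str) -> bytes:
    """One VSA: Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length Value."""
    data = value.encode("utf-8")
    # Whole attribute is capped at 255 bytes: 2 header + 4 vendor id + 2 sub-header + value.
    if not 1 <= len(data) <= 247:
        raise ValueError("VSA string value must be 1..247 bytes")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    payload = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length out of range")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def aruba_sub_attributes(blob: bytes) -> Dict[int, str]:
    """Return {vendor_type: string} for every Aruba sub-attribute in the list."""
    found: Dict[int, str] = {}
    for atype, val in decode_attributes(blob):
        if atype != RADIUS_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != ARUBA_VENDOR_ID:
            continue  # another vendor's VSA, e.g. the HPE attributes AOS-S uses
        j = 4
        while j < len(val):
            if len(val) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = val[j], val[j + 1]
            if vlen < 2 or j + vlen > len(val):
                raise ValueError("vendor sub-attribute length out of range")
            found[vtype] = val[j + 2:j + vlen].decode("utf-8")
            j += vlen
    return found


def gateway_role_from_accept(blob: bytes) -> Optional[str]:
    """Secondary (gateway) role name the switch would take from an Access-Accept."""
    return aruba_sub_attributes(blob).get(ARUBA_UBT_GATEWAY_ROLE)


# Constructed sample Access-Accept attribute list (not a capture): a Reply-Message
# (type 18, "hello") followed by the Aruba VSA naming gateway role "iot".
SAMPLE_ACCEPT_ATTRS = bytes([18, 7]) + b"hello" + encode_aruba_vsa(ARUBA_UBT_GATEWAY_ROLE, "iot")
```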



  • 8.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 05, 2020 11:37 AM

    OK, this is something I might not have known before either.

    Referring to the picture you posted: the role "iot", if that's not defined at the controller, will the controller by default then assume it should download the role content from ClearPass (as long as you have defined ClearPass credentials)?

    Then in turn create a profile named iot with content as shown in my Pic3?

    EDIT: upon further investigation this doesn't seem to be the case. If the secondary (controller) role is not predefined on the controller, the user will end up with an invalid role error and be placed in the initial role for the default-tunneled-user AAA profile.



  • 9.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 20, 2020 02:48 AM

    Finally got it confirmed. This is simply not supported in AOS-CX switches at the current time.

    The feature to call for a dynamic secondary user role, or in other words to let the mobility controller know that the role for the user needs to be downloaded, is a feature that's possibly coming in AOS-CX 10.5.



  • 10.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 20, 2020 09:10 AM

    Check my previous question: https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/ArubaOS-CX-dynamic-segmentation/td-p/636649

    There's an example for configuring UBT with the 6300.

    I have tested this with a 6300F and the switch downloaded the role from CPPM and created the tunnel to the controller.



  • 11.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 20, 2020 09:14 AM

    Thanks, got the hang of things with static roles for the controller side, same as your example

    port-access role ubt-role-1
    gateway-zone zone testilabra gateway-role userrole

    Now just waiting for the AOS-CX release which includes support for DUR for the gateway-role



  • 12.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 20, 2020 09:17 AM

    With DUR do you mean that the controller would download the role from CPPM so you wouldn't have to configure it on the controller beforehand?

    What is your use case for this? I'm wondering for our case, as we're planning on using 6300Fs with UBT. As we have one controller pair to terminate the switches, I've just configured the roles and policies beforehand on the controllers.



  • 13.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 20, 2020 09:25 AM

    Well, the main thing being a single place for role definitions, being CPPM.

    So downloadable roles for the switch, the controller as well as wireless clients.

    If you want to update any role definitions, it's all in one place regardless of what type of client we're talking about.

    It's my preferred method, so I got a bit surprised when I discovered this feature is not yet available for the AOS-CX platform (it works perfectly fine on AOS switches).



  • 14.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 20, 2020 02:43 PM

    It is already available, but there is no GUI for it yet on ClearPass...



  • 15.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 20, 2020 02:50 PM

    It was confirmed by Aruba yesterday afternoon: this feature, telling the controller to download <rolename> as part of the information sent from the switch to the controller, is not available in the current version of AOS-CX. For now, only statically defined roles on the controller are supported.

    However, it will be in the next release or the one after.



  • 16.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 21, 2020 01:11 PM

    If you know the "hidden" name of the DUR, it will work. By hidden name I mean the name ClearPass internally uses for the downloadable role: ROLENAME-<id>-<version>.

    As an example, the following will not work:

    port-access role ubt-role-1
    gateway-zone zone testilabra gateway-role userrole

    But if you know the values, the following does work:

    port-access role ubt-role-1
    gateway-zone zone testilabra gateway-role userrole-3060-4

    You can find the <id> by looking at the URL when editing the enforcement profile under ClearPass, but I didn't find a way to get the <version> part other than applying the role to a 2930F and getting the name.



  • 17.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Feb 25, 2020 07:42 AM

    Even though I was able to set the roles, and the tunnels go up, the mobility controller is not showing the client inside the user-table (both with DUR or static role).

    After some minutes, the client also vanishes on the CX switch.



  • 18.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Mar 10, 2020 08:25 AM

    Correct, because AOS-CX doesn't support this as of yet.
    The mobility controller doesn't know of the role userrole-3060-4 (or userrole for that matter), which in turn makes it fail.
    The tunnel will come up because you define a gateway-role, however since the controller doesn't have the rolename it then fails.

    My guess is that when Aruba adds support for this you will find an attribute called something like "secondary-gateway-role" which will tell the controller to download the role from CPPM.

    port-access role ubt-role-1
    gateway-zone zone testilabra secondary-gateway-role mc-employee-role

    With CPPM credentials setup on the controller it will then ask CPPM to provide the role mc-employee-role.
    Having my hopes up for this feature in 10.05



  • 19.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Jul 27, 2020 07:40 PM

    We are trying to configure UBT with the 6300 switch with downloadable secondary roles, but it does not work. Reading the comments I see that downloadable secondary roles are not compatible with ArubaOS-CX until possibly version 10.05, which is already listed, but the release notes do not mention any fix or that this functionality has been added.

    We are confused as to whether this is possible or not, since some comments say that it is possible (we have not been able to; it only works with local roles in the controller). Has anyone already managed to configure this? (Downloadable secondary roles with ArubaOS-CX.)



  • 20.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Dec 03, 2020 08:19 AM
    Finally in CPPM 6.9.4 and AOS-CX 10.06.0010 this is now supported.
    Yet to be tested, but latest release notes sure looks promising

    ------------------------------
    Helge Rossvoll
    ------------------------------



  • 21.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Dec 04, 2020 03:16 PM
    Thanks for the reminder/feedback :)

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 22.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Sep 22, 2021 02:45 PM
    The 6.9.4 release notes mention the new VSA "ARUBA-UBT-Gateway-CPPM-Role" used for the secondary role on the GW, but also state:

    ClearPass does not yet support a downloadable primary role along with a downloadable secondary role. As part of these enhancements: (CP-39005, CP-39008, CP-39510, CP-40475)

    Does anyone have any feedback on when that will be available? Currently on CX v10.08 and CPPM v6.10.1 I am unable to use DUR for both the switch's primary role + the gateway's secondary role. I have it working with DUR for the CX role, then LUR for the gateway role. (Note that this does work for AOS-S.)

    Thanks


    ------------------------------
    Scott Nyer
    ------------------------------



  • 23.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Sep 23, 2021 08:49 AM
    Please reach out to your local ClearPass SE. Roadmap items cannot be discussed on a public forum.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 24.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted Sep 23, 2021 03:23 PM
    This will probably be fully supported soon. However, I did find a workaround after chasing through logs and testing various combinations.
    What it seems is that the controller will use the switch's RADIUS server as the server to download the role from (the RADIUS server is passed along to the controller during the "open tunnel" command).
    However, the controller only supports an IP address for the RADIUS server, and thus you will see "serverip=0.0.0.0" during show tunneled-node-mgr tracebuf on the controller.
    To make DUR work on the switch you typically would use the FQDN of ClearPass as the RADIUS server to make HTTPS for DUR work (certificate check).

    So here comes the catch: the switch uses the FQDN for the RADIUS server to make DUR work, the RADIUS server is passed along to the controller which only supports an IP, which then in turn fails to download the role from CPPM, due to (probably) a cert error or simply ignoring the RADIUS server passed along from the switch.

    So then what does work? Well, using the IP address for CPPM in the switch RADIUS server definition, which requires the IP of CPPM to be in the SAN part of the CPPM HTTPS certificate.
    When this is done, serverip= on the controller is populated with the CPPM server IP, and DUR to the switch which in turn calls DUR to the controller works fine.

    This is obviously not how things are supposed to work and for sure not a supported method :)
    I recall reading in a release note that this should now be fixed, but I don't recall which one at the moment.

    ------------------------------
    Helge Rossvoll
    ------------------------------



  • 25.  RE: Downloadable User role for controller pushed by DUR via AOS-CX switches

    Posted 3 days ago
    I can confirm this works now without any workarounds required. CX version 10.8 + CPPM version 6.10.2

    From 6.10.2 Release Notes:
    As part of ArubaOS-CX 10.08 feature integration with ClearPass Policy Manager, some further enhancements are introduced in downloadable user roles (DUR) in support of end-to-end primary and secondary role download using the ArubaOS-CX Switch and the Mobility Controller. On the Configuration > Enforcement > Profiles > Add > Profile tab, if Aruba Downloadable Role Enforcement is selected as the template and AOS-CX is selected as the product: (CP‑41789, CP‑43448)

    - When the Role Configuration Mode is Advanced, support is now added for selecting the Aruba-UBT-Gateway-CPPM-Role attribute on the Attributes tab when Aruba-CPPM-Role is also selected.

    - When the Role Configuration Mode is Standard, support is now added for listing Gateway Downloadable Role user profiles when the Secondary Role Type is set to Dynamic on the Role Configuration tab.

    Note that there was an additional line of config needed on the CX users' interfaces for this to work:

    aaa authentication port-access radius-override enable

    ------------------------------
    Scott Nyer
    ------------------------------