This will probably be fully supported soon. However, I did find a workaround after chasing through logs and testing various combinations.
What it seems is that the controller will use the switch's RADIUS server as the server to download the role from (the RADIUS server is passed along to the controller during the "open tunnel" command).
However, the controller only supports an IP address for the RADIUS server, and thus you will see "serverip=0.0.0.0" in the output of show tunneled-node-mgr tracebuf on the controller.
To make DUR work on the switch you typically would use the FQDN of ClearPass as the RADIUS server so that HTTPS for DUR works (certificate check).
So here comes the catch: the switch uses the FQDN for the RADIUS server to make DUR work, the RADIUS server is passed along to the controller, which only supports an IP, and that in turn fails to download the role from CPPM due to (probably) a cert error, or it simply ignores the RADIUS server passed along from the switch.
So then what does work? Well, using the IP address for CPPM in the switch's RADIUS server definition, which requires the IP of CPPM to be in the SAN part of the CPPM HTTPS certificate.
When this is done, serverip= on the controller is populated with the CPPM server IP, and DUR to the switch, which in turn calls DUR to the controller, works fine.
This is obviously not how things are supposed to work and for sure not a supported method :)
I recall reading in a release note that this should now be fixed, but I don't recall which one at the moment..
------------------------------
Helge Rossvoll
------------------------------
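The workaround above hinges on one question: does the identifier the switch is configured with (FQDN or IP) actually match the Subject Alternative Name of the ClearPass HTTPS certificate? The following check, an added example that is not part of this thread or any Aruba tool, applies the same rule a TLS client applies: an IP identifier only satisfies an "IP Address" SAN entry, a hostname only a "DNS" entry (with a single left-most wildcard label allowed), and the CN is ignored. The certificate dictionaries use the shape Python's `ssl.SSLSocket.getpeercert()` returns; the names, IPs and SAN contents are constructed for illustration, as is the `controller_serverip` helper that models the "IP only, otherwise 0.0.0.0" behaviour reported in the post.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample certificates in the getpeercert() dictionary shape.
# Values are made up; they are not a real ClearPass deployment.
CPPM_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "cppm.example.net"),),),
    "subjectAltName": (
        ("DNS", "cppm.example.net"),
        ("IP Address", "10.10.10.5"),
    ),
}

CPPM_CERT_DNS_ONLY = {
    "subject": ((("commonName", "cppm.example.net"),),),
    "subjectAltName": (("DNS", "cppm.example.net"),),
}


def dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style name match: exact, or a wildcard covering exactly one
    left-most label (never the whole domain, never more than one label)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return (
            len(p_labels) == len(h_labels)
            and len(h_labels) > 2
            and p_labels[1:] == h_labels[1:]
        )
    return False


def radius_server_id_matches_cert(server_id: str, cert: dict) -> bool:
    """True if the RADIUS server identifier configured on the switch is
    covered by the certificate's SAN. IP identifiers must appear as an
    'IP Address' entry; hostnames must appear as a 'DNS' entry."""
    sans: Iterable[Tuple[str, str]] = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server_id)
    except ValueError:
        ip = None
    if ip is not None:
        return any(
            kind == "IP Address" and ipaddress.ip_address(val) == ip
            for kind, val in sans
        )
    return any(kind == "DNS" and dns_matches(val, server_id) for kind, val in sans)


def controller_serverip(server_id: str) -> str:
    """Hypothetical model of the behaviour described in the post: the
    controller keeps an IP literal and shows 0.0.0.0 for anything else."""
    try:
        return str(ipaddress.ip_address(server_id))
    except ValueError:
        return "0.0.0.0"


def dur_chain_check(server_id: str, cert: dict) -> dict:
    """Summarise whether both hops of the DUR chain can reach CPPM over
    HTTPS with the given switch-side RADIUS server identifier."""
    switch_ok = radius_server_id_matches_cert(server_id, cert)
    serverip = controller_serverip(server_id)
    controller_ok = serverip != "0.0.0.0" and radius_server_id_matches_cert(serverip, cert)
    return {
        "switch_tls_ok": switch_ok,
        "controller_serverip": serverip,
        "controller_tls_ok": controller_ok,
    }


if __name__ == "__main__":
    for sid in ("cppm.example.net", "10.10.10.5"):
        for name, cert in (("ip-in-san", CPPM_CERT_WITH_IP_SAN), ("dns-only", CPPM_CERT_DNS_ONLY)):
            print(sid, name, dur_chain_check(sid, cert))
```

Run it and the combinations line up with the post: an FQDN passes the switch-side check but leaves the controller with 0.0.0.0, while an IP identifier only works end to end when the certificate carries that IP in its SAN.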
Original Message:
Sent: Sep 22, 2021 02:44 PM
From: Scott Nyer
Subject: Downloadable User role for controller pushed by DUR via AOS-CX switches
The 6.9.4 release notes mention the new VSA "ARUBA‑UBT‑Gateway‑CPPM-Role" used for the secondary role on the GW, but also state:
ClearPass does not yet support a downloadable primary role along with a downloadable secondary role. As part of these enhancements: (CP‑39005, CP‑39008, CP‑39510, CP‑40475)
Does anyone have any feedback on when that will be available? Currently on CX v10.08 and CPPM v6.10.1 I am unable to use DUR for both the switch's primary role + the gateway's secondary role. I have it working with DUR for the CX role, then LUR for the gateway role. (Note that this does work for AOS-S.)
Thanks
------------------------------
Scott Nyer
Original Message:
Sent: Dec 04, 2020 03:16 PM
From: Alexis La Goutte
Subject: Downloadable User role for controller pushed by DUR via AOS-CX switches
Thanks for the reminder/feedback :)
------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..
ACEP / ACMX #107 / ACDX #1281
Original Message:
Sent: Dec 03, 2020 08:19 AM
From: Helge Rossvoll
Subject: Downloadable User role for controller pushed by DUR via AOS-CX switches
Finally in CPPM 6.9.4 and AOS-CX 10.06.0010 this is now supported.
Yet to be tested, but the latest release notes sure look promising.
------------------------------
Helge Rossvoll
Original Message:
Sent: Feb 01, 2020 03:27 AM
From: Helge Rossvoll
Subject: Downloadable User role for controller pushed by DUR via AOS-CX switches
Working with a design for a setup which includes MM, MC, CPPM along with 6300 AOS-CX switches.
I don't have a 6300 to test with yet, but I'd like to prepare as much as I can.
I've been digging a bit, but have not found any definitive answer yet on how you would do DURs for AOS-CX with a dynamic secondary user role for UBT.
What I normally do when, for example, 2930s are deployed: I use the Aruba Downloadable Role Enforcement and create the DUR for the controller (Product: Mobility Controller), which contains at least a VLAN and an ACL.
Then I create another DUR for the switch (Product: ArubaOS-Switch), which is pretty much empty except for setting the Secondary Role Type to Dynamic and choosing the above Controller Downloadable Role.
So then comes the question: how do you go about doing the same with an AOS-CX switch?
I read somewhere that in future CPPM releases AOS-CX will pop up in the "Product" list when creating the enforcement profile, so I take it that means I can't use the ArubaOS-Switch one.
Could this be pushed via Aruba-CPPM-Role to the AOS-CX switch? If so, any thoughts on how it should look?