Security

I think I saw a previous thread on a similar subject, but my search ability is failing me.  I have a customer that would like to do the following:

• Client connects to switch port and authentication is performed (802.1x, MAB, etc)
• Based on policy decision by ClearPass, in certain scenarios, client is tunneled to controller (BYOD as example) with UBT2.0 config and reserved VLAN
• When tunneled to controller, client is steered to same VLAN as wireless clients (per campus - and they have over 40 campuses)
• Primary and secondary role are both configured as dynamic (secondary role being dynamic not a hard requirement)

So for instance, if BYOD client at campus XYZ connects to switch port and authenticates via captive portal, client is dropped in tunnel and is placed on named VLAN "XYZ-BYOD" on the controller.

What I would like to do is send a separate enforcement profile to the controller with RADIUS:Aruba Aruba-Named-User-Vlan = "x" where the value of "x" can include a CPPM variable like %{Device:Location}-BYOD.  But the secondary role assignment on the controller is not a RADIUS auth - it's an API call to ClearPass, so RADIUS VSA is not applicable there AFAIK.  Also, within the secondary role, I don't believe I can place a variable like the above inside the role definition, whether in standard, or advanced configuration mode (possible I fat-fingered something there).

One way I can get this to work, for "byod-student" role as an example, is to create 40 copies of the secondary role enforcement profile, one for each campus, with the appropriate VLAN in each.  Then create 40 copies of the primary role enforcement profile, with the corresponding secondary role profile selected.  In the primary role profile, I would limit it to the defined switch device group for that campus.  Now in the enforcement policy, for the rule that handles "byod-student", I would list all 40 enforcement profiles, and only the one pertinent to that device group would take effect.

I have tested this and it works. Downsides is that this is ugly at scale, and it means I now have 40 unique downloadable roles on the controller per actual desired user-role, with the only distinction being the VLAN defined therein.

Hoping someone has a more elegant solution and I'm just missing something pretty simple.  Thanks for any help in advance.

The idea of named VLANs is that they provide abstraction and make your configuration and deployment easier. By including the site name XYZ in the VLAN name XYZ-BYOD, you take away the benefit. If you name the VLAN the same, BYOD would be a good choice, and then at site XYZ configure the VLAN-id with it on the switch, and at another site for the same name a different VLAN, then you have the benefit of using named VLANs as you can return the same role and VLAN, and when tunneled use the same VLAN at the controller (single VLAN architecture). Having roles and VLANs at the same time is a bit redundant and increases complexity.

It's not fully sure if that is possible in your case, but that is how it is intended to be used.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
------------------------------

Original Message:
Sent: Nov 12, 2020 10:18 PM
From: Joel McCotter
Subject: Downloadable secondary role with VLAN steering based on CPPM variable

I think I saw a previous thread on a similar subject, but my search ability is failing me.  I have a customer that would like to do the following:

• Client connects to switch port and authentication is performed (802.1x, MAB, etc)
• Based on policy decision by ClearPass, in certain scenarios, client is tunneled to controller (BYOD as example) with UBT2.0 config and reserved VLAN
• When tunneled to controller, client is steered to same VLAN as wireless clients (per campus - and they have over 40 campuses)
• Primary and secondary role are both configured as dynamic (secondary role being dynamic not a hard requirement)

So for instance, if BYOD client at campus XYZ connects to switch port and authenticates via captive portal, client is dropped in tunnel and is placed on named VLAN "XYZ-BYOD" on the controller.

What I would like to do is send a separate enforcement profile to the controller with RADIUS:Aruba Aruba-Named-User-Vlan = "x" where the value of "x" can include a CPPM variable like %{Device:Location}-BYOD.  But the secondary role assignment on the controller is not a RADIUS auth - it's an API call to ClearPass, so RADIUS VSA is not applicable there AFAIK.  Also, within the secondary role, I don't believe I can place a variable like the above inside the role definition, whether in standard, or advanced configuration mode (possible I fat-fingered something there).

One way I can get this to work, for "byod-student" role as an example, is to create 40 copies of the secondary role enforcement profile, one for each campus, with the appropriate VLAN in each.  Then create 40 copies of the primary role enforcement profile, with the corresponding secondary role profile selected.  In the primary role profile, I would limit it to the defined switch device group for that campus.  Now in the enforcement policy, for the rule that handles "byod-student", I would list all 40 enforcement profiles, and only the one pertinent to that device group would take effect.

I have tested this and it works. Downsides is that this is ugly at scale, and it means I now have 40 unique downloadable roles on the controller per actual desired user-role, with the only distinction being the VLAN defined therein.

Hoping someone has a more elegant solution and I'm just missing something pretty simple.  Thanks for any help in advance.