Cloud Managed Networks


Downloadable User Roles

  • 1.  Downloadable User Roles

    Posted Aug 06, 2021 10:36 AM
    Has anyone here got this working with IAP clusters?

    Following the instructions here https://help.central.arubanetworks.com/latest/documentation/online_help/content/access-points/cfg/networks/downloadable_roles.htm

    When I enable DUR in the Access portion of the WLAN setup, it just sets itself back to 'Unrestricted' for Access, unless I configure role assignment rules. Shouldn't this work without that?

    The only other part I am not sure about is the certificate communications. We have a public signed certificate for the RADIUS and HTTPS services on ClearPass (2 separate certs). I think I need to get one onto the VC in Central as well?

    I am running
    ClearPass v6.8.9
    AP515/535s 8.6.0.9

    Thanks in advance

    ------------------------------
    Kevin
    ------------------------------


  • 2.  RE: Downloadable User Roles
    Best Answer

    EMPLOYEE
    Posted Aug 09, 2021 06:06 AM
    Check this video. With the change that in newer versions of Instant like 8.6, you can configure all from the WebUI.

    If you return the role names, or DUR, from the ClearPass, you can leave the access to unrestricted, or apply a network policy that blocks most of the traffic in case you don't return a role. It is expected that if you don't do any role-assignment for 'role-based' and don't have a network based policy, that the UI jumps back to unrestricted. The Aruba-User-Role attributes, and the CPPM-User-Role just override whatever is set for the access policy locally on the AP. What you describe sounds like expected and not an issue.

    For 802.1X, you don't need a certificate on the Instant AP.

    For DUR, you need a signed certificate on the ClearPass HTTPS, and you need to configure the ClearPass RADIUS in the IAP based on the hostname, which should match one of the SANs in your HTTPS certificate on ClearPass.

    For Guest operations, like captive portal, you will need a public trusted certificate on the IAP to prevent certificate warnings for your guests. If your AP is in Central, you can assign the 'aruba_default' certificate, which will push a trusted certificate from Central, or you can upload your own to Central and deploy that.
    If you don't use the captive portal, no certificate is needed on the IAP.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
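
An added example (not part of the original thread, and not Aruba or ClearPass tooling): a Python check that the name entered for the ClearPass server on the IAP is covered by a SAN of the ClearPass HTTPS certificate, as the answer above requires. The `example.com` names, the sample SAN list and the helper names are constructed; accepting wildcard SANs is an assumption, since the thread does not say whether the AP honours them.

```python
import ipaddress
import socket
import ssl

# Constructed sample, in the (type, value) form ssl.getpeercert() returns.
SAMPLE_SANS = [("DNS", "cppm.example.com"), ("DNS", "*.corp.example.com"),
               ("IP Address", "192.0.2.10")]

def fetch_sans(host, port=443, cafile=None, timeout=5.0):
    """Fetch subjectAltName entries from a live HTTPS listener (chain is validated)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name comparison is done in san_match()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))

def _as_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def san_match(configured, sans):
    """Return the SAN entry covering the configured server name, or None."""
    name = configured.strip().rstrip(".").lower()
    ip = _as_ip(name)
    if ip is not None:
        # An IP-configured server only matches an iPAddress SAN, never a DNS one.
        return next(((k, v) for k, v in sans
                     if k == "IP Address" and _as_ip(v) == ip), None)
    labels = name.split(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.rstrip(".").lower().split(".")
        exact = pattern == labels
        # Assumption: a wildcard counts only as the entire left-most label.
        wild = (pattern[0] == "*" and len(pattern) > 2
                and len(pattern) == len(labels) and pattern[1:] == labels[1:])
        if exact or wild:
            return (kind, value)
    return None

if __name__ == "__main__":
    for candidate in ("cppm.example.com", "192.0.2.20", "cppm"):
        print(candidate, "->", san_match(candidate, SAMPLE_SANS))
```

Against a live server, pass the output of `fetch_sans()` as the second argument; a `None` result means the name configured on the IAP is not in the certificate's SAN list.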



  • 3.  RE: Downloadable User Roles

    Posted Aug 12, 2021 08:32 AM
    Sorry it took a few days here, I was just able to test this yesterday and it is working, although I think I need to do some configuration tweaks to get it working the way I want it to.

    Thank you!

    ------------------------------
    Kevin
    ------------------------------