
User authorization on AOS-switches: default or role-based approach?

  • 1.  User authorization on AOS-switches: default or role-based approach?

    Posted Apr 26, 2019 04:56 PM

    Hi community,

     

    When authenticating users on AOS-switches there are two approaches:

    1. Default: the RADIUS server such as ClearPass has settings such as VLAN assignments and ACLs configured on it as RADIUS standard attributes or vendor-specific VSAs. When a user successfully authenticates, ClearPass sends these attributes in the Access-Accept message to the switch, and the switch then applies them.
    2. Role-based authorization: the RADIUS server can simply send the switch the name of the user's role in the Access-Accept message. The role name matches a role configured on the switch, and this role defines settings such as VLAN assignment, ACL, rate limit, and QoS priority, which the switch then applies to the user session.

    If I am not going to use per-user tunneled-node, which requires the switch to use role-based authorization, which approach should I use? Which one is better? What are the upsides and downsides of each one?

     

    Regards,

    Julián



  • 2.  RE: User authorization on AOS-switches: default or role-based approach?
    Best Answer

    Posted Apr 26, 2019 05:32 PM

    Role-based is almost always recommended; you do not need to do user-based tunneling to use user roles. We've added many attributes to user roles as well in ArubaOS-Switch 16.08. It's much easier to pass a user role back than multiple VSAs.

     

    User roles can contain:

    QoS/ACL policy
    Rate limits
    PoE settings
    Port-mode (for APs)
    VLAN assignment
    Reauth timers


    However, either way will work.

     

    Link to User role section in the Access Security Guide.

    http://h22208.www2.hpe.com/eginfolib/Aruba/16.08/5200-5488/index.html#Local_User_Roles.html

     

    Justin
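
    As an added illustration of the role-based approach (this is not part of the original reply, and the names EMPLOYEE, EMPLOYEE-POLICY, the class names, VLAN 100 and the 20 Mbit/s figure are made up for the example), here is what a local user role on an ArubaOS-Switch looks like when it bundles the VLAN, QoS/ACL policy, rate limit and reauthentication timer listed above, followed by the single attribute ClearPass has to return to select it. The command syntax follows the user-role section of the Access Security Guide linked above; check the exact subcommand names and policy action combinations against your firmware version before relying on them.

```text
! --- ArubaOS-Switch side: the role is configured once per switch ---
! Traffic classes the role's policy refers to (example classes, not from the page)
class ipv4 "DNS-DHCP"
   10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
   20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
   exit
class ipv4 "ANY"
   10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

! User policy: permit DNS/DHCP, rate-limit everything else to 20 Mbit/s.
! This is the "QoS/ACL policy" and "rate limit" part of the role.
policy user "EMPLOYEE-POLICY"
   10 class ipv4 "DNS-DHCP" action permit
   20 class ipv4 "ANY" action rate-limit kbps 20000
   exit

! The role itself: VLAN, policy and reauth period held in one object
aaa authorization user-role name "EMPLOYEE"
   vlan-id 100
   policy "EMPLOYEE-POLICY"
   reauth-period 3600
   exit

! The switch only applies a returned role name once this is enabled
aaa authorization user-role enable

! --- ClearPass side: everything the Access-Accept has to carry for this role ---
! RADIUS enforcement profile, Radius:Hewlett-Packard-Enterprise dictionary
! (attribute name as assumed here; confirm it in your ClearPass dictionary):
!   HPE-User-Role = EMPLOYEE
!
! With the default approach the same outcome needs several attributes instead, e.g.
!   Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 100
! plus vendor-specific attributes for each ACL entry and the rate limit, all of
! which then live on ClearPass rather than in one role on the switch.
```

    The security-relevant difference is where the policy is defined and reviewed: with a local role, anyone auditing the switch's running-config sees exactly what a given role name grants, and a mistyped or unknown role name in the Access-Accept results in the user not getting that role rather than a partially applied set of attributes.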



  • 3.  RE: User authorization on AOS-switches: default or role-based approach?

    Posted Apr 26, 2019 07:19 PM
    Validated designs and testing on the policy side are only done using user roles.


  • 4.  RE: User authorization on AOS-switches: default or role-based approach?

    Posted Apr 29, 2019 09:46 AM
    Hi,

    And I guess it's simpler to use DUR configured once and centralized on CPPM than configure the same roles distributed on every switch... Am I right?

    Regards,
    Julián