Hi!
I just tested a very similar scenario. My goal is to have a switch with all access ports preconfigured and homogeneous, and have the ports be dynamically assigned the config once they see a device connect.
I have made a config where there are 2 dummy VLANs, one is "restricted" and one is "fail". I have assigned them each to a role. I also created a "user" and an "employee" VLAN (which CPPM can assign). Then I had roles for "phone", "camera" and "AP" and gave each of them a separately named VLAN.
The workflow works like this: all ports have a RADIUS MAC authentication port access configuration on them and have been assigned VLAN 1 by default (also a dummy VLAN). When a device connects, it sends a RADIUS request to the CPPM and CPPM answers with a tunnel ID of the VLAN we want to assign, which means that the client is in the MAC repository of CPPM and is a valid PC user; it gets put into the CPPM-specified VLAN and gets access to its VLAN resources. If the user is not a valid user, then CPPM sends back a deny. The port is configured to fall into the "restricted" role and its VLAN if the RADIUS reply is a deny. If RADIUS doesn't respond, then it falls into the "fail" role by default (easier for debugging to see if RADIUS is actually responding).
After this, the profiling is applied. It checks the MAC rules to see if the device is an AP, camera or IP phone, and if the MAC address (or OUI) is specified then it applies that role and the port is reconfigured to the VLAN that is specified in, for example, the phone role.
Example config:
#specify the RADIUS server
radius-server host [ip of CPPM] key plaintext [shared key]
aaa group server radius grp-radius
    server [ip of CPPM]
#specify the vlans
vlan 1
    name default
vlan 20
    name WIFI
vlan 30
    name MGMT
vlan 40
    name restricted
vlan 50
    name fail
vlan 60
    name guest
vlan 70
    name employee
vlan 80
    name user
vlan 90
    name ipphone
vlan 100
    name camera
#specify the mac device profile groups
mac-group aruba_ap
    seq 20 match mac-oui 80:8d:b7
mac-group camera
    seq 20 match mac-oui [camera-oui]
mac-group ipphone
    seq 20 match mac-oui [ipphone]
port-access role fail
    vlan access 50
port-access role restricted
    vlan access 40
port-access role ipphone
    vlan access 90
port-access role camera
    vlan access 100
#using instant AP, so the vlans that the SSIDs use have to be tagged on the IAP port; that is why this role is different
port-access role aruba_ap
    vlan trunk native 20
    vlan trunk allowed 20,60,70
#associate the device profiles with the roles
port-access device-profile aruba_ap
    enable
    associate role aruba_ap
    associate mac-group aruba_ap
port-access device-profile camera
    enable
    associate role camera
    associate mac-group camera
port-access device-profile ipphone
    enable
    associate role ipphone
    associate mac-group ipphone
port-access port-security enable
#define the port security as mac-auth (of course you can use other methods like certificates, but for testing I used MAC)
aaa authentication port-access mac-auth
    radius server-group grp-radius
    enable
#same config on all access interfaces. Here we define the deny and fail vlans to apply if radius fails or denies.
interface 1/1/2
    no shutdown
    vlan access 1
    aaa authentication port-access critical-role fail
    aaa authentication port-access reject-role restricted
    aaa authentication port-access mac-auth
        enable
Of course, if you have a working RADIUS server then it would be easier to just have everything on the RADIUS server and have it send back the AP, phone and camera VLANs too, but there are scenarios where the user management (RADIUS side) and the network and device management (camera, AP, phone) are two different departments and legally they are not working together. For these cases you can use this config to implement two solutions at the same time. When you have the opportunity to use RADIUS for everything, then you should not use this hybrid solution but stick to centralized management. When you don't have a RADIUS server, then you can use device profiling to make your life easier.
Hope this helps.
Br.:
Daniel
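The config above wires VLANs, roles, mac-groups and device-profiles together purely by name, and a typo in any of those names, a VLAN that was never created, or a profile left without "enable" silently leaves a port in the wrong VLAN with no error from the switch. The script below is an added example, not Daniel's tool or anything shipped with AOS-CX: it parses a config in the same shape (only the handful of commands used in the post) and reports every reference that does not resolve. SAMPLE_CONFIG is constructed for this example with three planted defects in the "camera" objects; the OUI 00:11:22 used in the usage note is made up.

```python
"""Referential-integrity lint for an AOS-CX style port-access config (added example)."""
import re

OUI_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){2}$")
# Top-level commands that open a context, and the empty object each context starts with.
TOP = [("vlan", r"vlan (\d+)$"), ("mac-group", r"mac-group (\S+)$"),
       ("role", r"port-access role (\S+)$"),
       ("profile", r"port-access device-profile (\S+)$"), ("interface", r"interface (\S+)$")]
NEW = {"vlan": str, "mac-group": list, "role": set,
       "profile": lambda: {"enabled": False, "role": None, "mac_group": None},
       "interface": lambda: {"vlans": set(), "roles": {}}}

# Constructed sample in the shape of the posted config, with three planted defects:
# role "camera" uses an undefined VLAN, its mac-group still holds a placeholder OUI,
# and its device-profile was never enabled.
SAMPLE_CONFIG = """\
vlan 40
    name restricted
vlan 50
    name fail
mac-group camera
    seq 20 match mac-oui [camera-oui]
port-access role fail
    vlan access 50
port-access role restricted
    vlan access 40
port-access role camera
    vlan access 100
port-access device-profile camera
    associate role camera
    associate mac-group camera
interface 1/1/2
    vlan access 1
    aaa authentication port-access critical-role fail
    aaa authentication port-access reject-role restricted
"""


def parse_config(text):
    """Build {kind: {name: object}} from indented CX-style config text."""
    cfg = {kind: {} for kind, _ in TOP}
    cfg["vlan"][1] = "default"                  # VLAN 1 exists on CX without being declared
    ctx = None                                  # (kind, name) of the currently open context
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if not raw[0].isspace():                # unindented line opens (or leaves) a context
            ctx = None
            for kind, pat in TOP:
                if m := re.match(pat, line):
                    name = int(m[1]) if kind == "vlan" else m[1]
                    cfg[kind].setdefault(name, NEW[kind]())
                    ctx = (kind, name)
            continue
        if ctx is None:
            continue
        kind, name = ctx
        obj = cfg[kind][name]
        if kind == "mac-group" and (m := re.match(r"seq \d+ match mac-oui (\S+)$", line)):
            obj.append(m[1])
        elif kind == "role" and (m := re.match(r"vlan (?:access|trunk native) (\d+)$", line)):
            obj.add(int(m[1]))
        elif kind == "role" and (m := re.match(r"vlan trunk allowed ([\d,]+)$", line)):
            obj.update(int(v) for v in m[1].split(","))   # comma lists only, no ranges
        elif kind == "profile" and line == "enable":
            obj["enabled"] = True
        elif kind == "profile" and (m := re.match(r"associate (role|mac-group) (\S+)$", line)):
            obj[m[1].replace("-", "_")] = m[2]
        elif kind == "interface" and (m := re.match(r"vlan access (\d+)$", line)):
            obj["vlans"].add(int(m[1]))
        elif kind == "interface" and (m := re.match(
                r"aaa authentication port-access (critical|reject)-role (\S+)$", line)):
            obj["roles"][m[1]] = m[2]
    return cfg


def lint(cfg):
    """Return findings; an empty list means every cross-reference resolves."""
    out = []
    for role, vlans in cfg["role"].items():
        out += [f"role {role}: VLAN {v} is not defined" for v in sorted(vlans - set(cfg["vlan"]))]
    for group, ouis in cfg["mac-group"].items():
        out += [f"mac-group {group}: {o!r} is not a well-formed OUI" for o in ouis if not OUI_RE.match(o)]
    for prof, p in cfg["profile"].items():
        if not p["enabled"]:
            out.append(f"device-profile {prof}: not enabled, so it is never applied")
        if p["role"] not in cfg["role"]:
            out.append(f"device-profile {prof}: role {p['role']!r} is not defined")
        if p["mac_group"] not in cfg["mac-group"]:
            out.append(f"device-profile {prof}: mac-group {p['mac_group']!r} is not defined")
    for intf, i in cfg["interface"].items():
        out += [f"interface {intf}: VLAN {v} is not defined" for v in sorted(i["vlans"] - set(cfg["vlan"]))]
        out += [f"interface {intf}: {k}-role {r!r} is not defined"
                for k, r in i["roles"].items() if r not in cfg["role"]]
    return out


if __name__ == "__main__":
    print("\n".join(lint(parse_config(SAMPLE_CONFIG))) or "no findings")
```

Run against the planted sample it reports three lines (undefined VLAN 100, the "[camera-oui]" placeholder, and the profile that is missing "enable"); once those are fixed, for instance by creating VLAN 100, putting a real OUI such as the made-up 00:11:22 in the mac-group and adding "enable" under the profile, it reports nothing. Feeding it the output of "show running-config" works the same way because that output is indented in this style.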
Original Message:
Sent: Aug 16, 2023 07:26 PM
From: ivan.kalcho
Subject: Device Profiles Tutorial for CX switches
Is there a way to use this feature to override the port config for an already pre-configured port? For example, we currently have an AP installed that is bridging traffic and the ports are trunks; we want to auto-update the ports to access once we install the new AP. Or if we already have one type of device on a port and we unplug it and plug in a different one, can it switch the port over? I tested it with one device and it seems like the port configuration has higher priority than the port-access device-profile. I was wondering if there is an additional option to override whatever config is on that port.
Original Message:
Sent: Jul 01, 2020 06:38 AM
From: ariyap
Subject: Device Profiles Tutorial for CX switches
Here is a short technote to demonstrate the "Device profile" feature for CX 6200/6300/6400 switches. Device profile was a popular feature on AOS-S switches like the 2930F/M; the aim of the feature is to automatically discover the key devices that are connected to a switch port using LLDP/CDP and to automatically configure the switch ports they are connected to, without the need for authentication.
This technote will demo the device profile feature for when an Aruba AP is connected, dynamically changing the switch port configuration for
- PoE Priority
- Trunk mode
- Native VLAN
- Allowed VLAN
- QoS Trust boundary
Hope you'll find it useful and as always please send through your feedback for improvements.