Wired Intelligent Edge


AOS-CX Local User Role (LUR) simple steps to Configure!

  • 1.  AOS-CX Local User Role (LUR) simple steps to Configure!

    Posted Jul 18, 2020 09:04 AM

    Good day!

    Prior condition or prerequisite:

    Let's Start


    Step1: Validate that the RADIUS server is configured properly and that the RADIUS server is trackable as expected.


    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net tracking enable vrf mgmt

    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net clearpass-username HELLOUSERNAME clearpass-password plaintext HELLOPASSWD vrf mgmt

    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net key plaintext KEYENTER vrf mgmt

    BLDG02-F1(config)# radius-server tracking interval 60


    BLDG02-F1# sh radius-server detail
    ******* Global RADIUS Configuration *******

    Shared-Secret: None
    Timeout: 5
    Auth-Type: pap
    Retries: 1
    TLS Timeout: 5
    Tracking Time Interval (seconds): 60
    Tracking Retries: 5
    Tracking User-name: radius-tracking-user
    Tracking Password: None
    Number of Servers: 1

    ****** RADIUS Server Information ******
    Server-Name : aoss-cppm.tmelab.net
    Auth-Port : 1812
    Accounting-Port : 1813
    VRF : mgmt
    TLS Enabled : No
    Shared-Secret : AQBapdAz4irjSK61Zg/CFArsNYWKbn1LObqDD/v9SH1eMQ6ABQAAADY26liu
    Timeout (default) : 5
    Retries (default) : 1
    Auth-Type (default) : pap
    Server-Group (default) : radius
    Default-Priority : 1
    Tracking : enabled
    Tracking-Mode : any
    Reachability-Status : reachable
    ClearPass-Username : admin
    ClearPass-Password : AQBapYv/u3/YfG9vYRpFxmOTtsFLIWxuAX442RdG9j11jsZ6CQAAACZ5Y2/BK9FmhQ==


    BLDG02-F1# sh running-config interface mgmt
    interface mgmt
    no shutdown
    ip static


    Note: I am using Aruba ClearPass as the RADIUS server; please find the radius-tracking snapshot below.



    Step2: Let's configure LUR on CX Switch


    BLDG02-F1# sh running-config port-access

    port-access role phone_role
    description lur_mac_auth
    auth-mode client-mode
    client-inactivity timeout 400
    poe-priority critical
    reauth-period 3000


    Step3: Let's enable authentication (mac-auth is enough for this case); let's enable both dot1x and mac-auth.


    BLDG02-F1(config)#aaa authentication port-access mac-auth enable

    BLDG02-F1(config)#  aaa authentication port-access dot1x authenticator enable

    Step4: Let's enable mac-auth on the client-connected interface.


    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1
    BLDG02-F1# sh mac-address-table
    MAC age-time : 300 seconds
    Number of MAC addresses : 6

    MAC Address VLAN Type Port
    2c:41:38:7f:27:05 1 dynamic 1/1/5
    90:20:c2:dc:85:00 195 dynamic 1/1/52
    90:20:c2:dc:85:00 197 dynamic 1/1/52
    90:20:c2:dc:85:00 198 dynamic 1/1/52
    90:20:c2:dc:85:00 199 dynamic 1/1/52
    90:20:c2:dc:85:00 200 dynamic 1/1/52

    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1

    BLDG02-F1# conf t


    BLDG02-F1(config-if)#aaa authentication port-access mac-auth enable

    BLDG02-F1(config-if)# end

    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1
    aaa authentication port-access mac-auth


    Step5: Let's add and configure the CX switch, client Profiles, Policies and Services on the RADIUS server (ClearPass).

    Please note that the same name as configured on the CX switch is configured on the RADIUS server. The screen snapshot is below:








    Step6: Time to validate; we are ready to authenticate the mac-auth client and assign the LUR.




    BLDG02-F1# sh port-access clients

    Port Access Clients
    Port MAC Address Onboarded Status Role
    1/1/5 2c:41:38:7f:27:05 mac-auth Success phone_role

    BLDG02-F1# sh port-access clients interface 1/1/5
    detail Show detailed Port Access Client information.
    BLDG02-F1# sh port-access clients interface 1/1/5 detail

    Port Access Client Status Details:

    Client 2c:41:38:7f:27:05, 2c41387f2705
    Session Details
    Port : 1/1/5
    Session Time : 172s
    IPv4 Address :
    IPv6 Address :

    Authentication Details
    Status : mac-auth Authenticated
    Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated

    Authorization Details
    Role : phone_role
    Status : Applied

    Role Information:

    Name : phone_role
    Type : local
    Reauthentication Period : 3000 secs
    Authentication Mode : client-mode
    Session Timeout :
    Client Inactivity Timeout : 400 secs
    Description : lur_mac_auth
    Gateway Zone :
    UBT Gateway Role :
    Access VLAN :
    Native VLAN :
    Allowed Trunk VLANs :
    Access VLAN Name :
    Native VLAN Name :
    Allowed Trunk VLAN Names :
    MTU :
    QOS Trust Mode :
    STP Administrative Edge Port :
    PoE Priority : critical
    Captive Portal Profile :
    Policy :



    Thank you,
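
Added example, not part of the original post or of Aruba's tooling: because mac-auth admits a client on its MAC address alone, the validation step can be repeated as a check of `show port-access clients` output against an inventory of which MAC should receive which local role. The parser assumes the five-column layout shown in the post; the inventory, the second and third client rows and the name `printer_role` are constructed for illustration.

```python
import re

# One row of `show port-access clients` in the layout shown in the post:
# Port, MAC Address, Onboarded (method), Status, Role (role may be absent).
ROW = re.compile(
    r"^\s*(?P<port>\d+/\d+/\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<method>\S+)\s+(?P<status>\S+)(?:\s+(?P<role>\S+))?\s*$",
    re.IGNORECASE,
)

def parse_clients(cli_text):
    """Return one dict per client row; titles, headers and blank lines are skipped."""
    clients = []
    for line in cli_text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            clients.append(row)
    return clients

def audit_clients(clients, expected_roles):
    """Compare onboarded clients with an inventory of MAC -> expected role."""
    findings = []
    for c in clients:
        want = expected_roles.get(c["mac"])
        if want is None:
            findings.append((c["port"], c["mac"], "MAC not in inventory"))
        elif c["status"].lower() != "success":
            findings.append((c["port"], c["mac"], "authentication status " + c["status"]))
        elif c["role"] != want:
            findings.append((c["port"], c["mac"], "role %s, expected %s" % (c["role"], want)))
    return findings

# First data row is the one from the post; the other two rows are constructed.
SAMPLE = """\
Port Access Clients
Port MAC Address Onboarded Status Role
1/1/5 2c:41:38:7f:27:05 mac-auth Success phone_role
1/1/6 00:00:5e:00:53:10 mac-auth Success phone_role
1/1/7 00:00:5e:00:53:20 mac-auth Success printer_role
"""

# Constructed inventory (assumption): which MAC should receive which local role.
EXPECTED = {"2c:41:38:7f:27:05": "phone_role", "00:00:5e:00:53:20": "phone_role"}

if __name__ == "__main__":
    for port, mac, reason in audit_clients(parse_clients(SAMPLE), EXPECTED):
        print(port, mac, reason)
```
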


  • 2.  RE: AOS-CX Local User Role (LUR) simple steps to Configure!
    Best Answer

    Posted Jul 20, 2020 07:33 AM

    Hi Yash


    Do you plan to publish this somewhere? Like a GitHub page or other?