AOS-CX Local User Role (LUR) simple steps to Configure!

  • 1.  AOS-CX Local User Role (LUR) simple steps to Configure!

    Posted Jul 18, 2020 09:04 AM

    Good day!

    Prior condition or prerequisite:

    Let's Start


    Step 1: Validate that the RADIUS server is configured properly and that RADIUS server tracking works as expected.


    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net tracking enable vrf mgmt

    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net clearpass-username HELLOUSERNAME clearpass-password plaintext HELLOPASSWD vrf mgmt

    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net key plaintext KEYENTER vrf mgmt

    BLDG02-F1(config)# radius-server tracking interval 60


    BLDG02-F1# sh radius-server detail
    ******* Global RADIUS Configuration *******

    Shared-Secret: None
    Timeout: 5
    Auth-Type: pap
    Retries: 1
    TLS Timeout: 5
    Tracking Time Interval (seconds): 60
    Tracking Retries: 5
    Tracking User-name: radius-tracking-user
    Tracking Password: None
    Number of Servers: 1

    ****** RADIUS Server Information ******
    Server-Name : aoss-cppm.tmelab.net
    Auth-Port : 1812
    Accounting-Port : 1813
    VRF : mgmt
    TLS Enabled : No
    Shared-Secret : AQBapdAz4irjSK61Zg/CFArsNYWKbn1LObqDD/v9SH1eMQ6ABQAAADY26liu
    Timeout (default) : 5
    Retries (default) : 1
    Auth-Type (default) : pap
    Server-Group (default) : radius
    Default-Priority : 1
    Tracking : enabled
    Tracking-Mode : any
    Reachability-Status : reachable
    ClearPass-Username : admin
    ClearPass-Password : AQBapYv/u3/YfG9vYRpFxmOTtsFLIWxuAX442RdG9j11jsZ6CQAAACZ5Y2/BK9FmhQ==


    BLDG02-F1# sh running-config interface mgmt
    interface mgmt
    no shutdown
    ip static


    Note: I am using Aruba ClearPass as the RADIUS server; please find the radius-tracking snapshot below.



    Step 2: Let's configure the LUR on the CX switch.


    BLDG02-F1# sh running-config port-access

    port-access role phone_role
    description lur_mac_auth
    auth-mode client-mode
    client-inactivity timeout 400
    poe-priority critical
    reauth-period 3000


    Step 3: Let's enable authentication (mac-auth is enough for this case); let's enable both dot1x and mac-auth.


    BLDG02-F1(config)#aaa authentication port-access mac-auth enable

    BLDG02-F1(config)#  aaa authentication port-access dot1x authenticator enable

    Step 4: Let's enable mac-auth on the client-connected interface.


    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1
    BLDG02-F1# sh mac-address-table
    MAC age-time : 300 seconds
    Number of MAC addresses : 6

    MAC Address VLAN Type Port
    2c:41:38:7f:27:05 1 dynamic 1/1/5
    90:20:c2:dc:85:00 195 dynamic 1/1/52
    90:20:c2:dc:85:00 197 dynamic 1/1/52
    90:20:c2:dc:85:00 198 dynamic 1/1/52
    90:20:c2:dc:85:00 199 dynamic 1/1/52
    90:20:c2:dc:85:00 200 dynamic 1/1/52

    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1

    BLDG02-F1# conf t

    BLDG02-F1(config)# interface 1/1/5

    BLDG02-F1(config-if)# aaa authentication port-access mac-auth enable

    BLDG02-F1(config-if)# end

    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1
    aaa authentication port-access mac-auth


    Step 5: Let's add and configure the CX switch, client profiles, policies and services on the RADIUS server (ClearPass).

    Please note that the same role name as configured on the CX switch is configured on the RADIUS server. Screen snapshot is below:








    Step 6: Time to validate; we are ready to authenticate the mac-auth client and assign the LUR.




    BLDG02-F1# sh port-access clients

    Port Access Clients
    Port MAC Address Onboarded Status Role
    1/1/5 2c:41:38:7f:27:05 mac-auth Success phone_role

    BLDG02-F1# sh port-access clients interface 1/1/5
    detail Show detailed Port Access Client information.
    BLDG02-F1# sh port-access clients interface 1/1/5 detail

    Port Access Client Status Details:

    Client 2c:41:38:7f:27:05, 2c41387f2705
    Session Details
    Port : 1/1/5
    Session Time : 172s
    IPv4 Address :
    IPv6 Address :

    Authentication Details
    Status : mac-auth Authenticated
    Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated

    Authorization Details
    Role : phone_role
    Status : Applied

    Role Information:

    Name : phone_role
    Type : local
    Reauthentication Period : 3000 secs
    Authentication Mode : client-mode
    Session Timeout :
    Client Inactivity Timeout : 400 secs
    Description : lur_mac_auth
    Gateway Zone :
    UBT Gateway Role :
    Access VLAN :
    Native VLAN :
    Allowed Trunk VLANs :
    Access VLAN Name :
    Native VLAN Name :
    Allowed Trunk VLAN Names :
    MTU :
    QOS Trust Mode :
    STP Administrative Edge Port :
    PoE Priority : critical
    Captive Portal Profile :
    Policy :



    Thank you,
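    As an added example that is not part of the original post, here is the procedure above consolidated into one AOS-CX configuration fragment. It also extends the local user role with an access VLAN and a port-access policy, because the `phone_role` shown above carries neither (the "Access VLAN" and "Policy" fields in the detail output are empty), so a mac-authenticated client simply lands on the port's VLAN 1 with no traffic restriction. The hostname and the HELLOUSERNAME / HELLOPASSWD / KEYENTER secrets are the lab placeholders from the post; VLAN 195, the class and policy names and the permitted UDP ports are my assumptions; the `class ip` / `port-access policy` syntax is as I recall it from AOS-CX 10.x and should be checked against the CLI reference for your release.

    ```text
    ! --- RADIUS server and tracking (placeholder secrets from the post; use real ones) ---
    radius-server host aoss-cppm.tmelab.net key plaintext KEYENTER vrf mgmt
    radius-server host aoss-cppm.tmelab.net tracking enable vrf mgmt
    radius-server host aoss-cppm.tmelab.net clearpass-username HELLOUSERNAME clearpass-password plaintext HELLOPASSWD vrf mgmt
    radius-server tracking interval 60
    !
    ! --- VLAN the role will place the phone in (assumed value) ---
    vlan 195
        name voice
    !
    ! --- IP traffic the phone is allowed to send (assumed class name and ports:
    !     DHCP, DNS, SIP signalling and an RTP media range) ---
    class ip phone-allowed
        10 match udp any any eq 67
        20 match udp any any eq 53
        30 match udp any any eq 5060
        40 match udp any any range 16384 32767
    class ip any-ip
        10 match any any any
    !
    ! --- Default-deny policy: permit the allowed class, drop all other IP traffic ---
    port-access policy phone-policy
        10 class ip phone-allowed
        20 class ip any-ip action drop
    !
    ! --- Local user role; the name must match the Aruba-User-Role value ClearPass returns ---
    port-access role phone_role
        description lur_mac_auth
        auth-mode client-mode
        client-inactivity timeout 400
        poe-priority critical
        reauth-period 3000
        vlan access 195
        associated-policy phone-policy
    !
    ! --- Enable the authenticators globally, then on the client-facing port ---
    aaa authentication port-access mac-auth enable
    aaa authentication port-access dot1x authenticator enable
    interface 1/1/5
        no shutdown
        vlan access 1
        aaa authentication port-access mac-auth
    ```

    After the client re-authenticates, `show port-access clients interface 1/1/5 detail` (the command used in the post) should show the Access VLAN and Policy fields populated instead of empty. Keep in mind that mac-auth only proves that a client presented a known MAC address, which anyone on the wire can copy, so the role that a MAC-authenticated device receives should be as narrow as the policy above rather than an open VLAN.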


  • 2.  RE: AOS-CX Local User Role (LUR) simple steps to Configure!
    Best Answer

    Posted Jul 20, 2020 07:33 AM

    Hi Yash


    Do you plan to publish this somewhere, like a GitHub page or other?