Working with a design for a setup which includes MM, MC, CPPM along with 6300 AOS-CX switches.
I don't have a 6300 to test with yet, but I'd like to prepare as much as I can.
I've been digging a bit, but not found any definitive answer yet to how you would do DURs for AOS-CX with dynamic secondary user role for UBT.
What I normally do when 2930s, for example, are deployed is use the Aruba Downloadable Role Enforcement and create the DUR for the controller (Product: Mobility Controller), which contains at least a VLAN and an ACL.
Then I create another DUR for the switch (Product: ArubaOS-Switch) which is pretty much empty except for setting the Secondary Role Type to Dynamic and choosing the above Controller Downloadable Role.
So then comes the question, how do you go about doing the same with an AOS-CX switch?
I read somewhere that in future CPPM releases AOS-CX will pop up in the "Product" list when creating the enforcement profile, so I take it that means I can't use the ArubaOS-Switch one.
Could this be pushed via Aruba-CPPM-Role to the AOS-CX switch, if so, any thoughts to how it should look like?
If you know the "hidden" name of the DUR, it will work. By hidden name I mean the name ClearPass internally uses for the downloadable role: ROLENAME-<id>-<version>.
As an example, the following will not work:
port-access role ubt-role-1
gateway-zone zone testilabra gateway-role userrole
But if you know the values, the following does work:
port-access role ubt-role-1
gateway-zone zone testilabra gateway-role userrole-3060-4
You can find the <id> by looking at the URL when editing the enforcement profile under ClearPass, but I didn't find a way to get the <version> part other than applying the role to a 2930F and getting the name.
Check my previous question: https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/ArubaOS-CX-dynamic-segmentation/td-p/636649
There's an example for configuring UBT with 6300.
I have tested this with 6300F and the switch downloaded the role from CPPM and created the tunnel to the controller.
ArubaOS-switches use HPE RADIUS Attributes, ArubaOS-CX switches use ARUBA RADIUS Attributes instead. So for downloadable user roles with ArubaOS-CX switches and CPPM 6.8 you currently need to select in the "Aruba Downloadable Role Enforcement" the "Role Configuration Mode" = "Advanced" and as "Product" = "Mobility Access Switch". Here you can configure the Aruba-CPPM-Role RADIUS Attribute required for ArubaOS-CX switches, see screenshot.
Even though I was able to set the roles, and the tunnels go up, the mobility controller is not showing the client inside the user-table (both with DUR or static role).
After some minutes, the client also vanishes on the CX switch.
It is already available, but there is no GUI for it yet on ClearPass...
Well, the main thing being single place for role definitions, being CPPM.
So downloadable roles for both the switch, controller as well as wireless clients.
If you want to update any role definitions, it's all in one place regardless of what type of client we're talking about.
It's my preferred method, so I got a bit surprised when I discovered this feature is not yet available for the AOS-CX platform (works perfectly fine on AOS switches).
Ok, this is something I might not have known from before either.
Referring to the picture you posted: the role "iot", if that's not defined at the controller, will the controller by default then assume it should download the role content from ClearPass (as long as you have defined ClearPass credentials)?
Then in turn create a profile named iot with content as shown in my Pic3?
EDIT: upon further investigation this doesn't seem to be the case; if the secondary (controller) role is not predefined on the controller, the user will end up with an invalid role error and be placed in the initial role for the default-tunneled-user AAA profile.
With DUR do you mean that the controller would download the role from CPPM so you wouldn't have to configure it on the controller beforehand?
What is your use case for this? I'm wondering for our case, as we're planning on using 6300Fs with UBT; as we have one controller pair to terminate the switches, I've just configured the roles and policies beforehand on the controllers.
Finally got it confirmed. This is simply not supported in AOS-CX switches at the current time.
The feature to call for a dynamic secondary user role, or in other words, let the mobility controller know that the role for the user needs to be downloaded, is a feature that's coming possibly in AOS-CX 10.5.
Thanks, got the hang of things with static roles for the controller side, same as your example.
Now just waiting for the AOS-CX release which includes support for DUR for the gateway-role.
We are trying to configure UBT with the 6300 switch with downloadable secondary roles, but it does not work. Reading the comments I see that downloadable secondary roles are not compatible with ArubaOS-CX until possibly version 10.05, which is already listed, but the release notes do not explain any correction or that this functionality has been added.
We are confused as to whether this is possible or not, since some comments say that it is possible (we have not been able to; it only works with local roles in the controller). Has anyone already managed to configure this? (Downloadable secondary roles with ArubaOS-CX.)
After I posted this I had a dialog with TAC, who mentioned that I could just do it the same way as I have done previously (on 2930Ms, for example).
As in, use the ArubaOS-Switch DUR enforcement profile, then below "role configuration" choose "Secondary Role Type: Dynamic", then "Controller Downloadable Role:" and choose the controller enforcement profile.
It didn't sound right since I already knew, as you mention also, that AOS-CX uses the aruba attributes while the 2930 for example uses HPE.
Basing off your screenshot, how would you do DUR for the role the enduser gets on the controller?
The whole idea here being DUR for both the switch and controller. No predefined roles on the switch or the controller.
The secondary role (userrole on the controller) is either already statically configured on the controller or the controller can dynamically request the role (and content of the role) from ClearPass. So you may question how the controller knows what role to apply for a specific DUR user. This is communicated through the control protocol between switch and controller at the moment the user successfully authenticated on the switch. The configuration on the controller/ClearPass side is done as it has always been for Controller DUR, see https://community.arubanetworks.com/t5/Controller-Based-WLANs/Downloading-an-undefined-role-from-ClearPass-to-Controller/ta-p/243661
You may also have a look here where it is shown in detail:
Aruba User Based Tunneling with Dynamic User Roles: https://www.youtube.com/watch?v=UjTwOAq0QmM
or here on page 29 ff: Technical Whitepaper: User Roles and User-Based Tunneling, https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/4032/2/ArubaOS-Switch%20User-Based%20Tunneling%20Technical%20Whitepaper.pdf
On ArubaOS-Switches you have the possibility to assign the secondary (controller) role in two ways via RADIUS:
On ArubaOS-CX switches option 1 would use the "Aruba-UBT-Gateway-Role" RADIUS attribute (Aruba Vendor ID 14823, Attribute Type 53). Nevertheless, option 2 is from my point of view much easier than option 1. So in the original picture I posted you see the primary role ("iot-s"), which also includes the secondary role ("iot"). This secondary (controller) role is called the gateway role on ArubaOS-CX. So there is no need for a separate RADIUS attribute for the secondary role, as the secondary (controller/gateway) role name is included in the primary role.
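As an added illustration (my own code, not from Aruba, ClearPass or anyone in this thread): it encodes and decodes the Aruba-UBT-Gateway-Role VSA inside an RFC 2865 Vendor-Specific attribute using the vendor ID 14823 and type 53 given above, and checks whether a role name is in the ClearPass hidden-name form ROLENAME-<id>-<version> from the earlier reply. It assumes the attribute carries a plain string value; the sample value "userrole-3060-4" is taken from the thread.

```python
import re
import struct

ARUBA_VENDOR_ID = 14823          # Aruba vendor ID (stated in the thread)
ARUBA_UBT_GATEWAY_ROLE = 53      # Aruba-UBT-Gateway-Role vendor type (stated in the thread)
RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type

# ClearPass "hidden" downloadable-role name: ROLENAME-<id>-<version>
HIDDEN_ROLE_RE = re.compile(r"^(?P<name>.+)-(?P<id>\d+)-(?P<version>\d+)$")


def encode_aruba_vsa(vendor_type: int, value: str) -> bytes:
    """Build one RFC 2865 Vendor-Specific AVP carrying a single Aruba sub-attribute.
    Assumption: the sub-attribute value is a UTF-8 string (as for a role name)."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data   # vendor-type, vendor-length, value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub               # 4-byte vendor ID + sub-attribute
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_aruba_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute blob; return {vendor_type: value} for Aruba (14823) VSAs.
    Rejects malformed lengths instead of reading past the buffer."""
    found = {}
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            if vendor == ARUBA_VENDOR_ID:
                sub = attrs[pos + 6:pos + alen]
                spos = 0
                while spos + 2 <= len(sub):
                    stype, slen = sub[spos], sub[spos + 1]
                    if slen < 2 or spos + slen > len(sub):
                        raise ValueError("malformed vendor sub-attribute")
                    found[stype] = sub[spos + 2:spos + slen].decode("utf-8")
                    spos += slen
        pos += alen
    return found


def parse_hidden_role_name(name: str):
    """Split 'userrole-3060-4' into ('userrole', 3060, 4); None if not in hidden-name form."""
    m = HIDDEN_ROLE_RE.match(name)
    if not m:
        return None
    return m.group("name"), int(m.group("id")), int(m.group("version"))
```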
I might not express my issue/question properly, sorry for that.
This part is all OK, and doing so is easily enough achieved with ArubaOS switches like 2930Ms, for example.
Attached an example on how this could be done with ArubaOS switch.
From the guide that you also mention: "Creating a Controller Downloadable User Role. This feature allows the secondary role on the controller, which will be used by the tunneled clients, to be downloaded to the controller from ClearPass. This effectively eliminates the need to configure the secondary role on potentially multiple controller clusters in a large campus network. Now, the secondary role can be configured in ClearPass, downloaded to the Mobility Controller, and the switch notified via a new VSA "HPE-CPPM-Secondary-Role"."
The VSA HPE-CPPM-Secondary-Role is essentially what I do in attached Pic1+Pic2. So then comes the question I've been wondering about: how would the switch-side role look when we want to achieve the same thing, just on an AOS-CX switch?
It was confirmed by Aruba yesterday afternoon: this feature, telling the controller to download <rolename> as part of the information sent from the switch to the controller, is not available in the current version of AOS-CX. For now, only statically defined roles on the controller are supported.
However it will be in the next release or the one after.
Correct, because AOS-CX doesn't support this as of yet. The mobility controller doesn't know of the role userrole-3060-4 (or userrole, for that matter), which in turn makes it fail. The tunnel will come up because you define a gateway-role; however, since the controller doesn't have the role name, it then fails.
My guess is that when Aruba adds support for this you will find an attribute called something like "secondary-gateway-role" which will tell the controller to download the role from CPPM.
port-access role ubt-role-1
gateway-zone zone testilabra secondary-gateway-role mc-employee-role
With CPPM credentials set up on the controller, it will then ask CPPM to provide the role mc-employee-role. Having my hopes up for this feature in 10.05.