Requirement:
DUR configuration is used in the switch to download the profile configuration sent from the RADIUS server and to apply this configuration within the role to the respective client port. The profile applied to the clients may include dynamic vlan/ACL/captive portal . These dynamic configurations will be removed from the port soon after the client session ends.
1. Add the radius sever in the switch using the host IP or using the FQDN 2.Enable mac authentication globally and for respective ports 3. Upload the root certificate used in Clearpass on the switch, this root certificate will be used during the DUR process as the switch needs to trust the root CA that signs the certificate in Clearpass 5. Configure the Clearpass with corresponding services , profiles and policies --Aruba Downloadable Role Enforcement --Role Configuration mode as Advanced --Product as Mobility Access Switch 6.Configure the below within the profile that will be applied to the client --Configure the Attribute Type as: Radius:Aruba --Name as Aruba-CPPM-Role --Value as (DUR commands) 7.Check the reachability of Clearpass from the switch and connect a client to the port with authentication enabled.
Switch configuration: radius-server host x.x.x.x key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username prakash clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ aaa authentication allow-fail-through aaa group server radius cppm server x.x.x.x aaa authentication port-access dot1x authenticator radius server-group ARUBA aaa authentication port-access mac-auth radius server-group cppm enable interface 1/1/15 no shutdown no routing vlan access 1 aaa authentication port-access client-limit 2 aaa authentication port-access dot1x authenticator max-eapol-requests 1 enable aaa authentication port-access mac-auth enable Configuration in Clearpass: 1. Configure the service with appropriate service condition 2.Apply appropriate policy with the suitable conditions to match the client request to respective profile 3. DUR profile configuration
The user-role from the Clearpass will be downloaded in the switch and can be verified using below command Check the application of the role to respective port
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.