Wired Intelligent Edge (Campus Switching and Routing)

 View Only
last person joined: one year ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of HPE Aruba Networking switching devices, and find ways to improve security across your network.
Back to Library

Downloadable User Role configuration in Aruba OS CX with mac-authentication 

Apr 29, 2020 04:25 PM

Requirement:

DUR configuration is used in the switch to download the profile configuration sent from the RADIUS server and to apply this configuration within the role to the respective client port.

The profile applied to the clients may include dynamic vlan/ACL/captive portal . These dynamic configurations will be removed from the port soon after the client session ends.


Solution:
1. Add the radius sever in the switch using the host IP or using the FQDN






2.Enable mac authentication globally and for respective ports






3. Upload the root certificate used in Clearpass on the switch, this root certificate will be used during the DUR process as the switch needs to trust the root CA that signs the certificate in Clearpass



5. Configure the Clearpass with corresponding services , profiles and policies

--Aruba Downloadable Role Enforcement

--Role Configuration mode as Advanced
--Product as Mobility Access Switch

6.Configure the below within the profile that will be applied to the client
--Configure the Attribute Type as: Radius:Aruba
--Name as Aruba-CPPM-Role
--Value as (DUR commands)

7.Check the reachability of Clearpass from the switch and connect a client to the port with authentication enabled.


Configuration:
Switch configuration:

radius-server host x.x.x.x key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username prakash clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+
aaa authentication allow-fail-through
aaa group server radius cppm
    server x.x.x.x

aaa authentication port-access dot1x authenticator
    radius server-group ARUBA
aaa authentication port-access mac-auth
    radius server-group cppm
    enable

interface 1/1/15
    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access client-limit 2
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        enable
    aaa authentication port-access mac-auth
        enable

Configuration in Clearpass:

1. Configure the service with appropriate service condition




2.Apply appropriate policy with the suitable conditions to match the client request to respective profile




3. DUR profile configuration


Verification
The user-role from the Clearpass will be downloaded in the switch and can be verified using below command




Check the application of the role to respective port

Statistics
0 Favorited
136 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.