Yes correct they don't support the VRF commands, but it seems the 6000s and the 6100s do not support Downloadable User Roles. Which was news to me!
Original Message:
Sent: Aug 15, 2024 11:19 AM
From: Herman Robers
Subject: AOS-CX Downloadable User Role (DUR) simple steps to Configure!
The similar command works for me on a 6300F switch running 10.14.1000. What is the error that you see?
Unsure what model the PL is, but I think 6000 and 6100s don't support a management vrf. If you leave out the vrf mgmt from the end, or put in a vrf name that does exist, it may work.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 14, 2024 09:57 AM
From: michael.wright@xpo.com
Subject: AOS-CX Downloadable User Role (DUR) simple steps to Configure!
Hello,
I understand this is an old post, but i was wondering if anyone could confirm the new command for creating a Clearpass Downloadable user account on the switch?
E.G - this command no longer works on PL.10.14.1000.
radius-server host aoss-cppm.tmelab.net key ciphertext AQBapdAz4irjSK61Zg/CFArsNYWKbn1LObqDD/v9SH1eMQ6ABQAAADY26liu tracking enable clearpass-username admin clearpass-password ciphertext AQBapYv/u3/YfG9vYRpFxmOTtsFLIWxuAX442RdG9j11jsZ6CQAAACZ5Y2/BK9FmhQ== vrf mgmt
Original Message:
Sent: Jul 23, 2020 07:56 AM
From: Yash
Subject: AOS-CX Downloadable User Role (DUR) simple steps to Configure!
Good day!
AOS-CX Downloadable User Role (DUR) simple steps to Configure!
Prior condition or prerequisite:
Note 1: DUR is Aruba solution, means it works with Aruba Clearpass Radius-Server.
Note 2: Simple DUR CX Switch required configuration is attached at the end. Step by Step process is below:
Step1: Configuring/Installing TA-Certificate on CX switches.
Example of installing ta-certificate.
BLDG02-F1(config)#crypto pki ta-profile cp
ta-certificate
-----BEGIN CERTIFICATE-----
MIIDYzCCAkugAwIBAgIQZiDAdPhWQqNE3PpMDBcTBjANBgkqhkiG9w0BAQsFADBE
MRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGdG1lbGFiMRUw
EwYDVQQDEwx0bWVsYWItQUQtQ0EwHhcNMTcwMzI5MDExMzA4WhcNMjIwMzI5MDEy
MzA4WjBEMRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGdG1l
bGFiMRUwEwYDVQQDEwx0bWVsYWItQUQtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDrdqdR2QQm4Lo3i/X9bvTu41cf3sVFzPFn727zlgrYySXWtyvW
M3Jzf6P3FsqQzrsaP+QhlNsYMTrY2Yiccm7C9gNshpx95elzXsZ2TBP88qoUPD9F
jH42YgnqAN61+opmct8aRgSJhTtKv+WEolVtLgL9/CL3zmvmbpz3oyYjF9W3lesp
D52BeEbPqsBrALbYQypxJJLonZuueM7ePhSYbPnbrGuV8M9BiDyEyQ87OUYGgq7J
krwjrer+BKYFIxqJQDHbY96ozbaUScv8nOylpUrH56r3jT5Xn05JDdOIJvBKniYK
ZxIK+m4Mv2XS0zxuZBG1F1YDl/bcQ353jazbAgMBAAGjUTBPMAsGA1UdDwQEAwIB
hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQuBjOz0LpCALxkgy9bWbziV+1D
UDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAydVR86YZez9N
uIvJOftLczu0y3YfGoA5PK88Yv3TSMv+gxK5yiceU2HkV3PvVeCXyN9Nn9EUKLJ8
87/BqDTsNKKD20axHNk/w2p5I8LY6g/Y8t3N84gXx3439+GezBdlxznEmWAhebAQ
/JMnp+aD9Xhw9tgGeDXMB/GIhx0PCK22VbRUoDeZP3o+LmdB2fOdqhfN8+e2OMpz
AGsBGGEJJWqOKSUkHC25Jkl0RfyymdxuWEflHofbF2DjSWheR023A5dA6a5WkxTV
7WxwC8ekitnlY5BT2ZHV1LXLUsgvuN3j8G2+yvYiS6Z/da3ORb6Grm79sqZpzlKZ
XWjU/zVxBQ==
-----END CERTIFICATE-----
END_OF_CERTIFICATE
BLDG02-F1# show crypto pki ta-profile
TA Profile Name TA Certificate Revocation Check
-------------------------------- -------------------- ----------------
cp Installed, valid disabled
BLDG02-F1#
!#Use below command to see certificate validity and more details:
BLDG02-F1# show crypto pki ta-profile cp
!#no role is configured on CX switch
BLDG02-F1# show running-config port-access
BLDG02-F1#
If you have questions regarding how to generate these certificate, please leave your comments, will cover in next write up.
Step2: Radius-server configuration
Please refer to below post and configure Radius server.
https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/AOS-CX-Radius-server-simple-steps-to-Configure/m-p/663009#M10219
BLDG02-F1# sh radius-server
Unreachable servers are preceded by *
******* Global RADIUS Configuration *******
Shared-Secret: None
Timeout: 5
Auth-Type: pap
Retries: 1
TLS Timeout: 5
Tracking Time Interval (seconds): 60
Tracking Retries: 5
Tracking User-name: radius-tracking-user
Tracking Password: None
Number of Servers: 1
-------------------------------------------------------------------------------------------------
SERVER NAME | TLS | PORT | VRF
-------------------------------------------------------------------------------------------------
aoss-cppm.tmelab.net | | 1812 | mgmt
-------------------------------------------------------------------------------------------------
BLDG02-F1#
BLDG02-F1# ping aoss-cppm.tmelab.net vrf mgmt repetitions 1
PING aoss-cppm.tmelab.net (10.5.8.12) 100(128) bytes of data.
108 bytes from 10.5.8.12: icmp_seq=1 ttl=61 time=0.545 ms
--- aoss-cppm.tmelab.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.545/0.545/0.545/0.000 ms
BLDG02-F1#
Step3: Make sure Client is connected to CX switch
BLDG02-F1# sh mac-address-table port
PORTS List of Ports [e.g. 1/1/1 or 1/1/1-1/1/3 or lag1]
BLDG02-F1# sh mac-address-table port 1/1/5
MAC age-time : 300 seconds
Number of MAC addresses : 1
MAC Address VLAN Type Port
--------------------------------------------------------------
2c:41:38:7f:27:05 1 dynamic 1/1/5
BLDG02-F1#
BLDG02-F1# sh running-config interface 1/1/5
interface 1/1/5
no shutdown
vlan access 1
exit
BLDG02-F1#
Step4: Configure 802.1x or mac-auth on client connected interface
!# Enable on global mode and then on connected interface as below.
BLDG02-F1(config)# aaa authentication port-access mac-auth enable
BLDG02-F1(config-if)# aaa authentication port-access mac-auth enable
BLDG02-F1# sh running-config interface 1/1/5
interface 1/1/5
no shutdown
vlan access 1
aaa authentication port-access mac-auth
enable
exit
BLDG02-F1#
Step4: Configure Profile, Policies and Service on Clearpass.
Note that every configuration should be exactly same as local role
Let's add this profile to policies in clearpass.
Let's add this policies into a service
Let's Validate:
BLDG02-F1# show port-access clients detail
Port Access Client Status Details:
Client 2c:41:38:7f:27:05, 2c41387f2705
============================
Session Details
---------------
Port : 1/1/5
Session Time : 918s
IPv4 Address :
IPv6 Address :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Authorization Details
----------------------
Role : DUR_PY_CX-3099-2
Status : Applied
Role Information:
Name : DUR_PY_CX-3099-2
Type : clearpass
Status: Completed
----------------------------------------------
Reauthentication Period : 3000 secs
Authentication Mode : client-mode
Session Timeout :
Client Inactivity Timeout : 400 secs
Description : DUR_CPMM_mac_auth
Gateway Zone :
UBT Gateway Role :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority : critical
Captive Portal Profile :
Policy :
BLDG02-F1#
BLDG02-F1# sh aaa authentication port-access interface all client-status
Port Access Client Status Details
Client 2c:41:38:7f:27:05, 2c41387f2705
============================
Session Details
---------------
Port : 1/1/5
Session Time : 1060s
IPv4 Address :
IPv6 Address :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Authorization Details
----------------------
Role : DUR_PY_CX-3099-2
Status : Applied
BLDG02-F1#
BLDG02-F1# sh port-access clients
Port Access Clients
--------------------------------------------------------------------------------
Port MAC Address Onboarded Status Role
Method
--------------------------------------------------------------------------------
1/1/5 2c:41:38:7f:27:05 mac-auth Success DUR_PY_CX-3099-2
BLDG02-F1#
Thank you,
Yash