Aruba Clearpass with ArubaOS Switch - User Role

  • 1.  Aruba Clearpass with ArubaOS Switch - User Role

    Posted Oct 20, 2022 10:27 AM
    Hello,

    I have an Aruba Clearpass and would like to configure secure authentication for the access ports on an ArubaOS switch.

    Currently I only tell the switch the VLAN ID for the different roles via the radius attribute. This works without any problems.

    But as soon as I have activated the following command on the switch this variant does not work anymore:
    aaa authorization user-role enable

    Is there no way to drive a mixed configuration either only communicating the VLAN ID or a user role?

    I also got the following error message when I defined a profile locally on the switch and wanted to assign it via Clearpass:
    dca: Failed to apply user role to 8021X client XXXXXXX on port 5: user role is invalid.

    My switch configuration:

    radius-server host 10.X.X.8 key "XXXXXX"
    radius-server host 10.X.X.8 dyn-authorization
    radius-server host 10.X.X.8 time-window 0
    radius-server host 10.X.X.9 key "XXXXXX"
    radius-server host 10.X.X.9 dyn-authorization
    radius-server host 10.X.X.9 time-window 0
    radius-server timeout 2

    aaa server-group radius "Clearpass" host 10.X.X.8
    aaa server-group radius "Clearpass" host 10.X.X.9
    aaa accounting update periodic 5
    aaa accounting network start-stop radius server-group "Clearpass"
    aaa authorization user-role name "LUR_Staff_IT"
       vlan-id 34
       exit
    aaa authentication port-access eap-radius authorized

    My port configuration:

    interface 5
    tagged vlan 7
    untagged vlan 1
    aaa port-access authenticator
    aaa port-access authenticator auth-vid 36
    aaa port-access authenticator client-limit 2
    aaa port-access mac-based
    aaa port-access mac-based unauth-vid 36
    aaa port-access local-mac
    aaa port-access local-mac addr-limit 2
    aaa port-access mixed
    aaa port-access auth-order authenticator mac-based local-mac
    aaa port-access auth-priority authenticator mac-based
    exit


    Thanks for your help.

    David


  • 2.  RE: Aruba Clearpass with ArubaOS Switch - User Role

    Posted Oct 20, 2022 11:07 AM
    Hi David,

    Can you share the RADIUS response that you're returning from CPPM?  I'm guessing there's a mismatch between the role name returned from CPPM and the name of the Local User Role you've defined in the config.


  • 3.  RE: Aruba Clearpass with ArubaOS Switch - User Role

    EMPLOYEE
    Posted Oct 21, 2022 01:47 AM
    You need this command to enable user-role authz:
    aaa authorization user-role enable

    and you can use the HPE-User-Role and RADIUS IETF attribute.
    Note that for AOS-S switches you need HPE-User-Role.
    Here is the sample enforcement profile that sends back a user-role called dot1x.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 4.  RE: Aruba Clearpass with ArubaOS Switch - User Role

    Posted Oct 24, 2022 03:59 AM
    Thank you for your answers.

    That I need the command "aaa authorization user-role enable" is known.

    With the "HPE User Role" it worked.

    But one more question:
    Is it not possible to combine User-Role and the classic Radius Assigned VLAN? Or is only one or the other possible?


  • 5.  RE: Aruba Clearpass with ArubaOS Switch - User Role

    EMPLOYEE
    Posted Oct 24, 2022 05:31 AM
    I would not do that, which makes it easier to troubleshoot. Also note that you can assign VLAN in a user role.
    Here is an example

    aaa authorization user-role name ap-access
     policy aruba-cap
     reauth-period 120
     vlan-id 11      <<<<<<<<<<<<






  • 6.  RE: Aruba Clearpass with ArubaOS Switch - User Role

    EMPLOYEE
    Posted Oct 24, 2022 06:47 AM
    When in user-role mode, the VLAN should be assigned through the user-role.

    As far as I know, with ArubaOS-Switch, you will get a conflict situation when sending a role and VLAN in the same response and it just does not work.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Aruba Clearpass with ArubaOS Switch - User Role

    Posted Nov 03, 2022 06:25 AM

    Herman !!!!!!!

    Thank you master.

    I have been spending 2 days on that issue and you fixed it for me in a second.
    User role with assigned VLAN (via enforcement policy) didn't work for me.
    As soon as I deleted the VLAN entry on the enforcement policy, everything worked perfectly.



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------
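As an added example (not code from the thread, from Aruba or from ClearPass), the following Python lint encodes what posts 3, 5 and 6 establish: once "aaa authorization user-role enable" is set, the HPE-User-Role returned by ClearPass must match a role defined on the switch, and a role plus a Tunnel-Private-Group-ID VLAN in the same Access-Accept conflicts, so the VLAN belongs in the role's vlan-id instead. It assumes a constructed config snippet built from the poster's role and the ap-access role from post 5, and represents the Access-Accept as a dict of attribute names to values.

```python
import re

# Constructed sample: the poster's local user role plus the ap-access role from post 5, with user-role authz on.
SWITCH_CONFIG = """\
aaa authorization user-role enable
aaa authorization user-role name "LUR_Staff_IT"
   vlan-id 34
   exit
aaa authorization user-role name ap-access
   policy aruba-cap
   reauth-period 120
   vlan-id 11
   exit
"""

# Matches both quoted ("LUR_Staff_IT") and bare (ap-access) role names.
ROLE_RE = re.compile(r'^\s*aaa authorization user-role name\s+"?([^"\s]+)"?\s*$')

def parse_roles(config):
    """Return (user-role mode enabled?, {role name: {setting: value}}) from AOS-S config text."""
    enabled, roles, current = False, {}, None
    for line in config.splitlines():
        stripped = line.strip()
        m = ROLE_RE.match(line)
        if stripped == "aaa authorization user-role enable":
            enabled = True
        elif m:
            current = m.group(1)
            roles[current] = {}
        elif current is not None and stripped == "exit":
            current = None
        elif current is not None and stripped:
            key, _, value = stripped.partition(" ")  # e.g. "vlan-id 34" -> ("vlan-id", "34")
            roles[current][key] = value
    return enabled, roles

def check_accept(attrs, config):
    """Lint the attributes of a RADIUS Access-Accept against the switch config.
    Returns a list of problems; an empty list means the response should apply cleanly."""
    enabled, roles = parse_roles(config)
    role = attrs.get("HPE-User-Role")
    vlan = attrs.get("Tunnel-Private-Group-ID")
    problems = []
    if not enabled and role is not None:
        problems.append("HPE-User-Role returned but 'aaa authorization user-role enable' is not set")
    if enabled and role is not None and role not in roles:
        problems.append(f"user role {role!r} is invalid (not defined on the switch)")
    if enabled and role is not None and vlan is not None:
        problems.append("role and VLAN in one response conflict; set vlan-id inside the role instead")
    return problems
```

Running check_accept over the attribute set of each ClearPass enforcement profile before rollout reproduces the "user role is invalid" and role-plus-VLAN failures from this thread without touching a live port.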