
Downloadable ACL for CX

  • 1.  Downloadable ACL for CX

    Posted May 09, 2024 11:08 PM

    Hello guys,

    I was wondering if I could do this for CX just like I do it for Cisco switches?

    There is no gateway, so no UBT.

    I can use NAS-Filter-Rule, but the problem with this is with the long ACLs.

    I cannot modify them, the order or something like that; I have to delete a lot of ACLs just to add a new ACL. Imagine a really long ACL?

    It was really easy with the Downloadable ACL feature I have for Cisco on the ClearPass, because I have a box to edit all this, but with NAS-Filter I don't have it.

    Any ClearPass guru that can help me? Or guide me to a feature that ClearPass most likely will have? I mean, if it has it for Cisco, it should have it for Aruba CX, I guess.

    Thanks!



  • 2.  RE: Downloadable ACL for CX

    Posted May 10, 2024 07:03 AM

    Yes, it should also work with CX switches; however, the better way is to use user roles.

    Check this technote: "Aruba ClearPass Wired Enforcement for CX switches – Part1"



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Downloadable ACL for CX

    Posted May 10, 2024 09:28 AM

    I was checking the technote, but the idea is not to use the roles in all their switches; if I don't have the UBT, we don't have a way to centralize the rules.

    If I use roles without UBT, then I would need to configure those roles on each switch, and there are a lot of switches, and every time I need to modify something I would need to go into all the switches and modify it.

    With NAS-Filter it works centralized, but the problem is that I have no way to modify it, and if you use NAS-Filter there is no box I can use like the Cisco downloadable role.

    Now my question is, what should work with CX switches? Sorry Ariyap, I didn't understand this part. Do you mean using the same Cisco downloadable enforcement as if it was a Cisco switch, but instead of putting the Cisco ACL, which is like this:

    permit ip any host x.x.x.x
    permit ip any host y.y.y.y
    deny ip any 10.0.0.0 0.255.255.255
    permit ip any any

    I put it like CX, like this?

    permit in ip from any to x.x.x.x
    permit in ip from any to y.y.y.y
    deny in ip from any to 10.0.0.0/8
    permit in ip from any to any

    If it's like I just said, as far as I remember I had to put, instead of NAS IP-rule, something like NAS Cisco and then Cisco downloadable ACL. Does that work even if I put NAS Cisco?

    Well, I haven't checked if there is something similar on Aruba NAS for a downloadable ACL.




  • 4.  RE: Downloadable ACL for CX

    Posted May 10, 2024 08:46 PM

    With Aruba CX switches you can either use local user roles (LUR) or downloadable user roles (DUR). With LUR you need to configure local user roles on the switches, which can be done either using the CLI (painful) or your network management tool like Central or AirWave.

    The DUR approach downloads the user role and associated ACL, etc. from ClearPass. For that you need the switches to trust the certificate that signs the ClearPass server cert. That is covered in my CX wired enforcement part 5 technote.

    If you want to use IETF RADIUS VSA, then you can refer to the CX wired enforcement part 3 technote. Here is the screenshot for a guest captive portal.

    Also, while building your ClearPass enforcement policy you could check for the NAD vendor and then use the appropriate enforcement profile for that NAD.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Downloadable ACL for CX

    Posted May 14, 2024 11:59 AM

    I replied to your other post, but here is how I do them. To me this is much simpler than the method that ariyap listed. You just need to copy and paste the same config that you would use in the CLI:

    Here is what would work with the question you asked directly (people on this forum are terrible at answering questions directly).

    class ip all
        10 match any any any
    class ip dhcp-server
        10 match udp any any eq dhcp-server
    class ip dns
        10 match udp any any eq dns
    class ip rfc1918
        10 match any any 192.168.0.0/255.255.0.0
        20 match any any 10.0.0.0/255.0.0.0
        30 match any any 172.16.0.0/255.240.0.0
    class ipv6 all
        10 match any any any
     
     
    port-access policy deny-internal
        10 class ip dns
        20 class ip dhcp-server
        30 class ip rfc1918 action drop
        40 class ipv6 all action drop
        50 class ip all
     
     
    port-access role GUEST-ACCESS
        description GUEST-ACCESS
        associate policy deny-internal
        auth-mode client-mode
        client-inactivity timeout none
        stp-admin-edge-port
        vlan access XXX
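    As an added example, not part of the thread or the poster's config: a small Python evaluator for the deny-internal policy posted above, showing that sequence order is what lets a GUEST-ACCESS client reach DNS and DHCP on RFC1918 addresses while all other internal destinations are dropped. The port numbers behind the CX keywords dns and dhcp-server (UDP 53 and 67) are standard; the sample flows at the bottom are constructed.

```python
import ipaddress

# Classes transcribed from the posted config: (family, protocol, destination networks, destination port).
# "eq dns" and "eq dhcp-server" are the CX keywords for UDP destination port 53 and 67.
CLASSES = {
    "ip dns":         ("ip",   "udp", None, 53),
    "ip dhcp-server": ("ip",   "udp", None, 67),
    "ip rfc1918":     ("ip",   "any", ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"), None),
    "ip all":         ("ip",   "any", None, None),
    "ipv6 all":       ("ipv6", "any", None, None),
}

# port-access policy deny-internal in sequence order; an entry without "action drop" permits.
DENY_INTERNAL = [
    (10, "ip dns", "permit"),
    (20, "ip dhcp-server", "permit"),
    (30, "ip rfc1918", "drop"),
    (40, "ipv6 all", "drop"),
    (50, "ip all", "permit"),
]

def class_matches(name, proto, dst_ip, dst_port):
    """True if a packet (protocol, destination address object, destination port) matches the class."""
    family, cproto, nets, port = CLASSES[name]
    if (family == "ip") != (dst_ip.version == 4):      # ip classes never match IPv6 and vice versa
        return False
    if cproto != "any" and cproto != proto:
        return False
    if port is not None and port != dst_port:
        return False
    if nets is not None and not any(dst_ip in ipaddress.ip_network(n) for n in nets):
        return False
    return True

def evaluate(proto, dst, dst_port=None, policy=DENY_INTERNAL):
    """Walk the policy in sequence order; return (seq, action) of the first matching entry.
    Returns None only when nothing matches, which the posted policy prevents with its catch-all classes."""
    dst_ip = ipaddress.ip_address(dst)
    for seq, name, action in policy:
        if class_matches(name, proto, dst_ip, dst_port):
            return seq, action
    return None

if __name__ == "__main__":
    # Constructed sample flows from a guest client (addresses are illustrative)
    for flow in [("udp", "10.0.0.53", 53), ("tcp", "10.0.0.53", 443),
                 ("tcp", "93.184.216.34", 443), ("udp", "2001:db8::1", 53)]:
        print(flow, "->", evaluate(*flow))
```

Moving entry 30 above entries 10 and 20 in DENY_INTERNAL would make the evaluator drop the DNS and DHCP flows too, which is the ordering mistake this layout avoids.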





  • 6.  RE: Downloadable ACL for CX

    Posted May 14, 2024 12:27 PM

    Thanks. I got a question: I saw that with this I need to install a certificate on the switch to make this work. Where do I get this certificate and install it?

    I just need to install it on the switches? I mean the certificate? I don't need to do anything with the certificate on the ClearPass?




  • 7.  RE: Downloadable ACL for CX

    Posted May 14, 2024 01:26 PM

    To get that particular return to work you have to configure the switch to support downloadable user roles.  There are a few threads here on how to do that, along with various other guides and videos for the process.

    The certificate in question is to set the trust anchor (ta-profile) for the HTTPS certificate used by ClearPass.  You also have to configure the username and password that the switch will use when contacting ClearPass for the download, along with properly defining the RADIUS server so that the certificate validation will work.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Downloadable ACL for CX
    Best Answer

    Posted May 14, 2024 03:45 PM
    Edited by cdelarosa May 23, 2024 05:15 PM

    Here is what you will need set up for DUR:

    This cert will be the CA cert that you are using for your CPPM HTTPS cert. Just grab the PEM data from the public key.

    (Config for the CX switch)
    crypto pki ta-profile cp
        ta-certificate
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
            END_OF_CERTIFICATE

    radius-server host %cppm.1.host% key plaintext %radius.password%  tracking enable clearpass-username %cppm.dur.user% clearpass-password plaintext %cppm.dur.user.password% vrf MGMT
    radius-server host %cppm.1.host% key plaintext %radius.password% tracking enable clearpass-username %cppm.dur.user% clearpass-password plaintext %cppm.dur.user.password% vrf MGMT

    You have to create a DUR user in ClearPass under:
    Administration -> Admin Users

    You may not need to specify the VRF if you are using the default VRF or you have a 6100/4100i switch.




  • 9.  RE: Downloadable ACL for CX

    Posted May 14, 2024 01:22 PM

    That method is using a DUR rather than applying an ACL through the return attributes, which is what the original question asked for, and requires the additional setup for supporting DUR.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: Downloadable ACL for CX

    Posted May 14, 2024 01:52 PM

    Thanks guys, I'm reading about all this and it looks crazy, all the things you can do with it. I also saw how to configure it, and it seems easy.

    I just need to test it.

    I will keep reading; it's really interesting.

    Thanks again.




  • 11.  RE: Downloadable ACL for CX

    Posted May 14, 2024 03:35 PM

    "That method is using a DUR rather than applying an ACL through the return attributes, which is what the original question asked for, and requires the additional setup for supporting DUR."

    That is fair and I glossed over that.  Thank you for specifying/clarifying the need for DUR/ta-cert on the switches.




  • 12.  RE: Downloadable ACL for CX

    Posted May 14, 2024 06:40 PM
    Edited by cdelarosa May 14, 2024 06:40 PM

    Thank you guys, I read about DUR today and I find it useful.

    I can't wait to try it.

    After reading and looking at Mflowers' and others' posts, and also some documentation, I saw how to configure it and what I can do with it. Seems useful; you can even send VLANs and other things.

    Thanks again guys, I'll see if I can try this this week.




  • 13.  RE: Downloadable ACL for CX

    Posted May 14, 2024 07:04 PM

    Note that there is an NAE agent that downloads the server certificate as well, which makes it easier, and you don't need to do it the manual way.

    You can ask your local Aruba SE for it.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 14.  RE: Downloadable ACL for CX

    Posted May 23, 2024 05:15 PM

    I just came to thank everyone.

    This works, and it's so useful; I like it.

    I did a test with a stack and it worked like a charm; it downloaded the ACLs I had, VLANs and other things.

    Kudos everyone!