Security

 View Only
last person joined: 3 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Local User Role | Radius:Hewlett-Packard-Enterprise or Radius:Aruba

This thread has been viewed 26 times
  • 1.  Local User Role | Radius:Hewlett-Packard-Enterprise or Radius:Aruba

    Posted Sep 19, 2022 10:24 AM
    Hello everyone

    i'm testing out local user role with cppm for IP Phones, IPcams, Printers and Users

    which Raduis attribute to use for ArubaOS switch WB.16.03 for enforcement profile for each role

    Radius:Hewlett-Packard-Enterprise HPE-User-Role = healthy_user_role

    or
    Radius:Aruba Aruba-User-Role = healthy_user_role

    class ipv4 "permit-all"
    10 match ip any any

    policy user healthy_policy
    10 class ipv4 permit-all action permit


    aaa authorization user-role name healthy_user_role
    policy healthy_policy
    reauth-period 86400
    vlan-id 3
    exit

    aaa authorization user-role name healthy_cam_accesscontrol_role
    policy healthy_policy
    reauth-period 86400
    vlan-id 75


    aaa authorization user-role name healthy_printers_role
    policy healthy_policy
    reauth-period 86400
    vlan-id 33


    aaa authorization user-role name healthy_phones_role
    policy healthy_policy
    reauth-period 86400
    vlan-id-tagged 11

    ------------------------------
    BR,
    Mohanad
    ------------------------------


  • 2.  RE: Local User Role | Radius:Hewlett-Packard-Enterprise or Radius:Aruba

    Posted Sep 19, 2022 06:15 PM
    I tested (Radius:Hewlett-Packard-Enterprise HPE-User-Role = healthy_user_role) and worked

    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 3.  RE: Local User Role | Radius:Hewlett-Packard-Enterprise or Radius:Aruba

    EMPLOYEE
    Posted Sep 20, 2022 08:00 AM
    thats right.
    keep this technote handy it covers all the wired enforcement scenarios
    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 4.  RE: Local User Role | Radius:Hewlett-Packard-Enterprise or Radius:Aruba

    Posted Sep 20, 2022 08:12 AM
    it's amazing document , i have switched from VLAN enforcement to user-role but many users with denyall role and i review the logs

    many logs:
    W 09/20/22 11:29:42 00700 idm: ST1-CMDR: ACL error - unable to create ACL entry,
    index 20, client 98E743C8C4F7, port 1/15

    Event ID: 700
    (Severity: Warning) Message ACL error - unable to create ACL entry- index <index>- client <mac_address>- port <port_ num=""> Platforms
    KB, WB, WC, YA, YB, YC
    Category IDM
    Severity Warning
    Description This log event informs that there is ACL error since ACL entry can not be created with an
    index for a client on a port. </port_></mac_address></index>

    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 5.  RE: Local User Role | Radius:Hewlett-Packard-Enterprise or Radius:Aruba

    Posted Sep 20, 2022 10:41 AM
    that role will be applied when the desired user role cannot be applied (many reasons for that).

    Can you share a screenshot of the role and ACL being returned via RADIUS?

    ------------------------------
    ACNSA | ACEA | ACCP | ACMP
    ------------------------------