Wired Intelligent Edge

  • 1.  Tunneled Node DUR - Secondary Role

    Posted May 20, 2020 07:48 AM

    Looking at a design where we are using Aruba Switches configured for UBT and DUR and Controllers to terminate Tunneled Node, we typically have the switch DUR with the Secondary Role to use on the controller. With this configuration, the Controller needs to have a locally defined User Role that matches the Secondary Role passed to it.


    I want to continue to make configurations as dynamic as possible. In other deployments, such as a Wireless Controller deployment, we can configure AAA to Download User Role from Clearpass. This eases the administrative overhead from the customer's perspective, so they can create all Roles in Clearpass and not require them to be created on the Controller (another touch point).


    Does anyone know if it is possible to somehow use UBT and Tunneled Node with or without a Secondary User Role and instead have the controller Download the role from Clearpass? The only way I can see this working is if the AAA profile forced the user/device to perform a secondary authentication to trigger the controller DUR... which would likely cause issues.


    This would be great, especially in deployments where a customer is using Controllers and Clearpass for Wired and Wireless authentication. We would then just define a single User Role that fits both! Pipe dream for now, I think.



  • 2.  RE: Tunneled Node DUR - Secondary Role
    Best Answer

    Posted May 20, 2020 08:10 AM

    Hi,


    You can have dynamic DUR on both the switch and controller.


    For example, in my lab I have this:

    [screenshot: ayman_mukaddam_1-1589976062983.png]

    On ClearPass, you reference a Controller Downloadable Role:

    [screenshot: ayman_mukaddam_0-1589975965375.png]

    In the AAA profile on the controller, make sure you enable download role from Clearpass and add the proper username/password...


    I think this is covered here https://www.youtube.com/watch?v=UjTwOAq0QmM




  • 3.  RE: Tunneled Node DUR - Secondary Role

    Posted May 20, 2020 09:02 PM

    This rocks! I don't know how long the Dynamic option for the Secondary Role type has been around, but I am so glad you have shared it. Thank you so much. Works great! Pipe dream realized.



  • 4.  RE: Tunneled Node DUR - Secondary Role

    Posted Aug 31, 2020 05:42 AM

    Hi,


    Little hijack on this thread. I'm trying to realise the dynamic secondary role and I followed the video, but when I send the enforcement profile I get TUNNELED_NODE_SERVER virtual LAN enabled, directly followed by TUNNELED_NODE_SERVER virtual LAN disabled in the switch log.


    The tunnel is not established. show port-access client is empty. Clearpass did send the enforcement, so the client is authenticated.


    The tunnel is up; both tunneled-node-server state on the switch and show tunneled-node-mgr tunneled-nodes show the right info.


    I tried adding the reserved VLAN to the DUR, but that didn't resolve the issue.


    Switch 2930F f/w 16.10.0009

    WLC 7210 f/w 8.5.0.3 (MM managed)

    Clearpass version 6.8.3


    thanks,

    Erik


  • 5.  RE: Tunneled Node DUR - Secondary Role

    Posted Aug 31, 2020 05:57 AM

    Strike that. I messed up in the policies and the controller rejected the dynamic secondary DUR.


    rgds,
    Erik
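The symptom Erik describes in posts 4 and 5 (the switch logging TUNNELED_NODE_SERVER virtual LAN enabled and then disabled right away, because the controller rejected the dynamic secondary DUR) is easy to spot when correlating switch logs. The script below is an added example, not code from the thread or from Aruba; the log line format and port fields are constructed assumptions, and the message text is the only part taken from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample switch log (assumed layout; only the
# "TUNNELED_NODE_SERVER virtual LAN enabled/disabled" text comes from the thread).
SAMPLE_LOG = """\
I 08/31/20 10:41:02 00001 ubt: TUNNELED_NODE_SERVER virtual LAN enabled for port 1/12
I 08/31/20 10:41:03 00002 ubt: TUNNELED_NODE_SERVER virtual LAN disabled for port 1/12
I 08/31/20 10:45:10 00003 ubt: TUNNELED_NODE_SERVER virtual LAN enabled for port 1/14
I 08/31/20 10:50:00 00004 ubt: TUNNELED_NODE_SERVER virtual LAN disabled for port 1/14
"""

# Timestamp, state and port are the fields we need for the correlation.
LINE_RE = re.compile(
    r"^\S (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \d+ \S+ "
    r"TUNNELED_NODE_SERVER virtual LAN (enabled|disabled) for port (\S+)$"
)


def parse_events(log: str):
    """Yield (timestamp, state, port) for every matching log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_rejected_tunnels(log: str, window_seconds: int = 5):
    """Return [(port, seconds)] where a VLAN 'enabled' event is undone by
    'disabled' within window_seconds: the pattern seen when the controller
    refuses the secondary role and the switch tears the user tunnel down.
    A disable long after the enable (normal logoff) is not reported."""
    last_enabled = {}
    suspects = []
    for ts, state, port in parse_events(log):
        if state == "enabled":
            last_enabled[port] = ts
        elif port in last_enabled:
            gap = ts - last_enabled.pop(port)
            if gap <= timedelta(seconds=window_seconds):
                suspects.append((port, int(gap.total_seconds())))
    return suspects


if __name__ == "__main__":
    for port, secs in find_rejected_tunnels(SAMPLE_LOG):
        print(f"port {port}: tunnel VLAN disabled {secs}s after enable; check the DUR on the controller")
```

Port 1/12 is flagged (disabled one second after enable) while 1/14 is not, so the check points at the controller-side role rather than at the switch-to-controller tunnel, which in Erik's case was up.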