Original Message:
Sent: Jul 19, 2024 09:06 AM
From: davidwk
Subject: UBT not working with 9004 gateway
DURs are the better solution so if that's what you're going for let's get that working. First off, create an admin user in ClearPass that has the privilege level of "Aruba User Role Download". Then in your CX switch there are a few changes to make:
- The RADIUS servers need to be added by hostname rather than IP address. Also, when adding the RADIUS servers you need to specify the username and password of the user you just created in ClearPass. Remove your existing RADIUS servers and re-add both of them with the command:
radius-server host <hostname> key plaintext <RADIUS key> clearpass-username <username> clearpass-password plaintext <password>
- Your RADIUS server group will still be referencing the servers by IP address. Re-create the server group adding the servers by hostname instead.
- You need to enable dynamic authorization and then add the ClearPass servers as dynamic authorization clients to allow the switch to download the roles from ClearPass. You'll need to do this for both servers:
radius dyn-authorization enable
radius dyn-authorization client <hostname> secret-key plaintext <RADIUS key>
- The switch won't automatically trust the SSL certificate of the ClearPass server so you have to add it manually. If you're using a CA-signed certificate add the CA root cert here. If you're using a self-signed certificate just add that but remember that every time you replace that certificate you'll need to come back and add the new one to this switch. The following commands will prompt you to paste in the certificate
crypto pki ta-profile clearpassta-certificate
- Finally, make sure that ClearPass is returning the role in the Radius:Aruba:Aruba-CPPM-Role VSA
I think that's all. If everything works right, you should see clients and roles showing up in the results of the following two commands.
show port-access clients
show port-access role clearpass
Good luck! Let me know how it works.
Original Message:
Sent: Jul 19, 2024 08:41 AM
From: EnzoJ
Subject: UBT not working with 9004 gateway
I tried it with DURs.
But I can try with LURs and keep you updated on that.
So configuration is ok.
I opened already a TAC-case, but no progress on that ticket.
Original Message:
Sent: Jul 19, 2024 08:26 AM
From: davidwk
Subject: UBT not working with 9004 gateway
I think your UBT setup is correct, you just never used it anywhere. You need to create a role for any device that should be using UBT and assign it to any connected device. There are two main ways of doing that. The first is with Downloadable User Roles (DURs), where your ClearPass server returns the user role with the authentication response. That's more complicated but also able to do much more granular role assignments. The second method is by using Local User Roles (LURs). To do that you just need to create a user role and have port-access use it as the authenticated role for any authenticated device.
I use DURs in my setup so I can't actually test this config, but I'm pretty sure this is all you need:
port-access role Tunneled-Role
    gateway-zone zone user gateway-role <role name on the gateway>
    vlan access 3999
    session-timeout 28800
    reauth-period 7100
interface 1/1/2
    aaa authentication port-access auth-role Tunneled-Role
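As an added check that is not part of the thread and not Aruba's or ClearPass's own code, the Python script below audits an AOS-CX running-config against both of davidwk's checklists: the DUR prerequisites from the 09:06 post (RADIUS servers added by hostname with clearpass-username, a hostname-based server group, dynamic authorization enabled with every server added as a client, and a ta-profile for the ClearPass certificate) and the LUR point from this post (a port-access role with a gateway-zone that is actually applied as an auth-role on some interface). The embedded running-config is constructed; the hostnames, role names and PLACEHOLDER key values are assumptions, and the parser only recognises the command forms quoted in the thread.

```python
"""Audit an AOS-CX running-config for the UBT/DUR prerequisites discussed in the thread."""
import ipaddress
import re

# Constructed sample running-config, not the attachment from the thread. Hostnames,
# the gateway role name and the PLACEHOLDER key material are assumptions.
# It deliberately contains one server added by IP and without ClearPass credentials.
SAMPLE_CONFIG = """\
radius-server host cppm1.example.local key ciphertext PLACEHOLDER clearpass-username cx-dur clearpass-password ciphertext PLACEHOLDER
radius-server host 10.10.250.50 key ciphertext PLACEHOLDER
aaa group server radius cppm
    server cppm1.example.local
    server 10.10.250.50
radius dyn-authorization enable
radius dyn-authorization client cppm1.example.local secret-key ciphertext PLACEHOLDER
crypto pki ta-profile clearpass
    ta-certificate
port-access role Tunneled-Role
    gateway-zone zone user gateway-role GATEWAY-ROLE-PLACEHOLDER
    vlan access 3999
interface 1/1/2
    aaa authentication port-access auth-role Tunneled-Role
interface 1/1/3
    no shutdown
"""


def _is_ip(token):
    """True when the token is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_cx_config(text):
    """Collect the config objects the checklist depends on; sub-blocks are indent-based."""
    cfg = {"servers": {}, "groups": {}, "dyn_enabled": False, "dyn_clients": set(),
           "ta_profiles": [], "roles": {}, "auth_roles": {}}
    block = None  # (kind, name) of the enclosing top-level block, if any
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if raw[:1] in (" ", "\t") and block:
            kind, name = block
            if kind == "group" and (m := re.match(r"server (\S+)$", s)):
                cfg["groups"][name].append(m.group(1))
            elif kind == "role" and s.startswith("gateway-zone "):
                cfg["roles"][name] = True  # role tunnels to a gateway
            elif kind == "interface" and (m := re.match(r"aaa authentication port-access auth-role (\S+)$", s)):
                cfg["auth_roles"][name] = m.group(1)
            continue
        block = None
        if m := re.match(r"radius-server host (\S+)", s):
            cfg["servers"][m.group(1)] = "clearpass-username" in s
        elif m := re.match(r"aaa group server radius (\S+)$", s):
            cfg["groups"][m.group(1)] = []
            block = ("group", m.group(1))
        elif s == "radius dyn-authorization enable":
            cfg["dyn_enabled"] = True
        elif m := re.match(r"radius dyn-authorization client (\S+)", s):
            cfg["dyn_clients"].add(m.group(1))
        elif m := re.match(r"crypto pki ta-profile (\S+)$", s):
            cfg["ta_profiles"].append(m.group(1))
        elif m := re.match(r"port-access role (\S+)$", s):
            cfg["roles"][m.group(1)] = False
            block = ("role", m.group(1))
        elif m := re.match(r"interface (\S+)$", s):
            block = ("interface", m.group(1))
    return cfg


def audit_ubt(text):
    """Return human-readable findings; an empty list means every checklist item is met."""
    c = parse_cx_config(text)
    findings = []
    # DUR prerequisites from the 09:06 post
    for host, has_user in c["servers"].items():
        if _is_ip(host):
            findings.append(f"radius-server {host} is added by IP address; re-add it by hostname")
        if not has_user:
            findings.append(f"radius-server {host} has no clearpass-username/clearpass-password")
        if host not in c["dyn_clients"]:
            findings.append(f"radius-server {host} is not a dynamic authorization client")
    for name, members in c["groups"].items():
        for member in members:
            if _is_ip(member):
                findings.append(f"server group {name} references {member} by IP address; re-create it with hostnames")
    if not c["dyn_enabled"]:
        findings.append("radius dyn-authorization is not enabled")
    if not c["ta_profiles"]:
        findings.append("no crypto pki ta-profile: the ClearPass certificate (or its CA) is not trusted")
    # LUR point from the 08:26 post: a tunnelled role must exist and be used somewhere
    tunnelled = {r for r, has_gw in c["roles"].items() if has_gw}
    if not tunnelled:
        findings.append("no port-access role carries a gateway-zone, so nothing will be tunnelled")
    for role in sorted(tunnelled - set(c["auth_roles"].values())):
        findings.append(f"role {role} has a gateway-zone but no interface uses it as auth-role")
    for ifname, role in c["auth_roles"].items():
        if role not in c["roles"]:
            findings.append(f"interface {ifname} references undefined role {role}")
    return findings


if __name__ == "__main__":
    for line in audit_ubt(SAMPLE_CONFIG):
        print("FINDING:", line)
```

Run it against a saved `show running-config` by reading the file into `audit_ubt`; on the constructed sample it reports four findings, all about the server that was added by IP without ClearPass credentials, and nothing about the role, because the role is both defined with a gateway-zone and applied on interface 1/1/2.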
Original Message:
Sent: Jul 19, 2024 08:02 AM
From: EnzoJ
Subject: UBT not working with 9004 gateway
Hey David,
CX switch & gateway are managed by Central.
In the attachment you can see the show running-config of the switch & gateway.
I only removed the password for privacy reasons. But it's a test-setup.
So gateway & switch are directly connected to each other.
Gateway is also performing tunnels to another VPNC.
Original Message:
Sent: Jul 19, 2024 07:43 AM
From: davidwk
Subject: UBT not working with 9004 gateway
Is your CX switch managed by Central or just the gateway? Can you post your full config from the CX switch?
Original Message:
Sent: Jul 19, 2024 06:05 AM
From: EnzoJ
Subject: UBT not working with 9004 gateway
Hey everyone,
I have advanced with security licenses on the gateway and advanced switch licenses.
I want to set up UBT to my local branch gateway, which is a 9004.
It's an AOS10 setup managed by Central.
Running version 10.6.0.2 & 10.13.1031
I configured on the AOS-CX switch a clean ubt-client-vlan 3999.
I configured the IP source for UBT with its management IP.
I created a ubt zone with primary controller ip which is reachable via the switch.
This is the output of show ubt state:
Local Conductor Server (LCS) State:
LCS Type IP Address State Role
---------------------------------------------------------------------
Primary : 10.10.250.1 ready_for_bootstrap operational_primary
Switch Anchor Controller (SAC) State:
IP Address MAC Address State
-----------------------------------------------------------------
Active : 10.10.250.1 f0:1a:a0:79:0c:b6 registered
On the controller I always get that the SAC is 0.0.0.0:
The ip: 10.10.101.3 is my switch.
In the show tunneled-node-mgr output I always see the following error:
Jul 18 14:55:38 --> SW Bootstrap Req 10.10.101.3 ec:67:94:d6:45:40 rsvd-vid=1 sacMode=1 sacIP=0.0.0.0 flags=1 mtu=1500
Jul 18 14:55:38 <-- SW Bootstrap Ack 10.10.101.3 Status=29:Switch Bootstrap Failed, Req sent to non controller or non cluster IP.
Jul 18 14:55:48 --> SW Bootstrap Req 10.10.101.3 ec:67:94:d6:45:40 rsvd-vid=1 sacMode=1 sacIP=0.0.0.0 flags=1 mtu=1500
Jul 18 14:55:48 sos SW hb tun created 10.10.101.3 tunnel 9.
Jul 18 14:55:48 <-- SW Bootstrap Ack 10.10.101.3 SBY=0.0.0.0
What am I doing wrong, or why isn't it working?