Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration


Setting up Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration:

This post lists the steps involved in setting up "Colourless port with Dynamic Segmentation" on ArubaOS-Switch.

We will be using Downloadable User Roles in ClearPass, for Centralized Policy and access control.

This post would be useful for Aruba Partner Engineers and Customers who are trying to implement this capability.


What we will be achieving:

Employee laptop performing 802.1X authentication:

  • Placed in VLAN 29 and bridged locally on the switch.

IoT device such as a security camera, authorized based on profiled information:

  • Placed in VLAN 30 and tunnelled to the controller for stateful firewall / DPI.

Both devices plug into identically configured ("colourless") ports; the user role ClearPass returns, not the port configuration, decides which treatment applies.

Network Diagram: (image: Network Diagram.jpg)



The Bill of Materials for the above setup:

7005 Mobility Controllers  -

2930M Aruba Switch  -  WC.16.05.0007

Server with VMware ESXi vSphere 6.5 running the following VMs

Mobility Master  -

ClearPass server  -  6.7.3

7010 Mobility Controller x 3  -

2930F Aruba Switches  -  WC.16.05.0007

Windows laptop  -  Windows 10

Wired PoE IP Camera



ArubaOS-Switch Configuration:

Configure the basic components: NTP, uplinks and VLANs.

NTP is required because accurate time is critical to network authentication; certificate validity checks, including the switch's check of the ClearPass HTTPS certificate when it downloads roles, depend on it. (image: NTP.jpg)

Uplinks and default gateway: (image: Uplink and Default Gateway.jpg)

User VLANs:

VLANs 29 and 30 should only be created/defined. Give them no IP address on the switch and do not assign them to any port: authentication places clients in them per session, and the switch needs no Layer 3 presence in either VLAN. (image: User VLANs.jpg)



Define the ClearPass server as RADIUS server and dynamic authorization client. The dyn-authorization keyword lets ClearPass send RFC 5176 CoA and Disconnect messages to the switch; they are authenticated with the same shared secret, so use a strong, per-NAD secret rather than a shared demo value.

radius-server host key Aruba123!             

radius-server host dyn-authorization

aaa server-group radius "ClearPass" host


Enable global functions and configurations:

ip source-interface radius vlan 17

ip client-tracker trusted

RADIUS traffic is sourced from the switch's VLAN 17 address, so that is the address ClearPass must have on file for this NAD; requests from any other address are treated as coming from an unknown device. The client tracker lets the switch learn the IP addresses of its authenticated clients, which the role-based features rely on.


Configuring User-Based Tunneling (UBT):

tunneled-node-server
   controller-ip <controller IP>
   mode role-based

The controller-ip line points the switch at the Mobility Controller (shown as a placeholder; the page does not give the address). mode role-based tunnels traffic per client according to the downloaded user role, instead of tunnelling everything on a port.



Enable AAA functions:

aaa accounting network start-stop radius server-group "ClearPass"

aaa authorization user-role enable download

aaa authentication port-access eap-radius server-group "ClearPass"

aaa authentication mac-based chap-radius server-group "ClearPass"

Accounting start/stop records tell ClearPass which sessions exist, which it needs in order to target a CoA or Disconnect at the right client. "user-role enable download" turns on Downloadable User Roles. 802.1X is relayed as EAP over RADIUS, and MAC authentication is sent as CHAP with the MAC address as both username and password, so the ClearPass MAC-auth service must be set up to expect that method.
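The following is an added example, not code from the original post or from Aruba. It builds and checks offline the two RADIUS exchanges that the radius-server host dyn-authorization and aaa authentication mac-based chap-radius lines rely on: the CHAP-based Access-Request the switch sends for a MAC-auth client, and an RFC 5176 Disconnect-Request as ClearPass would send it, with the Request Authenticator and Message-Authenticator checks the switch performs before tearing a session down. The MAC address 0011223344aa (format assumed: lowercase hex, no separators), the NAS address 10.0.17.2 and the packets themselves are constructed for the demo; the shared secret is the page's Aruba123!.

```python
"""Added example (not from the original post): the two RADIUS exchanges the switch
configuration above depends on, built and verified offline.
  * Access-Request for 'aaa authentication mac-based chap-radius': User-Name is the
    client MAC and the password (also the MAC) is proven with CHAP (RFC 2865 s5.3).
  * Disconnect-Request that 'radius-server host ... dyn-authorization' lets ClearPass
    send (RFC 5176), with the Request Authenticator and Message-Authenticator the
    switch must check before tearing a session down.
Constructed values: MAC 0011223344aa (lowercase hex, no separators), NAS 10.0.17.2."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, DISCONNECT_REQUEST, DISCONNECT_ACK = 1, 40, 41
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 3, 4, 31
CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR = 60, 80
ZERO16 = b"\x00" * 16

def avp(attr_type, value):
    """One attribute: Type, Length (includes this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_avps(packet):
    """Attributes after the 20-byte header, as a list of (type, value)."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out

def header(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def mac_auth_request(mac, nas_ip, ident=1, chap_id=7):
    """Access-Request the switch sends for a MAC-auth client (username = password = MAC)."""
    user, challenge = mac.encode(), os.urandom(16)
    body = (avp(USER_NAME, user)
            + avp(CHAP_CHALLENGE, challenge)
            + avp(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, user, challenge))
            + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + avp(CALLING_STATION_ID, user))
    return header(ACCESS_REQUEST, ident, os.urandom(16), body)

def verify_chap(packet, known_password):
    """Server side: recompute the CHAP response from the password on file (the MAC)."""
    attrs = dict(parse_avps(packet))
    chap = attrs[CHAP_PASSWORD]                          # 1-byte ident + 16-byte response
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])  # default challenge: Request Authenticator
    return hmac.compare_digest(chap[1:], chap_response(chap[0], known_password, challenge))

def disconnect_request(ident, secret, attrs):
    """Disconnect-Request as the DAC builds it: Message-Authenticator is HMAC-MD5 over the
    packet with the authenticator field and its own value zeroed, then the Request
    Authenticator is MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    draft = header(DISCONNECT_REQUEST, ident, ZERO16, body + avp(MESSAGE_AUTHENTICATOR, ZERO16))
    msg_auth = hmac.new(secret, draft, hashlib.md5).digest()
    unsigned = header(DISCONNECT_REQUEST, ident, ZERO16, body + avp(MESSAGE_AUTHENTICATOR, msg_auth))
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_disconnect_request(packet, secret):
    """NAS side: accept only if both authenticators verify under the shared secret."""
    if len(packet) < 20 or packet[0] != DISCONNECT_REQUEST:
        return False
    zeroed = packet[:4] + ZERO16 + packet[20:]
    if not hmac.compare_digest(hashlib.md5(zeroed + secret).digest(), packet[4:20]):
        return False
    body, msg_auth = b"", None
    for attr_type, value in parse_avps(packet):
        if attr_type == MESSAGE_AUTHENTICATOR:
            msg_auth, value = value, ZERO16
        body += avp(attr_type, value)
    if msg_auth is None:  # policy choice here: refuse disconnects without Message-Authenticator
        return False
    expected = hmac.new(secret, packet[:4] + ZERO16 + body, hashlib.md5).digest()
    return hmac.compare_digest(msg_auth, expected)

def disconnect_ack(request, secret):
    """Disconnect-ACK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    unsigned = header(DISCONNECT_ACK, request[1], request[4:20], b"")
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest()

if __name__ == "__main__":
    secret = b"Aruba123!"  # the demo's shared secret
    req = mac_auth_request("0011223344aa", "10.0.17.2")
    print("CHAP MAC auth verifies:", verify_chap(req, b"0011223344aa"))
    dm = disconnect_request(9, secret, [(USER_NAME, b"0011223344aa")])
    print("Disconnect accepted, right secret:", verify_disconnect_request(dm, secret))
    print("Disconnect accepted, wrong secret:", verify_disconnect_request(dm, b"guess"))
    print("Reply code:", disconnect_ack(dm, secret)[0])
```

The point of the second half is that a Disconnect-Request is only as trustworthy as the shared secret: anyone who knows it can drop any session on the switch, which is why the secret configured with radius-server host should be unique to this NAD and not reused elsewhere.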


Port configuration:

aaa port-access authenticator 2-24

aaa port-access authenticator 2-24 tx-period 10

aaa port-access authenticator 2-24 supplicant-timeout 10

aaa port-access authenticator 2-24 client-limit 32

aaa port-access authenticator active

aaa port-access mac-based 2-24

aaa port-access mac-based 2-24 addr-limit 32

Every port in 2-24 runs both 802.1X and MAC authentication with the same settings, which is what makes them colourless. The short tx-period and supplicant-timeout make a device with no 802.1X supplicant (the camera) fall through to MAC authentication quickly; client-limit and addr-limit of 32 allow several authenticated clients per port, each with its own role.


Other Requirements for DUR:

To support downloadable user roles, the CA that signed the ClearPass HTTPS certificate must be present on the switch and marked as trusted; the switch fetches the role definition over HTTPS and refuses a server it cannot validate. By default, the following CAs are installed in ArubaOS-Switch. (image: Trusted CA.jpg)

This setup uses a ClearPass HTTPS server certificate signed by GeoTrust.

DUR also requires a ClearPass admin account that the switch logs in with to download the user role configuration. Configure the same username and password on the switch. The key here is that account's password, not the RADIUS shared secret; the demo reuses Aruba123! for both, which should not be done outside a lab.

radius-server cppm identity s-admin key Aruba123!



ClearPass Configuration:

Bring up the ClearPass server, install the license and configure all the basic settings.

Now configure the things specific to this demo.

Defining the NAD:

Go to "Configuration -> Network -> Devices" and add the Dynamic Segmentation switch as a NAD. Its IP address must be the one the switch sources RADIUS from (VLAN 17 above), and the shared secret must match the switch's radius-server host key. (image: Adding the NAD.jpg)

Create Local Users:

Create a local user under "Configuration -> Identity -> Local Users":

user1 / Aruba123!

Profiler Settings:

Go to "Configuration -> Profile and Network Scan -> Network Scan" and add the subnets you want to scan.

Profiling also needs DHCP visibility: configure an "IP helper address" (DHCP relay) pointing at the ClearPass server on the Layer 3 gateway of each user VLAN. The access switch is not that gateway; it carries no IP address on VLANs 29 and 30.

Read-Only User Account:

Under "Administration -> Users and Privileges -> Admin Users", create the account the ArubaOS-Switch will use to download user role configuration (the s-admin identity configured on the switch). Give it the least privilege that still allows role download; it should not be a full administrator. (image: Read-Only-Users.jpg)

Install Certificate:

Go to "Administration -> Certificates -> Certificate Store" and click "Import Certificate" to install the HTTPS server certificate (image: import Certificate.jpg). Verify it afterwards (image: Public Cert.jpg).



Creating the Enforcement Profiles:

Go to "Configuration -> Enforcement -> Profiles" and add an "Aruba Downloadable Role Enforcement" profile with:

  • Role Configuration Mode = Advanced
  • Product = ArubaOS-Switch

Then create the Type, Name and Value entries for the role as follows.

For Employee: (image: dur_employee.jpg)

For Camera: (image: dur_camera.jpg)
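The dur_employee.jpg and dur_camera.jpg screenshots hold the actual role bodies. As an added illustration of what an Advanced-mode ArubaOS-Switch role body looks like, written for this edit and not taken from the author's profiles, the following uses the VLAN IDs and the Camera secondary-role name from this page; the class, policy and role names, the permit-all policy and the reauth-period are assumptions:

```text
class ipv4 "any-ipv4"
   10 match ip any any
exit
policy user "employee-policy"
   10 class ipv4 "any-ipv4" action permit
exit
aaa authorization user-role name "Employee"
   vlan-id 29
   policy "employee-policy"
   reauth-period 3600
exit
aaa authorization user-role name "Camera"
   vlan-id 30
   tunneled-node-server-redirect secondary-role "Camera"
exit
```

The Employee role is enforced on the switch itself: the client is bridged locally in VLAN 29 with the policy applied at the port. The Camera role's tunneled-node-server-redirect hands the client's traffic to the controller, where a role with the secondary-role name must exist; the controller's role, not a switch policy, is what filters the camera.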


Creating Services:

Edutech 802.1X Wired Service (image: Dot1x service.jpg)

Enforcement Policy Details / Enforcement Profiles: the policy has one rule, which assigns the Employee downloadable role:

  (Tips:Role EQUALS [User Authenticated]) AND (Tips:Role EQUALS [Employee])

Edutech Device MAC Authentication Service (image: Mac-auth Service.jpg)

Enforcement Policy Details / Enforcement Profiles: the rules match on the profiled device type; the Camera rule assigns the Camera downloadable role:

  (Endpoint:Device Type EQUALS Printer)

  (Endpoint:Device Type EQUALS Camera)

Endpoint:Device Type is filled in by the profiler, so a camera that has never been seen before authenticates before it is classified. Plan for a second authentication once the endpoint is categorized (typically a profiler-triggered CoA, which is what dyn-authorization on the switch allows) so that the Camera role actually gets applied.




Controller Configuration:

Refer to the following post for:

  • Bringing up the Mobility Master
  • Installing the license
  • Placing the 3 x 7010 controllers into a cluster. Ensure that is the cluster leader.
  • Creating an SSID on an AP-335 for management purposes

Once that is done, ensure the following roles exist on the controller under

Managed Network -> Cluster Group name -> Configuration -> Roles and Policies -> Roles

Camera: define a session-based ACL as per your requirement, for example allowing access to the camera only from a certain subnet. The role name must match the secondary-role that the switch's downloaded Camera role redirects to. (image: Controller Roles.jpg)
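As an added example of such a role, not the content of the author's Controller Roles.jpg, the following ArubaOS controller configuration lets the camera use DHCP and NTP and exchange traffic with an assumed recording/NVR subnet 10.20.30.0/24, and denies everything else. The subnet and the ACL name are assumptions; VLAN 30 and the role name Camera follow the page:

```text
ip access-list session camera-acl
  user any svc-dhcp permit
  user any svc-ntp permit
  network 10.20.30.0 255.255.255.0 user any permit
  user network 10.20.30.0 255.255.255.0 any permit
  any any any deny

user-role Camera
  access-list session camera-acl
  vlan 30
```

Session ACLs are stateful, so replies to permitted flows are allowed without a separate rule; the final deny is what keeps other hosts on the network from reaching the camera, which is the reason for tunnelling it to the controller in the first place.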



Time to Test:

Connect the employee laptop and the camera to any of the authenticator ports (2-24) on the 2930F switch.

Verification commands on the switch: (images: Verification Commands1.jpg, Verification Commands2.jpg)

Verification commands on the controller: (image: Verification Commands3.jpg)

Pre-sales engineers can demonstrate this functionality using a Switch Monitor web app. (image: Further Demo.jpg)



Hope you find this useful. Please post your feedback!


Kapildev Erampu





Guru Elite

Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

A couple of comments:

1) The UBT VLAN should not have ANY IP addresses on the switch, including helper

2) The MAC Auth service should be using [Allow All MAC Auth] not [MAC Auth]

3) The role download admin user should now use the Aruba User Role Download role in 6.7.3+

4) Why do you have so many EAP methods defined in your 802.1X service?

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

Thanks for the review and comments Tim Cappalli.
Regarding question no. 4, I used the "802.1X Wired" template, so the "Authentication Methods" in it were the defaults. I forgot to remove the unnecessary EAP methods.




New Contributor

Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

Thanks Kapil for this well-written guide. I am new to Aruba (coming from Cisco background) and such guides are very helpful in conducting POC. Please keep them coming.




Re: Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration

Thanks for your feedback Tariq :)
