Downloading an undefined role from ClearPass to Controller
In order to provide per-user level access, user roles can be created when a user has been successfully authenticated. During the configuration of a remote access policy, the administrator can define a role that should be assigned to the user after successful authentication. If the role is not defined on the controller, it cannot be mapped to the user, so we need a way to download the relevant role from the server.
In RADIUS authentication, when the server (ClearPass) successfully authenticates a user, it assigns the user a role (role name). If that role is not defined on the controller, the role attributes can also be automatically downloaded from ClearPass.
This feature supports roles obtained by the following authentication methods:
- 802.1X (wireless and wired users)
- MAC authentication
- Captive Portal
ClearPass does not perform any error checking to confirm the accuracy of the role definition (the policy mapped to the user role). The controller will validate the policy before downloading.
How to enable:
1. Navigate to Configuration > Security > Authentication > AAA Profiles.
2. Select an AAA profile.
3. Check the Download Role from CPPM check box to enable role download.
Providing CPPM credentials:
It is mandatory (from ClearPass 6.4) to specify ClearPass credentials for downloading the role.
Configuring ClearPass:
A role can be defined and mapped through an Enforcement Profile as shown below.
- Select “Aruba Downloadable Role Enforcement” from the Template drop-down list.
- Add the Aruba controller IP to the Device list (first create a group, e.g. “My_Devices”, and add the IP address to that group).
Defining and mapping the policy to the role:
- Define a policy (ACL) by selecting the type of ACL (Stateless ACL/Session ACL/Ethertype).
- Add the policy to the role (e.g. Test_policy).
- Add the VLAN and CP profile as per the requirement.
Summary of Enforcement Profile:
Define an Enforcement Policy:
A policy with rules is required to pick up this Enforcement Profile.
- Create a new enforcement policy and define a condition for picking the profile.
Defining a Service:
Finally, we have to define a Service to handle this authentication.
- Define a service by selecting an appropriate template (e.g. Aruba 802.1x Wireless, Aruba 802.1x Wired, Aruba Guest, etc.).
- Select the desired authentication types (EAP-PEAP, MSCHAP V2, etc.).
- Select the Enforcement profile.
On successful Authentication, ClearPass will push the Role along with the policy to the controller as shown below.
Role is being downloaded to the controller :
Role is downloaded and a policy is created :