Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - downloadable user roles and PORT based auth

  • 1.  CPPM - downloadable user roles and PORT based auth

    MVP
    Posted May 17, 2019 08:35 AM

    Got an ArubaOS switch install with downloadable user roles.

    Works great except for their APs, which have bridged SSIDs. Converting those to tunneled is not an option.

     

    I've been trying to get this working but am so far failing.

    I've gotten as far as pushing a DUR with vlan-id and several vlan-id-tagged, but since every WLAN user still gets the second wired auth, that doesn't help much.

    2930F# sho port-access clients 
    Downloaded user roles are preceded by *
    
     Port Access Client Status
    
      Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN                                                   
      ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
      1                   14abc5-f7af85     n/a                               8021X 151                                                    
      1     14abc5f7af85  14abc5-f7af85     n/a             *dur_logon_unm... MAC   151                                                    
      1     Access Points 484ae9-cf0620     10.6.50.186     *dur_access_po... MAC   152, 153, 150                                          
     
    2930F# sho vlans ports 1 detail 
    
     Status and Counters - VLAN Information - for ports 1
    
      VLAN ID Name                 | Status     Voice Jumbo Mode    
      ------- -------------------- + ---------- ----- ----- --------
      150     WIFI_MGMT            | Port-based No    No    Untagged
      151     GUEST                | Port-based No    No    Auto    
      152     INTERNET             | Port-based No    No    Tagged  
      153     WIFI_DATA            | Port-based No    No    Tagged  

     

    I've also tried pushing the HPE VSAs HPE-Port-MA-Port-Mode (14) and/or HPE-Port-Dot1x-Port-Mode (13) as port-based at the same time, but this seems to break the DUR config.

     

    So, is what I am trying to do here possible?

    Or will I have to rip out all the DUR config, or change the AP ports to unauthenticated? Or will I have to manually set all the ports with APs to port-based?



  • 2.  RE: CPPM - downloadable user roles and PORT based auth
    Best Answer

    Posted May 17, 2019 08:52 AM

    With switch version 16.08, the device options are available.

     

    Example config for a bridge AP user role

     

    aaa authorization user-role name "cap-bridge"
       vlan-id 10
       vlan-id-tagged 20-30
       device
          port-mode
          exit
       exit

     



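    The accepted answer's fix, as an added example that is not part of the thread or of any HPE/Aruba tooling: a small Python script that parses the `show port-access clients` output posted above, flags ports where an AP already holds its downloaded role yet the switch is still authenticating other MACs on the same port (the symptom of a role without `device port-mode`), and renders the corrected role in the CLI form the answer shows. It assumes the row layout of that output as posted, that AP roles start with the (truncated) prefix `*dur_access_po`, and that `port-mode` authorises the whole port on the AP's own authentication; the role names, MACs and VLAN IDs are the constructed values from the post. Because port-mode turns the AP's MAC auth into the only gate for everything behind it, the role it lands in should be reachable only by known APs (device fingerprint or a static host list in ClearPass), which is the check worth keeping in mind when rolling this out.

```python
"""Added example (not from the thread): parse `show port-access clients` from an
ArubaOS-Switch, find bridged-AP ports whose DUR still lets the switch authenticate
every downstream client separately, and render the fixed role with
`device port-mode`. Names, MACs and VLAN IDs are the constructed values from the post."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the `show port-access clients` output posted above.
SAMPLE_CLIENTS = """\
Downloaded user roles are preceded by *

 Port Access Client Status

  Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
  ----- ------------- ----------------- --------------- ----------------- ----- ------------
  1                   14abc5-f7af85     n/a                               8021X 151
  1     14abc5f7af85  14abc5-f7af85     n/a             *dur_logon_unm... MAC   151
  1     Access Points 484ae9-cf0620     10.6.50.186     *dur_access_po... MAC   152, 153, 150
"""

# One client row; the role column is empty while an 802.1X exchange is still pending.
ROW = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<mac>[0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s+(?P<ip>\S+)\s+"
    r"(?:(?P<role>\*?\S+)\s+)?(?P<type>8021X|MAC|WEB|LMA)\s+(?P<vlans>.*)$"
)

@dataclass(frozen=True)
class Client:
    port: str
    name: str
    mac: str
    ip: str
    role: str        # "" while no role has been assigned yet
    auth_type: str   # 8021X, MAC, WEB or LMA
    vlans: tuple     # VLAN IDs the client is currently authorised on

def parse_port_access_clients(text):
    """Return one Client per row that matches ROW; headers and rulers are skipped."""
    clients = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            clients.append(Client(
                m["port"], m["name"], m["mac"].lower(), m["ip"], m["role"] or "",
                m["type"], tuple(int(v) for v in re.findall(r"\d+", m["vlans"]))))
    return clients

def ap_ports_missing_port_mode(clients, ap_role_prefix="*dur_access_po"):
    """Ports where an AP holds the AP role but other MACs are still being
    authenticated on the same port. With `device port-mode` in the AP's role the
    AP's authentication authorises the whole port and those rows do not appear.
    The switch truncates long role names in this output, hence the prefix match."""
    by_port = defaultdict(list)
    for c in clients:
        by_port[c.port].append(c)
    findings = {}
    for port, rows in sorted(by_port.items()):
        ap_macs = {c.mac for c in rows if c.role.startswith(ap_role_prefix)}
        stray = sorted({c.mac for c in rows if c.mac not in ap_macs})
        if ap_macs and stray:
            findings[port] = stray
    return findings

def _compress(vlans):
    """[20, 21, ..., 30, 150] -> '20-30,150' (the list/range form the CLI accepts)."""
    ids = sorted(set(vlans))
    if not ids:
        return ""
    parts, start, prev = [], ids[0], ids[0]
    for v in ids[1:] + [None]:
        if v is not None and v == prev + 1:
            prev = v
            continue
        parts.append(f"{start}-{prev}" if prev > start else str(start))
        if v is not None:
            start = prev = v
    return ",".join(parts)

def render_user_role(name, untagged_vlan, tagged_vlans, port_mode):
    """Emit the role in the CLI form of the accepted answer. port_mode=True adds
    `device / port-mode`, which authorises the entire port on this client's
    authentication, so reserve it for roles only the APs themselves can reach."""
    tagged = sorted(set(tagged_vlans))
    if untagged_vlan in tagged:
        raise ValueError(f"VLAN {untagged_vlan} cannot be both untagged and tagged")
    lines = [f'aaa authorization user-role name "{name}"',
             f"   vlan-id {untagged_vlan}"]
    if tagged:
        lines.append(f"   vlan-id-tagged {_compress(tagged)}")
    if port_mode:
        lines += ["   device", "      port-mode", "      exit"]
    lines.append("   exit")
    return "\n".join(lines)

if __name__ == "__main__":
    clients = parse_port_access_clients(SAMPLE_CLIENTS)
    for port, macs in ap_ports_missing_port_mode(clients).items():
        print(f"port {port}: AP role present but {len(macs)} other client(s) "
              f"still authenticated individually: {', '.join(macs)}")
    print(render_user_role("cap-bridge", 10, range(20, 31), port_mode=True))
```

    Run against the sample, the script reports port 1 (the AP's role is there, but MAC `14abc5-f7af85` is still getting its own MAC auth and a pending 802.1X) and then prints the `cap-bridge` role exactly as in the answer; feed it the output of several switches to find every AP port that still needs the role change.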
  • 3.  RE: CPPM - downloadable user roles and PORT based auth

    MVP
    Posted May 17, 2019 09:11 AM

    Thank you,

     

    I found a reference to port-mode for IAPs in the 16.08 security guide but couldn't find the exact syntax.

    I only needed the device option before port-mode.  Works like a charm with it now.

    Thank you!

     

     



  • 4.  RE: CPPM - downloadable user roles and PORT based auth

    EMPLOYEE
    Posted May 20, 2019 05:29 PM
    These are all available in standard mode in CPPM 6.8.