MVP Expert

CPPM - downloadable user roles and PORT based auth

Got an ArubaOS switch install with downloadable user roles.

Works great except for their APs, which have bridged SSIDs. Converting those to tunneled is not an option.

 

I've been trying to get this working but am so far failing.

I've gotten as far as pushing a DUR with vlan-id and several vlan-id-tagged entries, but since every WLAN user still gets the second wired auth, that doesn't help much.

2930F# sho port-access clients 
Downloaded user roles are preceded by *

 Port Access Client Status

  Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN                                                   
  ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
  1                   14abc5-f7af85     n/a                               8021X 151                                                    
  1     14abc5f7af85  14abc5-f7af85     n/a             *dur_logon_unm... MAC   151                                                    
  1     Access Points 484ae9-cf0620     10.6.50.186     *dur_access_po... MAC   152, 153, 150                                          
 
2930F# sho vlans ports 1 detail 

 Status and Counters - VLAN Information - for ports 1

  VLAN ID Name                 | Status     Voice Jumbo Mode    
  ------- -------------------- + ---------- ----- ----- --------
  150     WIFI_MGMT            | Port-based No    No    Untagged
  151     GUEST                | Port-based No    No    Auto    
  152     INTERNET             | Port-based No    No    Tagged  
  153     WIFI_DATA            | Port-based No    No    Tagged  

 

I've also tried pushing the HPE VSAs HPE-Port-MA-Port-Mode (14) and/or HPE-Port-Dot1x-Port-Mode (13) as port-based at the same time, but this seems to break the DUR config.

 

So, is what I am trying to do here possible?

Or will I have to rip out all the DUR config or change the AP ports to unauthenticated? Or will I have to manually set all the ports with APs to port-based?


Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Super Contributor I

Re: CPPM - downloadable user roles and PORT based auth

With switch version 16.08 we have the device options available.

 

Example config for a bridge AP user role:

 

aaa authorization user-role name "cap-bridge"
   vlan-id 10
   vlan-id-tagged 20-30
   device
      port-mode
      exit
   exit

 


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
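For context, here is the switch-side configuration that a role like the one above plugs into, written out as an added example; it is not from Willem's post or from Aruba documentation. The role bodies use the same syntax as the example above (the same text is what a downloadable role carries from ClearPass; the ClearPass side is not shown). The port number, VLAN IDs, RADIUS server address, keys and the role names are placeholders, and the surrounding port-access commands are ArubaOS-Switch 16.x syntax that should be checked against the 16.08 Access Security Guide for your platform before use. The role as first tried (VLANs only) is shown beside the corrected role with device port-mode.

```text
! Added example, not from the original post. Placeholders: port 1, VLANs 10/20-30,
! RADIUS server 192.0.2.10 and its keys, role names. Verify each command against
! the ArubaOS-Switch 16.08 Access Security Guide before use.

! RADIUS server, plus the CPPM identity the switch uses to download user roles
radius-server host 192.0.2.10 key "radius-secret"
radius-server cppm identity "switch-dur" key "dur-secret"

! Authenticate against RADIUS for both 802.1X and MAC auth
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

! Allow the switch to accept downloadable user roles from ClearPass
aaa authorization user-role enable download

! Role as first attempted: VLAN assignment only. The port stays in client-based
! mode, so every wireless client bridged through the AP also gets a wired auth.
aaa authorization user-role name "cap-bridge-vlan-only"
   vlan-id 10
   vlan-id-tagged 20-30
   exit

! Corrected role (16.08 and later): "device" / "port-mode" puts the port into
! port-based operation once the AP itself has authenticated, so clients behind
! the AP ride the AP's role and VLANs without a second authentication.
aaa authorization user-role name "cap-bridge"
   vlan-id 10
   vlan-id-tagged 20-30
   device
      port-mode
      exit
   exit

! AP-facing port: MAC auth and 802.1X enabled; the role applied is whichever
! one ClearPass returns for the AP's MAC address.
aaa port-access mac-based 1
aaa port-access authenticator 1
aaa port-access authenticator active
```

After the AP re-authenticates, "show port-access clients" (as in the first post) should list only the AP entry on the port, with the downloaded role marked by "*" and the tagged VLANs from the role; the per-client 802.1X and MAC entries for wireless users should no longer appear.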
MVP Expert

Re: CPPM - downloadable user roles and PORT based auth

Thank you,

 

I found a reference to port-mode for IAPs in the 16.08 security guide but couldn't find the exact syntax.

I only needed the device option before port-mode.  Works like a charm with it now.

Thank you!

 

 


Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: CPPM - downloadable user roles and PORT based auth

These are all available in standard mode in CPPM 6.8.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.