Occasional Contributor II

ClearPass DUR for Instant VC deployment

Hi,

Do you know if Instant VC (managed through Airwave - Instant GUI) supports DUR from CPPM - all running latest codes?

Environment in my lab consists of an IAP cluster (215 and 303H), running ArubaOS 8.4.0, managed by Airwave (8.2.8.1), and I successfully use DUR with CPPM (6.8.0) and an Aruba switch (8.4.0) to have the Instant download its own role.

Trying now to get the Instant VC through Airwave (which seems to have a setting on the SSID to "Download Role") to work with DUR for different client VLANs - extending this to the wireless.

Using the Aruba-CPPM-Role VSA and the following syntax:

user-role DUR_IAP_DomainUser
vlan 130
!

I seem to see "success" on CPPM as to the enforcement profile pushed, but clients fall into the wrong VLAN; there is no role downloaded as seen on the VC.

The following is seen in the VC logs:

Dldb Role: IAP_DomUs-3093-8 Cannot be assigned downloadable role, role is in error state

CPPM has the user successfully authenticated and the proper enforcement profile assigned, but due to the error in the DUR the user gets dropped in the untagged (AP mgmt) VLAN.

ReadOnly account exists properly on CPPM and group config in Airwave/VC.

Is what I'm trying to do even possible, or am I going down the wrong path?

Appreciate any feedback.

Occasional Contributor II

Re: ClearPass DUR for Instant VC deployment

Further update on this, I have uploaded the CPPM's signing CA certificate on the VC trusted root (similarly to how it's done and needed on the Aruba switch), but still the same error.

MVP Guru

Re: ClearPass DUR for Instant VC deployment

Maybe the following video may help: https://www.youtube.com/watch?v=HwSHPxz7B5o It shows how to set up Aruba Instant with Downloadable User Roles.

Three additional suggestions:

- Make sure the clock is set and synced on the IAP and ClearPass.
- Make sure that you enter the ClearPass, when configured as RADIUS server in the Instant AP, as hostname (like cppm.yourdomain.com), not as IP.
- Use the Aruba Instant WebUI to create a valid role, extract that from the CLI configuration, and enter that in ClearPass. I can imagine that a user role with just a VLAN is not a complete definition and access rules might be required to have a valid role.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: ClearPass DUR for Instant VC deployment

@Herman Robers wrote:

Maybe the following video may help: https://www.youtube.com/watch?v=HwSHPxz7B5o It shows how to set up Aruba Instant with Downloadable User Roles.

Three additional suggestions:

- Make sure the clock is set and synced on the IAP and ClearPass.
- Make sure that you enter the ClearPass, when configured as RADIUS server in the Instant AP, as hostname (like cppm.yourdomain.com), not as IP.
- Use the Aruba Instant WebUI to create a valid role, extract that from the CLI configuration, and enter that in ClearPass. I can imagine that a user role with just a VLAN is not a complete definition and access rules might be required to have a valid role.

Thanks for the suggestions and link!

Clock is synced, but I'll check the hostname of CPPM instead of IP as the radius server config.

Regarding the last part of the valid role - the syntax I used was what the CPPM template for Aruba DUR includes, when you select the Mobility Controller template.

The options are only switches (Aruba and MAS) and then Mobility Controller.

 

Occasional Contributor II

Re: ClearPass DUR for Instant VC deployment

Hi,

I followed the steps on the link - added the FQDN of CPPM on the Instant GUI config as well as the ArubaOS switch.

I successfully downloaded the public CA cert of CPPM, as before.

I've modified my enforcement profile to look like this:

Radius:Aruba:Aruba-CPPM-Role    instant_dur-3099-6
wlan access-rule instant_dur
utf8
index 9
rule any any match any any any permit
vlan 130

which I modeled off the Instant CLI.

Still I see the request succeed on CPPM, but below is the error log on the IAP:

Apr  8 13:03:19  stm[4811]: <199802> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  auth_cppm_api.c, auth_curl_perform:126: Dldb Role instant_dur-3099-6: Curl response with HTTP code: 0
Apr  8 13:03:19  stm[4811]: <124830> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  Dldb Role instant_dur-3099-6: Users dequeued, role in incomplete state
Apr  8 13:03:20  stm[4811]: <522280> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  MAC=40:d3:ae:3b:bd:c8  Dldb Role: instant_dur-3099-6 Cannot be assigned downloadable role, role is in error state
Apr  8 13:03:20  cli[4787]: <541004> <WARN> |AP Lab-Aruba215@10.10.120.106 cli|  recv_stm_sta_update: receive station msg, mac-40:d3:ae:3b:bd:c8 bssid-04:bd:88:60:7b:10 essid-ArubaLabSecure timestamp-1554743000-453872.
Apr  8 13:03:20  cli[4787]: <541004> <WARN> |AP Lab-Aruba215@10.10.120.106 cli|  recv_stm_sta_update: receive station msg, mac-40:d3:ae:3b:bd:c8 bssid-04:bd:88:60:7b:10 essid-ArubaLabSecure timestamp-1554743000-474544

NTP and DNS are not issues; the certificate of CPPM is shown on the Instant CLI.

I'll get a sniffer trace and examine the Radius response more closely, but are there any pointers at that stage?
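Added example, not from the post or from Aruba: a small Python parser that runs over the stm log lines quoted above, pulls the curl HTTP code of the role fetch and the client MACs dropped per downloadable role, and separates "HTTP code 0" (no HTTPS session to ClearPass was ever completed) from a real HTTP error. The reading of the HTTP codes is generic HTTP knowledge, not an Aruba-documented mapping; the sample lines are the ones from the post.

```python
import re
from typing import Dict

# Sample input: three of the stm lines quoted in the post above, copied as they
# appear there (role name and client MAC are the post's own values).
SAMPLE_LOG = """\
Apr  8 13:03:19  stm[4811]: <199802> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  auth_cppm_api.c, auth_curl_perform:126: Dldb Role instant_dur-3099-6: Curl response with HTTP code: 0
Apr  8 13:03:19  stm[4811]: <124830> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  Dldb Role instant_dur-3099-6: Users dequeued, role in incomplete state
Apr  8 13:03:20  stm[4811]: <522280> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  MAC=40:d3:ae:3b:bd:c8  Dldb Role: instant_dur-3099-6 Cannot be assigned downloadable role, role is in error state
"""

# The two stm messages that matter: the curl result of the role fetch from
# ClearPass, and the per-client "role is in error state" drop.
CURL_RE = re.compile(r"Dldb Role (?P<role>\S+): Curl response with HTTP code: (?P<code>\d+)")
DROP_RE = re.compile(r"MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+Dldb Role: (?P<role>\S+) Cannot be assigned downloadable role")


def diagnose_http_code(code: int) -> str:
    """Generic HTTP reading of the curl result (assumption: not an Aruba-documented mapping)."""
    if code == 0:
        # libcurl reports 0 when no HTTP response was received at all: the TCP/TLS
        # session to ClearPass never completed (trust, name, clock or reachability).
        return "no HTTP response: HTTPS session to ClearPass not established"
    if 200 <= code < 300:
        return "role downloaded"
    if 400 <= code < 500:
        return f"ClearPass rejected the request (HTTP {code}): check API credentials and role name"
    return f"ClearPass returned HTTP {code}"


def analyze_dur_log(log_text: str) -> Dict[str, dict]:
    """Group the DUR fetch result and the affected clients per downloadable role."""
    roles: Dict[str, dict] = {}
    blank = lambda: {"http_code": None, "diagnosis": "", "affected_macs": []}
    for line in log_text.splitlines():
        m = CURL_RE.search(line)
        if m:
            entry = roles.setdefault(m["role"], blank())
            entry["http_code"] = int(m["code"])
            entry["diagnosis"] = diagnose_http_code(entry["http_code"])
            continue
        m = DROP_RE.search(line)
        if m:
            entry = roles.setdefault(m["role"], blank())
            if m["mac"] not in entry["affected_macs"]:
                entry["affected_macs"].append(m["mac"])
    return roles


if __name__ == "__main__":
    for role, info in analyze_dur_log(SAMPLE_LOG).items():
        print(f"{role}: HTTP {info['http_code']} -> {info['diagnosis']}; clients dropped: {info['affected_macs']}")
```

Feed it the stm section of `show log system` (or the syslog export) and every role whose diagnosis starts with "no HTTP response" points at the HTTPS/trust path rather than at the role definition itself.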

MVP Guru

Re: ClearPass DUR for Instant VC deployment

From the log line:

Curl response with HTTP code: 0

I would guess that you have an issue with the server certificate on the ClearPass server, which might be that it is not trusted, an invalid root CA (not in ClearPass Trust list), expired, etc., which prevents the HTTPS session from being established. Otherwise, I would have expected a 3-digit HTTP code, as they should be 3 digits.

If you can't figure out yourself quickly what to fix, please work with Aruba TAC.

Occasional Contributor II

Re: ClearPass DUR for Instant VC deployment

@Herman Robers wrote:

From the log line:

Curl response with HTTP code: 0

I would guess that you have an issue with the server certificate on the ClearPass server, which might be that it is not trusted, an invalid root CA (not in ClearPass Trust list), expired, etc., which prevents the HTTPS session from being established. Otherwise, I would have expected a 3-digit HTTP code, as they should be 3 digits.

If you can't figure out yourself quickly what to fix, please work with Aruba TAC.

Hi,

I am the Aruba partner - but I might be able to reach out to an Aruba SE if I can't figure it out myself.

To expand on your comment, does the IAP process DUR similarly to an ArubaOS switch?

I mean, the IAP would need to have CPPM's issuing CA installed in its trusted zone, like the switch does, right?

Because I've got all the wired setup perfectly working with DUR (i.e. Dot1X, VoIP, IoT, IAP as wired client etc.), I'm a little confused as to what I am missing on the IAP to facilitate this.

Thanks for the useful pointers!

MVP Guru

Re: ClearPass DUR for Instant VC deployment

I stand corrected on the root CA download. You are completely right and I mixed up server and IAP side. I assume that you do have a CA-issued certificate on ClearPass, as I would expect possible issues with a self-signed certificate on the ClearPass, as it doesn't have a root CA.
