Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass DUR for Instant VC deployment

  • 1.  ClearPass DUR for Instant VC deployment

    Posted Apr 04, 2019 10:04 AM

    Hi,

     

    Do you know if Instant VC (managed through AirWave - Instant GUI) supports DUR from CPPM - all running the latest code?

     

    The environment in my lab consists of an IAP cluster (215 and 303H), running ArubaOS 8.4.0, managed by AirWave (8.2.8.1), and I successfully use DUR with CPPM (6.8.0) and an Aruba switch (8.4.0) to have the Instant download its own role.

     

    Trying now to get the InstantVC through Airwave (which seems to have a setting on the SSID to "Download Role") to work with DUR for different client VLANs - extending this to the wireless.

     

    Using the Aruba-CPPM-Role VSA and the following syntax:

    user-role DUR_IAP_DomainUser
    vlan 130
    !

    I seem to see "success" on CPPM as to the enforcement profile pushed, but clients fall into the wrong VLAN; there is no role downloaded, as seen on the VC.

     

    The following is seen in the VC logs:

    Dldb Role: IAP_DomUs-3093-8 Cannot be assigned downloadable role, role is in error state

    CPPM has the user successfully authenticated and proper enforcement profile assigned, but due to the error in the DUR - user gets dropped in the untagged (AP mgmt) VLAN.

     

    ReadOnly account exists properly on CPPM and group config in Airwave/VC.

     

    Is what I'm trying to do even possible, or am I going down the wrong path?

     

    Appreciate any feedback.



  • 2.  RE: ClearPass DUR for Instant VC deployment

    Posted Apr 04, 2019 01:17 PM

    Further update on this, I have uploaded the CPPM's signing CA certificate on the VC trusted root (similarly to how it's done and needed on the Aruba switch), but still the same error.



  • 3.  RE: ClearPass DUR for Instant VC deployment

    EMPLOYEE
    Posted Apr 05, 2019 03:55 AM

    Maybe the following video may help: https://www.youtube.com/watch?v=HwSHPxz7B5o It shows how to set up Aruba Instant with Downloadable User Roles.

     

    Three additional suggestions:

    - Make sure the clock is set and synced on the IAP and ClearPass

    - Make sure that you enter ClearPass, when configured as the RADIUS server in the Instant AP, as a hostname (like cppm.yourdomain.com), not as an IP.

    - Use the Aruba Instant WebUI to create a valid role, extract that from the CLI configuration, and enter that in ClearPass. I can imagine that a user role with just a VLAN is not a complete definition and access rules might be required to have a valid role.



  • 4.  RE: ClearPass DUR for Instant VC deployment

    Posted Apr 08, 2019 08:47 AM

    @Herman Robers wrote:

    Maybe the following video may help: https://www.youtube.com/watch?v=HwSHPxz7B5o It shows how to set up Aruba Instant with Downloadable User Roles.

     

    Three additional suggestions:

    - Make sure the clock is set and synced on the IAP and ClearPass

    - Make sure that you enter ClearPass, when configured as the RADIUS server in the Instant AP, as a hostname (like cppm.yourdomain.com), not as an IP.

    - Use the Aruba Instant WebUI to create a valid role, extract that from the CLI configuration, and enter that in ClearPass. I can imagine that a user role with just a VLAN is not a complete definition and access rules might be required to have a valid role.


     

    Thanks for the suggestions and link!

     

    The clock is synced, but I'll check using the hostname of CPPM instead of the IP in the RADIUS server config.

     

    Regarding the last part about the valid role - the syntax I used was what the CPPM template for Aruba DUR includes when you select the Mobility Controller template.

    The options are only switches (Aruba and MAS) and then Mobility Controller.

     



  • 5.  RE: ClearPass DUR for Instant VC deployment

    Posted Apr 08, 2019 01:13 PM

    Hi,

     

    I followed the steps in the link - added the FQDN of CPPM in the Instant GUI config as well as on the ArubaOS switch.

    I successfully downloaded the public CA cert of CPPM, as before.

     

    I've modified my enforcement profile to look like this: 

    Radius:Aruba:Aruba-CPPM-Role    instant_dur-3099-6
    wlan access-rule instant_dur
    utf8
    index 9
    rule any any match any any any permit
    vlan 130

    which I modeled off the Instant CLI.

     

    I still see the request succeed on CPPM, but below is the error log on the IAP:

    Apr  8 13:03:19  stm[4811]: <199802> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  auth_cppm_api.c, auth_curl_perform:126: Dldb Role instant_dur-3099-6: Curl response with HTTP code: 0
    Apr  8 13:03:19  stm[4811]: <124830> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  Dldb Role instant_dur-3099-6: Users dequeued, role in incomplete state
    Apr  8 13:03:20  stm[4811]: <522280> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  MAC=40:d3:ae:3b:bd:c8  Dldb Role: instant_dur-3099-6 Cannot be assigned downloadable role, role is in error state
    Apr  8 13:03:20  cli[4787]: <541004> <WARN> |AP Lab-Aruba215@10.10.120.106 cli|  recv_stm_sta_update: receive station msg, mac-40:d3:ae:3b:bd:c8 bssid-04:bd:88:60:7b:10 essid-ArubaLabSecure timestamp-1554743000-453872.
    Apr  8 13:03:20  cli[4787]: <541004> <WARN> |AP Lab-Aruba215@10.10.120.106 cli|  recv_stm_sta_update: receive station msg, mac-40:d3:ae:3b:bd:c8 bssid-04:bd:88:60:7b:10 essid-ArubaLabSecure timestamp-1554743000-474544

    NTP and DNS are not issues; the certificate of CPPM is shown on the Instant CLI.

     

    I'll get a sniffer trace and examine the RADIUS response more closely, but are there any pointers at this stage?

     



  • 6.  RE: ClearPass DUR for Instant VC deployment

    EMPLOYEE
    Posted Apr 09, 2019 05:05 AM

    From the log line: 

    Curl response with HTTP code: 0

    I would guess that you have an issue with the server certificate on the ClearPass server, which might be that it is not trusted, an invalid root CA (not in the ClearPass trust list), expired, etc., which prevents the HTTPS session from being established. Otherwise, I would have expected a 3-digit HTTP code, as they should be 3 digits.

     

    If you can't figure out yourself quickly what to fix, please work with Aruba TAC.
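
A small triage helper, added here as an example and not part of this thread or any Aruba tooling, that parses the IAP stm lines quoted above (the "Curl response with HTTP code" line and the "incomplete"/"error state" lines) and maps the curl HTTP code to the layer that failed, following the reasoning in this reply: code 0 means no HTTP response ever arrived, so the failure is in TLS/transport, not in the role. The non-zero mappings use generic HTTP status semantics and are an assumption about how ClearPass would answer, not something the thread confirms.

```python
import re
from typing import Dict, Optional

# Constructed sample: the three stm lines quoted from the IAP earlier in this thread.
SAMPLE_LOG = """\
Apr  8 13:03:19  stm[4811]: <199802> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  auth_cppm_api.c, auth_curl_perform:126: Dldb Role instant_dur-3099-6: Curl response with HTTP code: 0
Apr  8 13:03:19  stm[4811]: <124830> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  Dldb Role instant_dur-3099-6: Users dequeued, role in incomplete state
Apr  8 13:03:20  stm[4811]: <522280> <ERRS> |AP Lab-Aruba215@10.10.120.106 stm|  MAC=40:d3:ae:3b:bd:c8  Dldb Role: instant_dur-3099-6 Cannot be assigned downloadable role, role is in error state
"""

# HTTP status the IAP's curl call got back when fetching the role from ClearPass.
CURL_RE = re.compile(r"Dldb Role (?P<role>[\w.-]+): Curl response with HTTP code: (?P<code>\d+)")
# Role lifecycle messages ("role in incomplete state", "role is in error state").
STATE_RE = re.compile(r"Dldb Role:? (?P<role>[\w.-]+):? .*?role (?:is )?in (?P<state>\w+) state")


def explain_http_code(code: Optional[int]) -> str:
    """Map the curl HTTP code to the layer that failed (generic HTTP semantics, assumed)."""
    if code is None:
        return "no curl result logged for this role"
    if code == 0:
        # curl reports 0 when no HTTP response arrived at all: the TCP/TLS session never
        # completed, so certificate trust, hostname and clock are the suspects, not the role.
        return "transport/TLS failure before any HTTP response (check CPPM cert chain, trust store, FQDN, time)"
    if code in (401, 403):
        return "ClearPass answered but rejected the API credentials (check the read-only account)"
    if code == 404:
        return "ClearPass answered but has no role by that name (check the Aruba-CPPM-Role value)"
    if 200 <= code < 300:
        return "role was fetched; a later error state points at the role syntax itself"
    return f"unexpected HTTP {code} from ClearPass"


def triage_dur_log(log_text: str) -> Dict[str, dict]:
    """Group IAP stm lines per downloadable role and attach a diagnosis."""
    roles: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = CURL_RE.search(line)
        if m:
            roles.setdefault(m["role"], {"http_code": None, "states": []})["http_code"] = int(m["code"])
            continue
        m = STATE_RE.search(line)
        if m:
            roles.setdefault(m["role"], {"http_code": None, "states": []})["states"].append(m["state"])
    for info in roles.values():
        info["diagnosis"] = explain_http_code(info["http_code"])
    return roles


if __name__ == "__main__":
    for role, info in triage_dur_log(SAMPLE_LOG).items():
        print(role, info["http_code"], info["states"], "->", info["diagnosis"])
```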



  • 7.  RE: ClearPass DUR for Instant VC deployment

    Posted Apr 09, 2019 02:28 PM

    @Herman Robers wrote:

    From the log line: 

    Curl response with HTTP code: 0

    I would guess that you have an issue with the server certificate on the ClearPass server, which might be that it is not trusted, an invalid root CA (not in the ClearPass trust list), expired, etc., which prevents the HTTPS session from being established. Otherwise, I would have expected a 3-digit HTTP code, as they should be 3 digits.

     

    If you can't figure out yourself quickly what to fix, please work with Aruba TAC.


    Hi,

     

    I am the Aruba partner - but I might be able to reach out to an Aruba SE if I can't figure it out myself.

     

    To expand on your comment, does the IAP process DUR similarly to an ArubaOS switch?

     

    I mean, the IAP would need to have CPPM's issuing CA installed in its trusted zone, like the switch does, right?

     

    Because I've got the whole wired setup working perfectly with DUR (i.e. dot1X, VoIP, IoT, IAP as a wired client, etc.), I'm a little confused as to what I'm missing on the IAP to facilitate this.

     

    Thanks for the useful pointers!



  • 8.  RE: ClearPass DUR for Instant VC deployment

    EMPLOYEE
    Posted Apr 10, 2019 04:25 AM

    I stand corrected on the root CA download. You are completely right and I mixed up server and IAP side. I assume that you do have a CA issued certificate on ClearPass, as I would expect possible issues with a self-signed certificate on the ClearPass as it doesn't have a root CA.