MVP Expert

Re: ClearPass Solution Guide: Wired Policy Enforcement


@Udimonk wrote:

Hello all,

I've run into a limitation on 2930F switches with local user-roles. When I try to define a new user-role I get the following error:

"The maximum number of local user roles allowed is 32".

This is a big problem since our customer is using more than 32 VLANs on their access layer. I personally don't want to go back to the days of having to manually configure a port, so I'm working with support to get this resolved. Also posting here since I didn't find this particular limit anywhere in docs or community posts.

I'm considering trying downloadable user roles, if that allows me to add more than 32 user-roles to the switches, but I don't know if that'll let me get past the limitation. More testing required ;-)


What is your configuration?

A user-role = a VLAN?

(Maybe better to open a new topic..)




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5
Contributor I

Re: ClearPass Solution Guide: Wired Policy Enforcement

Exactly. Our ClearPass cluster is returning generic role names that are tied to local user-roles on the switches. We have a few special roles that have wired captive portal ACLs active, mostly for guest users.

I've included one of the switch configs. I have opened a new topic; for those interested, the link is below. I'll update it once we find a working solution with support. So far it's been verified in their labs.

 

https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/2930F-max-local-user-roles/td-p/487076

MVP Expert

Re: ClearPass Solution Guide: Wired Policy Enforcement

It looks like it is the same POLICY actually...

I think we need to look at returning a VLAN (ID or name) from ClearPass...




Guru Elite

Re: ClearPass Solution Guide: Wired Policy Enforcement

I would recommend you reach out to your Aruba team to hear about some potential future improvements to the solution.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hi Tim,

First, thanks for your availability and continued support on these forums.

In the Comware section of the solution guide, you recommend disabling the multicast-trigger feature, because it can cause issues with IP phones.

I actually experienced the opposite, with Aastra phones. The phones would not reauthenticate unless multicast-trigger was enabled. Finally we enabled both multicast and unicast trigger on the ports.

First question: could you elaborate on why multicast-trigger could cause issues with phones in particular?

Second question: do you think enabling both multicast-trigger and unicast-trigger could cause undesired side effects?

Thanks a lot for your insights.

Regards,

Sacha B.
Occasional Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

Is it possible to configure the authentication of guests with a captive portal without the 5130 EI switch needing to be layer 3?

Contributor I

Re: ClearPass Solution Guide: Wired Policy Enforcement

No, you wouldn't be able to redirect clients to a different IP.

The best you can achieve, in my opinion, is to permit HTTPS (port 443) and have users browse to the portal themselves. After that you can register the user, assign VLANs/ACLs and let the user reconnect by either sending a Change of Authorization (CoA) or asking the user to unplug and replug themselves.
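An added example, not code from this thread, from Aruba or from ClearPass, that ties together two points raised in the discussion: returning a VLAN ID or name in the RADIUS Access-Accept instead of a switch-local user role (the alternative suggested for the 32-role limit), and the Change of Authorization (CoA) request used to make a wired client re-evaluate its session after portal registration. It encodes the packets directly from RFC 2865/2868/2869/5176 and adds the receive-side check a NAS performs on a CoA-Request, which goes a little beyond the post. The shared secret, user name, MAC address, NAS address and packet identifiers are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865, RFC 5176)
ACCESS_ACCEPT = 2
COA_REQUEST = 43

# Attribute types used here (RFC 2865, RFC 2868, RFC 2869)
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
MESSAGE_AUTHENTICATOR = 80
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(attr_type, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_avp(attr_type, tag, value):
    """Tunnel attributes (RFC 2868) carry a one-octet tag before the value."""
    return avp(attr_type, bytes([tag]) + value)


def vlan_attributes(vlan, tag=1):
    """The three tunnel attributes that tell an 802.1X/MAC-auth switch which VLAN to
    assign. `vlan` may be a numeric ID or a VLAN name; both travel as a string
    (RFC 3580 section 3.31), so the switch can match by ID or by name."""
    return (
        tagged_avp(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + tagged_avp(TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + tagged_avp(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode())
    )


def parse_attributes(data):
    """Walk the attribute TLV list, rejecting bad lengths. Returns [(type, offset, value)]."""
    out, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("attribute length runs past the packet")
        out.append((attr_type, offset, data[offset + 2:offset + length]))
        offset += length
    return out


def build_packet(code, identifier, attributes, secret, request_authenticator=None):
    """Assemble header + Authenticator + attributes with a Message-Authenticator appended.

    Message-Authenticator (RFC 2869 section 5.14) is HMAC-MD5 over the packet with its own
    16 octets zeroed. For an Access-Accept the Authenticator field used in the HMAC and in
    the final MD5 is the Request Authenticator of the Access-Request being answered; for a
    CoA-Request it is 16 zero octets, and the Request Authenticator then becomes
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret) (RFC 5176 section 3)."""
    attrs = attributes + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth_field = request_authenticator or b"\x00" * 16
    mac = hmac.new(secret, header + auth_field + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac          # fill the zeroed placeholder (last attribute)
    authenticator = hashlib.md5(header + auth_field + attrs + secret).digest()
    return header + authenticator + attrs


def build_access_accept(identifier, request_authenticator, vlan, secret):
    """Access-Accept that returns a VLAN (ID or name) rather than a switch-local user role."""
    return build_packet(ACCESS_ACCEPT, identifier, vlan_attributes(vlan), secret, request_authenticator)


def build_coa_request(identifier, username, mac_address, nas_ip, secret):
    """CoA-Request identifying the session the switch should re-evaluate (RFC 5176)."""
    attrs = (
        avp(USER_NAME, username.encode())
        + avp(CALLING_STATION_ID, mac_address.encode())
        + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    return build_packet(COA_REQUEST, identifier, attrs, secret)


def verify_coa_request(packet, secret):
    """Receive-side check: length, Request Authenticator and Message-Authenticator must all
    hold. Returns False (never raises) on any mismatch or malformed packet."""
    try:
        if len(packet) < 20:
            return False
        code, _identifier, length = struct.unpack("!BBH", packet[:4])
        if code != COA_REQUEST or length != len(packet):
            return False
        header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
        parsed = parse_attributes(attrs)
        expected_auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
        if not hmac.compare_digest(expected_auth, authenticator):
            return False
        macs = [(off, val) for t, off, val in parsed if t == MESSAGE_AUTHENTICATOR]
        if len(macs) != 1 or len(macs[0][1]) != 16:
            return False
        off, received = macs[0]
        zeroed = attrs[:off + 2] + b"\x00" * 16 + attrs[off + 18:]
        expected_mac = hmac.new(secret, header + b"\x00" * 16 + zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected_mac, received)
    except ValueError:
        return False
```

The Access-Accept path is what a "return the VLAN, not a role" enforcement profile produces on the wire, so the switch never consults its local role table; the CoA path is the server-initiated nudge that replaces asking the guest to unplug. `verify_coa_request` is included because a NAS that skips the Message-Authenticator check accepts any CoA whose sender merely knows the packet layout, which is why both checks are done in constant time and every failure collapses to a plain False.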

Frequent Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hi!

Will the guide be updated after the new firmware release?

Also, this new feature isn't available on 2920 switches in the latest release; any idea if it will be available in the future?

"Starting with 16.08 release, users can specify the order and priority for Authentication methods."

ACMP | ACCP
MVP Expert

Re: ClearPass Solution Guide: Wired Policy Enforcement

Yes, there are also other new features in 16.08 (like downloading the root certificate for ClearPass...)




New Contributor

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hi Tim,

In that document it is mentioned that by selecting HEWLETT PACKARD ENTERPRISE in the NAS vendor setting, the user request will be directed to the web authentication service.

Can you please clarify how the request is categorized as Web auth, and how enforcing an endpoint attribute and bouncing the host port work???
