Contributor II

Does the IAP support 215 downloadable roles (DUR) of Clearpass?

Hi, I would like to know whether an IAP 215 in virtual controller supports downloading roles (DUR) from ClearPass in an 802.1X environment, whether a specific IAP version is needed, and what the best practice is, since I am doing this configuration in the same way on switches and there it works fine.
Thank you.

Guru Elite

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

Aruba Instant does not currently support DUR.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

Hi,

 

Is it accurate that ArubaOS 8.4.x with Airwave 8.2.8.1 supports DURs for the IAPs?

 

I'm mocking up in the lab a PoC for an upcoming project, where in my lab -  an IAP cluster (215 and 303H) is managed by Airwave (8.2.8.1) and I successfully use DUR with an Aruba switch (2930F), to have the Instant download its role.

 

My next step is to try and get the InstantVC through Airwave (which seems to have a setting on the SSID to "Download Role") to work with DUR for different client VLANs.

 

Using the Aruba-CPPM-Role VSA and the following syntax:

user-role DUR_IAP_DomainUser
vlan 130
!

I seem to see "success" on CPPM as to the enforcement profile pushed, but the user falls into the wrong VLAN; there is no role downloaded, as seen on the VC.


Am I missing anything? Is what I'm trying possible?

 

Thanks,
Evan
 

MVP Expert

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

Hi Evan,

 

Have you checked the IAP log?




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5
Occasional Contributor II

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

Hello,

 

I did notice 2 useful errors:

 

Dldb Role: Instant_DUR_Lab_Domain_User-3093-6 Invalid downloadable role, role name length invalid

This is the name of the enforcement profile in CPPM.

Attached is a snippet of its value.

 

Dldb Role: ArubaLabSecure Cannot be assigned downloadable role, role with same name exists in config

This is the name of the SSID, I don't have this anywhere on CPPM, it's the built-in user role that gets created when an SSID is created, I guess?

 

I can try to change the name to a smaller length and see what it says..

Occasional Contributor II

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

Further update on this: a shorter DUR name resulted in the below error:

Dldb Role: IAP_DomUs-3093-8 Cannot be assigned downloadable role, role is in error state

 Again, CPPM has the user successfully authenticated and proper enforcement profile assigned, but due to the error in the DUR - user gets dropped in the untagged (AP mgmt) VLAN.

 

ReadOnly account has been rechecked, exists properly on CPPM and group config in Airwave/VC.
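
Added example, not part of the original posts and not Aruba code: a small Python triage script that pulls the `Dldb Role:` lines quoted in this thread out of a log capture and groups the affected role names by failure message. The reason labels and the filler log lines are constructed for the example; only the three `Dldb Role:` lines come from the thread.

```python
import re
from collections import defaultdict

# The three failure messages quoted in this thread, mapped to short labels.
# The labels are this example's own names, not Aruba terminology.
REASONS = {
    "Invalid downloadable role, role name length invalid": "name_length",
    "Cannot be assigned downloadable role, role with same name exists in config": "name_collision",
    "Cannot be assigned downloadable role, role is in error state": "error_state",
}

# "Dldb Role: <role name> <message>"; role names in the thread contain no spaces.
LINE_RE = re.compile(r"Dldb Role:\s+(?P<role>\S+)\s+(?P<msg>.+?)\s*$")

def parse_dldb_line(line):
    """Return (role, reason_label) for a Dldb Role line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("role"), REASONS.get(m.group("msg"), "unrecognised")

def triage(log_text):
    """Group role names by failure reason, keeping first-seen order, no duplicates."""
    by_reason = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_dldb_line(line)
        if parsed and parsed[0] not in by_reason[parsed[1]]:
            by_reason[parsed[1]].append(parsed[0])
    return dict(by_reason)

# Sample input: the three lines quoted in the thread plus constructed filler lines.
SAMPLE_LOG = """\
(constructed) client associated to ArubaLabSecure
Dldb Role: Instant_DUR_Lab_Domain_User-3093-6 Invalid downloadable role, role name length invalid
Dldb Role: ArubaLabSecure Cannot be assigned downloadable role, role with same name exists in config
Dldb Role: IAP_DomUs-3093-8 Cannot be assigned downloadable role, role is in error state
(constructed) client placed in untagged VLAN
"""

if __name__ == "__main__":
    for reason, roles in triage(SAMPLE_LOG).items():
        print(f"{reason}: {', '.join(roles)}")
```
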

MVP Expert

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

Hi,

 

Have you tried not using _ in the profile name?




Occasional Contributor II

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

No, but I guess I could give it a try..

 

I would not see this as a problem, my wired profiles have _ and the ArubaOS switch works just fine.

Occasional Contributor II

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?


@alagoutte wrote:

Hi,

 

Have you tried not using _ in the profile name?


 

Same result - just tested this.

 

I'm leaning towards thinking that it's not supported on IAP with VC deployment, to extend DUR to wireless clients.

 

One reason is that the DUR templates on CPPM include only 3 products, and all 3 are wired (ArubaOS switch, MAS switch and Mobility Controller).

 

Tim Cappalli also mentioned above in this thread that Aruba Instant does not currently support DUR - dated back in September though.

MVP Expert

Re: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

What release of ClearPass are you using?



