Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Does the IAP support 215 downloadable roles (DUR) of Clearpass?

  • 1.  Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Sep 26, 2018 11:40 AM

    Hi, I would like to know if an IAP 215 in virtual controller mode supports downloading roles (DUR) from Clearpass in an 802.1X environment, whether you need a specific IAP version, and what the best practice is, since I am doing this configuration in the same way on switches and there it works fine.
    Thank you.



  • 2.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?
    Best Answer

    EMPLOYEE
    Posted Sep 26, 2018 11:47 AM
    Aruba Instant does not currently support DUR.


  • 3.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Apr 02, 2019 01:10 PM

    Hi,


    Is it accurate that ArubaOS 8.4.x with Airwave 8.2.8.1 supports DURs for the IAPs?


    I'm mocking up in the lab a PoC for an upcoming project, where, in my lab, an IAP cluster (215 and 303H) is managed by Airwave (8.2.8.1), and I successfully use DUR with an Aruba switch (2930F) to have the Instant download its role.


    My next step is to try and get the InstantVC through Airwave (which seems to have a setting on the SSID to "Download Role") to work with DUR for different client VLANs.


    Using the Aruba-CPPM-Role VSA and the following syntax:

    user-role DUR_IAP_DomainUser
    vlan 130
    !

    I seem to see "success" on CPPM as to the enforcement profile pushed, but the client falls into the wrong VLAN; there is no role downloaded as seen on the VC.


    Am I missing anything? Is what I'm trying possible?


    Thanks,
    Evan



  • 4.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    MVP GURU
    Posted Apr 03, 2019 02:06 AM

    Hi Evan,


    Have you checked the IAP log?



  • 5.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Apr 03, 2019 08:06 AM

    Hello,


    I did notice 2 useful errors:


    Dldb Role: Instant_DUR_Lab_Domain_User-3093-6 Invalid downloadable role, role name length invalid

    This is the name of the enforcement profile in CPPM.

    Attached is a snippet of its value.


    Dldb Role: ArubaLabSecure Cannot be assigned downloadable role, role with same name exists in config

    This is the name of the SSID, I don't have this anywhere on CPPM, it's the built-in user role that gets created when an SSID is created, I guess?


    I can try to change the name to a smaller length and see what it says..



  • 6.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Apr 03, 2019 09:46 AM

    Further update on this: a smaller length in the DUR name resulted in the error below:

    Dldb Role: IAP_DomUs-3093-8 Cannot be assigned downloadable role, role is in error state

    Again, CPPM has the user successfully authenticated and the proper enforcement profile assigned, but due to the error in the DUR the user gets dropped in the untagged (AP mgmt) VLAN.


    ReadOnly account has been rechecked, exists properly on CPPM and group config in Airwave/VC.


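An added pre-flight check (example code, not from this thread or from Aruba/ClearPass) that models the two failures quoted in the previous two posts: the downloaded role name being too long and the name colliding with a role already defined on the VC. It assumes that ClearPass names the pushed role <profile>-<id>-<version>, inferred from the "Instant_DUR_Lab_Domain_User-3093-6" log line; the maximum name length is a placeholder, since the page does not state the real limit, and the collision check also matches the bare profile name because the SSID collision above matched a bare name.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Placeholder (assumption): the thread shows a 34-character downloaded role
# name rejected as "role name length invalid" and a 16-character one passing;
# the real Instant limit is not stated on the page, so tune this value.
ASSUMED_MAX_ROLE_NAME_LEN = 32


@dataclass
class DurReport:
    downloaded_name: str          # name the VC logs after "Dldb Role:"
    vlan: Optional[int]
    problems: List[str] = field(default_factory=list)


def downloaded_role_name(profile_name: str, profile_id: int, version: int) -> str:
    """ClearPass pushes the role as <profile>-<id>-<version>; this format is
    inferred from 'Instant_DUR_Lab_Domain_User-3093-6' in the VC log above."""
    return f"{profile_name}-{profile_id}-{version}"


def parse_role_body(body: str) -> Optional[int]:
    """Parse the advanced-mode body ('user-role NAME' / 'vlan N' / '!') and
    return the VLAN it assigns; any other line is treated as a syntax error."""
    vlan = None
    for raw in body.strip().splitlines():
        line = raw.strip()
        if not line or line == "!" or re.fullmatch(r"user-role\s+\S+", line):
            continue
        m = re.fullmatch(r"vlan\s+(\d+)", line)
        if not m:
            raise ValueError(f"unrecognised line in role body: {line!r}")
        vlan = int(m.group(1))
    return vlan


def check_dur_profile(profile_name: str, profile_id: int, version: int,
                      body: str, vc_roles: List[str],
                      max_len: int = ASSUMED_MAX_ROLE_NAME_LEN) -> DurReport:
    """Pre-flight the length and collision checks behind the VC errors above.
    vc_roles lists roles already on the VC (e.g. the per-SSID role); the
    collision check matches the bare profile name too (assumption)."""
    name = downloaded_role_name(profile_name, profile_id, version)
    rep = DurReport(name, parse_role_body(body))
    if len(name) > max_len:
        rep.problems.append(f"role name length invalid ({len(name)} > {max_len})")
    if name in vc_roles or profile_name in vc_roles:
        rep.problems.append("role with same name exists in config")
    if rep.vlan is None:
        rep.problems.append("no vlan in body; client would fall to the default VLAN")
    return rep
```

The constructed inputs in a run would be the profile name, the id/version suffix and the VC's existing role names (such as the SSID name); a non-empty problems list means the profile would be rejected by the VC before any client authenticates.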

  • 7.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    MVP GURU
    Posted Apr 04, 2019 10:59 AM

    Hi,


    Have you tried not using _ in the profile name?



  • 8.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Apr 04, 2019 11:04 AM

    No, but I guess I could give it a try..


    I would not see this as a problem, my wired profiles have _ and the ArubaOS switch works just fine.



  • 9.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Apr 04, 2019 11:23 AM

    @alagoutte wrote:

    Hi,


    Have you tried not using _ in the profile name?



    Same result - just tested this.


    I'm leaning towards thinking that extending DUR to wireless clients is not supported on IAP with a VC deployment.


    One reason is that the DUR templates on CPPM include only 3 products, and all 3 are wired (ArubaOS switch, MAS switch and Mobility Controller).


    Tim Cappalli also mentioned above in this thread that Aruba Instant does not currently support DUR - dated back in September though.



  • 10.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    MVP GURU
    Posted Apr 04, 2019 11:27 AM

    What release of ClearPass are you using?



  • 11.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Apr 04, 2019 11:31 AM

    I thought I mentioned it, my bad.


    I initially tried with 6.7.8 and yesterday upgraded to 6.8.0 (latest), same results.



  • 12.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    EMPLOYEE
    Posted Apr 04, 2019 01:20 PM
    Downloadable User Roles are supported starting in Instant 8.4.0. On the ClearPass side, advanced mode must be used.


  • 13.  RE: Does the IAP support 215 downloadable roles (DUR) of Clearpass?

    Posted Apr 04, 2019 01:55 PM

    Hi Tim,


    Yes, the DUR profile has been created using the advanced mode, the Mobility Controller template and syntax such as: Aruba-CPPM-Role = user-role ABC vlan xxx


    All products involved run the latest codes, and I even imported CPPM's signing CA certificate to the VC's trusted zone, similarly to how it's needed on the Aruba switch side.


    Anything obvious I'm missing, that would cause the error seen on Instant, even though CPPM applies the proper enforcement policy?