Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Downloadable Users Roles - Profile for Access Points

  • 1.  Downloadable Users Roles - Profile for Access Points

    Posted Aug 16, 2019 09:03 PM

    Hello,

     

    I'm having an issue whereby I'm sending downloadable user roles from ClearPass to an Aruba Switch (2930F - v16.09.003). Specifically, I've created a profile for an access point to boot on a colorless port. I can see that the AP works as intended in a statically assigned port and the AP will boot on the untagged VLAN, but I'm unable to connect to an SSID that's using the tagged VLAN on the switch.

     

    In this example the AP should boot on VLAN 100 and clients should associate to VLAN 101. Yet it seems the switch is not handling the tagged port traffic correctly.

     

    Is there anything special that needs to be done to get DUR working for an access point regarding the tagged vlans?

     

    Aruba-Lab-SW1# show port-access clients 6 detailed
    
     Port Access Client Status Detail
    
      Client Base Details :
       Port            : 6                     Authentication Type : mac-based
       Client Status   : authenticated         Session Time        : 603 seconds
       Client Name     : 20a6cdc05a98          Session Timeout     : 28800 seconds
       MAC Address     : 20a6cd-c05a98
       IP              : 172.16.100.10
    
       Auth Order      : Not Set
       Auth Priority   : Not Set
       LMA Fallback    : Disabled
    
    Downloaded user roles are preceded by *
    
     User Role Information
    
       Name                              : *Aruba_DUR_Access_Point-3021-3
       Type                              : downloaded
       Reauthentication Period (seconds) : 28800
       Cached Reauth Period (seconds)    : 0
       Logoff Period (seconds)           : 300
       Untagged VLAN                     : 100
       Tagged VLANs                      : 101
       Captive Portal Profile            :
       Policy                            :
       Tunnelednode Server Redirect      : Disabled
       Secondary Role Name               :
       Device Attributes                 : Disabled

    The role I'm sending from ClearPass is the following:

     

    aaa authorization user-role name "DUR-Access-Point"
    reauth-period 28800
    vlan-name "LAB-MGMT"
    vlan-name-tagged "LAB-Corp"
    exit


  • 2.  RE: Downloadable Users Roles - Profile for Access Points

    Posted Aug 16, 2019 09:08 PM

    I also recognize that what I'm attempting to do may not be possible if the switch is attempting to authenticate every individual MAC address that connects to a given port. Or if there's a way to disable this, that would be helpful/great.



  • 3.  RE: Downloadable Users Roles - Profile for Access Points
    Best Answer

    EMPLOYEE
    Posted Aug 17, 2019 07:06 AM

    You have to send back the port mode attribute introduced with WC.16.08. This is available on ClearPass in the standard downloadable user role configuration since 6.8. It is explained in the Access Security Guide of the Switch:
    http://h22208.www2.hpe.com/eginfolib/Aruba/16.09/5200-5908/index.html#GUID-C6553916-956F-4830-BA98-A127FC63677D.html

     

    Also check the attached picture.



  • 4.  RE: Downloadable Users Roles - Profile for Access Points

    Posted Aug 17, 2019 11:15 AM
    Is this an IAP?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Downloadable Users Roles - Profile for Access Points

    Posted Aug 17, 2019 06:57 PM

    It is an IAP!

     

    I tried sending back HPE-Port-Dot1x-Port-Mode and HPE-Port-Macauth-Client-Limit and the switch complained.

     

    Capture.PNG



  • 6.  RE: Downloadable Users Roles - Profile for Access Points

    Posted Aug 17, 2019 09:17 PM

    Thanks Holger! This worked perfectly!

     

    aaa authorization user-role name "DUR-Access-Point"
    reauth-period 28800
    vlan-name "LAB-MGMT"
    vlan-name-tagged "LAB-Corp"
    device
    port-mode
    exit
    exit
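A small lint that catches the mismatch in this thread from both sides: the DUR text ClearPass sends (tagged VLANs present but no `device` / `port-mode`), and the switch's `show port-access clients <port> detailed` output (a downloaded role with Tagged VLANs set while Device Attributes is Disabled). This is an added example for this thread, not code from the thread, ClearPass or HPE. Function and constant names are mine; the role text and show-output layouts are taken from the posts above; the `vlan-id` / `vlan-id-tagged` forms are assumed counterparts of the `vlan-name` commands shown, and the sample inputs are constructed, not captured from a real switch.

```python
"""Lint ClearPass downloadable user roles (DUR) meant for AP ports on an
ArubaOS-Switch, plus the switch-side 'show port-access clients <port> detailed'
output. Added example; not ClearPass or HPE code. Assumes the role commands
seen in the thread (vlan-name, vlan-name-tagged, device / port-mode,
reauth-period), their vlan-id counterparts (assumed), and the 'User Role
Information' layout from the first post."""
import re

ROLE_NAME_RE = re.compile(r'aaa authorization user-role name "([^"]+)"')
# vlan-name-tagged must come before vlan-name so the alternation picks the longer form
VLAN_RE = re.compile(r'(vlan-name-tagged|vlan-name|vlan-id-tagged|vlan-id)\s+"?([^"]+?)"?\s*$')
REAUTH_RE = re.compile(r'reauth-period\s+(\d+)')
KV_RE = re.compile(r'^\s*(.+?)\s*:\s*(.*?)\s*$')


def parse_role_definition(text):
    """Turn a DUR text block into a dict. Tracks the 'device' sub-context so
    'port-mode' only counts when it appears inside it."""
    role = {"name": None, "untagged": [], "tagged": [],
            "reauth_period": None, "device_port_mode": False}
    in_device = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ROLE_NAME_RE.match(line):
            role["name"] = m.group(1)
        elif line == "device":
            in_device = True
        elif line == "exit":
            in_device = False  # leaves the device context; the outer exit is harmless
        elif line == "port-mode":
            if in_device:
                role["device_port_mode"] = True
        elif m := VLAN_RE.match(line):
            bucket = "tagged" if m.group(1).endswith("-tagged") else "untagged"
            role[bucket].append(m.group(2))
        elif m := REAUTH_RE.match(line):
            role["reauth_period"] = int(m.group(1))
    return role


def lint_role(role):
    """Flag a role that hands tagged VLANs to the port without putting the
    port into device mode: the switch then tries to authenticate every
    client MAC behind the AP instead of treating the AP as the device."""
    issues = []
    if role["tagged"] and not role["device_port_mode"]:
        issues.append("tagged VLAN(s) %s set but no 'device' / 'port-mode' in the role"
                      % ", ".join(role["tagged"]))
    return issues


def parse_show_port_access(text):
    """Pull the 'User Role Information' block out of the show output into a
    field -> value dict; everything before that header is skipped."""
    fields = {}
    in_role_block = False
    for line in text.splitlines():
        if "User Role Information" in line:
            in_role_block = True
            continue
        if in_role_block and (m := KV_RE.match(line)):
            fields[m.group(1)] = m.group(2)
    return fields


def lint_show_output(fields):
    """Same check as lint_role, but from what the switch actually installed."""
    issues = []
    if (fields.get("Type") == "downloaded" and fields.get("Tagged VLANs")
            and fields.get("Device Attributes") == "Disabled"):
        issues.append("role %s carries tagged VLAN(s) %s but Device Attributes is Disabled"
                      % (fields.get("Name"), fields["Tagged VLANs"]))
    return issues


# Constructed samples modelled on the thread (not captured from a real switch).
BROKEN_ROLE = '''aaa authorization user-role name "DUR-Access-Point"
reauth-period 28800
vlan-name "LAB-MGMT"
vlan-name-tagged "LAB-Corp"
exit
'''
FIXED_ROLE = BROKEN_ROLE.replace("exit\n", "device\nport-mode\nexit\nexit\n")
SAMPLE_SHOW = """ Port Access Client Status Detail

   Port            : 6                     Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 603 seconds

 User Role Information

   Name                              : *Aruba_DUR_Access_Point-3021-3
   Type                              : downloaded
   Reauthentication Period (seconds) : 28800
   Untagged VLAN                     : 100
   Tagged VLANs                      : 101
   Captive Portal Profile            :
   Device Attributes                 : Disabled
"""

if __name__ == "__main__":
    for label, text in (("broken role", BROKEN_ROLE), ("fixed role", FIXED_ROLE)):
        print(label, lint_role(parse_role_definition(text)) or ["ok"])
    print("switch view", lint_show_output(parse_show_port_access(SAMPLE_SHOW)) or ["ok"])
```

Run it against the role text you are about to paste into the ClearPass enforcement profile and against the switch output after the AP authenticates; the broken role and the first post's show output both produce one finding, the corrected role from the last post produces none.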