How to limit bandwidth in 802.1X with CPPM

  • 1.  How to limit bandwidth in 802.1X with CPPM

    Posted Nov 22, 2017 06:31 AM

    Hi community,

    This seems to be a basic question but I don't know how to do it with CPPM. I tried to look at Aruba-defined RADIUS attributes but can't find anything related to QoS. Could you please share some tips / guidelines on how to implement QoS (or at least limit bandwidth) in 802.1X with CPPM?

    Thank you,



  • 2.  RE: How to limit bandwidth in 802.1X with CPPM

    EMPLOYEE
    Posted Nov 22, 2017 08:05 AM
    It's done on the controller in the user role.


  • 3.  RE: How to limit bandwidth in 802.1X with CPPM

    Posted Nov 22, 2017 09:52 AM

    Hi Tim,

    I'm configuring the controller to download roles from CPPM, and it seems that only session ACL works with downloadable roles. Do I have to give up this feature and use locally-defined roles on the controller instead?

    Thank you,



  • 4.  RE: How to limit bandwidth in 802.1X with CPPM

    EMPLOYEE
    Posted Nov 22, 2017 10:26 AM
    Can you please provide an example from the controller side of what you're trying to use with downloadable user roles?


  • 5.  RE: How to limit bandwidth in 802.1X with CPPM

    Posted Nov 22, 2017 11:04 AM

    I'm using downloadable roles to send back an ACL definition (which defines default internal tools that users are authorized to access) to the controller. Another requirement is that each user should be limited to 20M of bandwidth. I tried using a policer profile in downloadable roles (available in CPPM configuration) but the controller always complained "unsupported keyword" when it encountered the cir command received from CPPM. So I guess only session ACL currently works with downloadable roles.

    If I want to satisfy the requirement of 20M of bandwidth per user, I think the only way to do it is to define the role locally on the controller, as you have mentioned. Downloadable roles and locally defined roles probably cannot work together and complement each other. Or am I missing something?

    Thank you,



  • 6.  RE: How to limit bandwidth in 802.1X with CPPM

    EMPLOYEE
    Posted Nov 22, 2017 11:33 AM

    It is not available in the UI mode (Standard Mode) but you can use Advanced Mode in the DUR enforcement profile to define this configuration.



  • 7.  RE: How to limit bandwidth in 802.1X with CPPM

    Posted Nov 22, 2017 11:51 PM

    Well, that's exactly what I did. The following configuration was generated:

     

    policer-profile abc
        cbs 5
        cir 5
        ebs 10
        exceed-action permit
        violate-action drop
    !
    user-role cppmrole
        policer-profile abc
    !

     

    But from the log messages on the controller, it complained that cir and ebs are unsupported keywords when it attempted to download the role from CPPM. I'm running ArubaOS 8.2 on the controller.

    Thank you,



  • 8.  RE: How to limit bandwidth in 802.1X with CPPM

    Posted Oct 19, 2020 11:34 AM

    Old thread, I can open a new one if needed. The question is the same.

    Tim - Can you provide or reference an example of configuring an Advanced DUR enforcement profile to set Bandwidth Upstream and Downstream?

    Following the OP's question, this would be for a Mobility Controller AAA configured to 'Download Role from CPPM'.


    Thanks!