Wired Intelligent Edge (Campus Switching and Routing)


ArubaOS-CX dynamic segmentation

Is there any documentation for dynamic segmentation on the 6300 series switches? I only found some CLI commands in the Command Line Interface Guide, but other than that not much, and it seems that the syntax has changed from the 2930F etc. Does returning a secondary user role still work?

Aruba Employee

Re: ArubaOS-CX dynamic segmentation

Hi,

The ArubaOS-CX 10.04 Security Guide (6300, 6400 Switch Series) will help with this.

It will have all the configuration syntax for 802.1x and MAC with.


Re: ArubaOS-CX dynamic segmentation

The only thing the Security Guide has about dynamic segmentation is this:

    port-access role gateway-zone

    Configures the per-role gateway zone details needed for user-based tunneling (UBT). For more information on UBT, see the Fundamentals Guide.

This might have something to do with a feature previously known as secondary role, but the manual does a very poor job of explaining the usage. The Fundamentals Guide doesn't have anything on Dynamic Segmentation either.

As Dynamic Segmentation is one of the main features always advertised, I thought it would be documented somewhere.


Re: ArubaOS-CX dynamic segmentation

I wonder who marked Raghunandan's answer as a solution? It clearly is not the solution, as the Security Guide doesn't have anything on dynamic segmentation.


Re: ArubaOS-CX dynamic segmentation

If someone else is wondering how to configure Dynamic Segmentation on the 6300, here are some configs:

    ubt-client-vlan 4094
    ubt zone ubtlab vrf default
        primary-controller ip 10.1.5.61
        backup-controller ip 10.1.5.62
        enable

VLAN 4094 has to exist, but doesn't need to be added to any interface (it is not needed towards the controller).

As ClearPass doesn't seem to support ArubaOS-CX with downloadable role profiles, you need to create a Generic RADIUS profile and return this:

    Radius:Aruba    Aruba-CPPM-Role =
        port-access role ubt-role-1
            gateway-zone zone testilabra gateway-role userrole

It doesn't seem to matter what you enter as the port-access role, but gateway-role must match some role on the controllers.

After these, configure the ports with MAC or 802.1X authentication; those commands seem to be in the Security Guide.

Root/intermediate CA certificates need to be installed on the switch with the crypto pki ta-profile command.

Aruba Employee

Re: ArubaOS-CX dynamic segmentation

<hoping the below 63xx UBT configuration will help you set up quickly>

    aaa group server radius cppm
        server cppmexample1
        server cppmexample2
    radius dyn-authorization enable
    radius dyn-authorization client <>

    ip source-interface ubt interface vlan1
    ubt-client-vlan 3

    ubt zone zone1 vrf default
        primary-controller ip x.x.x.x
        backup-controller ip x.x.x.x
        sac-heartbeat-interval 1
        uac-keepalive-interval 60
    aaa authentication port-access dot1x authenticator
        radius server-group cppm
    aaa authentication port-access mac-auth
        radius server-group cppm
        enable

    ntp server x.x.x.x
    ntp enable

    interface 1/1/2
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable

Quick show cmds:

    show ubt state
    show ubt users port

<Quick 63xx UBT cfg>


Re: ArubaOS-CX dynamic segmentation

It would be nice to have these in the manuals too

New Contributor

Re: ArubaOS-CX dynamic segmentation

The Airheads YouTube channel has a new series on Dynamic Segmentation.

 

https://www.youtube.com/watch?v=EcDb8DyqZTE


Re: ArubaOS-CX dynamic segmentation

It is for ArubaOS-S (2930 for example), not for the ArubaOS-CX series.

Contributor II

Re: ArubaOS-CX dynamic segmentation

The Fundamentals Guide released in December 2019 for AOS-CX 10.4 has a section about the commands to be used to configure UBT. Anyway, it is still lacking a section describing the steps required to have UBT configured and working on the switch.

 

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091682en_us
