Wired Intelligent Edge

Are there any documentation for dynamic segmentation on 6300 series switches? I only found some CLI commands from the Command line interface guide but other than that not much, and it seems that the syntax has changed from 2930F etc. Does returning secondary user role still work?

Hi,

 

The ArubaOS-CX 10.04 Security Guide (6300, 6400 Switch Series) will help in this.

 

It will have all the configuration syntax for 802.1x and MAC with.

Only thing Security Guide has about dynamic segmentation is this:

 

port-access role gateway-zone

 

Configures the per-role gateway zone details needed for user-based tunneling (UBT). For more information
on UBT, see the Fundamentals Guide.

 

This migh have something to do with a feature previously known as scondary role, but manual does very poor job explaining the usage. Fundamentals Guide doesn't have anything on Dynamic Segmentation either.

 

As this Dynamic Segmentation is one of the main features always advertised I though it would be documented somewhere. 

I wonder who marked Raghunandan's answer as a solution? As it clearly is not the solution as the security guide doesn't have anything on dynamic segmentation

If someone else is wondering how to configure Dynamic Segmentation on 6300, here's some configs:

 

 

ubt-client-vlan 4094
ubt zone ubtlab vrf default
    primary-controller ip 10.1.5.61
    backup-controller ip 10.1.5.62
    enable

 

 

VLAN 4094 has to exist, but doesn't need to be added on any interface (not needed towards the controller)

 

As ClearPass doesn't seem to support ArubaOS-CX with downloadable role profiles, you need to create Generic RADIUS profile and return this:

 

 

Radius:Aruba	Aruba-CPPM-Role	= 

port-access role ubt-role-1
gateway-zone zone testilabra gateway-role userrole

 

 

Doesn't seem to matter what you enter as port-access role, but gateway-role must match to some role in the controllers

 

After these configure the ports with MAC or 802.1X authentication, those commands seem to be in the Security Guide

 

Root/intermediate CA certificates need to be installed on the switch with crypto pki ta-profile command

<hoping below 63xx ubt configuration will help setup quickly>

aaa group server radius cppm

server cppmexample1

server cppmexample2

radius dyn-authorization enable

radius dyn-authorization client <>

 

ip source-interface ubt interface vlan1

ubt-client-vlan 3

 

ubt zone zone1 vrf default

primary-controller ip x.x.x.x

backup-controller ip x.x.x.x

sac-heartbeat-interval 1

uac-keepalive-interval 60

aaa authentication port-access dot1x authenticator

radius server-group cppm

aaa authentication port-access mac-auth

radius server-group cppm

enable

 

ntp server x.x.x.x

ntp enable

 

interface 1/1/2

no shutdown

no routing

vlan access 1

aaa authentication port-access dot1x authenticator

enable

aaa authentication port-access mac-auth

enable

 

Quick show cmds:

show ubt state

show ubt users port

<Quick 63xx ubt cfg>

It would be nice to have these in the manuals too

The Airheads YouTube channel has a new series on Dynamic Segmentation.

 

https://www.youtube.com/watch?v=EcDb8DyqZTE

It is for ArubaOS-S (2930 for example) not for ArubaOS-CX series

The fundamentals guide released on December 2019 for AOS-CX 10.4 has a session about the commands to be used to configure UBT. Anyway it still lacking a session describing the steps required to have UBT configured and working on the switch.

 

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091682en_us

 

Hello, 

can you please tell me if new Aruba OS-CX 6000 series switches supports dynaic segmentation ? i did not find documents with compatible hardware list.

thanks ahead

------------------------------
Temur Kalandia
------------------------------

Original Message:
Sent: Feb 19, 2020 04:18 AM
From: Jukka Aaltonen
Subject: ArubaOS-CX dynamic segmentation

If someone else is wondering how to configure Dynamic Segmentation on 6300, here's some configs:

 

 

ubt-client-vlan 4094ubt zone ubtlab vrf default    primary-controller ip 10.1.5.61    backup-controller ip 10.1.5.62    enable

 

 

VLAN 4094 has to exist, but doesn't need to be added on any interface (not needed towards the controller)

 

As ClearPass doesn't seem to support ArubaOS-CX with downloadable role profiles, you need to create Generic RADIUS profile and return this:

 

 

Radius:Aruba	Aruba-CPPM-Role	= port-access role ubt-role-1gateway-zone zone testilabra gateway-role userrole

 

 

Doesn't seem to matter what you enter as port-access role, but gateway-role must match to some role in the controllers

 

After these configure the ports with MAC or 802.1X authentication, those commands seem to be in the Security Guide

 

Root/intermediate CA certificates need to be installed on the switch with crypto pki ta-profile command

You can check the feature navigator to find out that starting the 6200 there is support for User Based tunnels, which are one component of Dynamic segmentation. The 6000 series do not support tunneling.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Feb 07, 2022 08:14 AM
From: Temur Kalandia
Subject: ArubaOS-CX dynamic segmentation

Hello, 

can you please tell me if new Aruba OS-CX 6000 series switches supports dynaic segmentation ? i did not find documents with compatible hardware list.

thanks ahead

------------------------------
Temur Kalandia

Original Message:
Sent: Feb 19, 2020 04:18 AM
From: Jukka Aaltonen
Subject: ArubaOS-CX dynamic segmentation

If someone else is wondering how to configure Dynamic Segmentation on 6300, here's some configs:

 

 

ubt-client-vlan 4094ubt zone ubtlab vrf default    primary-controller ip 10.1.5.61    backup-controller ip 10.1.5.62    enable

 

 

VLAN 4094 has to exist, but doesn't need to be added on any interface (not needed towards the controller)

 

As ClearPass doesn't seem to support ArubaOS-CX with downloadable role profiles, you need to create Generic RADIUS profile and return this:

 

 

Radius:Aruba	Aruba-CPPM-Role	= port-access role ubt-role-1gateway-zone zone testilabra gateway-role userrole

 

 

Doesn't seem to matter what you enter as port-access role, but gateway-role must match to some role in the controllers

 

After these configure the ports with MAC or 802.1X authentication, those commands seem to be in the Security Guide

 

Root/intermediate CA certificates need to be installed on the switch with crypto pki ta-profile command

many thanks Herman.

Feature navigator was very useful. i did know about it before.

------------------------------
Temur Kalandia
------------------------------

Original Message:
Sent: Feb 08, 2022 08:56 AM
From: Herman Robers
Subject: ArubaOS-CX dynamic segmentation

You can check the feature navigator to find out that starting the 6200 there is support for User Based tunnels, which are one component of Dynamic segmentation. The 6000 series do not support tunneling.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 07, 2022 08:14 AM
From: Temur Kalandia
Subject: ArubaOS-CX dynamic segmentation

Hello, 

can you please tell me if new Aruba OS-CX 6000 series switches supports dynaic segmentation ? i did not find documents with compatible hardware list.

thanks ahead

------------------------------
Temur Kalandia

Original Message:
Sent: Feb 19, 2020 04:18 AM
From: Jukka Aaltonen
Subject: ArubaOS-CX dynamic segmentation

If someone else is wondering how to configure Dynamic Segmentation on 6300, here's some configs:

 

 

ubt-client-vlan 4094ubt zone ubtlab vrf default    primary-controller ip 10.1.5.61    backup-controller ip 10.1.5.62    enable

 

 

VLAN 4094 has to exist, but doesn't need to be added on any interface (not needed towards the controller)

 

As ClearPass doesn't seem to support ArubaOS-CX with downloadable role profiles, you need to create Generic RADIUS profile and return this:

 

 

Radius:Aruba	Aruba-CPPM-Role	= port-access role ubt-role-1gateway-zone zone testilabra gateway-role userrole

 

 

Doesn't seem to matter what you enter as port-access role, but gateway-role must match to some role in the controllers

 

After these configure the ports with MAC or 802.1X authentication, those commands seem to be in the Security Guide

 

Root/intermediate CA certificates need to be installed on the switch with crypto pki ta-profile command