Requirement:
You might have a requirement where you need to allow only certain types of traffic to a set of destinations, rather than permitting or denying traffic as a whole, in a Downloadable User Role (DUR). Starting from version WC.16.06.0006, Aruba switches support Netdestinations and Netservices within a DUR, which you can use to achieve this use case.
Solution: We can define a Netdestination and a Netservice within the DUR, which allows us to achieve this use case.
Configuration: You need to configure the DUR (Downloadable User Role) as shown below to allow UDP 1812 and 1813, FTP, DHCP, DNS, SSH, SMTP and TCP port 5000 traffic to the set of destinations shown below.
netdestination "YT-Net"
   network 10.0.0.0/8 position 1
   network 172.16.0.0/16 position 2
   network 199.26.9.0/24 position 3
   network 199.26.10.0/23 position 4
   network 199.26.12.0/22 position 5
   exit
netservice "allowrad" udp 1812 1813
netservice "allowftp" tcp 21
netservice "allowdhcp" udp 67 68
netservice "allowdns" udp 53
netservice "service-ftp" tcp 20 21
netservice "svc-ssh" tcp 22
netservice "svc-smtp" tcp 25 465
netservice "port5k" tcp 5000
class ipv4 "allow-service"
   12 match alias-src "any" alias-dst "YT-Net" alias-srvc allowrad
   14 match alias-src "any" alias-dst "YT-Net" alias-srvc allowftp
   16 match alias-src "any" alias-dst "YT-Net" alias-srvc allowdhcp
   18 match alias-src "any" alias-dst "YT-Net" alias-srvc service-ftp
   20 match alias-src "any" alias-dst "YT-Net" alias-srvc svc-ssh
   22 match alias-src "any" alias-dst "YT-Net" alias-srvc svc-smtp
   24 match alias-src "any" alias-dst "YT-Net" alias-srvc port5k
   exit
policy user "allow-service"
   10 class ipv4 "allow-service" action permit
   exit
aaa authorization user-role name "netdestrole"
   policy "allow-service"
   vlan-id 20
   exit
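Before pasting a DUR like the one above into ClearPass, it is worth checking that every alias a class line references is actually defined, and confirming which flows the role will permit. The following Python script is an added example, not part of the article or of ArubaOS-Switch: it parses a cut-down copy of the DUR text above (with a deliberate typo in one alias name) and assumes that two port numbers on a netservice line denote an inclusive range.

```python
import ipaddress

# Constructed input: a cut-down copy of the article's DUR, with a deliberate typo ("port5000") on the last match line.
DUR = '''netdestination "YT-Net"
network 10.0.0.0/8 position 1
network 199.26.10.0/23 position 4
exit
netservice "allowrad" udp 1812 1813
netservice "svc-ssh" tcp 22
netservice "port5k" tcp 5000
class ipv4 "allow-service"
12 match alias-src "any" alias-dst "YT-Net" alias-srvc allowrad
20 match alias-src "any" alias-dst "YT-Net" alias-srvc svc-ssh
24 match alias-src "any" alias-dst "YT-Net" alias-srvc port5000
exit
'''

def parse_dur(text):
    """Collect netdestinations, netservices and class match entries from DUR text."""
    dests, svcs, matches, block = {}, {}, [], None
    for tok in filter(None, (ln.replace('"', '').split() for ln in text.splitlines())):
        if tok[0] == 'netdestination':
            block = dests.setdefault(tok[1], [])
        elif tok[0] == 'network' and block is not None:
            block.append(ipaddress.ip_network(tok[1]))
        elif tok[0] == 'netservice':  # two port numbers are read as an inclusive range (assumption)
            ports = [int(p) for p in tok[3:]]
            svcs[tok[1]] = (tok[2], ports[0], ports[-1])
        elif tok[0] == 'exit':
            block = None
        elif len(tok) == 8 and tok[1] == 'match':  # <seq> match alias-src X alias-dst Y alias-srvc Z
            matches.append((tok[3], tok[5], tok[7]))
    return dests, svcs, matches

def check_references(text):
    """Return alias names used by class entries that no netdestination/netservice defines."""
    dests, svcs, matches = parse_dur(text)
    return [n for _, d, s in matches for n, ok in ((d, d == 'any' or d in dests), (s, s in svcs)) if not ok]

def is_permitted(text, dst_ip, proto, port):
    """True if a flow to dst_ip with proto/port matches a fully defined class entry."""
    dests, svcs, matches = parse_dur(text)
    ip = ipaddress.ip_address(dst_ip)
    for _, dst, svc in matches:
        if svc not in svcs or (dst != 'any' and dst not in dests):
            continue
        sproto, lo, hi = svcs[svc]
        if (dst == 'any' or any(ip in n for n in dests[dst])) and sproto == proto and lo <= port <= hi:
            return True
    return False
```

Running check_references on the real DUR text before pasting it into the HPE-CPPM-Role value catches a misspelled alias, which in this model leaves the corresponding flow unmatched.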
In ClearPass you need to choose the Aruba Downloadable Enforcement profile.
The Role Configuration Mode is Advanced and the Product is ArubaOS-Switch, as shown below.
You need to click on Attributes, select the attribute name HPE-CPPM-Role (27) and paste the content of the DUR into the Value field, as shown below.
Note: This article assumes that the other pieces of configuration required for DUR are already in place. If you need assistance configuring DUR, you can use the guide linked below.
https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/3907/2/ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf
Verification: Once this DUR is returned, you will be able to see it on the switch when you execute the command
"show port-access clients detailed"