Wired Intelligent Edge (Campus Switching and Routing)

Downloadable User Role (DUR) with Netdestinations in ArubaOS Switches

Requirement:

You might have a requirement to allow only certain types of traffic to a specific set of destinations in a Downloadable User Role, rather than permitting or denying traffic as a whole. Starting from version WC.16.06.0006, Aruba switches support Netdestinations and Netservices within a DUR, which you can use to achieve this use case.


Solution:

We define a Netdestination and a set of Netservices within the DUR and reference them from a class, so that the user policy permits only the listed services to the listed destinations.



Configuration:

You need to configure the DUR (Downloadable User Role) as shown below to allow UDP 1812/1813, FTP, DHCP, DNS, SSH, SMTP and TCP port 5000 traffic to the set of destinations listed in the "YT-Net" netdestination:

netdestination "YT-Net"
   network 10.0.0.0/8 position 1
   network 172.16.0.0/16 position 2
   network 199.26.9.0/24 position 3
   network 199.26.10.0/23 position 4
   network 199.26.12.0/22 position 5
   exit
netservice "allowrad" udp 1812 1813
netservice "allowftp" tcp 21
netservice "allowdhcp" udp 67 68
netservice "allowdns" udp 53
netservice "service-ftp" tcp 20 21
netservice "svc-ssh" tcp 22
netservice "svc-smtp" tcp 25 465
netservice "port5k" tcp 5000
class ipv4 "allow-service"
   12 match alias-src "any" alias-dst "YT-Net" alias-srvc allowrad
   14 match alias-src "any" alias-dst "YT-Net" alias-srvc allowftp
   16 match alias-src "any" alias-dst "YT-Net" alias-srvc allowdhcp
   18 match alias-src "any" alias-dst "YT-Net" alias-srvc service-ftp
   20 match alias-src "any" alias-dst "YT-Net" alias-srvc svc-ssh
   22 match alias-src "any" alias-dst "YT-Net" alias-srvc svc-smtp
   24 match alias-src "any" alias-dst "YT-Net" alias-srvc port5k
   exit
policy user "allow-service"
   10 class ipv4 "allow-service" action permit
   exit
aaa authorization user-role name "netdestrole"
   policy "allow-service"
   vlan-id 20
   exit

In ClearPass you need to choose Aruba Downloadable Enforcement.

The Role Configuration Mode is Advanced and the Product is ArubaOS-Switch, as shown below.


Click on Attributes, select the Attribute Name HPE-CPPM-Role (27) and paste the content of the DUR into the Value field, as shown below.
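
As an added example (not part of the original article or any Aruba tool), the following Python checks what a DUR permits before it is pasted into the HPE-CPPM-Role attribute: it parses the netdestination, netservice, class and policy blocks into lookup tables and evaluates a destination/protocol/port tuple against them, which is a quick way to confirm a role does not permit more than intended. The DUR text is a constructed, trimmed copy of the role above; first-match evaluation order and an implicit deny for unmatched traffic are assumptions.

```python
import ipaddress
import shlex

# Constructed excerpt of the page's DUR (two networks, two services), parsed as pasted
DUR = """netdestination "YT-Net"
network 10.0.0.0/8 position 1
network 199.26.10.0/23 position 4
exit
netservice "allowrad" udp 1812 1813
netservice "svc-ssh" tcp 22
class ipv4 "allow-service"
12 match alias-src "any" alias-dst "YT-Net" alias-srvc allowrad
20 match alias-src "any" alias-dst "YT-Net" alias-srvc svc-ssh
exit
policy user "allow-service"
10 class ipv4 "allow-service" action permit
exit"""

def parse_dur(text):
    # netdestination -> networks, netservice -> (proto, ports), class -> matches, policy -> (class, action)
    dests, svcs, classes, policies = {}, {}, {}, {}
    cur = None  # list being filled inside the current block
    for t in filter(None, map(shlex.split, text.splitlines())):  # tokens, quoted names honoured
        if t[0] == "netdestination":
            cur = dests.setdefault(t[1], [])
        elif t[0] == "network":
            cur.append(ipaddress.ip_network(t[1]))
        elif t[0] == "netservice":  # name, protocol, one or more ports
            svcs[t[1]] = (t[2], {int(p) for p in t[3:]})
        elif t[0] == "class":
            cur = classes.setdefault(t[2], [])
        elif t[0] == "policy" and len(t) == 3:  # "policy user <name>"
            cur = policies.setdefault(t[2], [])
        elif t[0].isdigit() and t[1] == "match":  # numbered class entry
            cur.append(dict(zip(t[2::2], t[3::2])))
        elif t[0].isdigit() and t[1] == "class":  # "<seq> class ipv4 <name> action <act>"
            cur.append((t[3], t[5]))
    return dests, svcs, classes, policies  # "exit", "aaa ..." and "vlan-id" lines fall through

def flow_permitted(dur, policy, dst_ip, proto, port):
    # First matching entry decides; unmatched traffic is treated as denied (assumed implicit deny)
    dests, svcs, classes, policies = dur
    ip = ipaddress.ip_address(dst_ip)
    for cls, action in policies[policy]:
        for m in classes[cls]:  # alias-src is "any" throughout this role, so only dst is tested
            sproto, sports = svcs[m["alias-srvc"]]
            if proto == sproto and port in sports and any(ip in n for n in dests[m["alias-dst"]]):
                return action == "permit"
    return False
```

Running it against the full role from this article works the same way; the user-role wrapper lines are simply skipped.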


Note: This article assumes that the other pieces of configuration required for DUR are already in place. If you need assistance configuring DUR, see the solution guide linked below.

https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/3907/2/ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf


Verification

Once this DUR is returned, you can see it applied to the client on the switch with the command:

show port-access clients detailed

Version history: Revision 1 of 1, last updated 02-26-2019 07:19 AM