
Downloadable User Role configuration in Aruba OS CX with mac-authentication

Requirement:
DUR (Downloadable User Role) configuration lets the switch download the role definition sent by the RADIUS server and apply that configuration, as part of the role, to the port of the client that authenticated.

The profile applied to the client may include a dynamic VLAN, ACL or captive portal. These dynamic settings are removed from the port as soon as the client session ends.


Solution:
1. Add the RADIUS server to the switch using its host IP or its FQDN.

2. Enable MAC authentication globally and on the respective ports.

3. Upload the root certificate used by ClearPass to the switch. It is used during the DUR process, since the switch must trust the root CA that signed the ClearPass server certificate.

5. Configure ClearPass with the corresponding services, profiles and policies:
--Aruba Downloadable Role Enforcement
--Role Configuration mode as Advanced
--Product as Mobility Access Switch

6. Configure the following within the profile that will be applied to the client:
--Attribute Type as Radius:Aruba
--Name as Aruba-CPPM-Role
--Value as (DUR commands)

7. Check the reachability of ClearPass from the switch and connect a client to a port with authentication enabled.
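Step 6 places the DUR text in a RADIUS vendor-specific attribute (Radius:Aruba, Aruba-CPPM-Role). The following Python is an added example, not code from the original article or from Aruba: it decodes that attribute from the attribute list of an Access-Accept and reassembles a role definition that had to be split across several VSA instances because one RADIUS attribute carries at most 253 bytes of value. The vendor-type number assigned to Aruba-CPPM-Role and the sample packet bytes are assumptions constructed for the example; the real vendor-type comes from the Aruba RADIUS dictionary loaded in ClearPass.

```python
RADIUS_VSA_TYPE = 26     # RFC 2865 Vendor-Specific attribute
ARUBA_VENDOR_ID = 14823  # Aruba Networks IANA enterprise number
# Vendor-type of Aruba-CPPM-Role: placeholder; take the real number from
# the Aruba RADIUS dictionary loaded in your ClearPass.
CPPM_ROLE_VTYPE = 50


def iter_attributes(payload):
    """Yield (type, value) pairs from a RADIUS attribute list (RFC 2865 TLVs)."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def extract_cppm_role(payload, vtype=CPPM_ROLE_VTYPE):
    """Reassemble Aruba-CPPM-Role from an Access-Accept attribute list.
    A DUR text longer than one attribute can carry (247 bytes here) arrives
    as several VSA instances that are concatenated in order; None if absent."""
    parts = []
    for atype, value in iter_attributes(payload):
        if atype != RADIUS_VSA_TYPE or len(value) < 6:
            continue
        if int.from_bytes(value[:4], "big") != ARUBA_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:  # one VSA may hold several vendor sub-attributes
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if stype == vtype:
                parts.append(sub[2:slen])
            sub = sub[slen:]
    return b"".join(parts).decode("utf-8") if parts else None


def build_vsa(vtype, data):
    """Encode one Aruba VSA; used only to build the constructed sample below."""
    sub = bytes([vtype, len(data) + 2]) + data
    body = ARUBA_VENDOR_ID.to_bytes(4, "big") + sub
    return bytes([RADIUS_VSA_TYPE, len(body) + 2]) + body


DUR_TEXT = "vlan access 10\n" + "x" * 240  # constructed; too long for one VSA
SAMPLE_ACCEPT = (bytes([6, 6, 0, 0, 0, 2])  # Service-Type = Framed-User
                 + build_vsa(CPPM_ROLE_VTYPE, DUR_TEXT[:247].encode())
                 + build_vsa(CPPM_ROLE_VTYPE, DUR_TEXT[247:].encode()))
```

Feed `extract_cppm_role` the attribute bytes captured from a real Access-Accept (for example from a packet capture on the switch uplink) to confirm that ClearPass is sending the full role text and that the switch is not rejecting a truncated one.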


Configuration:
Switch configuration:

radius-server host x.x.x.x key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username prakash clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+
aaa authentication allow-fail-through
aaa group server radius cppm
    server x.x.x.x

aaa authentication port-access dot1x authenticator
    radius server-group ARUBA
aaa authentication port-access mac-auth
    radius server-group cppm
    enable

interface 1/1/15
    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access client-limit 2
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        enable
    aaa authentication port-access mac-auth
        enable

Configuration in ClearPass:

1. Configure the service with the appropriate service condition.

2. Apply the appropriate policy, with suitable conditions, to match the client request to the respective profile.

3. DUR profile configuration.

Verification
The user role from ClearPass is downloaded to the switch and can be verified using the command below.

Check that the role is applied to the respective port.




Version history
Last update: 04-29-2020 01:25 PM