Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor II

Downloadable User role for controller pushed by DUR via AOS-CX switches

Working with a design for a setup which includes MM, MC, CPPM along with 6300 AOS-CX switches.

I don't have a 6300 to test with yet, but I'd like to prepare as much as I can.

I've been digging a bit, but not found any definitive answer yet to how you would do DURs for AOS-CX with dynamic secondary user role for UBT.

What I normally do when 2930s, for example, are deployed is use the Aruba Downloadable Role Enforcement and create the DUR for the controller (product: Mobility Controller), which contains at least a VLAN and an ACL.

Then I create another DUR for the switch (Product: ArubaOS-Switch) which is pretty much empty except for setting the Secondary Role Type to Dynamic and choosing the above Controller Downloadable Role.

So then comes the question, how do you go about doing the same with an AOS-CX switch?

I read somewhere that in future CPPM releases AOS-CX will pop up in the "Product" list when creating the enforcement profile, so I take it that means I can't use the ArubaOS-Switch one.

Could this be pushed via Aruba-CPPM-Role to the AOS-CX switch? If so, any thoughts on how it should look?

Aruba Employee

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

ArubaOS-switches use HPE RADIUS Attributes, ArubaOS-CX switches use ARUBA RADIUS Attributes instead. So for downloadable user roles with ArubaOS-CX switches and CPPM 6.8 you currently need to select in the "Aruba Downloadable Role Enforcement" the "Role Configuration Mode" = "Advanced" and as "Product" = "Mobility Access Switch". Here you can configure the Aruba-CPPM-Role RADIUS Attribute required for ArubaOS-CX switches, see screenshot.

Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

After I posted this I had a dialog with TAC, which mentioned that I could just do it the same way as I have done previously (on 2930Ms for example)

As in use the ArubaOS-Switch DUR enforcement profile, then below "role configuration" choose "Secondary Role Type: Dynamic" then, "Controller Downloadable Role:" and choose the controller enforcement profile.

It didn't sound right since I already knew, as you mention also, that AOS-CX uses the aruba attributes while the 2930 for example uses HPE.

Basing off your screenshot, how would you do DUR for the role the enduser gets on the controller?

The whole idea here being DUR for both the switch and the controller. No predefined roles on the switch or the controller.

Aruba Employee

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

The secondary role (user role on the controller) is either already statically configured on the controller, or the controller can dynamically request the role (and the content of the role) from ClearPass. So you may ask how the controller knows what role to apply for a specific DUR user. This is communicated through the control protocol between switch and controller at the moment the user successfully authenticates on the switch. The configuration on the controller/ClearPass side is done as it has always been for Controller DUR, see https://community.arubanetworks.com/t5/Controller-Based-WLANs/Downloading-an-undefined-role-from-ClearPass-to-Controller/ta-p/243661

Aruba Employee

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

You may also have a look here where it is shown in detail:

Aruba User Based Tunneling with Dynamic User Roles
https://www.youtube.com/watch?v=UjTwOAq0QmM

or here on page 29 ff:
Technical Whitepaper:  User Roles and User-Based Tunneling
https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/4032/2/ArubaOS-Switch%20User-Based%20Tunneling%20Technical%20Whitepaper.pdf

Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

I might not have expressed my issue/question properly, sorry for that.

This part is all OK, and doing so is easily enough achieved with ArubaOS switches like 2930Ms, for example.

Attached an example on how this could be done with ArubaOS switch.

From the guide that you also mention:
"
Creating a Controller Downloadable User Role
This feature allows the secondary role on the controller, which will be used by the tunneled clients, to be downloaded to the controller from ClearPass. This effectively eliminates the need to configure the secondary role on potentially multiple controller clusters in a large campus network. Now, the secondary role can be configured in ClearPass, downloaded to the Mobility Controller, and the switch notified via a new VSA “HPE-CPPM-Secondary-Role”.
"

The VSA HPE-CPPM-Secondary-Role is essentially what I do in the attached Pic1+Pic2.
So then comes the question I've been wondering about: how would the switch-side role look when we want to achieve the same thing, just on an AOS-CX switch?

Aruba Employee

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

On ArubaOS-Switches you have the possibility to assign the secondary (controller) role in two ways via RADIUS:

  1. Using a separate RADIUS attribute like you mentioned with "HPE-CPPM-Secondary-Role"
  2. Providing the secondary (controller) role inside the primary (switch) role definition.

On ArubaOS-CX switches option 1 would use the "Aruba-UBT-Gateway-Role" RADIUS attribute (Aruba Vendor ID 14823, Attribute Type 53).
Nevertheless, option 2 is from my point of view much easier than option 1. So in the original picture I posted you see the primary role (“iot-s”), which also includes the secondary role (“iot”). This secondary (controller) role is called the gateway role on ArubaOS-CX. So there is no need for a separate RADIUS attribute for the secondary role, as the secondary (controller/gateway) role name is included in the primary role.

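As an added illustration (not part of this thread, ClearPass, or any Aruba tool), the following shows how the Vendor-Specific attribute used by option 1 above is laid out on the wire, using only the Aruba vendor ID 14823 and vendor type 53 quoted in the post. The encoder, the decoder and the sample attribute list are constructed for this example; it is useful for checking, in a RADIUS packet capture, whether an Access-Accept actually carries a gateway role name.

```python
import struct
from typing import List, Optional, Tuple

ARUBA_VENDOR_ID = 14823          # Aruba vendor ID, as stated in the post
ARUBA_UBT_GATEWAY_ROLE = 53      # Aruba-UBT-Gateway-Role vendor type, as stated in the post


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one RFC 2865 Vendor-Specific (type 26) attribute.

    Wire layout: Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) Value.
    """
    if not 0 < len(value) <= 247:            # 255 byte attribute max minus 8 bytes of headers
        raise ValueError("value must be 1..247 bytes")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(sub), vendor_id) + sub


def decode_vsas(attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a RADIUS attribute list; return (vendor_id, vendor_type, value) for every VSA found."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        body = attrs[i + 2:i + alen]
        if atype == 26 and len(body) >= 4:   # skip non-VSAs such as Reply-Message
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j + 2 <= len(body):
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed VSA at offset %d" % (i + 2 + j))
                out.append((vendor_id, vtype, body[j + 2:j + vlen]))
                j += vlen
        i += alen
    return out


def gateway_role_from_accept(attrs: bytes) -> Optional[str]:
    """Return the gateway (secondary/controller) role name if Aruba-UBT-Gateway-Role is present."""
    for vid, vtype, value in decode_vsas(attrs):
        if vid == ARUBA_VENDOR_ID and vtype == ARUBA_UBT_GATEWAY_ROLE:
            return value.decode("utf-8")
    return None


# Constructed sample Access-Accept attribute list: a Reply-Message (type 18) followed by the
# Aruba VSA carrying the gateway role "iot" from the post.
SAMPLE_ATTRS = (struct.pack("!BB", 18, 2 + len(b"ok")) + b"ok"
                + encode_vsa(ARUBA_VENDOR_ID, ARUBA_UBT_GATEWAY_ROLE, b"iot"))

if __name__ == "__main__":
    print(SAMPLE_ATTRS.hex())
    print(gateway_role_from_accept(SAMPLE_ATTRS))  # iot
```
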
Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

Ok, this is something I might not have known from before either.

Referring to the picture you posted: the role "iot", if that's not defined at the controller, will the controller by default then assume it should download the role content from ClearPass (as long as you have defined ClearPass credentials)?

Then in turn create a profile named iot with content as shown in my Pic3?

EDIT: upon further investigation this doesn't seem to be the case. If the secondary (controller) role is not predefined on the controller, the user will end up with an invalid role error and be placed in the initial role for the default-tunneled-user aaa profile.

Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

Finally got it confirmed. This is simply not supported in AOS-CX switches at the current time.

The feature to call for a dynamic secondary user role, or in other words, to let the mobility controller know that the role for the user needs to be downloaded, is a feature that's coming possibly in AOS-CX 10.5.

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

Check my previous question: https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/ArubaOS-CX-dynamic-segmentation/td-p/636649

There's an example for configuring UBT with a 6300.

I have tested this with 6300F and the switch downloaded the role from CPPM and created the tunnel to the controller.
