Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

Thanks, got the hang of things with static roles for the controller side, same as your example:

port-access role ubt-role-1
gateway-zone zone testilabra gateway-role userrole

Now just waiting for the AOS-CX release which includes support for DUR for the gateway-role


Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

With DUR do you mean that the controller would download the role from CPPM so you wouldn't have to configure it on the controller before?

What is your use case for this? I'm wondering for our case, as we're planning on using 6300Fs with UBT. As we have one controller pair to terminate the switches, I've just configured the roles and policies beforehand on the controllers.

Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

Well, the main thing being single place for role definitions, being CPPM.

So downloadable roles for both the switch, controller as well as wireless clients.

If you want to update any role definitions, it's all in one place regardless of what type of client we're talking about.

It's my preferred method, so I got a bit surprised when I discovered this feature is not yet available for the AOS-CX platform (works perfectly fine on AOS switches).

MVP Guru Elite

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

It is already available, but there is no GUI for it yet on ClearPass.



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

It was confirmed by Aruba yesterday afternoon: this feature, telling the controller to download <rolename> as part of the information sent from the switch to the controller, is not available in the current version of AOS-CX. For now, only statically defined roles on the controller are supported.

However it will be in the next release or the one after.

 

Frequent Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

If you know the "hidden" name of the DUR, it will work. By hidden name I mean the name ClearPass internally uses for the downloadable role: ROLENAME-<id>-<version>.

As an example, the following will not work:

 

 

port-access role ubt-role-1
gateway-zone zone testilabra gateway-role userrole

 

But if you know the values, the following does work:

 

port-access role ubt-role-1
gateway-zone zone testilabra gateway-role userrole-3060-4

 

You can find the <id> by looking at the URL when editing the enforcement profile under ClearPass, but I didn't find a way to get the <version> part other than applying the role to a 2930F and getting the name.

Frequent Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

Even though I was able to set the roles, and the tunnels go up, the mobility controller is not showing the client inside the user-table (both with DUR or static role).

After some minutes, the client also vanishes on the CX switch.

Occasional Contributor II

Re: Downloadable User role for controller pushed by DUR via AOS-CX switches

Correct, because AOS-CX doesn't support this as of yet.
The mobility controller doesn't know of the role userrole-3060-4 (or userrole for that matter), which in turn makes it fail.
The tunnel will come up because you define a gateway-role; however, since the controller doesn't have the rolename, it then fails.

 

My guess is that when Aruba adds support for this you will find an attribute called something like "secondary-gateway-role" which will tell the controller to download the role from CPPM.

 

port-access role ubt-role-1
gateway-zone zone testilabra secondary-gateway-role mc-employee-role

 

With CPPM credentials set up on the controller, it will then ask CPPM to provide the role mc-employee-role.
Having my hopes up for this feature in 10.05.
