Wired Intelligent Edge (Campus Switching and Routing)

Regular Contributor II

Tunneled Node DUR - Secondary Role

Looking at a design where we are using Aruba Switches configured for UBT and DUR, and Controllers to terminate Tunneled Node, we typically have the switch DUR with the Secondary Role to use on the controller. With this configuration, the Controller needs to have a locally defined User Role that matches the Secondary Role passed to it.

I want to continue to make configurations as dynamic as possible. In other deployments, such as a Wireless Controller deployment, we can configure AAA to download the User Role from ClearPass. This eases the administrative overhead needed from the customer's perspective, so they can create all Roles in ClearPass and not require them to be created on the Controller (another touch point).

Anyone know if it is possible to somehow use UBT and Tunneled Node with or without a Secondary User Role and instead have the controller download the role from ClearPass? The only way I can see this working is if the AAA profile forced the user/device to perform a secondary authentication to trigger the controller DUR... which would likely cause issues.

This would be great, especially in deployments where a customer is using Controllers and ClearPass for Wired and Wireless authentication. We now just define a single User Role that fits both! Pipe dream for now, I think.


AMFX/ACEX #69
Aruba Partner Ambassador

Accepted Solutions
Aruba Employee

Re: Tunneled Node DUR - Secondary Role

Hi,

You can have dynamic DUR on both the switch and controller.

For example, in my lab I have this:

[Screenshot: ayman_mukaddam_1-1589976062983.png]

On ClearPass, you reference a Controller Downloadable Role:

[Screenshot: ayman_mukaddam_0-1589975965375.png]

In the AAA profile on the controller, make sure you enable download role from ClearPass and add the proper username/password...

I think this is covered here: https://www.youtube.com/watch?v=UjTwOAq0QmM


All Replies
Regular Contributor II

Re: Tunneled Node DUR - Secondary Role

This rocks! I don't know how long the Dynamic option for the Secondary Role type has been around, but I am so glad you have shared it. Thank you so much. Works great! Pipe dream realized.


AMFX/ACEX #69
Aruba Partner Ambassador