Wired Intelligent Edge (Campus Switching and Routing)


User authorization on AOS-switches: default or role-based approach?

Hi community,


When authenticating users on AOS-switches there are two approaches:


  1. Default: the RADIUS server such as ClearPass has settings such as VLAN assignments and ACLs configured on it as RADIUS standard attributes or vendor-specific VSAs. When a user successfully authenticates, ClearPass sends these attributes in the Access-Accept message to the switch, and the switch then applies them.
  2. Role-based authorization: the RADIUS server can simply send the switch the name of the user’s role in the Access-Accept message. The role name matches a role configured on the switch, and this role defines settings such as VLAN assignment, ACL, rate limit, and QoS priority, which the switch then applies to the user session.

If I am not going to use per-user tunneled-node, which requires the switch to use role-based authorization, which approach shall I use? Which one is better? What are the upsides and downsides of each one?


Regards,

Julián
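The difference between the two approaches is visible on the wire in the Access-Accept. The added example below (not from this thread, not Aruba or ClearPass code) builds both attribute sets with the RFC 2865 attribute layout and the RFC 2868 tagged Tunnel-* attributes, then decodes them the way a switch or a packet parser would. The "default" set uses Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID for the VLAN plus Filter-Id for the ACL name; the "role" set is one vendor-specific attribute carrying the role name. The vendor ID 14823 and the attribute number 1 for Aruba-User-Role are assumed from the Aruba RADIUS dictionary, and the sample VLAN, ACL and role values are constructed.

```python
"""Build and decode the two kinds of RADIUS Access-Accept attribute sets:
(1) "default": standard attributes carrying VLAN and ACL directly,
(2) "role-based": one vendor-specific attribute carrying a role name.

Added example, not code from the forum post or from Aruba/ClearPass.
Formats follow RFC 2865 (attribute TLV, VSA) and RFC 2868 (tagged Tunnel-*).
"""
import struct

# RFC 2865 / RFC 2868 standard attribute types
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

ARUBA_VENDOR_ID = 14823  # assumption: Aruba IANA enterprise number
ARUBA_USER_ROLE = 1      # assumption: Aruba-User-Role vendor attribute number


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1 tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: 1 tag byte (0x01..0x1F) followed by the string."""
    return bytes([tag]) + text.encode()


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (26): Vendor-Id(4) then Vendor-Type/Length/Value."""
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_default_accept(vlan: int, acl_name: str) -> bytes:
    """Default approach: VLAN via Tunnel-* attributes, ACL via Filter-Id."""
    return b"".join([
        attr(TUNNEL_TYPE, tagged_int(1, 13)),        # 13 = VLAN
        attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, 6)),  # 6 = IEEE-802
        attr(TUNNEL_PRIVATE_GROUP_ID, tagged_str(1, str(vlan))),
        attr(FILTER_ID, acl_name.encode()),
    ])


def build_role_accept(role: str) -> bytes:
    """Role-based approach: a single VSA naming a role configured on the switch."""
    return vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode())


def parse_attrs(data: bytes) -> list:
    """Decode an attribute list into (key, value) pairs; VSAs are expanded to
    ("vsa", vendor_id, vendor_type) keys. Malformed lengths raise ValueError."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        v = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", v[:4])[0]
            j = 4
            while j < len(v):
                vt, vl = v[j], v[j + 1]
                if vl < 2 or j + vl > len(v):
                    raise ValueError("malformed VSA sub-attribute")
                out.append((("vsa", vendor, vt), v[j + 2:j + vl]))
                j += vl
        else:
            out.append((t, v))
        i += length
    return out


def summarize(data: bytes) -> dict:
    """What the switch would apply from the decoded attributes."""
    attrs = parse_attrs(data)
    summary = {"attribute_count": len(attrs)}
    for key, v in attrs:
        if key == TUNNEL_PRIVATE_GROUP_ID:
            summary["vlan"] = v[1:].decode()  # strip the RFC 2868 tag byte
        elif key == FILTER_ID:
            summary["acl"] = v.decode()
        elif key == ("vsa", ARUBA_VENDOR_ID, ARUBA_USER_ROLE):
            summary["role"] = v.decode()
    return summary


if __name__ == "__main__":
    # Constructed sample values
    print(summarize(build_default_accept(10, "guest-acl")))
    print(summarize(build_role_accept("employee")))
```

The default Access-Accept carries four attributes that must each be individually correct and consistent on the RADIUS side, while the role-based one carries a single name whose meaning (VLAN, ACL, rate limit, QoS) is defined and audited on the switch itself; the parser's length checks are what a robust decoder needs regardless of which approach is used.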

Re: User authorization on AOS-switches: default or role-based approach?

Role-based is almost always recommended; you do not need to do user-based tunneling to use user roles. We've added many attributes to user roles as well in ArubaOS-Switch 16.08. It's much easier to pass a user role back than multiple VSAs.


User roles can contain:

  - QoS/ACL Policy
  - Rate Limits
  - PoE settings
  - Port-mode (for APs)
  - VLAN Assignment
  - Reauth timers


However, either way will work.


Link to User role section in the Access Security Guide.

http://h22208.www2.hpe.com/eginfolib/Aruba/16.08/5200-5488/index.html#Local_User_Roles.html


Justin

Guru Elite

Re: User authorization on AOS-switches: default or role-based approach?

Validated designs and testing on the policy side are only done using user roles.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: User authorization on AOS-switches: default or role-based approach?

Hi,

And I guess it's simpler to use DUR configured once and centralized on CPPM than configure the same roles distributed on every switch... Am I right?

Regards,
Julián