Wired Intelligent Edge


User authorization on AOS-switches: default or role-based approach?

  • 1.  User authorization on AOS-switches: default or role-based approach?

    Posted Apr 26, 2019 04:56 PM

    Hi community,

    When authenticating users on AOS-switches there are two approaches:

    1. Default: the RADIUS server such as ClearPass has settings such as VLAN assignments and ACLs configured on it as RADIUS standard attributes or vendor-specific VSAs. When a user successfully authenticates, ClearPass sends these attributes in the Access-Accept message to the switch, and the switch then applies them.
    2. Role-based authorization: the RADIUS server can simply send the switch the name of the user's role in the Access-Accept message. The role name matches a role configured on the switch, and this role defines settings such as VLAN assignment, ACL, rate limit, and QoS priority, which the switch then applies to the user session.

    If I am not going to use per-user tunneled-node, which requires the switch to use role-based authorization, which approach shall I use? Which one is better? What are the upsides and downsides of each one?

    Regards,

    Julián



  • 2.  RE: User authorization on AOS-switches: default or role-based approach?
    Best Answer

    EMPLOYEE
    Posted Apr 26, 2019 05:32 PM

    Role-based is almost always recommended; you do not need to do user-based tunneling to use user roles. We've added many attributes to user roles as well in ArubaOS-Switch 16.08. It's much easier to pass a user role back than multiple VSAs.

    User roles can contain:
    - QoS/ACL Policy
    - Rate Limits
    - PoE settings
    - Port-mode (for APs)
    - VLAN Assignment
    - Reauth timers

    However, either way will work.

    Link to User role section in the Access Security Guide:

    http://h22208.www2.hpe.com/eginfolib/Aruba/16.08/5200-5488/index.html#Local_User_Roles.html

    Justin
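
    The two Access-Accept styles compared in the question and the answer above, as an added illustration that is not code from the thread, from HPE Aruba, or from ClearPass. It encodes the "default" style (VLAN carried as RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID) and the role style (only a role name, carried in a vendor-specific attribute), then interprets both the way a switch would: the tunnel attributes are applied directly, while a role name is looked up in a role table configured on the switch itself. The Aruba enterprise number 14823 is the registered IANA value; the VSA type number 1 for Aruba-User-Role is taken from the public Aruba RADIUS dictionary and is an assumption here (confirm the exact VSA your switch release expects in the guide linked above). The LOCAL_ROLES table and the role names are constructed sample data. One thing the example makes visible that the prose does not: with the role approach the switch can only honour a role name it has configured locally, so an unknown role name yields no authorization settings at all.

```python
"""Added example (not from the thread): the two RADIUS Access-Accept styles
discussed above, encoded and then interpreted as a switch would."""
import struct

# Standard attribute types (RFC 2865 / RFC 2868)
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Aruba vendor-specific attribute: enterprise number 14823 is the IANA value;
# the Aruba-User-Role type number (1) follows the public Aruba dictionary and
# is an assumption in this example.
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1


def avp(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value (max 253 value bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def tunnel_avp(atype: int, value, tag: int = 1) -> bytes:
    """RFC 2868 tunnel attribute: Tag octet, then a 3-byte integer or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return avp(atype, bytes([tag]) + body)


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """RFC 2865 Vendor-Specific: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    inner = bytes([vtype, 2 + len(value)]) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def accept_default_style(vlan_id: int) -> bytes:
    """Approach 1: the VLAN itself is delivered as standard tunnel attributes."""
    return (tunnel_avp(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_avp(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
            + tunnel_avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def accept_role_style(role_name: str) -> bytes:
    """Approach 2: only a role name, carried in the Aruba-User-Role VSA."""
    return vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role_name.encode())


def parse_attributes(data: bytes) -> list:
    """Walk the attribute list, unpacking Vendor-Specific into (26, vendor, vtype, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, value))
        i += alen
    return out


# Constructed table standing in for the roles configured on the switch itself.
LOCAL_ROLES = {
    "employee": {"vlan": 100, "policy": "employee-acl", "rate_limit_kbps": 50000},
    "guest":    {"vlan": 200, "policy": "guest-acl",    "rate_limit_kbps": 5000},
}


def apply_accept(data: bytes, local_roles=LOCAL_ROLES) -> dict:
    """Return the settings a session would receive; {} means nothing usable was sent
    (for the role style, that is what happens when the role is not defined locally)."""
    attrs = parse_attributes(data)
    settings = {}
    tunnel_type = None
    for item in attrs:                      # first pass: learn the tunnel type
        if item[0] == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(item[1][1:], "big")
    for item in attrs:
        if item[0] == ATTR_VENDOR_SPECIFIC:
            _, vendor_id, vtype, value = item
            if vendor_id == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE:
                name = value.decode(errors="replace")
                role = local_roles.get(name)
                if role is None:
                    return {}               # unknown role: no authorization data applies
                settings.update(role)
                settings["role"] = name
        elif item[0] == ATTR_TUNNEL_PRIVATE_GROUP_ID and tunnel_type == TUNNEL_TYPE_VLAN:
            raw = item[1]
            group = raw[1:] if raw[0] <= 0x1F else raw   # leading octet is a tag only if <= 0x1F
            settings["vlan"] = int(group.decode())
    return settings


if __name__ == "__main__":
    print("default style :", apply_accept(accept_default_style(100)))
    print("role style    :", apply_accept(accept_role_style("employee")))
    print("unknown role  :", apply_accept(accept_role_style("contractor")))
```

    The two-pass interpretation matters because RADIUS does not guarantee attribute order, so Tunnel-Private-Group-ID must not be trusted as a VLAN until Tunnel-Type has been seen; likewise the tag octet of Tunnel-Private-Group-ID is only a tag when it is 0x1F or below, a detail that trips up hand-written parsers.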



  • 3.  RE: User authorization on AOS-switches: default or role-based approach?

    EMPLOYEE
    Posted Apr 26, 2019 07:19 PM
    Validated designs and testing on the policy side are only done using user roles.


  • 4.  RE: User authorization on AOS-switches: default or role-based approach?

    Posted Apr 29, 2019 09:46 AM
    Hi,

    And I guess it's simpler to use DUR configured once and centralized on CPPM than configure the same roles distributed on every switch... Am I right?

    Regards,
    Julián