
Using device attributes (such as admin-edge port) with user roles on an Aruba OS switch


At times you may need to apply device-level attributes to an Aruba OS switch port on which a client has just authenticated, as part of the downloadable user role sent from ClearPass.

One example is configuring the port as a spanning-tree admin-edge port.


It is now possible to send device attributes down to client ports that have just authenticated, using either LUR (local user roles) or DUR (downloadable user roles) from ClearPass.

This feature was introduced on Aruba OS switches in code version 16.08.

The following device attributes are available. They can be configured in a user role either locally on the switch using LUR or sent from ClearPass using DUR:

Device Attributes:            
  PoE Allocation By Class    
  PoE Priority                  

Here we show one example: spanning-tree admin-edge-port applied through a downloadable user role (DUR), with ClearPass acting as the RADIUS server.


In this example, an end client is authenticated on port 38 of an Aruba 2930F switch using MAC-based authentication.

ClearPass is the RADIUS server and returns a DUR (downloadable user role) for the authenticated client.

Aruba 2930F is running version: WC.16.09.0010

The Aruba 2930F switch is already set up for DUR to function.

Refer to the Access Security Guide for your switch model for the configuration required on the Aruba OS switch for DUR to work.

Next, we need to create a profile on ClearPass with Type: Radius:Hewlett Packard Enterprise and Name: HPE-CPPM-ROLE. Under Value, we use the following configuration:

class ipv4 "Allow-All"
   10 match ip any any
policy user "Employee-allow-all"
   10 class ipv4 "Allow-All" action permit
aaa authorization user-role name "Employee"
   policy "Employee-allow-all"


From the Aruba 2930F switch: 

Client is connected to port 38.

R19-41U-2930F-TOR-2# show running-config interface 38

Running configuration:

interface 38
   name "R20-27U-2540-1_PORT-24"
   tagged vlan 227
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 2


In Access Tracker on ClearPass, we verify that the client was authenticated and that the correct profile/user role was pushed to the switch.


We start a debug for user-profile-mib to get visibility into the DUR download process.

As shown below, when we trigger the download by reauthenticating the client on port 38, the user role "user_test_dur-3099-30" is downloaded after the client authenticates successfully.

R19-41U-2930F-TOR-2(config)# debug security user-profile-mib
R19-41U-2930F-TOR-2(config)# debug destination session
R19-41U-2930F-TOR-2(config)# aaa port-access mac 38 reauthenticate

0004:08:35:33.39 UMIB mSnmpCtrl:removing dca client 8030e0-946268 for port 38.
R19-41U-2930F-TOR-2(config)# 0004:08:35:34.51 UMIB tRadiusR:Received ClearPass downloadable user role vsa for
   client with request-id 123 and assigned user role is : user_test_dur-3099-30
0004:08:35:34.51 UMIB mdcaCtrl:New node is created for the downloadable user
   role user_test_dur-3099-30
0004:08:35:34.51 UMIB mdcaCtrl:DUR Client with request-id 123 is added to
   waiting queue for downloadable user role user_test_dur-3099-30 in INITIAL
0004:08:35:34.51 UMIB mdcaCtrl:Posting event to cppm task to  download the
   userRole user_test_dur-3099-30
0004:08:35:34.51 UMIB mcppmTask:cppmHttpTransferFile: File download has started.
0004:08:35:34.63 UMIB mcppmTask:Download of userRole user_test_dur-3099-30 is
0004:08:35:34.63 UMIB mcppmTask:Parsing of downloaded userRole
   user_test_dur-3099-30 is success
0004:08:35:34.65 UMIB mcppmTask:Copying downloaded userRole
   user_test_dur-3099-30 to RamFs is success
0004:08:35:34.69 UMIB mdcaCtrl:Removing DUR Client with request-id 123 for
   downloadable user role user_test_dur-3099-30 from waiting queue as the role
   is downloaded
0004:08:35:34.69 UMIB mdcaCtrl: Sending message to authentication task for
   client with request-id 123
0004:08:35:34.69 UMIB mdcaCtrl:Removing previous downloadable user role version
   user_test_dur-3099-29_7Z4q as no clients are mapped to that version
0004:08:35:34.69 UMIB mdcaCtrl: Deleting the downloadable user role
   user_test_dur-3099-29 from config record
0004:08:35:34.70 UMIB mWebAuth:added new dca client 8030e0-946268 for new client
   port 38.
0004:08:35:34.70 UMIB mWebAuth:Client Mac 8030E0-946268, accessMode MacAuth


To validate the authentication status of port 38: 

The user role "user_test_dur-3099-30" and the device attribute (admin-edge port) are now applied to the client on port 38, which can be verified with the commands below:

R19-41U-2930F-TOR-2(config)# show port-access clients 38 detailed

 Port Access Client Status Detail

  Client Base Details :
   Port            : 38                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 60 seconds
   Client Name     : 8030e0946268          Session Timeout     : 0 seconds
   MAC Address     : 8030e0-946268
   IP              : n/a

   Auth Order      : Not Set
   Auth Priority   : Not Set
   LMA Fallback    : Disabled

Downloaded user roles are preceded by *

 User Role Information

   Name                              : *user_test_dur-3099-30
   Type                              : downloaded
   Reauthentication Period (seconds) : 0
   Cached Reauth Period (seconds)    : 0
   Logoff Period (seconds)           : 300
   Untagged VLAN                     :
   Tagged VLANs                      : 227

   Captive Portal Profile            :
   Policy                            : Employee-allow-all_user_test_dur-3099-30

Statements for policy "Employee-allow-all_user_test_dur-3099-30"
policy user "Employee-allow-all_user_test_dur-3099-30"
     10 class ipv4 "Allow-All_user_test_dur-3099-30" action permit

Statements for class IPv4 "Allow-All_user_test_dur-3099-30"
class ipv4 "Allow-All_user_test_dur-3099-30"
     10 match ip

   Tunnelednode Server Redirect      : Disabled
   Secondary Role Name               :
   Device Attributes                 : Enabled
     PoE Allocation By Class         : Disabled
     PoE Priority                    :
     Admin-edge-port                 : Enabled
     Port-mode                       : Disabled


To verify that the admin-edge config has taken effect on port 38:


R19-41U-2930F-TOR-2(config)# show spanning-tree 38 detail

 Status and Counters - CST Port(s) Detailed Information

 Note : * indicates values dynamically overridden by user-role

  Port                      : 38
  Status                    : Up
  BPDU Protection           : No
  BPDU Filtering            : No
  PVST Protection           : No
  PVST Filtering            : No
  Errant BPDU Count         : 0
  Root Guard                : No
  Loop Guard                : No
  TCN Guard                 : No
  MST Region Boundary       : Yes
  External Path Cost        : 0
  External Root Path Cost   : 40000
  Administrative Hello Time : Global
  Operational Hello Time    : 2
  AdminEdgePort             : *Yes
  Auto Edge Port            : Yes
  OperEdgePort              : Yes
  AdminPointToPointMAC      : True
  OperPointToPointMAC       : Yes
  Aged BPDUs Count          : 0
  Loop-back BPDUs Count     : 0
  TC ACK Flag Transmitted   : 0
  TC ACK Flag Received      : 0
  Topology Changes Detected : 0
  Topology Changes Tx       : 0
  Topology Changes Rx       : 0

  MST        MST        CFG        CFG        TCN        TCN
  BPDUs Tx   BPDUs Rx   BPDUs Tx   BPDUs Rx   BPDUs Tx   BPDUs Rx
  ---------- ---------- ---------- ---------- ---------- ----------
  181805     0          0          0          0          0
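
The two verification steps above can be scripted. The following is an added example, not part of the original article or of any Aruba tooling: it reads saved text from "show port-access clients <port> detailed" and "show spanning-tree <port> detail" and reports whether the admin-edge setting really comes from the downloaded user role (the "*" markers). The function names and finding strings are hypothetical, the sample lines are constructed by trimming the outputs shown above, and the BPDU protection check is an extra hardening check this example assumes you want.

```python
import re

# Constructed samples: lines trimmed from the two show outputs in this article.
SAMPLE_CLIENT = """
   Name                              : *user_test_dur-3099-30
   Type                              : downloaded
   Device Attributes                 : Enabled
     Admin-edge-port                 : Enabled
     Port-mode                       : Disabled
"""
SAMPLE_STP = """
  Port                      : 38
  BPDU Protection           : No
  AdminEdgePort             : *Yes
  OperEdgePort              : Yes
"""

def parse_fields(text):
    """Return {label: value} for each 'Label : value' line of show output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_edge_port(client_out, stp_out):
    """Return findings; an empty list means the role-driven edge port looks as intended."""
    role, stp = parse_fields(client_out), parse_fields(stp_out)
    findings = []
    if not role.get("Name", "").startswith("*"):
        findings.append("user role is not a downloaded role")
    if role.get("Admin-edge-port") != "Enabled":
        findings.append("user role does not enable admin-edge-port")
    admin_edge = stp.get("AdminEdgePort", "")
    if admin_edge.lstrip("*") != "Yes":
        findings.append("AdminEdgePort is not set on the port")
    elif not admin_edge.startswith("*"):
        findings.append("AdminEdgePort comes from static config, not the user role")
    # Added hardening check (assumption, not from the article): an edge port
    # should not receive BPDUs, so BPDU protection is normally enabled on it.
    if admin_edge.lstrip("*") == "Yes" and stp.get("BPDU Protection") == "No":
        findings.append("BPDU protection is off on an edge port")
    return findings

if __name__ == "__main__":
    for finding in check_edge_port(SAMPLE_CLIENT, SAMPLE_STP):
        print("FINDING:", finding)
```

Run against the outputs in this article, the only finding is the BPDU protection one, since port 38 shows "BPDU Protection : No" while AdminEdgePort is "*Yes".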



Last update: 04-27-2020 12:34 PM