Requirement:
It may at times be necessary to push device-level attributes to an Aruba OS switch port on which a client has just authenticated, when a downloadable user role is sent from Clearpass.
An example is configuring the port as a spanning-tree admin edge port.
Solution:
It is now possible to send device attributes to client ports that have just authenticated, using either a LUR (local user role) or a DUR (downloadable user role) from Clearpass.
This feature was introduced on Aruba OS switches in software version 16.08.
The following device attributes can be configured in a user role, either locally on the switch using a LUR or sent from Clearpass using a DUR:
Device Attributes:
PoE Allocation By Class
PoE Priority
Admin-edge-port
Port-mode
Here we show one of these examples, the spanning-tree admin-edge-port attribute, using downloadable user roles (DUR) with Clearpass acting as the RADIUS server.
Configuration:
In this example an end client is authenticated on port 38 using MAC-based authentication on an Aruba 2930F switch.
Clearpass is the RADIUS server, and the client that authenticates receives a DUR (downloadable user role).
Aruba 2930F is running version: WC.16.09.0010
The Aruba 2930F switch is already set up for DUR to function.
Refer to the Access Security Guide for your switch model for the configuration required on an Aruba OS switch for DUR to work.
Next, create a profile on Clearpass with Type: Radius:Hewlett Packard Enterprise, Name: HPE-CPPM-ROLE, and the following configuration as the value:
class ipv4 "Allow-All"
10 match ip any any
exit
policy user "Employee-allow-all"
10 class ipv4 "Allow-All" action permit
exit
aaa authorization user-role name "Employee"
policy "Employee-allow-all"
device
admin-edge-port
exit
From the Aruba 2930F switch:
Client is connected to port 38.
R19-41U-2930F-TOR-2# show running-config interface 38
Running configuration:
interface 38
name "R20-27U-2540-1_PORT-24"
tagged vlan 227
aaa port-access mac-based
aaa port-access mac-based addr-limit 2
exit
Verification:
On the Access Tracker in Clearpass we verify that the client was authenticated and that the correct profile/user role was pushed to the switch.
We start a debug for user-profile-mib to get visibility of the DUR download process.
As shown below, when we trigger the download of the user role by re-authenticating the client on port 38, the user role "user_test_dur-3099-30" is downloaded after the client authenticates successfully.
R19-41U-2930F-TOR-2(config)# debug security user-profile-mib
R19-41U-2930F-TOR-2(config)# debug destination session
R19-41U-2930F-TOR-2(config)# aaa port-access mac 38 reauthenticate
0004:08:35:33.39 UMIB mSnmpCtrl:removing dca client 8030e0-946268 for port 38.
R19-41U-2930F-TOR-2(config)# 0004:08:35:34.51 UMIB tRadiusR:Received ClearPass downloadable user role vsa for client with request-id 123 and assigned user role is : user_test_dur-3099-30
0004:08:35:34.51 UMIB mdcaCtrl:New node is created for the downloadable user role user_test_dur-3099-30
0004:08:35:34.51 UMIB mdcaCtrl:DUR Client with request-id 123 is added to waiting queue for downloadable user role user_test_dur-3099-30 in INITIAL state
0004:08:35:34.51 UMIB mdcaCtrl:Posting event to cppm task to download the userRole user_test_dur-3099-30
0004:08:35:34.51 UMIB mcppmTask:cppmHttpTransferFile: File download has started.
0004:08:35:34.63 UMIB mcppmTask:Download of userRole user_test_dur-3099-30 is success
0004:08:35:34.63 UMIB mcppmTask:Parsing of downloaded userRole user_test_dur-3099-30 is success
0004:08:35:34.65 UMIB mcppmTask:Copying downloaded userRole user_test_dur-3099-30 to RamFs is success
0004:08:35:34.69 UMIB mdcaCtrl:Removing DUR Client with request-id 123 for downloadable user role user_test_dur-3099-30 from waiting queue as the role is downloaded
0004:08:35:34.69 UMIB mdcaCtrl: Sending message to authentication task for client with request-id 123
0004:08:35:34.69 UMIB mdcaCtrl:Removing previous downloadable user role version user_test_dur-3099-29_7Z4q as no clients are mapped to that version
0004:08:35:34.69 UMIB mdcaCtrl: Deleting the downloadable user role user_test_dur-3099-29 from config record
0004:08:35:34.70 UMIB mWebAuth:added new dca client 8030e0-946268 for new client port 38.
0004:08:35:34.70 UMIB mWebAuth:Client Mac 8030E0-946268, accessMode MacAuth
To validate the authentication status of port 38:
The user role "user_test_dur-3099-30" and the device attribute (admin-edge-port) are now applied to the client on port 38, which can be verified with the following commands:
R19-41U-2930F-TOR-2(config)# show port-access clients 38 detailed
Port Access Client Status Detail
Client Base Details :
Port : 38 Authentication Type : mac-based
Client Status : authenticated Session Time : 60 seconds
Client Name : 8030e0946268 Session Timeout : 0 seconds
MAC Address : 8030e0-946268
IP : n/a
Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled
Downloaded user roles are preceded by *
User Role Information
Name : *user_test_dur-3099-30
Type : downloaded
Reauthentication Period (seconds) : 0
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLANs : 227
Captive Portal Profile :
Policy : Employee-allow-all_user_test_dur-3099-30
Statements for policy "Employee-allow-all_user_test_dur-3099-30"
policy user "Employee-allow-all_user_test_dur-3099-30"
10 class ipv4 "Allow-All_user_test_dur-3099-30" action permit
exit
Statements for class IPv4 "Allow-All_user_test_dur-3099-30"
class ipv4 "Allow-All_user_test_dur-3099-30"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Enabled
PoE Allocation By Class : Disabled
PoE Priority :
Admin-edge-port : Enabled
Port-mode : Disabled
To verify that the admin-edge-port configuration has taken effect on port 38:
R19-41U-2930F-TOR-2(config)# show spanning-tree 38 detail
Status and Counters - CST Port(s) Detailed Information
Note : * indicates values dynamically overridden by user-role
Port : 38
Status : Up
BPDU Protection : No
BPDU Filtering : No
PVST Protection : No
PVST Filtering : No
Errant BPDU Count : 0
Root Guard : No
Loop Guard : No
TCN Guard : No
MST Region Boundary : Yes
External Path Cost : 0
External Root Path Cost : 40000
Administrative Hello Time : Global
Operational Hello Time : 2
AdminEdgePort : *Yes
Auto Edge Port : Yes
OperEdgePort : Yes
AdminPointToPointMAC : True
OperPointToPointMAC : Yes
Aged BPDUs Count : 0
Loop-back BPDUs Count : 0
TC ACK Flag Transmitted : 0
TC ACK Flag Received : 0
Topology Changes Detected : 0
Topology Changes Tx : 0
Topology Changes Rx : 0
MST BPDUs Tx : 181805
MST BPDUs Rx : 0
CFG BPDUs Tx : 0
CFG BPDUs Rx : 0
TCN BPDUs Tx : 0
TCN BPDUs Rx : 0
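As an added example (not part of the original article or any Aruba tool), the following Python script automates the verification above: it parses the relevant lines of "show port-access clients 38 detailed" and "show spanning-tree 38 detail" and confirms that the downloaded role and its admin-edge-port device attribute are in effect. The sample outputs are constructed from the article, and the function names are our own.

```python
"""Check that a ClearPass downloadable user role (DUR) and its device
attribute (admin-edge-port) were applied to a client port, by parsing
ArubaOS-Switch 'show' output. Example code written for this article."""
import re

# Constructed sample: the relevant lines of
# 'show port-access clients 38 detailed' and 'show spanning-tree 38 detail'.
PORT_ACCESS_OUT = """\
Port : 38 Authentication Type : mac-based
Client Status : authenticated Session Time : 60 seconds
Client Name : 8030e0946268 Session Timeout : 0 seconds
User Role Information
Name : *user_test_dur-3099-30
Type : downloaded
Device Attributes : Enabled
PoE Allocation By Class : Disabled
Admin-edge-port : Enabled
Port-mode : Disabled
"""
STP_OUT = """\
Port : 38
Status : Up
AdminEdgePort : *Yes
Auto Edge Port : Yes
OperEdgePort : Yes
"""

def first_token(output, key):
    """Return the first whitespace-delimited token after 'key :' on a line
    that starts with key, or None. Only the first token is taken because
    the switch prints two 'Key : Value' pairs on some lines."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*:\s*(\S+)", output, re.M)
    return m.group(1) if m else None

def dur_device_attribute_applied(port_access_out, stp_out, role):
    """Verify the client is authenticated with the downloaded role (shown
    with a leading '*') and that admin-edge-port is active on the port, both
    as a user-role device attribute and in the STP view, where '*' marks a
    value dynamically overridden by the user role."""
    checks = {
        "authenticated": first_token(port_access_out, "Client Status") == "authenticated",
        "role_downloaded": first_token(port_access_out, "Name") == "*" + role
                           and first_token(port_access_out, "Type") == "downloaded",
        "device_attrs_enabled": first_token(port_access_out, "Device Attributes") == "Enabled",
        "admin_edge_attr": first_token(port_access_out, "Admin-edge-port") == "Enabled",
        "stp_admin_edge_override": first_token(stp_out, "AdminEdgePort") == "*Yes",
        "stp_oper_edge": first_token(stp_out, "OperEdgePort") == "Yes",
    }
    return all(checks.values()), checks

if __name__ == "__main__":
    ok, detail = dur_device_attribute_applied(PORT_ACCESS_OUT, STP_OUT, "user_test_dur-3099-30")
    print("OK" if ok else "FAILED", detail)
```

Feed it the real output captured from the switch (for example via an SSH session) to confirm a DUR push end to end, and inspect the returned dictionary to see which individual check failed.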