Wireless Access

Contributor II

ClearPass and Controller Roles

Worked with support yesterday configuring ClearPass to be our new RADIUS server over Windows.  We got everything set up so if a user is in a Windows group "students" ClearPass assigns Role-Student and passes it to the controller.  The controller has a role called Role-Student as well and the user should get this, but is getting the guest role, which is the default in the ClearPass service.  Finally, the tech stopped and said it was a controller issue and passed me to them.  I know this should be simple, so if anyone has ideas for me to check let me know.  Thanks and stay safe out there.

Guru Elite

Re: ClearPass and Controller Roles

"Finally, tech stopped and said it was a controller issue and passed me to them".  Passed you to who?

 

Either way, you need an enforcement profile that returns the Aruba-User-Role attribute to the controller to set the role upon authentication.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor II

Re: ClearPass and Controller Roles

ClearPass support passed me to controller support.

 

I have the following enforcement policy in Cpass:

 

Radius:Aruba:Aruba-User-Role = Role-Student

This is the same name as the role on controller.

Contributor II

Re: ClearPass and Controller Roles

So when my test user connected to SSID this is the radius response in ClearPass which looks correct -

 

Radius:Aruba:Aruba-User-Role = Role-Student

However, when you look on controller the user is assigned the guest role and placed in guest VLAN

Guru Elite

Re: ClearPass and Controller Roles

Not to correct you, but you would configure that in an Enforcement Profile in ClearPass.

 

In the "Output" and "Alerts" tab in the Access Tracker, does it show that ClearPass is returning that attribute to the controller?  If it is, you need to type "show user ip <ip address of user> | include Role" on the controller to see how the role was set on the user:

 

(Babarella) #show user ip 192.168.1.114 | include Role
This operation can take a while depending on number of users. Please be patient ....
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0

 

Lastly, you need to do an "aaa user delete <ip address of user>" and disconnect the user's WLAN card after you make changes on ClearPass, so that you will not be using cached information.

 

The flow:

ClearPass returns an "Accept" and the Aruba-User-Role attribute.  That will be reflected in the Access Tracker in the "Output" and maybe the "Alerts" tab in ClearPass.  That attribute automatically sets the role on the controller and you don't need to do anything on the controller side.

"show user ip" should show you how the user obtained the role.

Use "aaa user delete" between changes to disconnect the user so that you are not using cached info.

 


Guru Elite

Re: ClearPass and Controller Roles

Lastly, the Aruba-User-Role attribute is case sensitive.  If you do not type the role name in ClearPass exactly as it is defined on the controller, the user will simply obtain the default 802.1X role in the AAA profile, which is typically guest.


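The flow the two replies above describe (ClearPass returning an Access-Accept carrying the Aruba-User-Role VSA, and the controller falling back to the AAA profile's default 802.1X role when the name does not match a role exactly), as an added example that is not part of this thread and not Aruba or ClearPass code. The vendor ID 14823 and vendor attribute number 1 are the values from the standard Aruba RADIUS dictionary; the shared secret, Request Authenticator, role names and the "how" strings in the output are constructed for the illustration, and the exact-match check is only the behaviour the posts describe, not a reproduction of the controller's role derivation logic.

```python
"""Added example: encode Aruba-User-Role as a RADIUS VSA in an Access-Accept,
verify the Response Authenticator as a NAS would, and apply the exact-match
role derivation the thread describes (no match -> AAA profile default role).
Vendor ID 14823 / vendor attribute 1 are the Aruba dictionary values; every
other value below is constructed for illustration."""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
RADIUS_VSA = 26           # Vendor-Specific attribute (RFC 2865 section 5.26)
ARUBA_VENDOR_ID = 14823   # Aruba Networks IANA enterprise number
ARUBA_USER_ROLE = 1       # Aruba-User-Role vendor attribute number


def encode_aruba_user_role(role: str) -> bytes:
    """Wrap a role name as Vendor-Specific(26) -> Aruba(14823) -> Aruba-User-Role(1)."""
    value = role.encode("ascii")
    inner = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    return struct.pack("!BB", RADIUS_VSA, 2 + len(body)) + body


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept with the RFC 2865 Response Authenticator computed over the attributes."""
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting any attribute: code, length and authenticator."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != RADIUS_ACCESS_ACCEPT or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def extract_aruba_user_role(pkt: bytes):
    """Walk the attribute list; return the Aruba-User-Role value, or None if absent."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VSA and alen >= 8 and struct.unpack("!I", pkt[pos + 2:pos + 6])[0] == ARUBA_VENDOR_ID:
            vpos, vend = pos + 6, pos + alen
            while vpos + 2 <= vend:
                vtype, vlen = pkt[vpos], pkt[vpos + 1]
                if vlen < 2 or vpos + vlen > vend:
                    raise ValueError("malformed vendor attribute")
                if vtype == ARUBA_USER_ROLE:
                    return pkt[vpos + 2:vpos + vlen].decode("ascii")
                vpos += vlen
        pos += alen
    return None


def derive_role(pkt, request_auth, secret, controller_roles, default_role):
    """Exact (case-sensitive) match against roles defined on the controller, otherwise the
    AAA profile's default 802.1X role. The 'how' strings are illustrative, not ArubaOS output."""
    if not verify_access_accept(pkt, request_auth, secret):
        return None, "dropped: bad Response Authenticator"
    role = extract_aruba_user_role(pkt)
    if role is not None and role in controller_roles:
        return role, "server-returned Aruba-User-Role"
    return default_role, "default 802.1X role (no usable Aruba-User-Role)"


if __name__ == "__main__":
    # Constructed inputs: a fake Request Authenticator and shared secret, plus the
    # role names from the thread as if they were defined on the controller.
    request_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    controller_roles = {"guest", "authenticated", "Role-Student", "Role-FacStaff"}
    for sent in ("Role-Student", "role-student", "Role-Students"):
        pkt = build_access_accept(0x2A, request_auth, secret, encode_aruba_user_role(sent))
        print(sent, "->", derive_role(pkt, request_auth, secret, controller_roles, "guest"))
```

Running the block shows the point of the last reply: "Role-Student" maps to the named role, while "role-student" and "Role-Students" both land on the default "guest" even though ClearPass sent an Accept with the attribute. The authenticator check is included because an attribute in a response that fails it should never reach role derivation at all.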
Contributor II

Re: ClearPass and Controller Roles

Show user

 

Profiles AAA:OpenDoors_aaa_prof, dot1x:OpenDoors_dot1_aut, mac: CP:n/a def-role: 'guest' via-auth-profile:''
Reauth-interval from role: 0

 

I do see on CPass that the user authenticated and got the correct enforcement profile, but the guest role for some reason.  I also see

Radius:Aruba:Aruba-User-Role = Role-FacStaff

as the RADIUS response on CPass.

 

 

Guru Elite

Re: ClearPass and Controller Roles

This is the portion that is needed:

 

Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0


Contributor II

Re: ClearPass and Controller Roles

Can you expand a little on this?  Not enough coffee yet.

Guru Elite

Re: ClearPass and Controller Roles

show user ip <ip address of user> will say how the role for the user was derived.

 

You are probably misspelling the role name in ClearPass.  It has to be exact when it is passed to the controller, otherwise you will obtain the default role.

 

I would continue to work with TAC in parallel so that you can get specific advice and instruction from someone who has your logs and access to your system....  over here, we are just guessing what could be wrong and that is very inefficient.

