Wireless Access


How do you pass user role from Clearpass to Wireless Controller?

  • 1.  How do you pass user role from Clearpass to Wireless Controller?

    Posted May 14, 2014 03:04 PM

    For some reason I cannot get the controller to pick up the user role from Clearpass.



  • 2.  RE: How do you pass user role from Clearpass to Wireless Controller?

    Posted May 14, 2014 03:27 PM
    Make sure that user-role has been created on the controller side

    User-role TEST-ROLE

    and on the Clearpass side you need to create an Aruba RADIUS enforcement profile using the Aruba VSA TEST-ROLE


  • 3.  RE: How do you pass user role from Clearpass to Wireless Controller?

    EMPLOYEE
    Posted May 14, 2014 03:29 PM
    Are you trying to do a downloadable role?


  • 4.  RE: How do you pass user role from Clearpass to Wireless Controller?

    Posted May 14, 2014 04:22 PM

    I am having a little difficulty understanding this. I have set up the following roles in Clearpass (image attached):

    UNT-Employee
    UNT-Guest
    UNT-Student

    I have set up the following role mapping in Clearpass based on the wirelessRole attribute that is passed from our LDAP servers (image attached):

    untst = UNT-Student
    untfs = UNT-Employee
    untguest = UNT-Guest

    So my problem is that the role is assigned correctly in Clearpass, but the controller throws everyone into the default guest role. Isn't the role supposed to be passed to the controller? I have even set up role-mapping on the controller to look at the aruba-CPPM role, but this is not working.

    What would the enforcement profile have to do with role-mapping? Also, I am not sure what downloadable roles are...



  • 5.  RE: How do you pass user role from Clearpass to Wireless Controller?

    EMPLOYEE
    Posted May 14, 2014 04:45 PM

    Ah! You are confusing Clearpass roles with the controller roles.

    A role in Clearpass is like an internal derivation which then can be used for an action.

    Look at Enforcement Profiles, here you create an "action" which is the Aruba-User-Role RADIUS VSA. Add a new enforcement profile and there should be an option for Aruba Role. Then, you can name it to match what's on the controller.

    The Clearpass role is used as a condition to send this action. Look at the enforcement policy. All this really is are "IF THEN" statements.

    IF the conditions on the left are met, send the action(s) on the right. The actions are enforcement profiles. These conditions are things like the roles you created or any other variables you see listed when you go ahead and create an enforcement policy...

    To leverage those roles, the call up for them in the enforcement policy is "TIPS:ROLE EQUALS <value>". TIPS is the call out for Clearpass roles.
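
The flow described in posts 2 and 5, as an added example that is not part of the original thread and is not ClearPass or ArubaOS code: a small Python model of role mapping, the enforcement policy, the Aruba-User-Role VSA on the wire, and the controller-side lookup. The controller role names (`student`, `employee`, `guest`), the default role and the fallback for an undefined role name are assumptions made for the model; the vendor ID and VSA sub-type are the values from the Aruba RADIUS dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823  # Aruba enterprise number in the RADIUS dictionary
ARUBA_USER_ROLE = 1      # VSA sub-type of Aruba-User-Role

# Constructed sample data. The keys are the values quoted in the thread.
ROLE_MAPPING = {"untst": "UNT-Student", "untfs": "UNT-Employee",
                "untguest": "UNT-Guest"}
# Enforcement policy: IF TIPS:ROLE EQUALS key THEN send a profile whose
# Aruba-User-Role is the value. The controller role names are hypothetical.
ENFORCEMENT_POLICY = {"UNT-Student": "student", "UNT-Employee": "employee"}
CONTROLLER_ROLES = {"student", "employee", "guest"}  # assumed defined on the controller
DEFAULT_ROLE = "guest"  # assumed default role on the controller

def encode_user_role_vsa(role):
    """Vendor-Specific attribute (type 26) carrying Aruba-User-Role."""
    value = role.encode()
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def clearpass_accept(wireless_role, policy=ENFORCEMENT_POLICY):
    """Attribute bytes added to the Access-Accept in this simplified model."""
    tips_role = ROLE_MAPPING.get(wireless_role)  # role mapping: internal only
    profile_role = policy.get(tips_role)         # enforcement: what goes on the wire
    return encode_user_role_vsa(profile_role) if profile_role else b""

def controller_role(attrs):
    """Role the controller model assigns from the received attributes."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            break  # malformed attribute: stop parsing
        if atype == 26 and alen >= 8:
            vendor, vtype, vlen = struct.unpack("!IBB", attrs[i + 2:i + 8])
            if (vendor, vtype) == (ARUBA_VENDOR_ID, ARUBA_USER_ROLE) and 2 <= vlen <= alen - 6:
                role = attrs[i + 8:i + 6 + vlen].decode(errors="replace")
                # Modelling assumption: an undefined role name is not applied.
                return role if role in CONTROLLER_ROLES else DEFAULT_ROLE
        i += alen
    return DEFAULT_ROLE  # no Aruba-User-Role received

if __name__ == "__main__":
    for code in ("untst", "untfs", "untguest"):
        print(code, "->", controller_role(clearpass_accept(code)))
    # The symptom from post 4: role mapping only, no enforcement profile.
    print("untfs ->", controller_role(clearpass_accept("untfs", policy={})))
```

With an empty enforcement policy every user lands in the default role even though the role mapping resolved correctly, which is the behaviour reported in post 4.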

     



  • 6.  RE: How do you pass user role from Clearpass to Wireless Controller?

    Posted May 19, 2014 11:52 AM

    So using the enforcement profile works. Thanks everyone! Still it seems that there should be some way to map the role on the wireless controller end instead of having to have the exact same named role set up. I would like to name the roles something descriptive rather than being forced to use what is passed from Clearpass. If anyone has any nifty ideas I'd be interested...



  • 7.  RE: How do you pass user role from Clearpass to Wireless Controller?

    EMPLOYEE
    Posted May 19, 2014 12:04 PM

    Well, depending on your Aruba code, Clearpass does support creating the roles and values FOR THE CONTROLLER and you can then "push" this config through policy to the Aruba controller. There are examples on our support site and user guides to assist with this feature.

    The reason why you need to create the roles on Clearpass (and it may seem redundant) is that Clearpass ITSELF is role based with policy similar to our controller BUT Clearpass is also vendor agnostic so that you can bring role-based access to other vendors' equipment that may not allow you to be as policy driven as the Aruba ecosystem.

    Hope this makes sense.



  • 8.  RE: How do you pass user role from Clearpass to Wireless Controller?

    Posted May 19, 2014 12:40 PM

    The problem I have is that I am having to deal with codes that are used in the wirelessRole attribute in our directory services that are passed to me (this is an old system with many different codes that have been used over time that map to only a few actual roles for my purposes). I have set up role mapping on ClearPass to deal with these, but since that has nothing to do with what is passed to the controller it was pretty much wasted time at this point. The only way I have figured out to make it work so far is by creating an enforcement profile that uses the value for the wirelessRole attribute that is passed (I don't think there is any way to map it at this point in the system). It would be nice to be able to key off of this value when it is passed to the wireless controller and map it to a meaningful value like "Employee" or "Student".



  • 9.  RE: How do you pass user role from Clearpass to Wireless Controller?

    Posted May 19, 2014 10:26 PM

    So it sounds like you figured out how to configure an enforcement profile that contains a controller role, is that right? Is it working for you?