Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration
06-01-2018 08:56 AM - last edited on 06-02-2018 12:46 AM by cappalli
Setting up Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration:
The post lists the steps involved in setting up “Colourless port with Dynamic Segmentation” on ArubaOS-Switch.
We will be using Downloadable User Roles in ClearPass, for Centralized Policy and access control.
This post would be useful for Aruba Partner Engineers and Customers who are trying to implement this capability.
What we will be achieving:
Employee laptop performing 802.1X Authentication:
- Placed in VLAN 29 and bridged locally on switch.
IoT Device like Security Camera, authorized based on profiled information:
- Placed in VLAN 30 and tunnelled to the Controller for Stateful firewall / DPI
The following is the Bill of Materials for the above setup:
7005 Mobility Controllers - 184.108.40.206_64659
2930M Aruba Switch - WC.16.05.0007
Server with VMWare ESXi VSphere 6.5 running the following VMs
Mobility Master - 220.127.116.11_64659
ClearPass server - 6.7.3
7010 Mobility Controller X 3 - 18.104.22.168_64659
2930F Aruba Switches - WC.16.05.0007
Windows laptop - Windows 10
Wired PoE IP Camera
Configure the Basic components like NTP, uplinks and VLANs
NTP is required as accurate time plays a critical role in network authentication.
Uplinks and Default Gateway:
These VLANs should only be created/defined: no IP address should be added and the VLANs should not be tied to any port.
Define the ClearPass server as RADIUS server and dynamic authorization client:
radius-server host 192.168.26.52 key Aruba123!
radius-server host 192.168.26.52 dyn-authorization
aaa server-group radius "ClearPass" host 192.168.26.52
Enable global functions and configurations:
ip source-interface radius vlan 17
ip client-tracker trusted
Configuring User-Based Tunneling (UBT)
Enable AAA functions:
aaa accounting network start-stop radius server-group "ClearPass"
aaa authorization user-role enable download
aaa authentication port-access eap-radius server-group "ClearPass"
aaa authentication mac-based chap-radius server-group "ClearPass"
aaa port-access authenticator 2-24
aaa port-access authenticator 2-24 tx-period 10
aaa port-access authenticator 2-24 supplicant-timeout 10
aaa port-access authenticator 2-24 client-limit 32
aaa port-access authenticator active
aaa port-access mac-based 2-24
aaa port-access mac-based 2-24 addr-limit 32
Other Requirements for DUR:
To support downloadable user roles, the signing CA of the ClearPass HTTPS certificate must be added to the switch and marked as trusted. By default, the following CAs are installed in ArubaOS-Switch.
I will be using the HTTPS Server Certificate signed by GeoTrust in ClearPass.
DURs also require a ClearPass read-only user account to download the user role configuration. Configure the expected username and password for the account.
radius-server cppm identity s-admin key Aruba123!
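Before moving to ClearPass it is worth checking that the switch side is complete, because a missing dyn-authorization or download statement fails silently until the first client tries to authenticate. The following Python script is an added example, not part of the original post or of ArubaOS-Switch: it lints a saved running-config against the DUR prerequisites listed above (RADIUS host with key, dynamic authorization on that host, a server group that points at it, user-role download enabled, the cppm identity, and the authenticator being active). The sample configuration is constructed from the CLI lines shown in this post; the shared keys in it are the post's example values and are never printed.

```python
import re

# Constructed sample: the switch CLI lines shown in this post, joined into one config.
SAMPLE_CONFIG = """
radius-server host 192.168.26.52 key Aruba123!
radius-server host 192.168.26.52 dyn-authorization
aaa server-group radius "ClearPass" host 192.168.26.52
ip source-interface radius vlan 17
ip client-tracker trusted
aaa accounting network start-stop radius server-group "ClearPass"
aaa authorization user-role enable download
aaa authentication port-access eap-radius server-group "ClearPass"
aaa authentication mac-based chap-radius server-group "ClearPass"
aaa port-access authenticator 2-24
aaa port-access authenticator 2-24 tx-period 10
aaa port-access authenticator 2-24 supplicant-timeout 10
aaa port-access authenticator 2-24 client-limit 32
aaa port-access authenticator active
aaa port-access mac-based 2-24
aaa port-access mac-based 2-24 addr-limit 32
radius-server cppm identity s-admin key Aruba123!
"""


def check_dur_prereqs(config_text):
    """Return a list of (severity, message) tuples; severity is 'fail' or 'warn'.

    An empty list means every prerequisite from the post is present.
    """
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    hosts_with_key, hosts_dynauth, groups = set(), set(), {}
    auth_groups = []            # server groups referenced by 802.1X / MAC auth
    authenticator_ports = False
    authenticator_active = False
    has_download = has_cppm_identity = has_source_if = has_accounting = False

    for line in lines:
        if m := re.fullmatch(r'radius-server host (\S+) key \S+', line):
            hosts_with_key.add(m.group(1))
        elif m := re.fullmatch(r'radius-server host (\S+) dyn-authorization', line):
            hosts_dynauth.add(m.group(1))
        elif m := re.fullmatch(r'aaa server-group radius "([^"]+)" host (\S+)', line):
            groups.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.fullmatch(r'aaa authentication (?:port-access eap-radius|mac-based chap-radius) '
                               r'server-group "([^"]+)"', line):
            auth_groups.append(m.group(1))
        elif line == 'aaa port-access authenticator active':
            authenticator_active = True
        elif re.match(r'aaa port-access authenticator \S+', line):
            authenticator_ports = True
        elif line == 'aaa authorization user-role enable download':
            has_download = True
        elif re.match(r'radius-server cppm identity \S+ key \S+', line):
            has_cppm_identity = True
        elif line.startswith('ip source-interface radius'):
            has_source_if = True
        elif line.startswith('aaa accounting network'):
            has_accounting = True

    if not hosts_with_key:
        findings.append(('fail', 'no RADIUS server with a shared key is defined'))
    # CoA is what lets ClearPass re-apply a role once a MAC-authenticated device is profiled.
    for host in sorted(hosts_with_key - hosts_dynauth):
        findings.append(('fail', f'{host}: dyn-authorization missing; ClearPass cannot send CoA after profiling'))
    for name in auth_groups:
        hosts = groups.get(name)
        if not hosts:
            findings.append(('fail', f'server-group "{name}" is referenced but has no hosts'))
        elif not hosts <= hosts_with_key:
            findings.append(('fail', f'server-group "{name}" references a host without a radius-server key'))
    if not auth_groups:
        findings.append(('fail', 'no port-access or mac-based authentication method points at a server group'))
    if not has_download:
        findings.append(('fail', '"aaa authorization user-role enable download" missing; roles will not be fetched'))
    if not has_cppm_identity:
        findings.append(('fail', '"radius-server cppm identity" missing; no account to download roles with'))
    if authenticator_ports and not authenticator_active:
        findings.append(('fail', '802.1X ports configured but "aaa port-access authenticator active" missing'))
    if not has_source_if:
        findings.append(('warn', 'no "ip source-interface radius"; NAD IP seen by ClearPass may vary by egress VLAN'))
    if not has_accounting:
        findings.append(('warn', 'no RADIUS accounting; Access Tracker will lack session updates'))
    return findings


def failures(config_text):
    """Only the blocking findings."""
    return [msg for sev, msg in check_dur_prereqs(config_text) if sev == 'fail']


def without(config_text, fragment):
    """Drop every config line containing `fragment` (builds a deliberately broken variant)."""
    return "\n".join(l for l in config_text.splitlines() if fragment not in l)


if __name__ == '__main__':
    for sev, msg in check_dur_prereqs(SAMPLE_CONFIG) or [('ok', 'all DUR prerequisites present')]:
        print(sev.upper(), msg)
```

Run it against `show running-config` output saved to a file; the constructed sample passes cleanly, and removing the dyn-authorization line produces exactly one failure naming that host.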
Bring up the ClearPass server, install the license and configure all the basic settings.
Now let's configure the things specific to this demo:
Go to "Configuration -> Network -> Devices" and add the Dynamic Segmentation switch as the NAD.
Create Local Users:
Create local users under "Configuration -> Identity -> Local Users"
user1 / Aruba123!
Go to "Configuration -> Profile and Network Scan -> Network Scan" and add the subnets you want to scan.
Ensure you point the "IP helper address" on the user VLAN to the ClearPass server.
Read Only User Account:
Under "Administration -> Users and Privileges -> Admin Users" configure the read-only user account. This will be used by the ArubaOS-Switch to download the user role configuration.
Go to "Administration -> Certificates -> Certificate Store" and click on "Import Certificate". Verify the same:
Creating the Enforcement Profiles:
Go to "Configuration -> Enforcement -> Profiles"
Add an "Aruba Downloadable Role Enforcement" Profile.
Select “Role Configuration Mode = Advanced”
Select “Product = ArubaOS-Switch”
Create the Type, Name and Value as follows:
Edutech 802.1X Wired Service:
Enforcement Policy Details
(Tips:Role EQUALS [User Authenticated])
Edutech Device MAC Authentication Service:
Enforcement Policy Details
(Endpoint:Device Type EQUALS Printer)
(Endpoint:Device Type EQUALS Camera)
Refer to the following post for:
- Bringing up the Mobility Master
- Installing the license.
- Placing the 3 X 7010 Controllers into a cluster. Ensure that 192.168.17.179 is the cluster leader.
- Creating an SSID on AP335 for management purposes.
Once you have done that, ensure that you have the following roles in the controller under
Managed Network -> Cluster Group name -> Configuration -> Roles and Policies -> Roles
Camera: Define a session-based ACL as per your requirement, e.g. allow access to the camera only from certain subnets.
Time to Test:
Connect the employee laptop and the camera to any port on the 2930F switch.
Verification Commands on Switch:
Verification Commands on the Controller:
Pre-Sales people can demonstrate this functionality using a Switch Monitor Web App.
Hope you find this useful. Please post your feedback!