
Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration


Setting up Colourless port with Dynamic Segmentation, using Centralized Policy Orchestration:

This post lists the steps involved in setting up a "Colourless port with Dynamic Segmentation" on ArubaOS-Switch.

We will be using Downloadable User Roles (DUR) in ClearPass for centralized policy and access control.

This post should be useful to Aruba partner engineers and customers who are trying to implement this capability.


What we will be achieving:

Employee laptop performing 802.1X authentication:

  • Placed in VLAN 29 and bridged locally on the switch.

IoT device such as a security camera, authorized based on profiled information:

  • Placed in VLAN 30 and tunnelled to the controller for stateful firewall / DPI.

Network Diagram: (image: Network Diagram.jpg)



The following is the Bill of Materials for the above setup:

  • 7005 Mobility Controllers
  • 2930M Aruba Switch - WC.16.05.0007
  • Server with VMware ESXi vSphere 6.5 running the following VMs:
      • Mobility Master
      • ClearPass server - 6.7.3
  • 7010 Mobility Controller x 3
  • 2930F Aruba Switches - WC.16.05.0007
  • Windows laptop - Windows 10
  • Wired PoE IP Camera



ArubaOS-Switch Configuration:

Configure the basic components such as NTP, uplinks and VLANs.

NTP is required because accurate time plays a critical role in network authentication. (image: NTP.jpg)

Uplinks and default gateway: (image: Uplink and Default Gateway.jpg)

User VLANs:

These VLANs should only be created (defined). No IP address should be added to them, and they should not be tied to any port; the downloaded user role is what places a client in them. (image: User VLANs.jpg)



Define the ClearPass server as RADIUS server and dynamic authorization client:

radius-server host key Aruba123!
radius-server host dyn-authorization
aaa server-group radius "ClearPass" host


Enable global functions and configurations:

ip source-interface radius vlan 17
ip client-tracker trusted


Configuring User-Based Tunneling (UBT)



   mode role-based                                     



Enable AAA functions:

aaa accounting network start-stop radius server-group "ClearPass"
aaa authorization user-role enable download
aaa authentication port-access eap-radius server-group "ClearPass"
aaa authentication mac-based chap-radius server-group "ClearPass"


Port configuration:

aaa port-access authenticator 2-24
aaa port-access authenticator 2-24 tx-period 10
aaa port-access authenticator 2-24 supplicant-timeout 10
aaa port-access authenticator 2-24 client-limit 32
aaa port-access authenticator active
aaa port-access mac-based 2-24
aaa port-access mac-based 2-24 addr-limit 32


Other Requirements for DUR:

To support downloadable user roles, the signing CA of the ClearPass HTTPS certificate must be added to the switch and marked as trusted. By default, the following CAs are installed on the ArubaOS-Switch. (image: Trusted CA.jpg)

I will be using the HTTPS Server Certificate signed by GeoTrust in ClearPass.


DUR also requires a ClearPass read-only user account, which the switch uses to download the user role configuration. Configure the username and password of that account on the switch:

radius-server cppm identity s-admin key Aruba123!
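As an added example (not part of the original post and not an Aruba tool), the following Python script audits an ArubaOS-Switch running-config for the prerequisites set out in this section: NTP, RADIUS dynamic authorization, the cppm identity used for the DUR download, the RADIUS source interface, client-tracker, DUR download enabled, 802.1X and MAC authentication enabled on the same port range, and user VLANs that are defined but carry neither an IP address nor any port membership. The sample config, hostname and IP addresses are constructed; the line patterns assume the plain-text running-config format of the switch.

```python
"""Audit an ArubaOS-Switch running-config for the colourless-port / DUR
prerequisites. Constructed example; the config below is not from a real switch."""
import re

# Constructed sample running-config (hostname, IPs and key are made up).
SAMPLE_CONFIG = """\
hostname "2930F-Edge"
timesync ntp
ntp server 10.1.17.5
ip client-tracker trusted
ip source-interface radius vlan 17
vlan 17
   name "MGMT"
   untagged 1
   ip address 10.1.17.10 255.255.255.0
   exit
vlan 29
   name "Employee"
   exit
vlan 30
   name "Camera"
   exit
radius-server host 10.1.17.20 key "Aruba123!"
radius-server host 10.1.17.20 dyn-authorization
radius-server cppm identity s-admin key "Aruba123!"
aaa server-group radius "ClearPass" host 10.1.17.20
aaa accounting network start-stop radius server-group "ClearPass"
aaa authorization user-role enable download
aaa authentication port-access eap-radius server-group "ClearPass"
aaa authentication mac-based chap-radius server-group "ClearPass"
aaa port-access authenticator 2-24
aaa port-access authenticator active
aaa port-access mac-based 2-24
"""

# Global lines that must be present (label, pattern matched against stripped lines).
REQUIRED_GLOBALS = [
    ("NTP server configured", re.compile(r"^ntp server ")),
    ("RADIUS dynamic authorization (CoA) enabled", re.compile(r"^radius-server host \S+ dyn-authorization$")),
    ("ClearPass read-only identity for DUR download", re.compile(r"^radius-server cppm identity ")),
    ("RADIUS source interface set", re.compile(r"^ip source-interface radius vlan \d+$")),
    ("client tracker trusted", re.compile(r"^ip client-tracker trusted$")),
    ("DUR download enabled", re.compile(r"^aaa authorization user-role enable download$")),
    ("802.1X authentication via RADIUS", re.compile(r"^aaa authentication port-access eap-radius server-group ")),
    ("MAC authentication via RADIUS", re.compile(r"^aaa authentication mac-based chap-radius server-group ")),
    ("RADIUS accounting", re.compile(r"^aaa accounting network start-stop radius server-group ")),
    ("802.1X authenticator active", re.compile(r"^aaa port-access authenticator active$")),
]


def parse_vlans(text):
    """Return {vlan_id: [stripped body lines]} for every 'vlan N' ... 'exit' block."""
    vlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = []
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
        else:
            vlans[current].append(line)
    return vlans


def audit_config(text, user_vlans):
    """Return a list of findings; an empty list means every prerequisite is met."""
    lines = [l.strip() for l in text.splitlines()]
    findings = []
    for label, pattern in REQUIRED_GLOBALS:
        if not any(pattern.match(l) for l in lines):
            findings.append(f"missing: {label}")

    # Colourless ports need 802.1X and MAC auth enabled on the same port range.
    ports = {}
    for l in lines:
        m = re.match(r"^aaa port-access (authenticator|mac-based) (\d[\d,\-]*)$", l)
        if m:
            ports[m.group(1)] = m.group(2)
    for method in ("authenticator", "mac-based"):
        if method not in ports:
            findings.append(f"no ports enabled for port-access {method}")
    if len(ports) == 2 and ports["authenticator"] != ports["mac-based"]:
        findings.append(f"802.1X ports {ports['authenticator']} and MAC-auth ports "
                        f"{ports['mac-based']} differ; colourless ports need both")

    # User VLANs: defined, layer 2 only, and not assigned to any port.
    vlans = parse_vlans(text)
    for vid in sorted(user_vlans):
        body = vlans.get(vid)
        if body is None:
            findings.append(f"user VLAN {vid} is not defined on the switch")
            continue
        if any(l.startswith("ip address") for l in body):
            findings.append(f"user VLAN {vid} has an IP address; DUR user VLANs should be layer 2 only")
        if any(l.startswith(("tagged", "untagged")) for l in body):
            findings.append(f"user VLAN {vid} is tied to ports; leave it unassigned so the role places clients in it")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, {29, 30}) or ["all prerequisites present"]:
        print(finding)
```

Run it against `show running-config` output saved to a file by reading the file into `audit_config` in place of `SAMPLE_CONFIG`; a non-empty list is the checklist of what still has to be fixed before testing a colourless port.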



ClearPass Configuration:

Bring up the ClearPass server, install the license and configure all the basic settings.

Now let's configure the things specific to this demo.

Defining NAD:

Go to "Configuration -> Network -> Devices" and add the Dynamic Segmentation switch as a NAD. (image: Adding the NAD.jpg)

Create Local Users:

Create local users under "Configuration -> Identity -> Local Users"

user1 / Aruba123!


Profiler Settings:

Go to "Configuration -> Profile and Network Scan -> Network Scan" and add the subnets you want to scan.

Ensure that the IP helper address on the user VLANs points to the ClearPass server, so that ClearPass can profile the devices.


Read Only User Account:

Under "Administration -> Users and Privileges -> Admin Users" configure the read-only user account. This will be used by the ArubaOS-Switch to download the user role configuration. (image: Read-Only-Users.jpg)

Install Certificate:

Go to "Administration -> Certificates -> Certificate Store" and click on "Import Certificate". (image: import Certificate.jpg)

Verify the same: (image: Public Cert.jpg)



Creating the Enforcement Profiles:

Goto "Configuration -> Enforcement -> Profiles"

Add an "Aruba Downloadable Role Enforcement" Profile.

Select “Role Configuration Mode = Advanced”

Select “Product = ArubaOS-Switch”

Create the Type, Name and Value as follows:

For Employee: (image: dur_employee.jpg)

For Camera: (image: dur_camera.jpg)
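The two screenshots hold the actual role text. As an added example, not taken from the post or from Aruba, the following Python snippet shows what such a role value looks like in ArubaOS-Switch user-role syntax (the exact lines are an assumption: `vlan-id 29` for the locally bridged employee role, and a `tunneled-node-server-redirect secondary-role` line together with `vlan-id 30` for the camera) and checks the two things that most often break a DUR deployment: the VLAN named in the role has to exist on the switch, and the secondary role named for a tunnelled client has to exist on the controller. The switch VLAN set and controller role set are constructed to match this post.

```python
"""Parse DUR role text and cross-check it against the switch and controller.
Constructed example; the role text is an assumption of the advanced-mode value."""
import re

# Assumed role values (constructed), in ArubaOS-Switch user-role syntax.
EMPLOYEE_ROLE = """\
aaa authorization user-role name "employee"
   vlan-id 29
   exit
"""

CAMERA_ROLE = """\
aaa authorization user-role name "camera"
   vlan-id 30
   tunneled-node-server-redirect secondary-role "camera"
   exit
"""

# Constructed to match the setup described in the post.
SWITCH_USER_VLANS = {29, 30}       # VLANs defined (layer 2 only) on the switch
CONTROLLER_ROLES = {"camera"}      # roles that exist on the Mobility Controller


def parse_user_roles(text):
    """Return {role_name: {"vlan": int|None, "secondary_role": str|None}}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^aaa authorization user-role name "([^"]+)"$', line)
        if m:
            current = m.group(1)
            roles[current] = {"vlan": None, "secondary_role": None}
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
            continue
        m = re.match(r"^vlan-id (\d+)$", line)
        if m:
            roles[current]["vlan"] = int(m.group(1))
            continue
        m = re.match(r'^tunneled-node-server-redirect secondary-role "([^"]+)"$', line)
        if m:
            roles[current]["secondary_role"] = m.group(1)
    return roles


def forwarding_mode(role):
    """'tunneled' when the role redirects to the controller, otherwise 'local'."""
    return "tunneled" if role["secondary_role"] else "local"


def check_roles(roles, switch_vlans, controller_roles):
    """Return findings for roles that cannot be applied as written."""
    findings = []
    for name, role in roles.items():
        if role["vlan"] is None:
            findings.append(f"{name}: no vlan-id in role")
        elif role["vlan"] not in switch_vlans:
            findings.append(f"{name}: vlan-id {role['vlan']} is not defined on the switch, "
                            "so the role cannot be applied")
        if role["secondary_role"] and role["secondary_role"] not in controller_roles:
            findings.append(f"{name}: secondary role '{role['secondary_role']}' "
                            "does not exist on the controller")
    return findings


if __name__ == "__main__":
    parsed = parse_user_roles(EMPLOYEE_ROLE + CAMERA_ROLE)
    for name, role in parsed.items():
        print(f"{name}: VLAN {role['vlan']}, {forwarding_mode(role)}")
    for finding in check_roles(parsed, SWITCH_USER_VLANS, CONTROLLER_ROLES) or ["roles consistent"]:
        print(finding)
```

Paste the Value field of each enforcement profile into the script in place of the constructed role text to run the same consistency check against your own roles before testing.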


Creating Services:

Edutech 802.1X Wired Service: (image: Dot1x service.jpg)

Enforcement Policy Details (Conditions -> Enforcement Profiles):

  • (Tips:Role EQUALS [User Authenticated]) AND (Tips:Role EQUALS [Employee])

Edutech Device MAC Authentication Service: (image: Mac-auth Service.jpg)

Enforcement Policy Details (Conditions -> Enforcement Profiles):

  • (Endpoint:Device Type EQUALS Printer)
  • (Endpoint:Device Type EQUALS Camera)




Controller Configuration:

Refer to the following post for:

  • Bringing up the Mobility Master.
  • Installing the license.
  • Placing the 3 x 7010 controllers into a cluster. Ensure that is the cluster leader.
  • Creating an SSID on the AP335 for management purposes.

Once you have done that, ensure that you have the following roles in the controller under:

Managed Network -> Cluster Group name -> Configuration -> Roles and Policies -> Roles

Camera: define a session-based ACL as per your requirement, e.g. allow access to the camera only from certain subnets. (image: Controller Roles.jpg)



Time to Test:

Please connect the employee laptop and the camera to any port on the 2930F switch.


Verification commands on the switch: (images: Verification Commands1.jpg, Verification Commands2.jpg)


Verification commands on the controller: (image: Verification Commands3.jpg)


Pre-sales people can demonstrate this functionality using a Switch Monitor web app. (image: Further Demo.jpg)



Hope you find this useful. Please post your feedback!


Kapildev Erampu




