Aruba Downloadable User Roles


This post is all about Aruba Downloadable User Roles and how to use them for wired and wireless access with dot1x and MAC authentication.

If you use Downloadable User Roles, you get a central point of configuration for everything access-related. ClearPass, which is used as the radius server, holds all the roles. Access devices like switches or access points download those roles from there. If you need to change a role, you do that on ClearPass; there is no need to change anything on your access devices. This makes it simple and easy to use, and only a feature that is easy to use will actually be adopted by an organization and enhance security.

How Does It Work

For Downloadable User Roles to work you need ClearPass. Below is the process flow for Downloadable User Roles:

Downloadable User Role Flow Chart

The first step in applying a Downloadable User Role (DUR) is authentication. It can be either MAC authentication, for devices that do not support anything stronger, or 802.1x authentication. The access device sends a radius request to ClearPass and receives an answer (Radius Access-Accept) from ClearPass that includes the Downloadable Role information. This is just a radius VSA containing the name of the role and a version number.

If the role name together with the version number is already present on the access device, the cached version is used and applied to the client. If the role name is not on the device, or the version has changed, the role is downloaded from ClearPass using HTTPS and then applied to the client.

Downloadable User Roles: Prepare ClearPass

As you see in the flow chart above, the access device downloads the role from ClearPass using HTTPS. HTTPS traffic from the access device to ClearPass therefore needs to be permitted. The access device also needs a username and a password to download the roles. To create this user, log in to ClearPass, go to “Administration–>Users and Privileges–>Admin Users” and create a new “Read-only Administrator”:

Downloadable User Role - Add DUR User

This user will be configured on the access devices to download roles from ClearPass.

Downloadable User Roles with ArubaOS Switches

Let’s start with ArubaOS Switches (formerly known as ProCurve Switches). They have supported Downloadable User Roles since version 16.04.008. I’m testing with 16.10.0010.

First, we need to configure some radius basics for the switch:

ip client-tracker

This allows the switch to learn the IP addresses of connected clients, which helps with troubleshooting and monitoring.

I also set the radius source interface to be my management interface:

ip source-interface radius vlan 100

Next, you need to configure the radius server itself. But first, some more detail. As the switch will use HTTPS to download the role, it needs to trust the HTTPS certificate of the ClearPass server. Therefore you need to import the root CA that signed the HTTPS certificate of ClearPass. Fortunately, this happens automatically if configured correctly. Here is the list of trusted root CAs on my switch before I configured ClearPass as the radius server:

show crypto pki ta-profile

  Profile Name    Profile Status                 CRL Configured  OCSP Configured
  --------------- ------------------------------ --------------- ---------------
  IDEVID_ROOT     Root Certificate Installed
  COMODO_RSA_CA   Root Certificate Installed     No              No
  GEOTRUST_CA     Root Certificate Installed     No              No
  ARUBA_CA        Root Certificate Installed     No              No
  CUSTOM_CA       Root Certificate Installed     No              No

Now, you can add ClearPass as the radius server:

radius-server host clearpass-a.arubalab.net key aruba123 clearpass
radius-server host clearpass-a.arubalab.net dyn-authorization
radius-server host clearpass-a.arubalab.net time-window plus-or-minus-time-window 30
aaa server-group radius cppm host clearpass-a.arubalab.net

The commands above add all needed settings to the switch. The first one adds ClearPass as a radius server and makes the switch aware that it is a ClearPass server. This also enables the switch to download the HTTPS CA certificate from ClearPass.

The second command enables dynamic authorization (CoA) for that radius server. The third command sets a time window for CoA packets, just in case the clocks are not in sync.

The last command adds the radius server to a server group. You can add multiple radius servers to the switch using the commands above.

Now, let’s check the Root CA list again:

show crypto pki ta-profile

  Profile Name    Profile Status                 CRL Configured  OCSP Configured
  --------------- ------------------------------ --------------- ---------------
  IDEVID_ROOT     Root Certificate Installed
  COMODO_RSA_CA   Root Certificate Installed     No              No
  GEOTRUST_CA     Root Certificate Installed     No              No
  ARUBA_CA        Root Certificate Installed     No              No
  USERTrust RS... Root Certificate Installed     No              No
  CUSTOM_CA       Root Certificate Installed     No              No

As you can see, the 5th entry is new. This is the CA that signed my HTTPS certificate. In the logs it looks like this:

I 11/16/20 06:06:40 05811 CADownload: ST2-CMDR: Successfully downloaded the
            certificate from clearpass-a.arubalab.net server
I 11/16/20 06:06:40 05809 CADownload: ST2-CMDR: Successfully resolved Fqdn
            clearpass-a.arubalab.net to Ip address 10.104.104.41

The next step is to configure the user to download the roles. You configured this user already on ClearPass. So now you just need to add this user to the switch:

radius-server cppm identity dur-user key aruba123

The next commands enable authentication on the switch. What you configure depends on what you would like to do. I will do MAC authentication and 802.1x. If you only need one of the two, you can skip the other:

aaa authentication port-access eap-radius server-group "cppm"
aaa authentication mac-based chap-radius server-group "cppm"

I will also use accounting:

aaa accounting network start-stop radius server-group "cppm"
aaa accounting update periodic 5

Accounting is important, as ClearPass uses it to determine which sessions are active and therefore consume a license. You can adapt the periodic accounting updates to your needs. In my case, I set this to 5 minutes.

The last step, for the global configuration, is to enable roles and downloadable user roles:

aaa authorization user-role enable
aaa authorization user-role enable download

Let’s activate the authenticator globally before we go into the port config:

aaa port-access authenticator active

The final step is to enable authentication for the desired ports. I will enable mac auth and 802.1x on the ports:

aaa port-access mac-based 2/20
aaa port-access authenticator 2/20

Downloadable User Roles: ClearPass Configuration for ArubaOS Switches

This section covers the ClearPass part for Downloadable Roles for ArubaOS Switches. I will not cover the creation of services and policies and other ClearPass-related topics. I will create a profile which can be used in a policy for an authentication service, but I assume that you know how to create policies and services within ClearPass.

Go to ClearPass and “Configuration–>Enforcement–>Profiles” and create a new “Aruba Downloadable Role Enforcement”:

Downloadable User Role - Add DUR Enforcement Profile

The important parts are the “Template” and the “Product”. The “Name” should give a good hint about the use of the profile. I use the “Advanced” “Role Configuration Mode”, which allows you to enter the role configuration directly as text. With “Standard” you get a nice GUI to enter the settings. Click “Next” to get to the “Attributes”:

Downloadable User Role - Add DUR Enforcement Profile Attributes

Below is the content of the text box:

class ipv4 dns
10 match udp any any eq 53
20 match udp any eq 53 any
exit
class ipv4 dhcp
10 match udp any any eq 67
20 match udp any eq 67 any
exit
class ipv4 internal
10 match ip any 10.0.0.0/8
20 match ip any 192.168.1.0/24
30 match ip any 192.168.2.0/24
exit
class ipv4 all
10 match ip any any
exit
class ipv4 web
10 match tcp any any eq 80 
20 match tcp any eq 80 any
30 match tcp any any eq 443
40 match tcp any eq 443 any
exit
class ipv4 vlan107
10 match ip any 10.107.107.0/24
exit
policy user sma
10 class ipv4 dns action permit
20 class ipv4 dhcp action permit
30 class ipv4 web action permit
40 class ipv4 vlan107 action permit
50 class ipv4 internal action deny
60 class ipv4 all action permit
exit
aaa authorization user-role name FloLan-SMA
policy sma
reauth-period 86400
vlan-name SMA
exit

First, I create some classes: DNS, DHCP, internal networks, an all class, a web class, and a class for VLAN 107. These classes are then used in the policy. Here I have the policy “sma”, which allows DNS, DHCP, web, and traffic within VLAN 107, but denies traffic to my internal networks. The last line is an allow-all rule.

The role itself is the last block, which assigns the policy to the role, sets the “reauth-period” to one day (86400 seconds), and puts the client into the VLAN named SMA.

If ClearPass returns this profile for a device, the switch downloads the role from ClearPass and applies it to the device:

show port-access clients

Downloaded user roles are preceded by *

 Port Access Client Status

  Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
  ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
  2/20  SUNNY ISLAND  0040ad-a4c0e0     10.107.107.148  *FloLan_SMA_Ro... MAC   107
  2/20  SUNNY TRIP... 0040ad-ab95ad     10.107.107.149  *FloLan_SMA_Ro... MAC   107
  2/20  Sunny Home... 00d093-49c0d1     10.107.107.150  *FloLan_SMA_Ro... MAC   107

You can even have more details:

show port-access clients detailed

  Client Base Details :
   Port            : 2/20                  Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 31529 seconds
   Client Name     : SUNNY ISLAND          Session Timeout     : 86400 seconds
   MAC Address     : 0040ad-a4c0e0
   IP              : 10.107.107.148

   Auth Order      : Not Set
   Auth Priority   : Not Set
   LMA Fallback    : Disabled

Downloaded user roles are preceded by *

 User Role Information

   Name                              : *FloLan_SMA_Role-3036-5
   Type                              : downloaded
   Reauthentication Period (seconds) : 86400
   Cached Reauth Period (seconds)    : 0
   Logoff Period (seconds)           : 300
   Untagged VLAN                     : 107
   Tagged VLANs                      :
   Captive Portal Profile            :
   Policy                            : sma_FloLan_SMA_Role-3036-5


Statements for policy "sma_FloLan_SMA_Role-3036-5"
policy user "sma_FloLan_SMA_Role-3036-5"
     10 class ipv4 "dns_FloLan_SMA_Role-3036-5" action permit
     20 class ipv4 "dhcp_FloLan_SMA_Role-3036-5" action permit
     30 class ipv4 "web_FloLan_SMA_Role-3036-5" action permit
     40 class ipv4 "vlan107_FloLan_SMA_Role-3036-5" action permit
     50 class ipv4 "internal_FloLan_SMA_Role-3036-5" action deny
     60 class ipv4 "all_FloLan_SMA_Role-3036-5" action permit
   exit



Statements for class IPv4 "dns_FloLan_SMA_Role-3036-5"
class ipv4 "dns_FloLan_SMA_Role-3036-5"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
     20 match udp 0.0.0.0 255.255.255.255 eq 53 0.0.0.0 255.255.255.255
   exit



Statements for class IPv4 "dhcp_FloLan_SMA_Role-3036-5"
class ipv4 "dhcp_FloLan_SMA_Role-3036-5"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
     20 match udp 0.0.0.0 255.255.255.255 eq 67 0.0.0.0 255.255.255.255
   exit



Statements for class IPv4 "web_FloLan_SMA_Role-3036-5"
class ipv4 "web_FloLan_SMA_Role-3036-5"
     10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
     20 match tcp 0.0.0.0 255.255.255.255 eq 80 0.0.0.0 255.255.255.255
     30 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
     40 match tcp 0.0.0.0 255.255.255.255 eq 443 0.0.0.0 255.255.255.255
   exit



Statements for class IPv4 "vlan107_FloLan_SMA_Role-3036-5"
class ipv4 "vlan107_FloLan_SMA_Role-3036-5"
     10 match ip 0.0.0.0 255.255.255.255 10.107.107.0 0.0.0.255
   exit



Statements for class IPv4 "internal_FloLan_SMA_Role-3036-5"
class ipv4 "internal_FloLan_SMA_Role-3036-5"
     10 match ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
     20 match ip 0.0.0.0 255.255.255.255 192.168.1.0 0.0.0.255
     30 match ip 0.0.0.0 255.255.255.255 192.168.2.0 0.0.0.255
   exit



Statements for class IPv4 "all_FloLan_SMA_Role-3036-5"
class ipv4 "all_FloLan_SMA_Role-3036-5"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

   Tunnelednode Server Redirect      : Disabled
   Secondary Role Name               :
   Device Attributes                 : Disabled

Here you can see all the details which were downloaded from ClearPass.

To make the picture complete, below are the ClearPass settings.

The Policy used to select the role:

Downloadable User Role - Policy

And the services bringing everything together:

Downloadable User Role - Service

As you see in the screenshots above, the rest of the ClearPass configuration is straightforward. Nothing special. And if you need to change the role, simply change the profile with the role, and newly authenticating users will get the new configuration.

Downloadable User Role with Aruba CX Switches

Let’s do the same with an Aruba CX switch. I will use a 6300 running 10.06.0112.

First, you need to add the root (or signing) CA certificate of the ClearPass HTTPS certificate to the certificate store on the switch. Unfortunately, there is no automatic way like we have with the ArubaOS-S switches, but it is also just a copy-and-paste job. Use the following commands to create a new TA profile with the root (or signing) CA:

CX-6300-Selm(config)# crypto pki ta-profile clearpass
CX-6300-Selm(config-ta-clearpass)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
CX-6300-Selm(config-ta-cert)# -----BEGIN CERTIFICATE-----
CX-6300-Selm(config-ta-cert)# -----END CERTIFICATE-----
CX-6300-Selm(config-ta-cert)#
CX-6300-Selm(config-ta-cert)#
The certificate you are importing has the following attributes:
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Issuer:  C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Serial Number: 0x7D5B5126B476BA11DB74160BBC530DA7
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y

Afterward, check the TA profiles on the switch:

CX-6300-Selm(config)# show crypto pki ta-profile

TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
clearpass                        Installed, valid     disabled

The next step is to add the radius server to the config as well:

radius-server host clearpass-a.arubalab.net key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username dur-user clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ vrf mgmt
radius-server host clearpass-b.arubalab.net key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username dur-user clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ vrf mgmt
!

To use them for authentication, add them to a group:

aaa group server radius cppm
    server clearpass-a.arubalab.net vrf mgmt
    server clearpass-b.arubalab.net vrf mgmt

Now, enable authentication (I do MAC auth and dot1x) globally:

aaa authentication port-access dot1x authenticator
    radius server-group cppm
    enable
aaa authentication port-access mac-auth
    radius server-group cppm
    enable

I also enabled accounting:

aaa accounting port-access start-stop interim 5 group cppm

This will enable accounting with interim updates every 5 minutes.

To also get the IP information for all clients, it is wise to enable the client tracker on CX as well:

client track ip

The last step is to enable authentication on a per port basis. Take the following as an example:

interface 1/1/16
    no shutdown
    description Uplink_SMA
    no routing
    vlan access 1
    aaa authentication port-access client-limit 10
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable

Downloadable User Roles: ClearPass Configuration for Aruba CX Switches

Now let’s head over to ClearPass and create some profiles. I will use the same service and policy as with the ArubaOS Switches above. Please take a look there for the basic configuration and use the following paragraphs to create the CX-specific user role profiles.

Create a new enforcement profile like the one below:

Downloadable User Role - Add DUR Enforcement Profile for CX

The important parts are the “Template”, using “Aruba Downloadable Role Enforcement”, and the “Product”, set to “AOS-CX”. I also use the “Advanced” “Role Configuration Mode”, as this allows me to use all available features and not only those exposed in the ClearPass GUI. I have created the same profiles as for the AOS-S switches above to show the differences and some examples. The first one uses a simple access VLAN and policy, together with some basic settings for the port:

Downloadable User Role - Simple DUR for CX

The above is straightforward. The only thing to note: in the policy, “action permit” is the default value, so there is no need to state it in the DUR.

Let’s take a more complex example like this one, with many classes for the policy used within the role:

class ip dns
10 match udp any any eq 53
20 match udp any eq 53 any

class ip dhcp
10 match udp any any eq 67
20 match udp any eq 67 any

class ip internal
10 match ip any 10.0.0.0/8
20 match ip any 192.168.1.0/24
30 match ip any 192.168.2.0/24

class ip all
10 match ip any any

class ip web
10 match tcp any any eq 80 
20 match tcp any eq 80 any
30 match tcp any any eq 443
40 match tcp any eq 443 any

class ip vlan107
10 match ip any 10.107.107.0/24

port-access policy sma
10 class ip dns
20 class ip dhcp
30 class ip web
40 class ip vlan107
50 class ip internal action drop
60 class ip all

port-access role SMA
associate policy sma
auth-mode client-mode
stp-admin-edge-port
vlan access name SMA
reauth-period 86400

Both examples use an access VLAN. If you need tagged VLANs as well, it can get tricky. It took me an hour to figure out how to work with trunks and VLAN names in downloadable user roles. But for my IAPs this is necessary:

class ip allow-all
10 match ip any any

port-access policy iap
10 class ip allow-all

port-access role FloLan-IAP
associate policy iap
reauth-period 86400
vlan trunk native name IAP_Management
vlan trunk allowed name IAP_Management
vlan trunk allowed name old_vlan
auth-mode device-mode
stp-admin-edge-port

The one that gave me headaches was the “vlan trunk allowed name” command. But simply repeating the command for each of your VLANs does the trick.
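Back to the sma policy: in both its ArubaOS-S form (explicit action on every line) and its CX form (permit implied, “action drop” to deny) it is evaluated in sequence order and the first matching class decides, so what the “internal” deny line really blocks depends on the classes placed before it. The following is an added example written for this post, not Aruba code: a small Python model that parses both DUR dialects and runs a few constructed flows from a VLAN 107 client through the CX sma policy; the flow names and the decisions() helper are constructed for the example.

```python
"""Model of the DUR classifier policies from this post: parses the class/policy text
in both dialects (ArubaOS-S "class ipv4"/"policy user" with explicit actions; AOS-CX
"class ip"/"port-access policy" with implicit permit and "action drop") and evaluates
constructed flows in sequence order, first matching class wins.  Not Aruba code."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_match(toks):
    """'<seq> match <proto> <src> [eq <port>] <dst> [eq <port>]' ->
    (proto, src_net, src_port|None, dst_net, dst_port|None); only the syntax the post uses."""
    rest, fields = toks[3:], [toks[2].lower()]
    for _ in range(2):                                   # source, then destination
        tok = rest.pop(0)
        fields.append(ANY if tok.lower() == "any" else ipaddress.ip_network(tok, strict=False))
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        del rest[:2 if port is not None else 0]
        fields.append(port)
    return tuple(fields)


def hits(m, proto, src, sport, dst, dport):
    """True when one match statement covers the flow; proto 'ip' covers tcp and udp."""
    return (m[0] in ("ip", proto) and ipaddress.ip_address(src) in m[1]
            and m[2] in (None, sport) and ipaddress.ip_address(dst) in m[3]
            and m[4] in (None, dport))


def parse_dur(text):
    """Return (classes, policy): classes maps name -> [match tuples], policy is the
    ordered list of (seq, class_name, 'permit'|'deny'). Role lines are skipped."""
    classes, policy, cur = {}, [], None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks == ["exit"]:
            continue
        if toks[0] == "class" and len(toks) >= 3:                  # class ipv4|ip <name>
            cur = ("class", toks[2])
            classes[toks[2]] = []
        elif toks[:1] == ["policy"] or toks[:2] == ["port-access", "policy"]:
            cur = ("policy", None)
        elif cur and cur[0] == "class" and len(toks) > 3 and toks[1].lower() == "match":
            classes[cur[1]].append(parse_match(toks))
        elif cur and cur[0] == "policy" and len(toks) > 3 and toks[1] == "class":
            action = toks[toks.index("action") + 1] if "action" in toks else "permit"
            policy.append((int(toks[0]), toks[3],
                           "deny" if action in ("deny", "drop") else "permit"))
        else:
            cur = None                                             # role block / other line
    return classes, policy


def evaluate(classes, policy, proto, src, sport, dst, dport):
    """First policy entry whose class matches wins -> (seq, class, action), else None."""
    for seq, name, action in policy:
        if any(hits(m, proto, src, sport, dst, dport) for m in classes[name]):
            return seq, name, action
    return None


# The sma policy from the CX section above (classes and policy, role block omitted).
CX_POLICY = """\
class ip dns
10 match udp any any eq 53
20 match udp any eq 53 any
class ip dhcp
10 match udp any any eq 67
20 match udp any eq 67 any
class ip internal
10 match ip any 10.0.0.0/8
20 match ip any 192.168.1.0/24
30 match ip any 192.168.2.0/24
class ip all
10 match ip any any
class ip web
10 match tcp any any eq 80
20 match tcp any eq 80 any
30 match tcp any any eq 443
40 match tcp any eq 443 any
class ip vlan107
10 match ip any 10.107.107.0/24
port-access policy sma
10 class ip dns
20 class ip dhcp
30 class ip web
40 class ip vlan107
50 class ip internal action drop
60 class ip all
"""

# Constructed flows from a client in VLAN 107: (proto, src, sport, dst, dport).
FLOWS = {
    "dns to internal server": ("udp", "10.107.107.148", 50000, "192.168.1.53", 53),
    "https to internal host": ("tcp", "10.107.107.148", 50001, "192.168.1.10", 443),
    "ssh to internal host":   ("tcp", "10.107.107.148", 50002, "192.168.1.10", 22),
    "ssh within vlan107":     ("tcp", "10.107.107.148", 50003, "10.107.107.5", 22),
    "ssh to internet":        ("tcp", "10.107.107.148", 50004, "203.0.113.7", 22),
}


def decisions(text):
    """Map each sample flow to the (seq, class, action) entry that decides it."""
    classes, policy = parse_dur(text)
    return {name: evaluate(classes, policy, *flow) for name, flow in FLOWS.items()}
```

Running decisions(CX_POLICY) shows that, because the dns and web classes precede internal, UDP/53 and TCP/443 toward 192.168.1.0/24 are permitted while SSH to the same host is denied; if that is not intended, move the internal class up or narrow the dns and web classes to the intended servers.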

On the CX switches, you can check if everything is working with the following commands.

First check if the user is authenticated:

CX-6300-Selm# show port-access clients

Port Access Clients

Status codes: d device-mode

----------------------------------------------------------------------------------
  Port     MAC-Address       Onboarding     Status      Role
                             Method
----------------------------------------------------------------------------------
d 1/1/5    48:4a:e9:c1:5e:8a dot1x          Success     FloLan_IAP-3059-8
d 1/1/7    90:4c:81:cf:3c:22 dot1x          Success     FloLan_IAP-3059-8
  1/1/12   b8:e9:37:40:d4:11 mac-auth       Success     FloLan_Sonos-3058-2
  1/1/13   94:9f:3e:44:52:f2 mac-auth       Success     FloLan_Sonos-3058-2
  1/1/13   48:a6:b8:a9:d7:fa mac-auth       Success     FloLan_Sonos-3058-2
  1/1/14   94:9f:3e:86:75:cc mac-auth       Success     FloLan_Sonos-3058-2
  1/1/15   94:9f:3e:86:75:e8 mac-auth       Success     FloLan_Sonos-3058-2
  1/1/16   00:40:ad:ab:95:ad mac-auth       Success     FloLan_SMA-3057-6
  1/1/16   00:40:ad:a4:c0:e0 mac-auth       Success     FloLan_SMA-3057-6
  1/1/16   00:d0:93:49:c0:d1 mac-auth       Success     FloLan_SMA-3057-6

To get more details on the roles you can use the following command:

CX-6300-Selm# show port-access role clearpass

Role Information:

Name  : FloLan_IAP-3059-8
Type  : clearpass
Status: Completed
----------------------------------------------
    Reauthentication Period             : 86400 secs
    Cached Reauthentication Period      :
    Authentication Mode                 : device-mode
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    UBT Gateway Clearpass Role          :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    : IAP_Management
    Allowed Trunk VLAN Names            : IAP_Management,
                                          old_vlan
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        : true
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              : iap_FloLan_IAP-3059-8

For all details you can also use the command for a specific port like this:

CX-6300-Selm# show port-access clients interface 1/1/5 detail

Port Access Client Status Details:

Client 48:4a:e9:c1:5e:8a, IAP-345
============================
  Session Details
  ---------------
    Port         : 1/1/5
    Session Time : 31400s
    IPv4 Address : 10.102.102.149
    IPv6 Address :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  :
      Access          :
      Native Untagged :
      Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : dot1x Authenticated
    Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted

  Authorization Details
  ----------------------
    Role   : FloLan_IAP-3059-8
    Status : Applied


Role Information:

Name  : FloLan_IAP-3059-8
Type  : clearpass
Status: Completed
----------------------------------------------
    Reauthentication Period             : 86400 secs
    Cached Reauthentication Period      :
    Authentication Mode                 : device-mode
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    UBT Gateway Clearpass Role          :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    : IAP_Management
    Allowed Trunk VLAN Names            : IAP_Management,
                                          old_vlan
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        : true
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              : iap_FloLan_IAP-3059-8


Access Policy Details:

Policy Name   : iap_FloLan_IAP-3059-8
Policy Type   : Downloaded
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          allow-all_FloLan_IAP-3059-8  ipv4 permit


Class Details:

class ip allow-all_FloLan_IAP-3059-8
    10 match any any any

Downloadable User Role with Aruba Instant AP (IAP)

Next is the IAP. They support DUR as well. I will use Central to manage my IAPs, but DUR also works with stand-alone IAPs or if they are managed by AirWave.

To make the IAP work with DUR, you need to add the read-only admin for ClearPass (which can be the same user as for the switches above) to the radius configuration of the IAP. To add this user to the radius server in Central, go to the group with your IAPs, then to “Devices”, and stay on the “Access Points” tab. Now select the config button in the upper right corner of the screen and stay on “WLANs”. The configuration to add the user is directly within the SSID, in the roles section. So either create a new SSID or modify an existing one and select “Downloadable Role” in the roles section. Now you can add the user to your radius servers:

Downloadable User Role - Add DUR User in Central

That’s all you need. You can now switch to ClearPass and create the profiles for your roles.

Downloadable User Roles: ClearPass Configuration for Aruba Instant APs

For the IAPs the ClearPass configuration is as simple as for the ArubaOS Switches above. First, you need to create an Enforcement Profile. Go to “Configuration–>Enforcement–>Profiles” and create a new one:

Downloadable User Role - Add DUR Profile for IAP's

The important part is the “Template”. Select “Aruba Downloadable Role Enforcement” in the drop-down menu. Also make sure to select “Advanced” for the “Role Configuration Mode”. Click the “Attributes” tab and create your role. My role looks like this:

wlan access-rule FloLan-Guest
captive-portal external profile "FloLan-Guest_CPPM"
rule 10.104.104.21 255.255.255.255 match udp 53 53 permit
rule 10.104.104.22 255.255.255.255 match udp 53 53 permit
rule 10.104.104.40 255.255.255.255 match tcp 443 443 permit
rule 10.104.104.41 255.255.255.255 match tcp 443 443 permit
rule 10.104.104.42 255.255.255.255 match tcp 443 443 permit
rule any any match any any any deny
exit

There are two things to know about the role above and role assignment on IAPs.

First, I included a “captive-portal” profile within the role. This captive portal profile needs to exist on the IAP already; there is currently no way to download this profile as well. Also, the captive portal profile name must not contain spaces; with spaces in the name it will not work.

Secondly, you cannot enforce a VLAN within the role. You need to send the VLAN as the “Aruba-User-Vlan” attribute together with the role VSA in your radius accept message.

My policy for this looks like this:

Downloadable User Role - DUR Policy with VLAN

I use the created DUR profile and a VLAN profile as the action in the last policy line. This is a simple default rule that is always triggered if all of the rules above fail.

In the access tracker it will look like this:

Downloadable User Role - Access Tracker Entry for IAP

Both the role and the VLAN are in the response.

Downloadable User Role with Aruba Controller

The configuration of Downloadable User Role with an Aruba Controller is nearly the same as with an Aruba Instant AP.

First, you need to add the dur-user to your radius server configuration. Go to “Configuration–>Authentication–>Auth Servers” and select your radius server to add the dur-user:

Downloadable User Role - Add CPPM Credentials

Check the “CPPM credentials” checkbox and enter the username and the password. This will allow the controller to download the role from ClearPass using the dur-user.

The next step is to create a new AAA Profile with DUR enabled. Go to “Configuration–>Authentication–>AAA Profiles” and create a new profile or change an existing one. If you change an existing profile, please save it to a different, new profile using the “Submit As” button:

Downloadable User Role - Create a AAA Profile with DUR enabled

You simply need to check the “Download Role from CPPM” checkbox to enable the download of roles from ClearPass.

You can now use this profile for your SSIDs to start authenticating clients. I will use a wired user to test the authentication and apply the profile to the VLAN to which the user is attached. But the mechanism is the same for wireless users.

Downloadable User Roles: ClearPass configuration for an Aruba Controller

For the ClearPass configuration, I assume that the configuration done before is still in place, so I will only show the Enforcement Profile that is used to allow the client access to the network.

To create a new Enforcement Profile in ClearPass go to “Configuration–>Enforcement–>Profiles” and use the “Add” button in the right upper corner. This time, I will use the standard mode to show you this one as well:

Downloadable User Roles - Add DUR Enforcement Profile for an Aruba Controller

In the “Product” select box select “Mobility Controller” and use “Standard” for the “Role Configuration Mode”. Do not forget to enter a good “Name” and select “Aruba Downloadable Role Enforcement” for the “Template”. Click “Next” to get to the “Role Configuration”:

Downloadable User Roles - Role Configuration for Aruba Controller

I did nothing special here. I set a 5-minute reauthentication interval using the “Re-authentication Interval Time” and set the “VLAN” to 10. I also added a very simple “allow-all” “ACL”. It simply does what it says. Click “Next” to get to the summary screen:

Downloadable User Roles - Enforcement Profile Summary for Aruba Controller

Add this profile to your service and you can start to authenticate clients:

Downloadable User Roles - Radius Response for an Aruba Controller

On the controller, you can see this as well:

Downloadable User Roles - Client View on the Aruba Controller

This concludes this post about Downloadable User Roles. Do you use DURs in your environment?

If you find this post useful, leave me a comment and share your feedback with me. If you would like to do me a favor, share this post with your friends and your social media contacts. This would really help to make this blog more popular and help others to find the information above more easily using search engines.
