Aruba Downloadable User Roles

Reading Time: 16 minutes

This post is all about Aruba Downloadable User Roles and how to use them for wired and wireless access with dot1x and mac authentication.

If you use Downloadable User Roles, you get a central point of configuration for all access-related configurations. ClearPass, which is used as the radius server, will have all the roles available. Access devices like switches or access points can download those roles from there. If you need to change a role, you can do that on ClearPass. No need to change anything on your access devices. This makes it simple and easy to use. And only if it is easy to use it will be used by an organization and enhance security.

How does it Work

For Downloadable User Roles to work you need ClearPass. Below is the process flow for Downloadable User Roles:

Downloadable User Role Flow Chart
Downloadable User Role Flow Chart

The first step to apply a Downloadable User Roles (DUR) is an authentication. It can be either a MAC authentication for devices that do not support any stronger authentication or an 802.1x authentication. The access device will send a radius request to ClearPass and will get an answer (Radius Accept) from ClearPass, including the Downloadable Role Information. This is just a Radius VSA including the name of the role and a version number.

If the role name together with the version number is already on the access device, the cached version is used and applied to the client. If the role name is not on the device or the version has changed the role is downloaded from ClearPass using HTTPS and applied to the client.

Downloadable User Roles: Prepare ClearPass

As you see in the flow chart above, the access device will download the role from ClearPass using HTTPS. To allow this, HTTPS traffic between the access device and ClearPass needs to be allowed. The access device also needs a username and a password to download the roles. To create this user login to ClearPass and go to “Administration–>Users and Privileges–>Admins Users” and create a new “Read-only Administrator”:

Downloadable User Role - Add DUR User
Downloadable User Role – Add DUR User

This user will be configured on the access devices to download roles from ClearPass.

Downloadable User Roles with ArubaOS Switches

Let’s start with ArubaOS Switches (formerly known as ProCurve Switches). They support Downloadable User Roles since version 16.04.008. I’m testing with 16.10.0010.

First, we need to configure some radius basics for the switch:

ip client-tracker

This will allow the switch to get the IP address of connected clients and will help with troubleshooting and monitoring.

I also set the radius source interface to be my management interface:

ip source-interface radius vlan 100

Next, you need to configure the radius server itself. But before some more detailed information. As the switch will use HTTPS to download the role, the switch needs to trust the HTTPS certificate on the ClearPass server. Therefore you need to import the root CA, which has signed your HTTPS certificate for ClearPass. Fortunately, this happens automatically if configured correctly. First, here is my list of trusted root CA’s on my switch before I configured ClearPass as the radius server:

show crypto pki ta-profile

  Profile Name    Profile Status                 CRL Configured  OCSP Configured
  --------------- ------------------------------ --------------- ---------------
  IDEVID_ROOT     Root Certificate Installed
  COMODO_RSA_CA   Root Certificate Installed     No              No
  GEOTRUST_CA     Root Certificate Installed     No              No
  ARUBA_CA        Root Certificate Installed     No              No
  CUSTOM_CA       Root Certificate Installed     No              No

Now, you can add ClearPass as the radius server:

radius-server host clearpass-a.arubalab.net key aruba123 clearpass
radius-server host clearpass-a.arubalab.net dyn-authorization
radius-server host clearpass-a.arubalab.net time-window plus-or-minus-time-window 30
aaa server-group radius cppm host clearpass-a.arubalab.net

The commands above will add all needed config settings to the switch. The first one adds ClearPass as a radius server and makes the switch aware, that it is a ClearPass server. This also enables the switch to download the HTTPS CA certificate from ClearPass.

The second command enables dynamic authorization (CoA) for that radius server. The third command sets a time window for CoA packets. Just in case, the clock is not running in sync.

The last command adds the radius server to a group of servers. You can add multiple radius servers to the switch using the commands above.

Now, let’s check the Root CA list again:

show crypto pki ta-profile

  Profile Name    Profile Status                 CRL Configured  OCSP Configured
  --------------- ------------------------------ --------------- ---------------
  IDEVID_ROOT     Root Certificate Installed
  COMODO_RSA_CA   Root Certificate Installed     No              No
  GEOTRUST_CA     Root Certificate Installed     No              No
  ARUBA_CA        Root Certificate Installed     No              No
  USERTrust RS... Root Certificate Installed     No              No
  CUSTOM_CA       Root Certificate Installed     No              No

As you can see, the 5th entry is new. This is the one that signed my HTTPS certificate. In the logs it would look like this:

I 11/16/20 06:06:40 05811 CADownload: ST2-CMDR: Successfully downloaded the
            certificate from clearpass-a.arubalab.net server
I 11/16/20 06:06:40 05809 CADownload: ST2-CMDR: Successfully resolved Fqdn
            clearpass-a.arubalab.net to Ip address 10.104.104.41

The next step is to configure the user to download the roles. You configured this user already on ClearPass. So now you just need to add this user to the switch:

radius-server cppm identity dur-user key aruba123

The next commands will enable authentication on the switch. It now depends on what you would like to do. I will do MAC authentication and 802.1x. If you just need one of the two, you can skip the other:

aaa authentication port-access eap-radius server-group "cppm"
aaa authentication mac-based chap-radius server-group "cppm"

I will also use accounting:

aaa accounting network start-stop radius server-group "cppm"
aaa accounting update periodic 5

Accounting is important, as ClearPass will use this to determine which session is active and therefore consumes a license. You can adapt periodic accounting updates to your needs. In my case, I set this to 5 minutes.

The last step, for the global configuration, is to enable roles and downloadable user roles:

aaa authorization user-role enable
aaa authorization user-role enable download

Let’s start the authentication before we will go into the port config:

aaa port-access authenticator active

The final step is to enable authentication for the desired ports. I will enable mac auth and 802.1x on the ports:

aaa port-access mac-based 2/20
aaa port-access authenticator 2/20

Downloadable User Roles: ClearPass Configuration for ArubaOS Switches

This section covers the ClearPass part for Downloadable Roles for ArubaOS Switches. I will not cover the creation of services and policies and other ClearPass-related stuff. I will create a profile, which can be used in a policy for an authentication service. But I assume that you know how to create policies and services within ClearPass.

Go to ClearPass and “Configuration–>Enforcement–>Profiles” and create a new “Aruba Downloadable Role Enforcement”:

Downloadable User Role - Add DUR Enforcement Profile
Downloadable User Role – Add DUR Enforcement Profile

The important part is the “Template” and the “Product”. The “Name” should be a good hint for the use of the profile. I use the “Advanced” “Role Configuration Mode”. This allows to directly enter the information. With “Standard” you get a nice GUI to enter your stuff. Click “Next” to get to the “Attributes”:

Downloadable User Role - Add DUR Enforcement Profile Attributes
Downloadable User Role – Add DUR Enforcement Profile Attributes

Below is the content of the text box:

class ipv4 dns
10 match udp any any eq 53
20 match udp any eq 53 any
exit
class ipv4 dhcp
10 match udp any any eq 67
20 match udp any eq 67 any
exit
class ipv4 internal
10 match ip any 10.0.0.0/8
20 match ip any 192.168.1.0/24
30 match ip any 192.168.2.0/24
exit
class ipv4 all
10 match ip any any
exit
class ipv4 web
10 match tcp any any eq 80 
20 match tcp any eq 80 any
30 match tcp any any eq 443
40 match tcp any eq 443 any
exit
class ipv4 vlan107
10 match IP any 10.107.107.0/24
exit
policy user sma
10 class ipv4 dns action permit
20 class ipv4 dhcp action permit
30 class ipv4 web action permit
40 class ipv4 vlan107 action permit
50 class ipv4 internal action deny
60 class ipv4 all action permit
exit
aaa authorization user-role name FloLan-SMA
policy sma
reauth-period 86400
vlan-name SMA
exit

First, I create some classes like DNS, DHCP, internal networks, an all class, a web class, and a class for VLAN 107. This is to use those classes for the policy. Here I have the policy “sma” which allows DNS, DHCP, web, and traffic within VLAN 107, but denies traffic to my internal networks. The last line is an allow-all rule.

The role port is the last block, which assigns the policy to the role and sets the “reauth-period” to one day (86400 seconds).

If a device get’s this returned in ClearPass, the switch will download the role from ClearPass and apply this role to the device.

show port-access clients

Downloaded user roles are preceded by *

 Port Access Client Status

  Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
  ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
  2/20  SUNNY ISLAND  0040ad-a4c0e0     10.107.107.148  *FloLan_SMA_Ro... MAC   107
  2/20  SUNNY TRIP... 0040ad-ab95ad     10.107.107.149  *FloLan_SMA_Ro... MAC   107
  2/20  Sunny Home... 00d093-49c0d1     10.107.107.150  *FloLan_SMA_Ro... MAC   107

You can even have more details:

show port-access clients detailed

  Client Base Details :
   Port            : 2/20                  Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 31529 seconds
   Client Name     : SUNNY ISLAND          Session Timeout     : 86400 seconds
   MAC Address     : 0040ad-a4c0e0
   IP              : 10.107.107.148

   Auth Order      : Not Set
   Auth Priority   : Not Set
   LMA Fallback    : Disabled

Downloaded user roles are preceded by *

 User Role Information

   Name                              : *FloLan_SMA_Role-3036-5
   Type                              : downloaded
   Reauthentication Period (seconds) : 86400
   Cached Reauth Period (seconds)    : 0
   Logoff Period (seconds)           : 300
   Untagged VLAN                     : 107
   Tagged VLANs                      :
   Captive Portal Profile            :
   Policy                            : sma_FloLan_SMA_Role-3036-5


Statements for policy "sma_FloLan_SMA_Role-3036-5"
policy user "sma_FloLan_SMA_Role-3036-5"
     10 class ipv4 "dns_FloLan_SMA_Role-3036-5" action permit
     20 class ipv4 "dhcp_FloLan_SMA_Role-3036-5" action permit
     30 class ipv4 "web_FloLan_SMA_Role-3036-5" action permit
     40 class ipv4 "vlan107_FloLan_SMA_Role-3036-5" action permit
     50 class ipv4 "internal_FloLan_SMA_Role-3036-5" action deny
     60 class ipv4 "all_FloLan_SMA_Role-3036-5" action permit
   exit



Statements for class IPv4 "dns_FloLan_SMA_Role-3036-5"
class ipv4 "dns_FloLan_SMA_Role-3036-5"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
     20 match udp 0.0.0.0 255.255.255.255 eq 53 0.0.0.0 255.255.255.255
   exit



Statements for class IPv4 "dhcp_FloLan_SMA_Role-3036-5"
class ipv4 "dhcp_FloLan_SMA_Role-3036-5"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
     20 match udp 0.0.0.0 255.255.255.255 eq 67 0.0.0.0 255.255.255.255
   exit



Statements for class IPv4 "web_FloLan_SMA_Role-3036-5"
class ipv4 "web_FloLan_SMA_Role-3036-5"
     10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
     20 match tcp 0.0.0.0 255.255.255.255 eq 80 0.0.0.0 255.255.255.255
     30 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
     40 match tcp 0.0.0.0 255.255.255.255 eq 443 0.0.0.0 255.255.255.255
   exit



Statements for class IPv4 "vlan107_FloLan_SMA_Role-3036-5"
class ipv4 "vlan107_FloLan_SMA_Role-3036-5"
     10 match ip 0.0.0.0 255.255.255.255 10.107.107.0 0.0.0.255
   exit



Statements for class IPv4 "internal_FloLan_SMA_Role-3036-5"
class ipv4 "internal_FloLan_SMA_Role-3036-5"
     10 match ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
     20 match ip 0.0.0.0 255.255.255.255 192.168.1.0 0.0.0.255
     30 match ip 0.0.0.0 255.255.255.255 192.168.2.0 0.0.0.255
   exit



Statements for class IPv4 "all_FloLan_SMA_Role-3036-5"
class ipv4 "all_FloLan_SMA_Role-3036-5"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

   Tunnelednode Server Redirect      : Disabled
   Secondary Role Name               :
   Device Attributes                 : Disabled

Here you can see all the details which were downloaded from ClearPass.

To make the picture complete, below are the ClearPass settings.

The Policy used to select the role:

Downloadable User Role - Policy
Downloadable User Role – Policy

And the services bringing everything together:

Downloadable User Role - Service
Downloadable User Role – Service

As you see in the screenshots above, the rest of the ClearPass configuration is straightforward. Nothing special. And if you need to change the role, simply change the profile with the role and new users will use this new configuration.

Downloadable User Role with Aruba CX Switches

Let’s do the same with an Aruba CX switch. I will use a 6300 running 10.06.0112.

First, you need to add the ClearPass HTTPS root certificate (or signing) to the certificate store on the switch. Unfortunately, there is no automatic way like we have with the ArubaOS-S switches, but it is also just a copy-paste thing. Use the following command to create a new ta profile with the root (or signing) ca:

CX-6300-Selm(config)# crypto pki ta-profile clearpass
CX-6300-Selm(config-ta-clearpass)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
CX-6300-Selm(config-ta-cert)# -----BEGIN CERTIFICATE-----
CX-6300-Selm(config-ta-cert)# MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
CX-6300-Selm(config-ta-cert)# iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
CX-6300-Selm(config-ta-cert)# cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
CX-6300-Selm(config-ta-cert)# BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
CX-6300-Selm(config-ta-cert)# MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
CX-6300-Selm(config-ta-cert)# BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
CX-6300-Selm(config-ta-cert)# ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
CX-6300-Selm(config-ta-cert)# VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
CX-6300-Selm(config-ta-cert)# AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
CX-6300-Selm(config-ta-cert)# TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
CX-6300-Selm(config-ta-cert)# eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
CX-6300-Selm(config-ta-cert)# oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
CX-6300-Selm(config-ta-cert)# Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
CX-6300-Selm(config-ta-cert)# uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
CX-6300-Selm(config-ta-cert)# BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
CX-6300-Selm(config-ta-cert)# +ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
CX-6300-Selm(config-ta-cert)# A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CX-6300-Selm(config-ta-cert)# CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
CX-6300-Selm(config-ta-cert)# LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
CX-6300-Selm(config-ta-cert)# BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
CX-6300-Selm(config-ta-cert)# bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
CX-6300-Selm(config-ta-cert)# L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
CX-6300-Selm(config-ta-cert)# ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
CX-6300-Selm(config-ta-cert)# 7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
CX-6300-Selm(config-ta-cert)# H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
CX-6300-Selm(config-ta-cert)# RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
CX-6300-Selm(config-ta-cert)# xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
CX-6300-Selm(config-ta-cert)# sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
CX-6300-Selm(config-ta-cert)# l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
CX-6300-Selm(config-ta-cert)# 6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
CX-6300-Selm(config-ta-cert)# LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
CX-6300-Selm(config-ta-cert)# yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
CX-6300-Selm(config-ta-cert)# 00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
CX-6300-Selm(config-ta-cert)# -----END CERTIFICATE-----
CX-6300-Selm(config-ta-cert)#
CX-6300-Selm(config-ta-cert)#
The certificate you are importing has the following attributes:
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Issuer:  C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Serial Number: 0x7D5B5126B476BA11DB74160BBC530DA7
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y

Afterward, check the ta-profiles on the switch:

CX-6300-Selm(config)# show crypto pki ta-profile

TA Profile Name                  TA Certificate       Revocation Check
-------------------------------- -------------------- ----------------
clearpass                        Installed, valid     disabled

The next step is to add the radius server to the config as well:

radius-server host clearpass-a.arubalab.net key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username dur-user clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ vrf mgmt
radius-server host clearpass-b.arubalab.net key ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ clearpass-username dur-user clearpass-password ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+ vrf mgmt
!

To use them for authentication, add them to a group:

aaa group server radius cppm
    server clearpass-a.arubalab.net vrf mgmt
    server clearpass-b.arubalab.net vrf mgmt

Now, enable authentication (I do MAC auth and dot1x) globally:

aaa authentication port-access dot1x authenticator
    radius server-group cppm
    enable
aaa authentication port-access mac-auth
    radius server-group cppm
    enable

I also enabled accounting:

aaa accounting port-access start-stop interim 5 group cppm

This will enable accounting with interim updates every 5 minutes.

To get also the IP information for all clients it is wise to enable the client tracker on CX as well:

client track ip

The last step is to enable authentication on a per port basis. Take the following as an example:

interface 1/1/16
    no shutdown
    description Uplink_SMA
    no routing
    vlan access 1
    aaa authentication port-access client-limit 10
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable

Downloadable User Roles: ClearPass Configuration for Aruba CX Switches

Now let’s head over to ClearPass and create some profiles. I will use the same service and policy as with the ArubaOS Switches above. Please take a look there for the basic configuration and use the following paragraphs to create the CX-specific user role profiles.

Create a new enforcement profile like the one below:

Downloadable User Role - Add DUR Enforcement Profile for CX
Downloadable User Role – Add DUR Enforcement Profile for CX

The important part is the “Template”, using the “Aruba Downloadable Role Enforcement” and the “Product” with “AOS-CX”. I also use the “Advanced” “Role Configuration Mode” as this will allow me to use all available features and not only those available in ClearPass. I have created the same profiles as for the AOS-S switches above to show the differences and some examples. The first one is with a simple access VLAN and policy. Together with some basic settings for the port:

Downloadable User Role - Simple DUR for CX
Downloadable User Role – Simple DUR for CX

The above one is quite obvious. The only thing to note, in the policy, the “action permit” is the default value and there is no need to have it in the DUR.

Let’s take some more complex examples like this one with many classes for the policy, used within the role:

class ip dns
10 match udp any any eq 53
20 match udp any eq 53 any

class ip dhcp
10 match udp any any eq 67
20 match udp any eq 67 any

class ip internal
10 match ip any 10.0.0.0/8
20 match ip any 192.168.1.0/24
30 match ip any 192.168.2.0/24

class ip all
10 match ip any any

class ip web
10 match tcp any any eq 80 
20 match tcp any eq 80 any
30 match tcp any any eq 443
40 match tcp any eq 443 any

class ip vlan107
10 match IP any 10.107.107.0/24

port-access policy sma
10 class ip dns
20 class ip dhcp
30 class ip web
40 class ip vlan107
50 class ip internal action drop
60 class ip all

port-access role SMA
associate policy sma
auth-mode client-mode
stp-admin-edge-port
vlan access name SMA
reauth-period 86400

Both examples are using an access VLAN. If you need tagged VLANs as well it can get tricky. Took me an hour to figure out how to work with trunks in downloadable user roles and VLAN names. But for my IAP’s this is necessary:

class ip allow-all
10 match ip any any

port-access policy iap
10 class ip allow-all

port-access role FloLan-IAP
associate policy iap
reauth-period 86400
vlan trunk native name IAP_Management
vlan trunk allowed name IAP_Management
vlan trunk allowed name old_vlan
auth-mode device-mode
stp-admin-edge-port

The one, which made me headaches was the “vlan trunk allowed name” one. But simply using the command multiple times for all your VLANs does the trick.

On the CX switches, you can check if everything is working with the following commands.

First check if the user is authenticated:

CX-6300-Selm# show port-access clients

Port Access Clients

Status codes: d device-mode

----------------------------------------------------------------------------------
  Port     MAC-Address       Onboarding     Status      Role
                             Method
----------------------------------------------------------------------------------
d 1/1/5    48:4a:e9:c1:5e:8a dot1x          Success     FloLan_IAP-3059-8
d 1/1/7    90:4c:81:cf:3c:22 dot1x          Success     FloLan_IAP-3059-8
  1/1/12   b8:e9:37:40:d4:11 mac-auth       Success     FloLan_Sonos-3058-2
  1/1/13   94:9f:3e:44:52:f2 mac-auth       Success     FloLan_Sonos-3058-2
  1/1/13   48:a6:b8:a9:d7:fa mac-auth       Success     FloLan_Sonos-3058-2
  1/1/14   94:9f:3e:86:75:cc mac-auth       Success     FloLan_Sonos-3058-2
  1/1/15   94:9f:3e:86:75:e8 mac-auth       Success     FloLan_Sonos-3058-2
  1/1/16   00:40:ad:ab:95:ad mac-auth       Success     FloLan_SMA-3057-6
  1/1/16   00:40:ad:a4:c0:e0 mac-auth       Success     FloLan_SMA-3057-6
  1/1/16   00:d0:93:49:c0:d1 mac-auth       Success     FloLan_SMA-3057-6

To get more details on the roles you can use the following command:

CX-6300-Selm# show port-access role clearpass

Role Information:

Name  : FloLan_IAP-3059-8
Type  : clearpass
Status: Completed
----------------------------------------------
    Reauthentication Period             : 86400 secs
    Cached Reauthentication Period      :
    Authentication Mode                 : device-mode
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    UBT Gateway Clearpass Role          :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    : IAP_Management
    Allowed Trunk VLAN Names            : IAP_Management,
                                          old_vlan
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        : true
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              : iap_FloLan_IAP-3059-8

For all details you can also use the command for a specific port like this:

CX-6300-Selm# show port-access clients interface 1/1/5 detail

Port Access Client Status Details:

Client 48:4a:e9:c1:5e:8a, IAP-345
============================
  Session Details
  ---------------
    Port         : 1/1/5
    Session Time : 31400s
    IPv4 Address : 10.102.102.149
    IPv6 Address :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  :
      Access          :
      Native Untagged :
      Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : dot1x Authenticated
    Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted

  Authorization Details
  ----------------------
    Role   : FloLan_IAP-3059-8
    Status : Applied


Role Information:

Name  : FloLan_IAP-3059-8
Type  : clearpass
Status: Completed
----------------------------------------------
    Reauthentication Period             : 86400 secs
    Cached Reauthentication Period      :
    Authentication Mode                 : device-mode
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    UBT Gateway Clearpass Role          :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    : IAP_Management
    Allowed Trunk VLAN Names            : IAP_Management,
                                          old_vlan
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        : true
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              : iap_FloLan_IAP-3059-8


Access Policy Details:

Policy Name   : iap_FloLan_IAP-3059-8
Policy Type   : Downloaded
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          allow-all_FloLan_IAP-3059-8  ipv4 permit


Class Details:

class ip allow-all_FloLan_IAP-3059-8
    10 match any any any

Downloadable User Role with Aruba Instant AP IAP

Next is the IAP. They support DUR as well. I will use Central to manage my IAP’s but DUR also works with IAP’s alone or if they are managed by AirWave.

To make the IAP work with DUR you need to add the read-only admin for ClearPass (which could be the same as with the switches above) to the radius configuration in the IAP. To add this user to the radius server in central go to the group with your IAP’s and go to “Devices” and stay with the “Access Points” tab. Now select the config button in the right upper corner of the screen and stay with “WLANs”. The configuration to add the user is directly within the SSID in the roles section. So either create a new SSID or modify an existing SSID and select “Downloadable Role” in the roles section. Now you can add the user to your radius servers:

Downloadable User Role - Add DUR User in Central
Downloadable User Role – Add DUR User in Central

That’s all you need. You can now switch to ClearPass and create the profiles for your roles.

Downloadable User Roles: ClearPass Configuration for Aruba Instant AP’s

For the IAP’s the ClearPass configuration is as simple as for the ArubaOS Switches above. First, you need to create an Enforcement Profile. Go to “Configuration–>Enforcement–>Profiles” and create a new one:

Downloadable User Role - Add DUR Profile for IAP's
Downloadable User Role – Add DUR Profile for IAP’s

The important part is the “Template”. Select the “Aruba Downloadable Role Enforcement” in the drop-down menu. Also make sure, to select “Advanced” for the “Role Configuration Mode”. Click the “Attributes” tab and create your role. My role looks like this:

wlan access-rule FloLan-Guest
captive-portal external profile "FloLan-Guest_CPPM"
rule 10.104.104.21 255.255.255.255 match udp 53 53 permit
rule 10.104.104.22 255.255.255.255 match udp 53 53 permit
rule 10.104.104.40 255.255.255.255 match tcp 443 443 permit
rule 10.104.104.41 255.255.255.255 match tcp 443 443 permit
rule 10.104.104.42 255.255.255.255 match tcp 443 443 permit
rule any any match any any any deny
exit

There are two things to know about the role above and IAP’s role assignment.

First, I included a “captive-portal” profile within the role. This captive portal profile needs to be configured on the IAP already. There is currently no chance to download this profile as well, and the captive profile name is not allowed to have spaces within the name. With spaces in the name, it will not work.

Secondly, you cannot enforce a VLAN within the role. You need to send the VLAN as the “Aruba-User-Vlan” attribute together with the role VSA in your radius accept message.

My policy for this looks like this:

Downloadable User Role - DUR Policy with VLAN
Downloadable User Role – DUR Policy with VLAN

I use the created DUR profile and a VLAN profile for the action in the last policy line. This is a simple default policy that will always be triggered if all of the above will fail.

In the access tracker it will look like this:

Downloadable User Role - Access Tracker Entry for IAP
Downloadable User Role – Access Tracker Entry for IAP

It is the role and the VLAN in the response.

Downloadable User Role with Aruba Controller

The configuration of Downloadable User Role with an Aruba Controller is nearly the same as with an Aruba Instant AP.

First, you need to add the dur-user to your radius server configuration. Go to “Configuration–>Authentication–>Auth Servers” and select your radius server to add the dur-user:

Downloadable User Role - Add CPPM Credentials
Downloadable User Role – Add CPPM Credentials

Check the “CPPM credentials” checkbox and enter the username and the password. This will allow the controller to download the role from ClearPass using the dur-user.

The next step is to create a new AAA Profile with DUR enabled. Go to “Configuration–>Authentication–>AAA Profiles” and create a new profile or change an existing one. If you change an existing profile, please save it to a different, new profile using the “Submit As” button:

Downloadable User Role - Create a AAA Profile with DUR enabled
Downloadable User Role – Create a AAA Profile with DUR enabled

You simply need to check the “Download Role from CPPM” checkbox, to enable the download of roles from ClearPass.

You can now use this profile for your SSID’s to start authenticating clients. I will use a wired user to test the authentication and apply the policy to the VLAN, to which the user is attached. But the mechanism is the same if you would use wireless users.

Downloadable User Roles: ClearPass configuration for an Aruba Controller

For the ClearPass configuration, I assume that the configurations, done before are still there, so I will only show the Enforcement Profile, which is used to allow access to the network for the client.

To create a new Enforcement Profile in ClearPass go to “Configuration–>Enforcement–>Profiles” and use the “Add” button in the right upper corner. This time, I will use the standard mode to show you this one as well:

Downloadable User Roles - Add DUR Enforcement Profile for an Aruba Controller
Downloadable User Roles – Add DUR Enforcement Profile for an Aruba Controller

In the “Product” select box select “Mobility Controller” and use “Standard” for the “Role Configuration Mode”. Do not forget to enter a good “Name” and select “Aruba Downloadable Role Enforcement” for the “Template”. Click “Next” to get to the “Role Configuration”:

Downloadable User Roles - Role Configuration for Aruba Controller
Downloadable User Roles – Role Configuration for Aruba Controller

I did nothing special here. I do a 5 minutes reauth interval using the “Re-authentication Interval Time” and set the “VLAN” to 10. I also added a very simple “allow-all” “ACL”. It simply does what it says. Click “Next” to get to the summary screen:

Downloadable User Roles - Enforcement Profile Summary for Aruba Controller
Downloadable User Roles – Enforcement Profile Summary for Aruba Controller

Add this profile to your service and you can start to authenticate clients:

Downloadable User Roles - Radius Response for an Aruba Controller
Downloadable User Roles – Radius Response for an Aruba Controller

On the controller, you can see this as well:

Downloadable User Roles - Client View on the Aruba Controller
Downloadable User Roles – Client View on the Aruba Controller

This concludes this post about Downloadable User Roles. Did you use DUR’s in your environment?

If you find this post useful, leave me a comment and share your feedback with me. You can also buy me Pizza, using the “Buy me a Pizza” button on the right, to support this blog and keep the IT gremlin happy.
If you would like to do me a favor, share this post with your friends and social media contacts. This would really help to make this blog more popular and help others to find the information above more easily using search engines.

26 thoughts on “Aruba Downloadable User Roles”

    • Hi Michael,

      That is correct. But for a full-featured solution, you should always use 2930 or better.

      BR
      Florian

      Reply
  1. Hello Florian,

    I follow the step but not working for me when I use the command:
    show crypto pki ta-profile

    it says my Certificate is Pending I don’t why.

    any help?

    thank you

    Reply
    • Hi Mohammad,

      Have you checked the logs of your device? If something goes wrong it should be mentioned there.

      BR
      Florian

      Reply
  2. Hello Florian,

    yes, I Fix the problem it was HTTPS from Clearpass not enabled.

    after that, it Works.

    Like always thank you

    Reply
  3. Do you know what the limits for the number of DUR are on an Aruba Controller? Is this listed somewhere (user guide doesn’t seem to have it)?

    Reply
    • Hi Ryan,

      thanks for the question. You can find the limits somewhere in documentation, but it is much easier to go to the Aruba Feature Navigator:
      https://feature-navigator.arubanetworks.com/
      Just select the switch, toggle the “Scale Numbers” toggle and search for “Port Access Security”. There you will find the numbers; you are looking for.
      For example, the numbers for the 6300 switch:
      Downloadable User Roles per port
      10.04.0001 256
      Downloadable User Roles per system
      10.04.0001 1017

      Hope this help.

      BR
      Florian

      Reply
  4. Hi,
    Great article. One question. … while you can specify a reauth time, what about accounting interim intervals, where you want the controller ( in my case) to send back accounting data every “n” seconds. On the controller, you have two AAA options
    Server provided reauth interval
    use termination-action attriburte from the server
    Which when using radius attributes I check.
    I then send back Session-Timeout = xxx secs ,Acc-Interim-Interval = yyy secs and termination-action=1

    Do i still need the 2 controller setings if i use DUR?
    How can I set up the Scct settings
    Rgds
    Alex

    Reply
    • Hi Alex,

      I’m not 100% that I understand your request.

      First, you can enable Radius interim Accounting per AAA profile. Just look into the profile and search for “RADIUS Interim Accounting:”.
      The frequency can only be configured globally using the “User interim stats frequency:” option in the “Authentication Timers” section. It is not possible to set those on roles basis. Never checked if it works if you send those back, together with the role.
      If you use those with local roles on the controller, I would assume that you need them with DUR as well.

      BR
      Florian

      Reply
  5. This article is extremely helpful, thanks for taking the time to write it all up!

    I ran into one issue with my APs I wanted to share: I got a little over-descriptive in my enforcement profile names in CPPM, and it turns out there is a 32 character limit on the DUR names in Instant OS. The roles will not download if this is exceeded. It took a bit of log parsing to figure that out so might be worth mentioning here!

    I also have a question for you about the ‘device’ configuration options in the DURs: does this overwrite what is configured on the port itself? For instance, if I configure STP admin-edge-mode on all my ports, but do not include that in my DUR, is the result that it is enabled or disabled?

    I ask because if I run ‘show port-access clients detail’ I see under the role description “Device Attributes/Admin-edge-port: disabled” since my DUR for instant APs is setting only port-mode and PoE priority.

    Reply
    • Hi Geoff,

      The problem with this limitation is, that ClearPass will add some extra characters to the role name. You need to take them into consideration as well.

      That is an interesting question. I’ve never checked on this one. My understanding would be, that everything, which is not configured in the role will not change anything in the port configuration. But I can check during the next week. Need to implement some DUR setup next week đŸ™‚

      BR
      Florian

      Reply
  6. Hi Florian,

    toller Artikel, ich werde versuchen, es auf Aruba 6200 und Clearpass zu implementieren, und dir sagen, ob es funktioniert oder nicht.

    Reply
    • Hey Ventsi,

      Danke fĂ¼r das Feedback. Mit dem 6200er sollte es genauso funktionieren. Ich hatte einen 6300er aber auf dem 6200er ist es das gleiche.

      BR
      Florian

      Reply
  7. Hi Florian,
    Got an issue with invalid user roles, my switch is giving me the error

    W 04/30/23 21:41:38 05204 dca: Failed to apply user role ArubaAPS_2-3260-1_7Z4q
    to 8021X client CCD083C97B7A on port 5: user role is invalid.

    How can i find out what the error is.
    DUR content is

    User Role Information

    Name : *ArubaAPS_2-3260-1
    Type : downloaded
    Reauthentication Period (seconds) : 0
    Cached Reauth Period (seconds) : 0
    Logoff Period (seconds) : 300
    Untagged VLAN :
    Tagged VLAN :
    Captive Portal Profile :
    Policy : AllowAll_ArubaAPS_2-3260-1

    Statements for policy “AllowAll_ArubaAPS_2-3260-1”
    policy user “AllowAll_ArubaAPS_2-3260-1”
    40 class ipv4 “Permit_All_ArubaAPS_2-3260-1” action permit
    exit

    Statements for class IPv4 “Permit_All_ArubaAPS_2-3260-1”
    class ipv4 “Permit_All_ArubaAPS_2-3260-1”
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    Tunnelednode Server Redirect : Disabled
    Secondary Role Name :
    Device Attributes : Disabled
    Client-Limit Mac-based :
    Client-Limit Dot1x :

    Reply
    • Hi Alex,

      I assume, the output is from the switch, so the role was being downloaded from CPPM already.

      I think, while writing this post, I was getting this error as well and I’m sure, that there was something in the logs which points me to the error. Or you can enable debugging to get more infos.
      If there is nothing in the logs, you could add a VLAN, because this is missing in the output.
      Also, the name of the role which fails does not match the name of the role in the output.

      BR
      Florian

      Reply
  8. I am not sure if it is mandatory, but I don’t see any VLAN being pushed. Another item to check is the existence of the dur admin in CPPM and the certificate chain on the switch.

    Reply
  9. I am trying to determine if it is possible to use the DUR feature with an IAP cluster without Clearpass. I have gotten as far as running a web server the responds to requests for “/async_netd/arubacppmapi/downloadableconfig?role=” but the IAP errors with “Failed to strip XML”.

    Could you post the contents of the downloaded file that Clearpass generates? I have not found any documentation on its format. I believe in your example the URL would be
    https://clearpass-a.arubalab.net/async_netd/arubacppmapi/downloadableconfig?role=FloLan_Guest_CP-3054-3

    Reply
    • Hi Andy,

      Even if this looks like a nice reverse engineering project it is not supported and you could not know, when something is changed, which will break your setup. If you do not have a ClearPass server but any other radius server my recommendation is to use local user roles.

      BR
      Florian

      Reply
  10. Yes the name is slightly different. Whatever DUR I use has the same “extension” added to it in that message. The switch manages to download the role, if i change the role on cppm the version number on the switch updates .Also what ive noticed is if you type show port-access client you can see that 1 edge client has the DUR applied .. then everything else uses the local user roles. It’s drving me mad!. The DUR used on the mobility controller all just work.

    Just trying to figure out what debug comands give me more info, currenty sending logging to a syslog server but have only managed to get same as I see in the swith log so far.

    Reply
  11. And the solution was ….. dont mix RADIUS attributes and DUR attributes. once I’d removed the RADIUS attributes for vlan named assignment and reauthentication everything sprang back into life .
    Annoyingly might mean that i cannot set the interim-accounting-interval attribute if i use DURs …more testing required

    Reply
    • hi Alex,

      this is one hard requirement. Either use DUR or normal radius attributes. But you cannot mix them.

      The Interim Accounting Interval needs to be set globally on the switch. I’ve never used individual accounting intervals for individual users/roles. What is the use case behind this?

      BR
      Florian

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: