Aruba AOS-CX switches support a cool feature called downloadable user roles (DUR). This allows a CX switch to download a profile (a role) and apply it to a switchport so that an edge device connects with specific configuration settings. Some call it colorless ports or dynamic segmentation, since the role can apply features such as VLAN assignment, access control lists, and other attributes supported in a role to a switch interface.
The CX switch downloads the role from Aruba’s ClearPass Policy Manager (CPPM), so you must have a CPPM deployment for this to work.
Downloadable user roles can be used with both 802.1X and MAC authentication bypass (MAB).
Now let’s get to it. To set this up you will need to configure both your AOS-CX switch and CPPM. Let’s start with setting up the AOS-CX switch.
Requirements:
In order for DUR to work you need to configure the following items on your switch:
1. Remote AAA with RADIUS, including server tracking and the CPPM (DUR) user
2. DNS server
3. Port access 802.1x/MAC authentication
4. PKI trust anchor profiles (security certificates)
5. Client tracking
For detailed information on these configuration items, refer to the Aruba AOS-CX Security Guides available from HPE Aruba.
Information you will need to complete the CX switch side of the configuration:
1. CPPM server fully qualified domain name (FQDN)
2. CPPM server RADIUS key
3. CPPM downloadable user role (DUR) user account username and password (this account must be created on CPPM with the DUR role)
4. A copy of CPPM’s root and, if applicable, intermediate certificates (used to create the PKI trust anchor profile on the switch)
Things to Know:
1. Use the fully qualified domain name (FQDN) for the CPPM server in the switch configuration, not its IP address. Downloadable user roles rely on certificate validation, so the FQDN is required for this to work properly: the FQDN of the CPPM RADIUS server defined on the switch should match the FQDN on CPPM’s certificate.
2. The switch must have DNS servers defined so it can resolve the CPPM FQDN.
The timers used in the config snippet below come from Aruba documentation and can be modified as needed to fit your environment.
Configurations:
————————————————
Configure the switch DNS server
Configure radius to ClearPass (CPPM)
————————————————
ip dns domain-name { your_domain }
!
ip dns server-address { ip_address }
!
radius-server host { cppm_fqdn } key plaintext { radius_key } tracking enable clearpass-username { username } clearpass-password plaintext { password }
!
radius-server host { cppm_fqdn } port 1645 acct-port 1646
aaa authentication allow-fail-through
!
aaa group server radius cppm_group
    server { cppm_fqdn }
!
aaa accounting port-access start-stop group cppm_group
!
ip source-interface radius { ip_address }
!
radius dyn-authorization client { cppm_fqdn } secret-key plaintext { radius_key }
————————————————
Configure the switch for client tracking
————————————————
client track ip
————————————————
Configure the switch with a PKI trust anchor profile
————————————————
crypto pki ta-profile { name_for_root_certificate }
    ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ctrl-D
Do you want to accept this certificate (y/n)? y
(If there is an intermediate certificate, repeat these steps for it.)
————————————————
Configure the switch for port access authentication
————————————————
aaa authentication port-access dot1x authenticator
    radius server-group cppm_group
    enable
!
aaa authentication port-access mac-auth
    radius server-group cppm_group
    enable
!
interface 1/1/1
    port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 86400
        quiet-period 5
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        reauth
        enable
————————————————
Helpful downloadable user role verification commands
————————————————
show crypto pki ta-profile
show port-access clients
show port-access clients interface 1/1/1 detail
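An added pre-flight check, not from the original post, that lints a running-config dump against the switch-side prerequisites listed above: the CPPM host is an FQDN rather than an IP address, a DNS server is configured, the clearpass-username (DUR account) is present, a PKI trust anchor profile exists, client tracking is on, and the server group named under port-access is one that aaa group server radius actually defines. The sample config is constructed and keeps a group-name mismatch (cppm_group defined, CPPM referenced) so that last check fires.

```python
import ipaddress
import re

# Constructed sample (not from a real switch), shaped like the snippet above. It
# defines cppm_group but the port-access stanza references CPPM, so that check fires.
SAMPLE_CONFIG = """\
ip dns server-address 10.0.0.53
radius-server host cppm.example.test key plaintext SECRET tracking enable clearpass-username dur-user clearpass-password plaintext SECRET2
aaa group server radius cppm_group
    server cppm.example.test
aaa accounting port-access start-stop group cppm_group
radius dyn-authorization client cppm.example.test secret-key plaintext SECRET
client track ip
crypto pki ta-profile cppm-root
aaa authentication port-access dot1x authenticator
    radius server-group CPPM
    enable
"""

def _is_ip(text):
    try:
        return bool(ipaddress.ip_address(text))
    except ValueError:
        return False

def lint_dur_config(config):
    """Return a list of findings for the DUR prerequisites; empty means all checks passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # RADIUS hosts must be FQDNs: the name has to match the FQDN on CPPM's certificate.
    hosts = {m.group(1) for ln in lines if (m := re.match(r"radius-server host (\S+)", ln))}
    for host in sorted(hosts):
        if _is_ip(host):
            findings.append(f"radius-server host {host} is an IP address; DUR needs the CPPM FQDN")
    if not any(ln.startswith("ip dns server-address ") for ln in lines):
        findings.append("no DNS server configured; the switch cannot resolve the CPPM FQDN")
    if not any(ln.startswith("radius-server host") and "clearpass-username" in ln for ln in lines):
        findings.append("no clearpass-username on the radius-server host; DUR download account missing")
    if not any(ln.startswith("crypto pki ta-profile ") for ln in lines):
        findings.append("no PKI trust anchor profile; the CPPM certificate chain will not be trusted")
    if "client track ip" not in lines:
        findings.append("client track ip is not enabled")
    # The group named under port-access must be one that aaa group server radius defines.
    defined = {m.group(1) for ln in lines if (m := re.match(r"aaa group server radius (\S+)", ln))}
    referenced = {m.group(1) for ln in lines if (m := re.match(r"radius server-group (\S+)", ln))}
    for group in sorted(referenced - defined):
        findings.append(f"radius server-group {group} is referenced but not defined (defined: {sorted(defined)})")
    return findings
```

Feed it the output of show running-config from the switch; an empty list means the prerequisites above are in place, and each finding names the item to fix.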
————————————————
Helpful downloadable user role troubleshooting commands
————————————————
debug portaccess all
debug destination buffer
show debug buffer
no debug all
start-shell
sudo ls -ls /tmp/.xml
sudo cat /tmp/.xml