AOS-CX Downloadable User Role (DUR) Simple Steps To Configure! Wired Intelligent Edge

AOS-CX Downloadable User Role (DUR) simple steps to Configure! | ... https://community.arubanetworks.com/community-home/digestviewer/...
REGISTER | SIGN IN
COMMUNITY HOME / DISCUSSION / TOPIC THREAD
Wired Intelligent Edge
COMMUNITY HOME DISCUSSION 35.8K MEMBERS 1.2K
 BACK TO DISCUSSIONS Expand all | Collapse all
AOS-CX Downloadable User Role (DUR) simple

steps to Con�gure!
This thread has been viewed 95 times
1. AOS-CX Downloadable User Role (DUR) simple steps to Con�gure! 
4 KUDOS
1 sur 13 02/11/2022, 08:42

Good day!
AOS-CX Downloadable User Role (DUR) simple steps to Con�gure!
Prior condition or prerequisite:
◦ Good to know these terms AAA, LUR, Radius Attributes, 802.1x (dot1x), Mac-
Authentication
◦ AOS-CX Radius-server simple steps to

Con�gure https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus
/AOS-CX-Radius-server-simple-steps-to-Con�gure/m-p/663009#M10219
◦ Open CX Security guide for your reference:https://techhub.hpe.com/eginfolib/Aruba

/OS-CX_10.04/5200-6715/index.html
Note 1: DUR is Aruba solution, means it works with Aruba Clearpass Radius-Server.
Note 2: Simple DUR CX Switch required con�guration is attached at the end. Step by
Step process is below:
Step1: Con�guring/Installing TA-Certi�cate on CX switches.
Example of installing ta-certi�cate.
2 sur 13 02/11/2022, 08:42

ta-certi�cate
-----BEGIN CERTIFICATE-----
MIIDYzCCAkugAwIBAgIQZiDAdPhWQqNE3PpMDBcTBjANBgkqhkiG9w0BAQsFADBE
MRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGdG1lbGFiMRUw
EwYDVQQDEwx0bWVsYWItQUQtQ0EwHhcNMTcwMzI5MDExMzA4WhcNMjIwMzI5MDEy
MzA4WjBEMRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGdG1l
bGFiMRUwEwYDVQQDEwx0bWVsYWItQUQtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDrdqdR2QQm4Lo3i/X9bvTu41cf3sVFzPFn727zlgrYySXWtyvW
M3Jzf6P3FsqQzrsaP+QhlNsYMTrY2Yiccm7C9gNshpx95elzXsZ2TBP88qoUPD9F
jH42YgnqAN61+opmct8aRgSJhTtKv+WEolVtLgL9/CL3zmvmbpz3oyYjF9W3lesp
D52BeEbPqsBrALbYQypxJJLonZuueM7ePhSYbPnbrGuV8M9BiDyEyQ87OUYGgq7J
krwjrer+BKYFIxqJQDHbY96ozbaUScv8nOylpUrH56r3jT5Xn05JDdOIJvBKniYK
ZxIK+m4Mv2XS0zxuZBG1F1YDl/bcQ353jazbAgMBAAGjUTBPMAsGA1UdDwQEAwIB
hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQuBjOz0LpCALxkgy9bWbziV+1D
UDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAydVR86YZez9N
uIvJOftLczu0y3YfGoA5PK88Yv3TSMv+gxK5yiceU2HkV3PvVeCXyN9Nn9EUKLJ8
87/BqDTsNKKD20axHNk/w2p5I8LY6g/Y8t3N84gXx3439+GezBdlxznEmWAhebAQ
/JMnp+aD9Xhw9tgGeDXMB/GIhx0PCK22VbRUoDeZP3o+LmdB2fOdqhfN8+e2OMpz
AGsBGGEJJWqOKSUkHC25Jkl0RfyymdxuWE�HofbF2DjSWheR023A5dA6a5WkxTV
7WxwC8ekitnlY5BT2ZHV1LXLUsgvuN3j8G2+yvYiS6Z/da3ORb6Grm79sqZpzlKZ
XWjU/zVxBQ==
-----END CERTIFICATE-----
END_OF_CERTIFICATE
BLDG02-F1# show crypto pki ta-pro�le
TA Pro�le Name TA Certi�cate Revocation Check
3 sur 13 02/11/2022, 08:42

BLDG02-F1#
!#Use below command to see certi�cate validity and more details:
BLDG02-F1# show crypto pki ta-pro�le cp
!#no role is con�gured on CX switch
BLDG02-F1# show running-con�g port-access

BLDG02-F1#
If you have questions regarding how to generate these certi�cate, please leave your
comments, will cover in next write up.
Step2: Radius-server con�guration
Please refer to below post and con�gure Radius server.
https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/AOS-CX-
Radius-server-simple-steps-to-Con�gure/m-p/663009#M10219
4 sur 13 02/11/2022, 08:42

Shared-Secret: None
Timeout: 5
Auth-Type: pap
Retries: 1
TLS Timeout: 5
Tracking Time Interval (seconds): 60
Tracking Retries: 5
Tracking User-name: radius-tracking-user
Tracking Password: None
Number of Servers: 1
-------------------------------------------------------------------------------------------------
SERVER NAME | TLS | PORT | VRF
-------------------------------------------------------------------------------------------------
aoss-cppm.tmelab.net | | 1812 | mgmt
-------------------------------------------------------------------------------------------------
BLDG02-F1#
BLDG02-F1# ping aoss-cppm.tmelab.net vrf mgmt repetitions 1

PING aoss-cppm.tmelab.net (10.5.8.12) 100(128) bytes of data.
108 bytes from 10.5.8.12: icmp_seq=1 ttl=61 time=0.545 ms
--- aoss-cppm.tmelab.net ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.545/0.545/0.545/0.000 ms
BLDG02-F1#
5 sur 13 02/11/2022, 08:42

BLDG02-F1# sh mac-address-table port

PORTS List of Ports [e.g. 1/1/1 or 1/1/1-1/1/3 or lag1]
BLDG02-F1# sh mac-address-table port 1/1/5
MAC age-time : 300 seconds
Number of MAC addresses : 1
MAC Address VLAN Type Port

--------------------------------------------------------------
2c:41:38:7f:27:05 1 dynamic 1/1/5
BLDG02-F1#
BLDG02-F1# sh running-con�g interface 1/1/5

interface 1/1/5
no shutdown
vlan access 1
exit
BLDG02-F1#
Step4: Con�gure 802.1x or mac-auth on client connected interface
!# Enable on global mode and then on connected interface as below.
BLDG02-F1(con�g)# aaa authentication port-access mac-auth enable
6 sur 13 02/11/2022, 08:42

interface 1/1/5
no shutdown
vlan access 1
aaa authentication port-access mac-auth
enable
exit
BLDG02-F1#
Step4: Con�gure Pro�le, Policies and Service on Clearpass.
Note that every con�guration should be exactly same as local role
Let's add this pro�le to policies in clearpass.
7 sur 13 02/11/2022, 08:42

Let's add this policies into a service
Let's Validate:
BLDG02-F1# show port-access clients detail
Port Access Client Status Details:
Client 2c:41:38:7f:27:05, 2c41387f2705

============================
8 sur 13 02/11/2022, 08:42

Session Time : 918s

IPv4 Address :
IPv6 Address :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Authorization Details
----------------------
Role : DUR_PY_CX-3099-2
Status : Applied
Role Information:
Name : DUR_PY_CX-3099-2
Type : clearpass
Status: Completed
----------------------------------------------
Reauthentication Period : 3000 secs
Authentication Mode : client-mode
Session Timeout :
Client Inactivity Timeout : 400 secs
Description : DUR_CPMM_mac_auth
Gateway Zone :
UBT Gateway Role :
Access VLAN :
Native VLAN :
9 sur 13 02/11/2022, 08:42

Allowed Trunk VLAN Names :

MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority : critical
Captive Portal Pro�le :
Policy :
BLDG02-F1#
BLDG02-F1# sh aaa authentication port-access interface all client-status
Port Access Client Status Details
Client 2c:41:38:7f:27:05, 2c41387f2705

============================
Session Details
---------------
Port : 1/1/5
Session Time : 1060s
IPv4 Address :
IPv6 Address :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Authorization Details
10 sur 13 02/11/2022, 08:42

BLDG02-F1#
BLDG02-F1# sh port-access clients
Port Access Clients

--------------------------------------------------------------------------------
Port MAC Address Onboarded Status Role
Method
--------------------------------------------------------------------------------
1/1/5 2c:41:38:7f:27:05 mac-auth Success DUR_PY_CX-3099-2
BLDG02-F1#
Thank you,
Yash
11 sur 13 02/11/2022, 08:42

radius-server tracking retries 5

radius-server host aoss-cppm.tmelab.net key ciphertext
AQBapdAz4irjSK61Zg/CFArsNYWKbn1LObqDD/v9SH1eMQ6ABQAAADY26liu tracking enable
clearpass-username admin clearpass-password ciphertext AQBapYv/u3
/YfG9vYRpFxmOTtsFLIWxuAX442RdG9j11jsZ6CQAAACZ5Y2/BK9FmhQ== vrf mgmt
crypto pki ta-profile cp

ta-certificate
-----BEGIN CERTIFICATE-----
MIIDYzCCAkugAwIBAgIQZiDAdPhWQqNE3PpMDBcTBjANBgkqhkiG9w0BAQsFADBE
MRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGdG1lbGFiMRUw
EwYDVQQDEwx0bWVsYWItQUQtQ0EwHhcNMTcwMzI5MDExMzA4WhcNMjIwMzI5MDEy
MzA4WjBEMRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGdG1l
Attachment(s)
DUR_CPMM_Required_CFG_6xxx_AOS-CX_Switch.txt 2 KB 1 version
COMPANY
About Us
Careers
At Aruba, we believe that the Contact Us

most dynamic customer Leadership Team
experiences happen at the Edge.
Our mission is to deliver Environmental Citizenship
innovative solutions that harness HPE.com
data at the Edge to drive
powerful business outcomes.
SUPPORT
Support Services
12 sur 13 02/11/2022, 08:42

Contact Support
Aruba Education Services
Professional Services
Software Downloads
Licensing Login
PARTNERS
Find a Partner
Become a Partner
Partner Ready for Networking
Technology Partner Programs
Privacy policy Terms of service Site Map © Copyright 2021 Hewlett Packard Enterprise
Legal Development LP
All Rights Reserved.
13 sur 13 02/11/2022, 08:42

AOS-CX Downloadable User Role (DUR) Simple Steps To Configure! Wired Intelligent Edge

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AOS-CX Downloadable User Role (DUR) Simple Steps To Configure! Wired Intelligent Edge

Uploaded by

Copyright:

Available Formats

AOS-CX Downloadable User Role (DUR) simple steps to Configure! | ... https://community.arubanetworks.com/community-home/digestviewer/...

COMMUNITY HOME / DISCUSSION / TOPIC THREAD

Wired Intelligent Edge

COMMUNITY HOME DISCUSSION 35.8K MEMBERS 1.2K

 BACK TO DISCUSSIONS Expand all | Collapse all

AOS-CX Downloadable User Role (DUR) simple

1. AOS-CX Downloadable User Role (DUR) simple steps to Con�gure! 

1 sur 13 02/11/2022, 08:42

AOS-CX Downloadable User Role (DUR) simple steps to Con�gure!

Prior condition or prerequisite:

◦ AOS-CX Radius-server simple steps to

◦ Open CX Security guide for your reference:https://techhub.hpe.com/eginfolib/Aruba

Step1: Con�guring/Installing TA-Certi�cate on CX switches.

Example of installing ta-certi�cate.

2 sur 13 02/11/2022, 08:42

BLDG02-F1# show crypto pki ta-pro�le

TA Pro�le Name TA Certi�cate Revocation Check

3 sur 13 02/11/2022, 08:42

!#Use below command to see certi�cate validity and more details:

BLDG02-F1# show crypto pki ta-pro�le cp

!#no role is con�gured on CX switch

BLDG02-F1# show running-con�g port-access

Step2: Radius-server con�guration

Please refer to below post and con�gure Radius server.

4 sur 13 02/11/2022, 08:42

BLDG02-F1# ping aoss-cppm.tmelab.net vrf mgmt repetitions 1

--- aoss-cppm.tmelab.net ping statistics ---

5 sur 13 02/11/2022, 08:42

BLDG02-F1# sh mac-address-table port

MAC Address VLAN Type Port

BLDG02-F1# sh running-con�g interface 1/1/5

Step4: Con�gure 802.1x or mac-auth on client connected interface

!# Enable on global mode and then on connected interface as below.

BLDG02-F1(con�g)# aaa authentication port-access mac-auth enable

6 sur 13 02/11/2022, 08:42

Step4: Con�gure Pro�le, Policies and Service on Clearpass.

Note that every con�guration should be exactly same as local role

Let's add this pro�le to policies in clearpass.

7 sur 13 02/11/2022, 08:42

Let's add this policies into a service

BLDG02-F1# show port-access clients detail

Port Access Client Status Details:

Client 2c:41:38:7f:27:05, 2c41387f2705

8 sur 13 02/11/2022, 08:42

Session Time : 918s

9 sur 13 02/11/2022, 08:42

Allowed Trunk VLAN Names :

BLDG02-F1# sh aaa authentication port-access interface all client-status

Port Access Client Status Details

Client 2c:41:38:7f:27:05, 2c41387f2705

10 sur 13 02/11/2022, 08:42

BLDG02-F1# sh port-access clients

Port Access Clients

11 sur 13 02/11/2022, 08:42

radius-server tracking retries 5

crypto pki ta-profile cp

At Aruba, we believe that the Contact Us

12 sur 13 02/11/2022, 08:42

Aruba Education Services

Partner Ready for Networking

Technology Partner Programs

13 sur 13 02/11/2022, 08:42

You might also like