Security

Hello,

Unfortunately I have only found information for the AOS switches and controllers so far.

But not for Aruba Instant, not even in AFP or similar.

So far only ACLs via the Downloadable Role work, VLAN unfortunately not.

I keep getting the error that the keyword "VLAN" or "VLAN-ID" is not supported.

What is configured so far:
-- Enforcement Profile, as Aruba Downloadable Role
-- Advanced mode
-- The value is currently:

wlan accessrule DR3ACC
rule any any any match any any any permit

This works, I simply tried out the syntax from local instant roles.

BUT: if I add a vlan, it does not.

The line is not accepted:

Dldb Role IAP_DUR_VLAN1-3068-11: Rejected line ' vlan 1

or

Dldb Role IAP_DUR_VLAN1-3068-9: Rejected line 'vlan-id 1', contains unsupport

Since I still want to control much more than just ACL via the roles, here is the question: where is documented how the RADIUS "Aruba-CPPM-Role" attribute has to be structured so that Instant can handle it ?

Like a keyword table, syntax ?

For example settings for:
-- VLAN
-- QoS

Thank you

Did you find this video on Aruba Instant Downloadable user roles already?

If you configure the user role first statically on the Instant AP, you should be able to grab the config/syntax from the configuration and use that; so use the Instant AP itself as syntax checker.

Hello, Herman,

i think i know almost every video you made :)

Always good.

But seriously: yes I copied the syntax from a local profile.

ACLs and bandwith contracts are accepted. VLANs not, with: vlan 1

I get an error that this keyword is not accepted.

And the Bandwith contract doesn't work for some reason either...

Now I push the VLAN over the same enforcement policy with the attribute "Aruba-User-VLAN", in instant I configured that it takes the vlan out of this attribute.

But actually he should use everything from the DUR ? 

Little Update Regarding the bandwith contract:

With local configured roles, it works.

But not with the downloadable.

The CLI Output seems right to me:

I tried this with 8.4.0.4_71183 and 8.5.0.3_72498

Update: ACLs also does not work through DUR, although they are applied.

I am seeing a similar thing. At first i finally got the DUR to work, but at closer inspection the access list (the role) did not filter as expected. (testing with a role for guest access that would restrict access to rfc 1918 networks)

After som fiddeling with the Role - i saw that the IAP was not updating the downloadable role - ClearPass is returning a downloadable role with sequence number -14, but its the role with sequence number -9 thats applied to the user.

When i modify the enforcement profile in ClearPass the sequence number returned to the IAP in radius response is incremented, but not the downloaded role on the IAP

PS. The role show in the example is only for the troubleshooting, the expected role will filter rfc 1918 (if i can get it to work)

Hi, so months later i came back to this.

I am still investigating the problem.

ACLs are applied.

But bandwith contracts wont work.

I compared my dur to a local role, and everything seems fine.

Does anybody have a clue what It can be ?

IAP version is now 8.7, CPPM 6.9.2

I have recently heard from an Aruba SE, that the feature is not "mature" yet - to stay in the positive wording - i will add - that i can confirm that.

Thank you for giving me hope..

Also havent heard from TAC since nearly 2 days...meeh.

I have just experienced the exact same behavior on IAP-515 running 8.6.0.4. I can create the role local on IAP with vlan information, but in a DUR vlan is not a valid keyword, if i move vlan to Aruba-User-Vlan it works.