Aruba Downloadable User Roles (DUR) uses HTTPS. When the DUR is being issued by Aruba ClearPass the switch must trust the HTTPS certificate that the ClearPass server uses. The Certificate Authority intermediate certificate must be loaded into the switch as a trusted authority certificate. The public HTTPS certificate is automatically downloaded to the switch when a radius-server host, with type ClearPass, is configured on the switch (e.g. radius-server host <ip-address> clearpass).
To enable useful debugging certificate issues the following commands will work on an ArubaOS Switch.
If the switch detects any issues with the HTTPS process during a radius request which results in a DUR a debug message should be logged to the session window. During the SSL session there may be a lot of messages (it is noisy). Use 'no debug security ssl' to disable those messages.
When DUR works successfully the issued User Role will be specified in the Port Access Client Status output. To see information about the user-roles available and issued use the following show commands.
Today we're testing Aruba ClearPass Policy Manager to show that a disabled user in Active Directory will not be successfully authenticated when connecting to a WLAN using 802.1X
In ClearPass it is very easy to follow and deep-dive into the information of all access request attempts using the Access Tracker. Access Tracker can be accessed from Monitoring —> Live Monitoring in the left hand navigation menu. Access Tracker has a wealth of information which can be viewed in multiple ways and is so important to a ClearPass administrator that it deserves its very own browser tab when you are making changes to and testing new configuration in ClearPass.
Here in Access Tracker we can see an access event where user “matt" requests and is granted access with a resulting enforcement profile of [Allow Access Profile]. You can see the Authentication method is EAP-PEA with EAP-MSCHAPv2 which is common in a Windows Domain, the authentication source is the AD to which the ClearPass server has been joined. The Authorisation source is "WFHX AD” which is the same domain but it has been setup in such a way that ClearPass can access attributes of domain accounts (both computer and user).
Here is another access event showing the same user “matt” requesting access but being denied. The domain account for “matt” was disabled. You can see the authentication source is AD but the Authorisation source is not used this time as the process does not progress beyond the rejected authentication attempt.
Written by Matt Sutherland
We build and optimise networks. Continuous learning is our secret to being good. Along the learning journey we will share things here...