Mod08MBC-Roles-6.3-v1.4

Date post: 06-Jul-2018
Category:
Upload: ewofkewofk
View: 216 times
Download: 0 times
Share this document with a friend
29
8/17/2019 Mod08MBC-Roles-6.3-v1.4 http://slidepdf.com/reader/full/mod08mbc-roles-63-v14 1/29 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved  Aruba Bootcamp – Roles 8-1
Transcript
Page 1: Mod08MBC-Roles-6.3-v1.4


Page 2: Mod08MBC-Roles-6.3-v1.4


Page 3: Mod08MBC-Roles-6.3-v1.4


A role is composed of firewall rules or policies, combined with other attributes such as bandwidth contracts, VPN dialers, and VPN IP pools, to create a set of rules and rights that is bound to user(s) or device(s). Examples of roles include employee, guest, and voice (device). Role types include user roles and system roles.

Every client in an Aruba user-centric network is associated with a user role, which determines the client's network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. A policy is a set of rules that applies to traffic that passes through the Aruba controller. One or more policies may be assigned to a user role, and policies may be copied to more than one role. Finally, roles are assigned both pre-authentication and post-authentication.

Roles use firewall policies which in turn determine user access rights:

Each role has one or more firewall policies applied. Firewall policies are executed in order. The final implicit policy is always "deny all."

Roles can be determined through different methods:

User-derived (from ESSID, MAC or encryption type for example)

Server-derived (through RADIUS or LDAP attributes)

Default based on access method (i.e., 802.1X, VPN, WEP, etc.)

Page 4: Mod08MBC-Roles-6.3-v1.4


Page 5: Mod08MBC-Roles-6.3-v1.4


The User Roles tab is the WebUI location to create roles. It launches the role editor.

Multiple firewall policies can be added to the role that you create.

If there are multiple policies for this role, policies can be re-ordered using the up and down buttons provided for each policy.

Page 6: Mod08MBC-Roles-6.3-v1.4


The firewall policy "split-tunnel" will be applied only to users who connect to an AP in the AP group RAP; traffic from users connecting to any AP in a different AP group will not be evaluated against the split-tunnel firewall policy.

Page 7: Mod08MBC-Roles-6.3-v1.4


Page 8: Mod08MBC-Roles-6.3-v1.4


These two roles are not the same because policies within roles are evaluated sequentially. In the case of Role1, all traffic will be captured by the policy explicitDeny and will never be evaluated against the internetOnly policy which follows.

Role2 has the more likely sequence, where explicitDeny is the last policy and therefore will evaluate any traffic not caught by the first policy.
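The Role1/Role2 comparison above is easy to get wrong in a real deployment, so here is a small simulation of the evaluation order the slide describes: a role is an ordered list of policies, each policy an ordered list of rules, the first matching rule wins, and anything unmatched falls through to the implicit "deny all". This is an added example, not Aruba's code; the policy names come from the slide, while the rule contents, the 10.0.0.0/8 "internal" range and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of sequential, first-match policy evaluation (added example).

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    dst: str = "any"              # destination network in CIDR, or "any"
    proto: str = "any"            # "tcp", "udp" or "any"
    port: Optional[int] = None    # destination port, None = any port

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return True

@dataclass
class Policy:
    name: str
    rules: List[Rule]

@dataclass
class Role:
    name: str
    policies: List[Policy]        # evaluated in this order

def evaluate(role: Role, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, deciding policy). Policies and rules are walked in
    order; the first rule that matches decides. Nothing matched means the
    controller's final implicit policy applies: deny all."""
    for policy in role.policies:
        for rule in policy.rules:
            if rule.matches(dst_ip, proto, port):
                return rule.action, policy.name
    return "deny", "implicit-deny"

# Constructed policies using the names from the slide.
INTERNAL = "10.0.0.0/8"           # assumed corporate address range
internet_only = Policy("internetOnly", [
    Rule("deny", dst=INTERNAL),                    # keep guests off internal networks
    Rule("permit", proto="tcp", port=80),
    Rule("permit", proto="tcp", port=443),
    Rule("permit", proto="udp", port=53),
])
explicit_deny = Policy("explicitDeny", [Rule("deny")])

role1 = Role("Role1", [explicit_deny, internet_only])   # deny first: shadows everything
role2 = Role("Role2", [internet_only, explicit_deny])   # deny last: catch-all

SAMPLE_FLOWS = [("8.8.8.8", "tcp", 443), ("10.1.1.5", "tcp", 443), ("8.8.8.8", "tcp", 22)]

def compare_roles(flows=SAMPLE_FLOWS) -> List[Tuple[Tuple[str, str, int], Tuple[str, str], Tuple[str, str]]]:
    """Evaluate each flow under both roles so the ordering difference is visible."""
    return [(f, evaluate(role1, *f), evaluate(role2, *f)) for f in flows]

if __name__ == "__main__":
    for flow, r1, r2 in compare_roles():
        print(f"{flow}: Role1 -> {r1}, Role2 -> {r2}")
```

Running it shows that Role1 returns `deny` from `explicitDeny` for every flow, while Role2 permits web and DNS traffic to the Internet, denies the internal destination inside `internetOnly`, and only falls to `explicitDeny` for flows that neither rule set claims. When reviewing a role, read the policy list top to bottom exactly as this loop does.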

Page 9: Mod08MBC-Roles-6.3-v1.4


Initial Role:

This role is assigned to every user before authentication. Aruba provides a template for an initial role, but the administrator may modify it or create alternative initial roles and rules.

User-Derived Roles:

The user role can be derived from client attributes or from the AP the client uses for network entry. For example, a role or VLAN may be assigned to a client depending on the BSS of the AP the client is using.

Server Derived Roles:

If different users and devices have different access privileges based on security policy, a single ESSID can be used and the users put into different roles based on attributes that the back-end server returns. This is typically done by sending a RADIUS attribute back to the Aruba controller with either the name of the desired role, or another value that can be pattern matched on the controller so that the user is placed into the proper role. This can be done with LDAP as well as RADIUS.

Page 10: Mod08MBC-Roles-6.3-v1.4


VSA-Derived Roles:

Many Network Access Server (NAS) vendors, including Aruba, use Vendor Specific Attributes (VSAs) to provide features not supported by standard RADIUS attributes. For Aruba systems, VSAs can be employed to provide the user role and VLAN for RADIUS-authenticated clients; however, the VSAs must be present on your RADIUS server. This involves defining the vendor (Aruba) and/or the vendor-specific code (14823), the vendor-assigned attribute number, the attribute format (such as string or integer), and the attribute value in the RADIUS dictionary file. VSAs supported on controllers conform to the format recommended in RFC 2865, "Remote Authentication Dial In User Service (RADIUS)".

There is a RADIUS vendor specific attribute (VSA) named "Aruba-No-DHCPFingerprint," value 14. This attribute signals the RADIUS client (the controller) to ignore the DHCP fingerprint user role and VLAN change after L2 authentication.

Dictionary files that contain Aruba VSAs are available on the Aruba support website for various RADIUS servers. Log into the Aruba support website to download a dictionary file from the Tools folder.
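To make the RFC 2865 VSA layout concrete, the following added example (not Aruba's code and not part of any RADIUS server) packs and unpacks a Vendor-Specific attribute (type 26) carrying Aruba sub-attributes, and rejects malformed length fields the way a careful RADIUS client should. The vendor id 14823 and the Aruba-No-DHCPFingerprint number (14) are taken from the slide; the Aruba-User-Role (1, string) and Aruba-User-Vlan (2, integer) entries are assumed from the published Aruba dictionary and are not on the page, and the sample role name is constructed.

```python
import struct
from typing import Dict, List, Tuple

RADIUS_VENDOR_SPECIFIC = 26          # RFC 2865 section 5.26
ARUBA_VENDOR_ID = 14823              # from the slide

# Minimal dictionary: name -> (vendor-assigned number, format).
# 14 is from the slide; 1 and 2 are assumed from the published Aruba dictionary.
ARUBA_DICTIONARY = {
    "Aruba-User-Role": (1, "string"),
    "Aruba-User-Vlan": (2, "integer"),
    "Aruba-No-DHCPFingerprint": (14, "integer"),
}
ARUBA_BY_NUMBER = {num: (name, kind) for name, (num, kind) in ARUBA_DICTIONARY.items()}

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type(26) Length Vendor-Id(4) | Vendor-type Vendor-length Value."""
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero (RFC 2865)")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(inner) > 255:
        raise ValueError("attribute exceeds the one-octet RADIUS length field")
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner

def encode_aruba(name: str, value) -> bytes:
    """Encode one Aruba attribute by dictionary name (integer -> 4-byte big-endian)."""
    number, kind = ARUBA_DICTIONARY[name]
    raw = struct.pack("!I", value) if kind == "integer" else value.encode()
    return encode_vsa(ARUBA_VENDOR_ID, number, raw)

def decode_vsa(attr: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (vendor_id, [(vendor_type, value), ...]); raise ValueError if any
    length field disagrees with the bytes actually present."""
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr):
        raise ValueError("attribute Length does not match data")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < length:                       # RFC 2865 allows several sub-attributes
        if pos + 2 > length:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > length:
            raise ValueError("bad Vendor-length")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs

def decode_aruba(attr: bytes) -> Dict[str, object]:
    """Map an Aruba VSA to {name: value}; unknown numbers are kept as Aruba-VSA-<n>."""
    vendor_id, subs = decode_vsa(attr)
    if vendor_id != ARUBA_VENDOR_ID:
        raise ValueError(f"vendor {vendor_id} is not Aruba ({ARUBA_VENDOR_ID})")
    out: Dict[str, object] = {}
    for vtype, raw in subs:
        name, kind = ARUBA_BY_NUMBER.get(vtype, (f"Aruba-VSA-{vtype}", "string"))
        if kind == "integer":
            if len(raw) != 4:
                raise ValueError(f"{name}: integer must be 4 octets")
            out[name] = struct.unpack("!I", raw)[0]
        else:
            out[name] = raw.decode(errors="replace")
    return out

def is_well_formed(attr: bytes) -> bool:
    """True if the attribute parses without any length inconsistency."""
    try:
        decode_vsa(attr)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    vsa = encode_aruba("Aruba-User-Role", "employee")   # constructed role name
    print(vsa.hex(), decode_aruba(vsa))
```

The on-wire bytes for the role example are `1a 10 00 00 39 e7 01 0a` followed by the ASCII role name: type 26, total length 16, vendor 14823 (0x39E7), vendor-type 1, vendor-length 10. The length checks in `decode_vsa` matter because a NAS that trusts Vendor-length over the enclosing Length can read past the attribute.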

Default Roles:

Each authentication method has a configurable default role. Roles can be derived from any of the

Page 11: Mod08MBC-Roles-6.3-v1.4


Page 12: Mod08MBC-Roles-6.3-v1.4


The Aruba firewall assigns an initial role when the device associates to the 802.11 network, prior to authentication. The logon role (template) allows the user/device to obtain an IP address from a server, issue DNS queries, reach the captive portal and open a VPN connection. You may want to modify the logon role or create a new role for the initial role assignment based upon the network's mission.

Page 13: Mod08MBC-Roles-6.3-v1.4


Rule Type options

DHCP option 77

Encryption

ESSID

Location

Mac Address

DHCP option 77 is used by a Dynamic Host Configuration Protocol (DHCP) client to optionally identify the type or category of user or application it represents. There is a field that indicates the user class of which the client is a member. Based on this class, the DHCP server selects the appropriate address pool from which to assign an address to the client, along with other appropriate networking parameters. This option should be configurable by an administrator.

A number of optional triggers can be used to further assign roles. These roles are triggered by device-specific attributes as listed above. Usually these are considered transient roles and will be overridden by the server-assigned or default roles described on the subsequent pages.

Page 14: Mod08MBC-Roles-6.3-v1.4


The rule created under the User Rules type is then assigned under user derivation rules in the AAA profiles.

Page 15: Mod08MBC-Roles-6.3-v1.4


When you configure a server group, you can set the VLAN or role for clients based on attributes returned for the client by the server during authentication.

The server derivation rules apply to all servers in the group.

The user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN configured for the authentication method.

The first rule that is applicable for the server and the attribute returned is applied to the client, and it is the only rule applied from the server rules. Named VLANs can be configured under user rule, server derivation, user derivation, and VSA.

auth-server "Radius01" position 1

set role condition "Filter-Id" value-of position

In this example the controller is provisioned to look at the RADIUS attribute called Filter-Id and to then assign the user/device to whatever role is named in it. This is considered to be an authoritative assignment, and the default role will not be used in this case.

Page 16: Mod08MBC-Roles-6.3-v1.4


In this example the controller is provisioned to look at the RADIUS attribute called Filter-Id and, if the server returns the value emp, to set the role to authenticated.
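The two Filter-Id examples on this and the previous page, together with the "first applicable rule wins, default role is the last resort" statement, can be modelled in a few lines. This is an added example, not Aruba's code: the rule table, the set of configured role names and the returned attribute values are constructed, and the operators are named after the conditions the slides mention. One assumption is labelled in the code: a `value-of` rule whose value names no configured role is treated as not applicable, so evaluation moves on to the next rule and finally to the default role.

```python
from typing import Callable, Dict, Optional, Sequence, Set, Tuple

# A server derivation rule: (attribute, operator, match string, role to set).
# For "value-of" the match string and role are None: the attribute's own
# value becomes the role name.
Rule = Tuple[str, str, Optional[str], Optional[str]]

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals":      lambda v, m: v == m,
    "not-equals":  lambda v, m: v != m,
    "contains":    lambda v, m: m in v,
    "starts-with": lambda v, m: v.startswith(m),
    "ends-with":   lambda v, m: v.endswith(m),
}

def apply_server_rules(rules: Sequence[Rule], attrs: Dict[str, str],
                       default_role: str, known_roles: Set[str]) -> Tuple[str, str]:
    """Return (role, reason). Rules are tried in configured order and the first
    applicable one is used; if none applies the authentication method's default
    role is assigned, as the slide describes."""
    for attribute, operator, match, set_role in rules:
        value = attrs.get(attribute)
        if value is None:
            continue                       # server did not return this attribute
        if operator == "value-of":
            # Assumption of this model: a value naming no configured role is
            # ignored rather than assigning a non-existent role.
            if value in known_roles:
                return value, f"server-rule value-of {attribute}"
            continue
        if match is None or set_role is None:
            raise ValueError(f"rule on {attribute} with {operator} needs a match and a role")
        if OPERATORS[operator](value, match):
            return set_role, f"server-rule {attribute} {operator} {match}"
    return default_role, "default-role"

# Constructed configuration mirroring the two slides: map Filter-Id "emp" to
# "authenticated", otherwise use the Filter-Id value itself as the role name.
SERVER_RULES: Sequence[Rule] = [
    ("Filter-Id", "equals", "emp", "authenticated"),
    ("Filter-Id", "value-of", None, None),
]
CONFIGURED_ROLES = {"logon", "authenticated", "guest", "voice"}
DEFAULT_8021X_ROLE = "authenticated"

def derive(attrs: Dict[str, str]) -> Tuple[str, str]:
    return apply_server_rules(SERVER_RULES, attrs, DEFAULT_8021X_ROLE, CONFIGURED_ROLES)

if __name__ == "__main__":
    for returned in ({"Filter-Id": "emp"}, {"Filter-Id": "guest"},
                     {"Filter-Id": "contractor"}, {}):
        print(returned, "->", derive(returned))
```

The `reason` string is what you want in a troubleshooting log: it tells you whether a client landed in a role because a server rule fired or because the controller fell back to the default, which is exactly the distinction the later "show rights" pages ask you to check.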

Page 17: Mod08MBC-Roles-6.3-v1.4


If the authentication server does not return any role assignment, then the controller assigns the user/device to the default role. The default role may be considered the assignment of last resort and is assigned based upon the authentication method.

In this example, any client successfully authenticated via 802.1X will be assigned to the authenticated role. Default roles for other authentication methods are provisioned using the appropriate drop-down boxes.

Page 18: Mod08MBC-Roles-6.3-v1.4


In CLI

aaa bandwidth-contract "guest-BW-contract" kbits "512"

Page 19: Mod08MBC-Roles-6.3-v1.4


You can assign different bandwidth contracts to upstream and downstream traffic for the same user role. You can also assign a bandwidth contract for only upstream or only downstream traffic for a user role; if there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.

By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. You can optionally apply a bandwidth contract on a per-user basis; each user who belongs to the role is then allowed the configured bandwidth rate individually.

An administrator can set a hard limit on Over the Air (OTA) bandwidth for a specific Service Set Identifier (SSID). Currently, the bandwidth allocation process is activated only when the bandwidth is completely saturated. The new enhancement allows you to limit how much additional bandwidth an SSID may consume when some unused bandwidth is available from other SSIDs. You can limit the bandwidth allocation to low-priority SSIDs and allot the bandwidth to other, high-priority SSIDs.

Page 20: Mod08MBC-Roles-6.3-v1.4


Bandwidth contracts on a VLAN can limit broadcast and multicast traffic.

To remove per-VLAN bandwidth contract limits for an additional broadcast or multicast protocol, add the MAC address for that broadcast/multicast protocol to the VLAN Bandwidth Contracts MAC Exception List.

(Aruba3200) (config) #show vlan-bwcontract-explist internal

VLAN Bw Contracts Internal Mac Exception List
---------------------------------------------
Mac address
-----------

01:80:C2:00:00:00

01:00:0C:CC:CC:CD

01:80:C2:00:00:02

01:00:5E:00:82:11

Page 21: Mod08MBC-Roles-6.3-v1.4


Problems may occur when clients cannot connect to the network resource they need. Besides IP connectivity, those clients need to have roles that allow them access. Above is one menu that can tell you the role that has been assigned to a client.

Page 22: Mod08MBC-Roles-6.3-v1.4


In addition to the previous page, this page displays the established firewall sessions.

Page 23: Mod08MBC-Roles-6.3-v1.4


Once the client's role is known, to further troubleshoot a problem it will be important to know the rights or policies that have been assigned to that role.

Page 24: Mod08MBC-Roles-6.3-v1.4


Page 25: Mod08MBC-Roles-6.3-v1.4


The show rights command will show all the roles and their associated firewall policies.

Page 26: Mod08MBC-Roles-6.3-v1.4


To troubleshoot a role, use the show rights <rolename> CLI command to view the firewall policies and their associated rule set.

Page 27: Mod08MBC-Roles-6.3-v1.4


From the Web UI Go to: Monitoring -> Controller -> Firewall Hits

From there, Firewall hits are summarized by:

User Role Hits

Port Based Session ACL Hits

Port ACL Hits

Page 28: Mod08MBC-Roles-6.3-v1.4


Page 29: Mod08MBC-Roles-6.3-v1.4
