Author Archives: aek82

AOS-CX: Configure VSF on Two Members

Please note, Aruba AOS-CX switches can only establish VSF links via SFP ports. I assume the user knows which commands require configuration mode.

First verify that the switches are connected

sh int brief
sh lldp neighbor

On the primary member, set the VSF configuration. Port 1/1/28 on primary is connected to port 1/1/28 on the secondary.

vsf member 1
link 1 1/1/28

On the secondary member, set the following:

vsf member 1
link 1 1/1/28
exit
vsf renumber-to 2

The secondary member should reboot and attempt to form a VSF stack.

On the primary, renumber the second member after it joins the stack:

vsf secondary-member 2

On the primary, you can status with the following commands:

sh vsf
sh int brief
sh vsf top
sh vsf member 2

Aruba Instant and Sonos Clients

Clients are a Play:1 and a Play:3. Both clients were able to group and ungroup, stream music, and update firmware from the Android and Windows 10 clients. I didn’t experience any issues streaming music from Pandora or Amazon Music.

Aruba Instant 8.4+, 300 series APs

In the CLI, add the following:

airgroupservice Sonos
enable
id urn:schemas-upnp-org:service:GroupRenderingControl:1
id urn:schemas-sonos-com:service:Queue:1
id urn:schemas-upnp-org:service:AVTransport:1
id urn:schemas-upnp-org:service:RenderingControl:1
id urn:schemas-tencent-com:service:QPlay:1
id urn:schemas-upnp-org:service:GroupManagement:1
id urn:schemas-upnp-org:service:ZoneGroupTopology:1
id urn:schemas-upnp-org:service:DeviceProperties:1
id urn:schemas-upnp-org:service:MusicServices:1
id urn:schemas-upnp-org:service:AlarmClock:1
id urn:schemas-upnp-org:device:ZonePlayer:1
id urn:schemas-upnp-org:service:SystemProperties:1
id urn:schemas-upnp-org:service:ContentDirectory:1
id urn:schemas-upnp-org:service:ConnectionManager:1
id urn:schemas-upnp-org:service:HTControl:1
id urn:smartspeaker-audio:service:SpeakerGroup:1
id urn:schemas-upnp-org:service:VirtualLineIn:1
id urn:schemas-upnp-org:service:AudioIn:1
id urn:schemas-upnp-org:device:EmbeddedNetDevice:1
id urn:schemas-upnp-org:service:EmbeddedNetDeviceControl:1

Troubleshooting:

show airgroup blocked-queries
show airgroup blocked-service-id

Update 7/2/21

A new use case for getting Sonos came up recently for allowing SSDP (Sonos discovery/broadcast/multicast) traffic across different VLANs. In this use case, clients were on a separate subnet and VLAN while the Sonos speakers were on a different VLAN/subnet.

Hardware setup was Aruba Central managed gateways, 2930F switches, and Instant APs. At the time of this writing, I was running AOS Switch 16.10.14, Instant 8.7.2, and SD Branch 2.3 on the gateway.

The technical summary for getting Sonos to run on my lab is the following:


Setup and enable airgroup as shown above, and enable roaming across mobility domains if multiple APs are used.

Disable broadcast filtering on any SSIDs clients, including mobile devices running the Sonos App and the Sonos speakers themselves, are using to communicate.

Setup tunneled node on switch interfaces connected to APs. Config snippet on the my access is the following:

alias node “show tunneled-node-server state”
alias server “show tunneled-node-server”
jumbo ip-mtu 1566
jumbo max-frame-size 1584


tunneled-node-server
controller-ip CONTROLLERIPHERE
keepalive interval 1
exit

interface IDSHERE tunneled-node-server

vlan CLIENTVLANID
name “wlan-1”
jumbo
exit
vlan CLIENTVLANID
name “wlan-2”
jumbo
exit


vlan 30
tagged 1
name “iap-mgmt”
jumbo
exit

vlan 249
name “transit”
untagged 1
ip address dhcp-bootp
jumbo
exit


device-profile name “ArubaAP”
untagged-vlan 30
tagged-vlan WLANVLANIDs
allow-tunneled-node
allow-jumbo-frames
exit

device-profile type “aruba-ap”
associate “ArubaAP”
enable
exit

On the gateway, enable jumbo frames on the switch to switch uplink, set the port as untrusted, and apply a default AAA profile for the WLAN VLANs passed to the gateway.


Reference: Airheads Post

Active Directory and LDAP Queries

Query Examples

Example 2

<filter> ::= '(' <filtercomp> ')'
<filtercomp> ::= <and> | <or> | <not> | <item><and> ::= '&' <filterlist>
<or> ::= '|' <filterlist>
<not> ::= '!' <filter>
<filterlist> ::= <filter> | <filter> <filterlist>
<item>::= <simple> | <present> | <substring>
<simple> ::= <attr> <filtertype> <value><filtertype> ::= <equal> | <approx> | <ge> | <le>
<equal> ::= '='
<approx> ::= '~='
<ge> ::= '>='
<le> ::= '<='
<present> ::= <attr> '=*'
<substring> ::= <attr> '=' <initial> <any> <final>
<initial> ::= NULL | <value><any> ::= '*' <starval>
<starval> ::= NULL | <value>'*' <starval>
<final> ::= NULL | <value>

AD Schema

OpenSSL Commands for Certificate Request and PFX File Generation

Generate CSR for domain

openssl req -new -newkey rsa:2048 -nodes -keyout wildcard.alexkuo.com.key -out wildcard.alexkuo.com.csr

Combine CA , Private, and Public certificate files into PFX file

openssl pkcs12 -export -in public.key -certfile intermediate-ca.key -inkey wildcard.alexkuo.com.key -out wildcard.alexkuo.com.pfx
  • public.key – Public SSL Key returned from CSR
  • intermediate-ca.key – Intermediate/Root CA Public Certificate
  • wildcard.alexkuo.com.key – private key
  • wildcard.alexkuo.com.pfx – combined file

ClearPass and SQL Database Authentication Source

When writing queries for checking a mac address in a table, denoting the correct filter for a mac address can be confusing, depending on the format stored in the table. Here’s a few options

  • %{Authentication:Username}
  • %{Connection:Client-Mac-Address}
  • %{Connection:Client-Mac-Address-NoDelim}
  • %{Connection:Client-Mac-Address-Hyphen}
  • %{Connection:Client-Mac-Address-Dot}
  • %{Connection:Client-Mac-Address-Upper-Hyphen}

Example SQL Server Query

Select top 1 mac from clientmac where mac = ‘%{Authentication:Username}’ or mac = ‘%{Connection:Client-Mac-Address}’

In the enforcement policy, using an exists comparison should be sufficient, although most official examples add another rule to compare the returned value from the query.

Subnet Size Blocks


Addresses Hosts Netmask Amount of a Class C
/3042255.255.255.2521/64
/2986255.255.255.2481/32
/281614255.255.255.2401/16
/273230255.255.255.2241/8
/266462255.255.255.1921/4
/25128126255.255.255.1281/2
/24256254255.255.255.01
/23512510255.255.254.02
/2210241022255.255.252.04
/2120482046255.255.248.08
/2040964094255.255.240.016
/1981928190255.255.224.032
/181638416382255.255.192.064
/173276832766255.255.128.0128
/166553665534255.255.0.0256

References

Subnet Mask Cheat Sheet

ClearPass and Mac Auth Expiration Time

The default ClearPass service for Mac Auth uses the MAC-Auth Expiry attribute for determining if the expire time for when the account is expires. However, the default expire timestamp in Guest uses the expiry_time attribute in the Guest User Repository, and the default ClearPass Service Template does not include the necessary Authorization sources to make Mac Auth service functional. Nor does the Mac-Auth Expiry ever get set by a default service template in the endpoints repository.

To make this work, setting the attribute in the endpoint repository is required.

For the post_auth profile, set the Mac-Auth Expiry

%{Authorization:[Time Source]:Now Plus 2hrs}

You can also use the Guest user repository Expire Time attribute.

%{Authorization:[Guest User Repository]:ExpireTime}

In order for these sources to be available, you must add the Time Source to the authorization tab of the service.

Mac authentication must be enabled or configured on ArubaOS. For Instant, its a checkbox in the security settings for the network configuration. For ArubaOS, you must setup mac authentication under AAA profiles.

Instant Mac Auth Setting
Controller Based WLAN AOS8

If adding a custom expiration length to an account is required, this can be done by editing the default expire after attribute in the Guest Registration form or adding a custom Time Attribute to the Time Source.

ClearPass Guest and Expire_after attribute
Custom Time Attribute to Time Source

Aruba ClearPass and Cisco Wired Guest Access

Here are some notes on getting a basic ClearPass Captive Portal page to authenticate an unknown wired client connected to a Cisco Catalyst 3560. Before this is all done, make sure the NAD has been added to ClearPass.

First.. the general algorithm

  • Mac Auth Service – Allow all
  • Radius Request
  • Authenticaiont Success
  • Radius url-redirect VSAs sent
  • User Sends HTTP traffic
  • User redirect to ClearPass Portal
  • User Sends Login from Portal
  • Web Auth Occurs
  • On Success- Radius CoA Terminate Session
  • MAC Auth Service – Reauthenticate
  • Radius Allow All Access VSA Sent

The first trick is to get the Wired Mac policy to classify. The default IETF attributes will not work, you must check access tracker for the correct inputs that are being sent from the authenticator (switch).

The second gotcha is the Use Cached Policy checkbox in the Enforcement tab. Its not really emphasized in the documentation, but after the web auth happens, the MAC caching policy will not pick up the role assigned unless you enable the cached policy check.

On Initial User Authentication, send the Radius VSAs
You should see access tracker assign this enforcement profile
Policy for Web Auth
Web Login Page Settings

There are many pages on Aruba’s documentation sites that document the required switch configuration, the main configuration lines are the following:

aaa new-model

interface VlanXXX
ip address 192.168.X.XXX 255.255.255.0
ip helper-address <CP_IP>

dot1x system-auth-control

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author
client <CP IP> server-key aruba123!
port 3799
auth-type all

ip dhcp snooping
ip device tracking

ip access-list extended weblogin
deny tcp any host 192.168.3.241
permit tcp any any

radius-server host <CP_IP> key <RADIUS_KEY>

interface FastEthernet0/1
switchport access vlan X
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab

authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x max-req 3
dot1x max-reauth-req 3
spanning-tree portfast
!

Other useful switch config hints:

# Make sure the native VLAN is set for the trunk port

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan X
switchport trunk allowed vlan X
switchport mode trunk
!

ntp server 216.239.35.0 prefer

clock timezone CST -5 0
clock summer-time CDT recurring


enable password cisco
!
username cisco privilege 15 password 0 cisco