Author Archives: aek82

AOS-CX: Configure VSF on Two Members

Please note, Aruba AOS-CX switches can only establish VSF links via SFP ports. I assume the user knows which commands require configuration mode.

First verify that the switches are connected

sh int brief
sh lldp neighbor

On the primary member, set the VSF configuration. Port 1/1/28 on primary is connected to port 1/1/28 on the secondary.

vsf member 1
link 1 1/1/28

On the secondary member, set the following:

vsf member 1
link 1 1/1/28
vsf renumber-to 2

The secondary member should reboot and attempt to form a VSF stack.

On the primary, renumber the second member after it joins the stack:

vsf secondary-member 2

On the primary, you can status with the following commands:

sh vsf
sh int brief
sh vsf top
sh vsf member 2

Aruba Instant and Sonos Clients

Clients are a Play:1 and a Play:3. Both clients were able to group and ungroup, stream music, and update firmware from the Android and Windows 10 clients. I didn’t experience any issues streaming music from Pandora or Amazon Music.

Aruba Instant 8.4+, 300 series APs

In the CLI, add the following:

airgroupservice Sonos
id urn:schemas-upnp-org:service:GroupRenderingControl:1
id urn:schemas-sonos-com:service:Queue:1
id urn:schemas-upnp-org:service:AVTransport:1
id urn:schemas-upnp-org:service:RenderingControl:1
id urn:schemas-tencent-com:service:QPlay:1
id urn:schemas-upnp-org:service:GroupManagement:1
id urn:schemas-upnp-org:service:ZoneGroupTopology:1
id urn:schemas-upnp-org:service:DeviceProperties:1
id urn:schemas-upnp-org:service:MusicServices:1
id urn:schemas-upnp-org:service:AlarmClock:1
id urn:schemas-upnp-org:device:ZonePlayer:1
id urn:schemas-upnp-org:service:SystemProperties:1
id urn:schemas-upnp-org:service:ContentDirectory:1
id urn:schemas-upnp-org:service:ConnectionManager:1
id urn:schemas-upnp-org:service:HTControl:1
id urn:smartspeaker-audio:service:SpeakerGroup:1
id urn:schemas-upnp-org:service:VirtualLineIn:1
id urn:schemas-upnp-org:service:AudioIn:1
id urn:schemas-upnp-org:device:EmbeddedNetDevice:1
id urn:schemas-upnp-org:service:EmbeddedNetDeviceControl:1


show airgroup blocked-queries
show airgroup blocked-service-id

Reference: Airheads Post

Active Directory and LDAP Queries

Query Examples

Example 2

<filter> ::= '(' <filtercomp> ')'
<filtercomp> ::= <and> | <or> | <not> | <item><and> ::= '&' <filterlist>
<or> ::= '|' <filterlist>
<not> ::= '!' <filter>
<filterlist> ::= <filter> | <filter> <filterlist>
<item>::= <simple> | <present> | <substring>
<simple> ::= <attr> <filtertype> <value><filtertype> ::= <equal> | <approx> | <ge> | <le>
<equal> ::= '='
<approx> ::= '~='
<ge> ::= '>='
<le> ::= '<='
<present> ::= <attr> '=*'
<substring> ::= <attr> '=' <initial> <any> <final>
<initial> ::= NULL | <value><any> ::= '*' <starval>
<starval> ::= NULL | <value>'*' <starval>
<final> ::= NULL | <value>

AD Schema

OpenSSL Commands for Certificate Request and PFX File Generation

Generate CSR for domain

openssl req -new -newkey rsa:2048 -nodes -keyout -out

Combine CA , Private, and Public certificate files into PFX file

openssl pkcs12 -export -in public.key -certfile intermediate-ca.key -inkey -out
  • public.key – Public SSL Key returned from CSR
  • intermediate-ca.key – Intermediate/Root CA Public Certificate
  • – private key
  • – combined file

ClearPass and SQL Database Authentication Source

When writing queries for checking a mac address in a table, denoting the correct filter for a mac address can be confusing, depending on the format stored in the table. Here’s a few options

  • %{Authentication:Username}
  • %{Connection:Client-Mac-Address}
  • %{Connection:Client-Mac-Address-NoDelim}
  • %{Connection:Client-Mac-Address-Hyphen}
  • %{Connection:Client-Mac-Address-Dot}
  • %{Connection:Client-Mac-Address-Upper-Hyphen}

Example SQL Server Query

Select top 1 mac from clientmac where mac = ‘%{Authentication:Username}’ or mac = ‘%{Connection:Client-Mac-Address}’

In the enforcement policy, using an exists comparison should be sufficient, although most official examples add another rule to compare the returned value from the query.

Subnet Size Blocks

Addresses Hosts Netmask Amount of a Class C


Subnet Mask Cheat Sheet

ClearPass and Mac Auth Expiration Time

The default ClearPass service for Mac Auth uses the MAC-Auth Expiry attribute for determining if the expire time for when the account is expires. However, the default expire timestamp in Guest uses the expiry_time attribute in the Guest User Repository, and the default ClearPass Service Template does not include the necessary Authorization sources to make Mac Auth service functional. Nor does the Mac-Auth Expiry ever get set by a default service template in the endpoints repository.

To make this work, setting the attribute in the endpoint repository is required.

For the post_auth profile, set the Mac-Auth Expiry

%{Authorization:[Time Source]:Now Plus 2hrs}

You can also use the Guest user repository Expire Time attribute.

%{Authorization:[Guest User Repository]:ExpireTime}

In order for these sources to be available, you must add the Time Source to the authorization tab of the service.

Mac authentication must be enabled or configured on ArubaOS. For Instant, its a checkbox in the security settings for the network configuration. For ArubaOS, you must setup mac authentication under AAA profiles.

Instant Mac Auth Setting
Controller Based WLAN AOS8

If adding a custom expiration length to an account is required, this can be done by editing the default expire after attribute in the Guest Registration form or adding a custom Time Attribute to the Time Source.

ClearPass Guest and Expire_after attribute
Custom Time Attribute to Time Source

Aruba ClearPass and Cisco Wired Guest Access

Here are some notes on getting a basic ClearPass Captive Portal page to authenticate an unknown wired client connected to a Cisco Catalyst 3560. Before this is all done, make sure the NAD has been added to ClearPass.

First.. the general algorithm

  • Mac Auth Service – Allow all
  • Radius Request
  • Authenticaiont Success
  • Radius url-redirect VSAs sent
  • User Sends HTTP traffic
  • User redirect to ClearPass Portal
  • User Sends Login from Portal
  • Web Auth Occurs
  • On Success- Radius CoA Terminate Session
  • MAC Auth Service – Reauthenticate
  • Radius Allow All Access VSA Sent

The first trick is to get the Wired Mac policy to classify. The default IETF attributes will not work, you must check access tracker for the correct inputs that are being sent from the authenticator (switch).

The second gotcha is the Use Cached Policy checkbox in the Enforcement tab. Its not really emphasized in the documentation, but after the web auth happens, the MAC caching policy will not pick up the role assigned unless you enable the cached policy check.

On Initial User Authentication, send the Radius VSAs
You should see access tracker assign this enforcement profile
Policy for Web Auth
Web Login Page Settings

There are many pages on Aruba’s documentation sites that document the required switch configuration, the main configuration lines are the following:

aaa new-model

interface VlanXXX
ip address 192.168.X.XXX
ip helper-address <CP_IP>

dot1x system-auth-control

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author
client <CP IP> server-key aruba123!
port 3799
auth-type all

ip dhcp snooping
ip device tracking

ip access-list extended weblogin
deny tcp any host
permit tcp any any

radius-server host <CP_IP> key <RADIUS_KEY>

interface FastEthernet0/1
switchport access vlan X
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab

authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x max-req 3
dot1x max-reauth-req 3
spanning-tree portfast

Other useful switch config hints:

# Make sure the native VLAN is set for the trunk port

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan X
switchport trunk allowed vlan X
switchport mode trunk

ntp server prefer

clock timezone CST -5 0
clock summer-time CDT recurring

enable password cisco
username cisco privilege 15 password 0 cisco