Technical Whitepaper

User Roles and User-Based Tunneling

AOS-Switch

Revised – September 2020

1
 Technical Whitepaper
User Roles and User-Based Tunneling

Contents
User-Based Tunneling ...................................................................................................................................... 4
Overview ....................................................................................................................................................... 4
Terminologies................................................................................................................................................ 5
Components of User-Based Tunneling .......................................................................................................... 6
Understanding User-Based Tunneling ........................................................................................................... 7
How It Works ............................................................................................................................................. 7
Use Cases................................................................................................................................................... 11
Wired Access Firewall.............................................................................................................................. 11
Wired Guest/Device Segmentation .......................................................................................................... 12
Branch Deployment ................................................................................................................................. 12
Deployment Scenarios ................................................................................................................................ 13
User-Based Tunneling – Standalone Gateway ........................................................................................ 13
User-Based Tunneling – Gateway Cluster (Wired Deployment) ............................................................... 14
User-Based Tunneling – Gateway Cluster (Large Scale - Wired and Wireless Deployment).................... 15
Configuring Tunneling ................................................................................................................................. 16
Configuring User-Based Tunneling on the switch..................................................................................... 16
Configuring a Tunneling Profile on a Mobility Gateway and Cluster ......................................................... 17
Configuring User Roles ............................................................................................................................... 18
Attributes in User Roles ........................................................................................................................... 18
Local User Roles ..................................................................................................................................... 24
Downloadable User Roles ....................................................................................................................... 25
Troubleshooting User Roles..................................................................................................................... 33
Scalability .................................................................................................................................................... 33
Gateway .................................................................................................... Error! Bookmark not defined.
Switch ...................................................................................................................................................... 34
Switch or Stack ........................................................................................................................................ 34
Maximum Supported User Tunnels per Switch or Stack .......................................................................... 34
Maximum Supported User Tunnels per port............................................................................................. 34
Performance................................................................................................................................................ 34
Feature Limitations and Mutual Exclusions.................................................................................................. 35
Mutually exclusive with User-Based Tunneling ........................................................................................ 35
Not configurable on a User-Based Tunneling port.................................................................................... 35

2
 Technical Whitepaper
User Roles and User-Based Tunneling

Frequently Asked Questions ....................................................................................................................... 35

Appendix A ..................................................................................................................................................... 39
Validated Switch Configuration .................................................................................................................... 39
Validated Mobility Conductor Configuration ................................................................................................. 42
Validated Mobility Gateway Configuration ................................................................................................... 67

3
 Technical Whitepaper
User Roles and User-Based Tunneling
User-Based Tunneling
Overview
At the most basic level User-Based Tunneling has two components:

• User-Roles referring to Aruba’s ability to assign policy (roles), on the fly, to a wired device or user, based on such things as
the access method of a client, which incorporating with ClearPass, adds context such as time-of-day and type-of-machine.
An IT staff no loger must pre-configure an access-port to VLAN and uplinks.

• Tunneling focuses Aruba’s ability to tunnel traffic back to an Aruba Mobility Gateway (previously known as tunneled-node).

The two types of tunneling present in AOS-Switch are: port based tunneling and user based tunneling. Previously, this was called per
user tunneled-node, which was built on top of Aruba’s per-port tunneled node otherwise known as port based tunneling. Port based
tunneling allows the switch to tunnel traffic to an Aruba Mobility Gateway on a per-port basis, in other words, all traffic on a
configured switch port was statically tunneled to an Aruba Mobility gateway. Role Based tunneling in dynamic segmentation now
implements the capability to tunnel traffic on a user role-based or device basis, tunneling traffic of a given client or device based on
an assigned user role. The policies associated with that client could be driven through a RADIUS server such as ClearPass, a
downloaded role from ClearPass, or by local MAC authentication in the switch.

Many devices that require power over Ethernet (PoE) and network access, such as security cameras, printers, payment card readers,
and medical devices, do not have built in security software such as a desktop or laptop computer. These devices can pose a risk to
networks with the lack security on the device. Role based tunneling can authenticate these devices using ClearPass, and tunnel the
client traffic, utilizing the advanced firewall and policy capabilities in the Aruba Mobility gateway. It can also provide high availability
and load balancing with Gateway clustering in AOS 8.X. This can provide secure access to IoT devices within the Aruba Wired
Intelligent Edge network.

User-based tunneling supports two types of Gateway deployments

• Standalone Gateway Support
• Clustered Gateway Support
User-based tunneling Switch Platform Support
• 3810M
• 2930F/M
• 5400R (v3 blades only)
Recommended Switch Firmware

• AOS-Switch 16.08 or later

Recommended Gateway Firmware

• Standalone Gateway (70xx,72xx): AOS 8.4 or later
• Cluster Support in Gateway (70xx,72xx): AOS 8.4 or later

4
 Technical Whitepaper
User Roles and User-Based Tunneling
Terminologies
• Colorless Ports: The greatest impact/benefit of colorless ports is that we no longer have to statically pre-configure access
ports to any VLANs. Colorless ports signify traditional, legacy networks where the ports were assigned a “color” physically on
the switch so that specific policy is assigned to that port. Specific devices were assigned a color and could only be plugged
into the corresponding ports. By using colorless ports, IT operating cycles are significantly reduced, leading to efficient
planning for initial deployment or ongoing configuration changes which will accommodate future additions, moves, or
changes.

Colorless Ports demonstrate that switched access ports can automatically apply a role/policy required to support the
connected device in real-time.

Colorless Ports at the most basic level, can be demonstrated with a single standalone switch using local user roles and
Local-Mac-Authentication (LMA). Without using external RADIUS or tunneling, a customer can observe how the same port
takes on different policies (QoS/ACL/VLANs) depending on the connected device.

• User Role: The benefits of assigning “roles” to users and/or devices is well known within the Aruba wireless world. This has
simply been adapted to the wired switch port. Just as with Aruba Wireless, there is now the ability to simplify the burden of
configuration, grouping policies into a “role” that can be referenced by many device or user types. Additionally, when
ClearPass is incorporated, context can be added (time of day, type of machine, device profiling) when deciding if a
user/device will be allowed on the network, and what access rights will be granted or denied.

Roles can be configured locally on the switch using a Local User Role (LUR) or on a ClearPass server, using a downloadable
user role (DUR). Roles that are configured locally can be assigned via LMA, any RADIUS server, using the HPE-User-Role VSA.
When using DUR, the ClearPass HPE-CPPM-Role VSA is used in combination with HTTPS to transfer the role to the switch.

A role is a role – A role at a minimum will dictate what VLAN is to be assigned (tagged or untagged) and if the traffic is locally-
switched, or if tunneled back to AOS Mobility Gateway. Optionally a role can also assign a policy (ACL/QOS), reauthentication
timers, and a captive portal redirect. The same syntax is used if it is pre-defined on a switch (local-roles) or downloaded
from ClearPass, it must exist on the switch before it can be applied to a device/user.

• Tunneled Switch: The switch on which tunneled profile is configured.

• Tunneled profile: Includes the set of configuration parameters required to be set like Gateway IP, backup Gateway IP, etc. A
user can enable or disable the tunneled profile on a switch.

• Tunneled interface: Interface on which tunneling is configured.

• User-Based Tunneling: Tunneled traffic based on user role

• Port-Based Tunneling: Tunneled traffic based on a switch port

• Client Device: The end-host (Desktop/Laptop/IoT Device) connected to a tunneled port which is authenticated by credentials
like Username/Password or MAC authentication.

• Primary gateway: Aruba Mobility Gateway working as a tunneling termination endpoint.

• Backup gateway: Aruba “backup” Mobility Gateway working as backup tunneling termination endpoint.

• MM: Mobility Conductor

• MD: Managed Device

• Radius server: External radius server.

• LMS: Local Conductor Server

• UAG: User Anchor Gateway

5
 Technical Whitepaper
User Roles and User-Based Tunneling
• S-UAG: Secondary User Anchor Gateway

• SAG: Switch Anchor Gateway

• S-SAG: Secondary Switch Anchor Gateway

Components of User-Based Tunneling

Figure 1: Example User-Based Tunneling Deployment

Clients and Devices

This is where “colorless” ports come in. Traditionally, ports were labeled with a color and a color was assigned to a specific device.
With “colorless” ports, all ports on an access switch are set to authenticate with both 802.1x and MAC Authentication. As devices are
plugged in, the device is authenticated either by MAC Authentication or 802.1x and triggers an enforcement policy from ClearPass,
which will contain an enforcement profile with a user role configuration.

Access Switches

The access switches authenticate users connected to the switch. Once a device or user is authenticated, a user role is applied to the
device or user. A user role is a set of attributes and policies that is applied to the device or user. This user role can exist locally on an
access switch or on ClearPass as part of an enforcement profile.

Mobility Gateway Cluster

The Aruba Mobility Gateway has many built-in security and application capabilities tailored specifically to wireless traffic. However,
this can be extended as well to wired traffic. This is the main reason to tunnel traffic from an Aruba access switch to a gateway, so
the wired, tunneled traffic can take advantage of the gateway’s firewall capabilities and client applications.

6
 Technical Whitepaper
User Roles and User-Based Tunneling

Core Switches

Core switches, such as the Aruba 8400, 8320, 8325, and 6400 Switch Series, merely forward packets, tunneled or not, to and from
the access switches and gateway.

Aruba ClearPass Policy Manager

ClearPass assigns enforcement policies and profiles containing user role information based on profiled devices or authenticated user
information.

Understanding User-Based Tunneling

How It Works
When first configuring the switch, the “tunneling profile” should be configured first. This is done using the command “tunneled-node-
server”. Within this context, the gateway -ip can be set as well as the tunneling mode to use. Once the tunneled-node server
(gateway) information is known on the switch and the “mode” is configured as role-based, the “tunneled node module” (switch)
performs a “handshake” with the “tunneled-node-server” (gateway) to determine its reachability and to discover the version
information.

When reachability is confirmed, the tunneled node module in the switch software executes a switch “bootstrap”. This is where the
switch sends a “bootstrap message” to the gateway, similar to an “AP Hello” between AP and gateway. This bootstrap control packet
contains user role information (secondary user role, GRE key, etc.). Once the Gateway receives the message, it replies with an
“acknowledge” message. Once acknowledged, the switch updates its local data structures with a “bucket map” and Gateway node list,
which is used for mapping users to gateway s and client load balancing. To further elaborate, the “bucket map” is a list of hashed
entries that contain the mapping of user MAC addresses to gateway s (clustered) that the users will be tunneled to. After the bucket
map list is downloaded to the switch, a GRE “heartbeat” is then started between switch and Gateway creating a tunnel. A regular
“heartbeat”, using GRE, is exchanged with the gateway, which then serves as the switch anchor Gateway (SAG). This is the “gateway -
ip” in the “tunneled-node-server” command. A secondary “heartbeat” is also established with a standby gateway, acting as a
secondary switch anchor Gateway (s-SAG).

As a user connects to a secure port, the authentication sub system on the switch send a RADIUS request to the RADIUS server, for
example ClearPass Policy Manager, which authenticates the user and returns a user role vendor specific attribute (VSA) to the switch,
as one would observe using local user roles on AOS-Switch. In the case of downloadable user roles, the entire role itself will be
downloaded to the switch containing the user role. A downloadable user role example is shown in a previous section of this
document.

Figure 2: Example ClearPass Local User Role VSA

Once the VSA is received by the switch, the local user role or downloaded role from ClearPass, is applied to the user.

Aruba utilizes the concept of a user role which contains user policy and access to the network based on the role. A user-role can
contain ACL/QoS policy, captive portal, VLAN information (used for locally switched traffic, and device attributes. As mentioned
previously, when the user role VSA, received from the RADIUS server, is applied to the user, a command to redirect traffic to a
Gateway can be included within the user role. This is defined with the “tunneled-node-server-redirect” command. With this
command, when the “tunneled node feature” status is “up”, the authentication sub system notifies the tunneled node module,
providing a secondary role. The secondary role is the user role on the Gateway where policy generally will exist for tunneled users,

7
 Technical Whitepaper
User Roles and User-Based Tunneling
where firewall and security policy will be applied. This secondary-role information is an indication to the Gateway that it has to
enforce additional policies to the user’s traffic based on policy configuration associated with the secondary role and then form the
tunnel. This secondary role can be downloaded directly to the gateway, this will be discussed in a later section in this document. For
a more in-depth look at how to configure enforcement policy and profiles within ClearPass, please see the Wired Policy Enforcement
Guide - https://arubapedia.arubanetworks.com/arubapedia/index.php/ClearPass_Solutions_Guide:_Wired_Policy_Enforcement.

In the case of tunneled users to a Gateway cluster, the “bucket map” containing the mapping between a given “bucket” of clients to
the active and standby user anchor gateway (s) (UAG) populated in the gateway. A value obtained and based on the client’s MAC
address is assigned when a user is redirected to a gateway. This value is then used to lookup the bucket map and the client device is
then anchored to that particular Gateway node. After this process, the tunneled node module creates a tunnel to this UAG, if not
already created, and forwards user traffic to that UAG. If a user-role doesn’t contain an attribute to redirect traffic to a gateway, the
user or device will be placed into the specified VLAN on the switch and traffic will forward locally.

Once user tunnels are established to the user anchor gateways, a PAPI (Process Application Programming Interface)-based keepalive
packet is exchanged with the gateways that have users anchored to them, maintaining the integrity of the tunnel.
Role-Based tunneling Flow
• Authenticate User
• Apply user role to authenticated user
• Redirect user traffic to gateway
• Apply secondary user-role to user traffic on gateway

Figure 3: User Authentication Flow with dynamic segmentation

8
 Technical Whitepaper
User Roles and User-Based Tunneling
In previous versions of AOS-Switch, the tunneling mechanism was bound to the VLANs configured on the switch. For each user role
where traffic would be tunneled, the VLAN was required for the tunnels to form from switch to gateway. With AOS-Switch 16.08 and
AOS 8.4, the switch and Gateway will automatically reserve the VLAN to be used for tunneled traffic. All tunneled traffic will then
traverse the reserved VLAN and decapsulate at the gateway. VLAN assignment will then be based on the VLAN specified in the
secondary role manually created or downloaded to the Mobility Gateway. This simplifies the solution by eliminating the need to
configure all tunneled user VLANs across all the switches in a campus network.
Broadcast/Multicast Traffic
All multicast/broadcast traffic is sent over the reserved VLAN to the gateway. The Gateway will then replicate the multicast/broadcast
packet for each user on the VLAN and convert back into a unicast stream, sending the traffic back down the user tunnel to the client
or device.

Refer to the below packet capture with a multicast video streaming from a tunneled user, the packet capture is taken from the users
PC. Note that the source is the video streaming server and the destination is the multicast group address using a Real-time Transfer
Protocol (RTP) stream. Observe the protocol that the stream is using is UDP, this shows that the Gateway is converting the multicast
traffic into UDP or unidirectional traffic to the tunneled client.

Figure 4: Packet Capture showing Multicast traffic conversion with a tunneled user

9
 Technical Whitepaper
User Roles and User-Based Tunneling
Below is the process which describes how this works:

Figure 5: User-Based tunneling process

Refer to Figure 33 above, which shows the process with which users form tunnels to a cluster.

The switch sets up a Heartbeat/Multicast GRE tunnel with configured cluster node MC3.

MC3 responds with the Standby Switch Anchor Gateway (S-SAG), cluster node list, and bucket map.

The switch then sets up a Heartbeat/Multicast backup tunnel (S-SAG) with MC1.

When a client connects to the switch, user or device authentication takes place (802.1x/MAC-Auth).

If the local or downloaded user role has the redirect attribute and opt. secondary role, the switch checks the bucket map to find
UAG=MC2 and S-UAG=MC4

The switch then establishes the User GRE Tunnel (UAG) with MC2 and sends the secondary role which contains the user VLAN
assignment.

The UAG (MD2) then creates the user entry with the secondary role and VLAN sent by the switch. Any broadcast or multicast
traffic will be converted to unicast and sent back over the user/device tunnel.

10
 Technical Whitepaper
User Roles and User-Based Tunneling
A dormant user entry is added to the S-UAG. A tunnel is formed between the switch and S-UAG gateway, but the switch does
not send a keepalive, the keepalive is only sent over the UAG. If there’s a cluster node-list update, indicating the UAG is down,
the switch will immediately flip over all clients that are on the UAG, to the S-UAG, which will immediately start a keepalive until a
bucket map updates determines a new S-UAG.

Use Cases
Some common uses for User-Based Tunneling is to provide wired guest capability, the ability to utilize a firewall at the logical client
network access device (Mobility Gateway), and the ability to tunnel wired traffic in a branch environment.

Wired Access Firewall

Users tunneled to an Aruba Mobility Gateway can have firewall and access policy implement to restrict user access, like was also
experienced with port-based tunneling. Rather than installing expensive next-generation firewalls within the network infrastructure,
engineers can use the built-in firewall capabilities of the Aruba Mobility Gateway s to control access, especially if already used for
wireless traffic.

Figure 6: Wired Firewall Access Use Case Diagram

11
 Technical Whitepaper
User Roles and User-Based Tunneling
Wired Guest/Device Segmentation
Wired guest traffic can be segmented on the network using role-based tunneling. By creating the “secondary role” on the Aruba
Mobility Gateway as a guest role, and assigning a specific “guest” VLAN, access and firewall policy can be implemented on the
Gateway to isolate guest access to the rest of the campus network.

Figure 7: Wired Guest Segmentation Use Case Diagram

Branch Deployment
In a typical branch scenario such as in retail, if user-based tunneling is deployed, each store would have a Mobility Gateway deployed
in it. This would be followed by an access switch which all devices and users would be plugged into. All these devices would tunnel
traffic back to the Mobility Gateway which when decapsulated, the traffic would traverse the WAN to the specific destination.

12
 Technical Whitepaper
User Roles and User-Based Tunneling

Figure 8: Branch Use Case Diagram

Deployment Scenarios

User-Based Tunneling – Standalone Gateway

This deployment includes a single primary Gateway and an optional secondary Gateway which acts as a backup in the event the
primary Gateway fails.

• On a single tunneled port, there can be as many as 32 clients with different user-roles, if clients are behind an unmanaged
Layer 2 switch for example.

• On a single tunneled port, if there are two tunneled clients which are in the same role, tunneled to the same user anchor
gateway, a single tunnel will be formed with the gateway

• On a single tunneled port, if there are two tunneled clients in different user roles, to the same user anchor gateway, two
tunnels will be formed with the gateway

• On a single switch, if there are ten tunneled clients on ten different ports, ten tunnels are formed with the gateway.

13
 Technical Whitepaper
User Roles and User-Based Tunneling

Figure 9: Standalone Gateway deployment diagram

User-Based Tunneling – Gateway Cluster (Wired Deployment)

This implementation utilizes the clustering of the Aruba Mobility Gateway.

Gateway Clustering

• The objective of clustering is to provide high availability to all the clients and ensure service continuity when a failover
occurs

• The 72xx Gateway platform supports a maximum of 12 gateway s in a cluster (All gateway s = 72XX).

• The 70xx Gateway platform supports a maximum of 4 gateway s in a cluster (All gateway s = 70XX).

• If there is a mix of 70xx and 72xx gateway s, a cluster can support up to a max of 4 gateway s.

• In a cluster, one of the Gateway nodes is configured to be the Mobility Conductor which manages the other Gateway
nodes which would then be called the Managed Devices.

• A cluster of gateway s can be used primarily for wired tunneled traffic. This will enable a large-scale tunneled node
deployment if many wired devices exist in the campus network. In the case of a large scale, wired client deployment, as
long as the mobility Gateway resources are correctly allocated (Gateway clustering, load balancing, etc.), every wired
port on a switch can be tunneled back to the gateway.

• On a single tunneled port, if there are two tunneled clients which are in same/different roles, anchored to two different
UAGs, there will be a tunnel to each UAG.

14
 Technical Whitepaper
User Roles and User-Based Tunneling

Figure 10: Clustered Gateway deployment diagram

User-Based Tunneling – Gateway Cluster (Large Scale - Wired and Wireless Deployment)
If there is a large scale wired and wireless deployment, a Gateway cluster can be used solely for tunneled user traffic. This will enable
wired clients and devices to tunnel back to dedicated Gateway clusters freeing the wireless gateway s to handle pure wireless traffic.

Figure 11: Wired Gateway cluster deployment diagram

15
 Technical Whitepaper
User Roles and User-Based Tunneling
Configuring Tunneling

Configuring User-Based Tunneling on the switch

First the switch needs to point to the Gateway to download the cluster information.
(config)#tunneled-node-server

(tunneled-node-server)# controller-ip <IP-ADDR> - The Gateway IP is a physical IP address of a cluster member.

Optional: (tunneled-node-server)# backup-controller-ip <IP-ADDR> (used in the case of failure with the
primary Gateway or cluster)
Optional:(tunneled-node-server)# keepalive interval <Integer> - Used to change keepalive packet interval in the case
of troubleshooting during a network congestion event

(tunneled-node-server)# mode role-based reserved-vlan <VID> - The reserved VLAN is where all tunneled traffic will
traverse to and from the switch. This VLAN is automatically created once defined here and connectivity between switch and Gateway
is established.
(tunneled-node-server)# enable – Enables the tunneling profile
Note: Mode should be configured as role-based for dynamic segmentation – can be changed to port-based for per port tunneling.
Tunneling using IPv6
User-Based tunneling can also be done over IPv6. The switch commands are the same as for IPv4 configuration except for the user
of IPv6 addressing.

The output will look like the following on the switch:

Figure 12: AOS-Switch IPv6 tunneling state output

The output from the Gateway would look like the following:

Figure 13: AOS IPv6 tunneling state output

Note: The tunneled users are using a downloaded “IPv6” user role – indicated under the role category.

16
 Technical Whitepaper
User Roles and User-Based Tunneling
Considerations for User-Based tunneling with IPv6

• No IPv6 support for port-based tunneling

• The tunnel overhead increases to 70B per packet as opposed to 46B with IPv4

• Link Local addresses are not allowed to be configured for the primary or backup Gateway IPs

• Limitation: If using OSPFv6, if the tunneling switch has a route change by which the uplink VLAN also changes, auto binding
to the new source IP address will not work, the tunneling process would need to be restarted from the tunneled-node-
server context.

Configuring a Tunneling Profile on a Mobility Gateway and Cluster

This is to configure the secondary on the gateway, if using a local Gateway role, and how-to setup the gateways in a cluster.
“Secondary user-role” configuration on the gateway:

(Gateway) (config) # user-role authenticated

access-list session global-SAGl
access-list session apprf-authenticated-SAGl
access-list session ra-guard
access-list session allowall
access-list session v6-allowall

If the Gateway is in cluster mode, the following configurations are applicable:

Mobility Conductor Configuration

lc-cluster group-profile "aruba2node"
Gateway 10.0.102.6
Gateway 10.0.102.218
(ArubaMM) [mm] (config) #cd /md/00:1a:1e:02:a4:c0
(ArubaMM) [00:1a:1e:02:a4:c0] (config) #lc-cluster group-membership aruba2node
(ArubaMM) [mm] (config) #cd /md/00:1a:1e:02:a6:40
(ArubaMM) [00:1a:1e:02:a6:40] (config) #lc-cluster group-membership aruba2node
(ArubaMM) (config) #show configuration node-hierarchy
Default-node is not configured. Autopark is disabled.
Configuration node hierarchy
----------------------------
Config Node Type
----------- ----
/ System
/md System
/md/00:1a:1e:02:a4:c0 Device
/md/00:1a:1e:02:a6:40 Device
/mm System
/mm/mynode System

Note: Configure a cluster profile. Specify the MD IP addresses. Map them to the cluster profile.

17
 Technical Whitepaper
User Roles and User-Based Tunneling

Figure 14: ArubaOS “show switches” output

Notes:

Verify that all nodes (MDs) are added and the status is “Update Successful”

Useful Show commands on Switch:

#Show tunneled-node-server state
#Show tunneled-node-server statistics
#Show tunneled-node-server information
#Show tunneled-node-server users all
#Show tunneled-node-server users count

Switch debug commands

#debug usertn
#debug security (for user roles)
#debug destination session
#debug destination buffer

Useful “Show” commands for troubleshooting on Mobility gateway :

#Show tunneled-node-mgr tunneled-nodes
#Show tunneled-node-mgr tunneled-users
#Show station-table
#Show datapath bridge
#Show datapath tunnel
#show lc-cluster group-membership
#show lc-cluster vlan-probe status
#show tunneled-node-mgr cluster-bucket-map

Configuring User Roles

Local user roles are used in cases where the RADIUS server is not ClearPass. Any RADIUS server can return the HPE-User-Role VSA,
which when received by the switch, would place the user into the user role configured locally on the switch. However, each role
would have to be configured across each and every switch where the roles would be used, which unless there is automatic switch
provisioning, can be

Attributes in User Roles

There are multiple device attributes that can be configured in a user role in AOS-Switch, local or downloaded:

• Untagged VLAN ID or Name

• Multiple Tagged VLAN IDs (can use a single tagged VLAN Name)

• ACL and QoS Policy

• Port mode

• PoE allocation by device class

• PoE priority

18
 Technical Whitepaper
User Roles and User-Based Tunneling
• Admin edge port, allowing for faster port bringup when spanning tree is enabled
User Role Policy
Access Control Lists

Access Control Lists (ACLs) can be configured in a user role which allows the role to permit or deny traffic. It should be noted that
each time a user role is applied at a port to a client or device, the entries in that policy will be applied from the TCAM table of the
switch. It is necessary to plan accordingly when deploying user roles to ensure that the switch platform model being used has the
necessary amount of TCAM entries for the expected amount of network clients. An example of a user role with an ACL is as follows:

class ipv4 "testclass"

10 match ip 10.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Class ipv4 “permit_all”
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
policy user "testpolicy"
10 class ipv4 "testclass" action deny
20 class ipv4 “permit_all” action permit
exit
aaa authorization user-role name "user-tunnel"
policy "testpolicy"
vlan-id 100
tunneled-node-server-redirect secondary-role "authenticated"
exit
Note: There is an implicit denyall rule in a user policy. Any traffic that will need to be permitted, needs to have an appropriate class.

QoS

User traffic can be prioritized based on DSCP or IP Precedence with in a User Role QoS policy. This enables a user or device’s traffic
priority to be reclassified in the case of network congestion.

If a user or device is tunneling, you can mark the outer GRE header of the tunnel back to the Gateway to the class set in the policy.
For an example, refer to Figure 46.

Figure 15: Downloadable user role with QoS configuration

19
 Technical Whitepaper
User Roles and User-Based Tunneling
In the above user role, we will mark any traffic using HTTP or HTTPS as “EF” traffic. After the client is connected and the tunnel is
formed, we can do a packet capture at the core switch between the access switch and the Gateway to view the tunneled packets and
observe that the DSCP marking is seen in the GRE packet – Figure 37.

Figure 16: Packet Capture showing QoS marking in GRE header

Port-Mode
When port-mode is configured in the user role, the first device to use that user role is authenticated with the user role, then when
the port-mode command is parsed by the switch, the port is then “opened” for subsequent authentications. This is used primary for
Campus or Instant Access points (IAP) by Aruba, the IAP would be authenticated, and all other subsequent users would be allowed
access to the network.

When configuring port mode in ClearPass, the user role configuration would look as the following:

Figure 17: Downloadable User Role with port-mode configuration

20
 Technical Whitepaper
User Roles and User-Based Tunneling
When this role is applied to the switch, the attributes that are applied can be seen using the command “show user-role
downloaded detailed”

Figure 18: Downloadable User Role output in AOS-Switch

From the following authentication output, one can see that there are other MAC addresses attempting to authenticate to the AP
which are allowed onto the network after the AP is authenticated.

Figure 19: Port-Access output in AOS-Switch highlighting AP client devices attempting to authenticate
By looking at the IAP UI, the 3 clients that were shown on the switch trying to connect are added by the AP as wireless clients.

Figure 20: Aruba Instant Access Point UI

PoE - Device Allocation by Class and PoE Priority
For devices that use Power over Ethernet (PoE), allocation by PoE class can now be set. By default, the switch allocates power to a
device based on usage, this means that power limits are not enforced. To allocate PoE power by class, this will strictly enforce power
limits that the device can draw. For example, a Class 4 device would be limited to the 30W maximum that the device is allocated by

21
 Technical Whitepaper
User Roles and User-Based Tunneling
that class to draw. With the allocation by class setting now configurable via user role, there is now less configuration per switch now
that this attribute can be downloaded via ClearPass.

PoE priority can also now be set via a user role configuration. This is useful for critical devices that would need to ensure would have
the necessary PoE power to the device. For example, if VoIP phones need to always have power to ensure critical calls such as in
case of an emergency, can be made. By setting a higher PoE priority on phones, this would assure that those calls can be made.

The following user role example show PoE priority and allocation configured as well as what it would look like on the switch when
applied.

Figure 21: Downloadable user role example with PoE allocation and priority settings

Figure 22: Downloadable user role switch output with PoE allocation and priority settings
Admin-edge-port
The admin-edge-port feature in AOS-Switch is like Cisco’s “PortFast”, how it works is during spanning tree establishment, ports with
admin-edge-port enabled, transition immediately to the forwarding state. If a bridge or switch is detected on the segment, the
port automatically operates as non-edge, not enabled.

This feature within a user role, now allows configuration to be stored in ClearPass, rather than on the switch, and dynamically
downloaded to the switch in the user when authenticated.

The following examples show the admin-edge-port configuration in ClearPass and how it appears on the switch when downloaded via
user role.

22
 Technical Whitepaper
User Roles and User-Based Tunneling

Figure 23: Downloadable user role example with admin-edge-port configuration

Figure 24: Downloadable user role switch output with admin-edge-port configuration

If the spanning tree interface status is shown on that port that the user role is applied to, one can see that the admin-edge-port
attribute has been applied to the port via downloaded user role.

Figure 25: Spanning Tree port output with admin-edge-port setting downloaded via user role

23
 Technical Whitepaper
User Roles and User-Based Tunneling
Local User Roles
Local user roles allow user-based policy configuration local to an Aruba switch. Within the user role configuration, ACL and QoS
policy can be created, device and port attributes configured, as well as the command to tunnel traffic to an Aruba Mobility Gateway,
which is “tunneled-node-server-redirect”. When that command is processed, the tunnel is formed and applied to the
secondary role (user role) that exists on the Mobility Gateway, the secondary role can be an existing wireless user role or a custom
configured role, it can either reside locally on the Gateway or downloaded via ClearPass.

For clarification, the role that exists on the switch is called a primary role, it is local to the switch and can be used to assign user role
attributes to locally switched users or clients, or to specifiy whether the client or device traffic will be tunneled to a Mobility Gateway.
The secondary role exists on the Gateway and is only applied to tunneled clients. As an example, if a client were to be tunneled, the
primary role would contain little configuration aside from the tunneled-node-server-redirect command, which when tunneled, the
Gateway or secondary role would be applied. Within the secondary role, policy and VLAN assignment would be applied to the
tunneled client or user traffic upon decapsulation from the tunnel.

Local user roles would be used in cases where the RADIUS server is not ClearPass. Any RADIUS server can return the HPE-User-Role
VSA, which when received by the switch, would place the user into the user role configured locally on the switch. Local roles may also
be used if the it is easier to define roles for location based VLANs such as a building floor.

The configuration for a local user role would appear as the following:
class ipv4 "testclass"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
policy user "testpolicy"
10 class ipv4 "testclass" action permit
exit
aaa authorization user-role name "tn-secure"
policy "testpolicy"
vlan-id 100
tunneled-node-server-redirect secondary-role "authenticated"
exit
aaa authorization user-role enable
Notes:
• In the example above, the tunneled-node-server-redirect attribute instructs the switch to redirect all traffic within the “tn-
secure” user-role to the gateway, using the “Authenticated” user role at the gateway.
• The secondary-role that is specified with the redirect attribute should be configured and present on the gateway. In the
example above, the predefined Gateway role “Authenticated” is used. This can also be downloaded via ClearPass if using
AOS-Switch 16.05 or later, AOS 8.3 or later, and ClearPass 6.7 or later.
• All user policy includes implicit “deny all” rules for both IPv4 and IPv6 traffic. Rules will need to be created to allow specific
ports.
• IPv4 and IPv6 classes must specific the source address as “any”. Using a specific source address or subnet will result in the
following error message:
Switch(policy-user)# class ipv4 class25 action priority 0
User policies cannot use classes that have a source IP address specified.
• Jumbo Frames must be enabled on all VLANs which will carry tunneled packets across the network to avoid potential
fragmentation issues. If a maximum standard frame size of 1518B is sent across the network, there is a minimum of 46B
attached to the packet as part of the GRE header which will exceed the maximum standard frame size.

24
 Technical Whitepaper
User Roles and User-Based Tunneling
Downloadable User Roles
Downloadable user roles allow the Aruba switch to download the user role directly from ClearPass Policy Manager. This alleviates the
configuration of multiple user roles across all switches in a campus network. It also enables ClearPass to become a centralized point
in administering user policy to the access switch while also minimizing the user configuration on the switch. Downloadable user
roles work by downloading user role attributes, the same attributes that can be configured in a local user role, specifically the user
role syntax (see previous section under “Local User Roles), from ClearPass using the REST API. This is done using the Hyper Text
Transfer Protocol Secure (HTTPS) protocol. In order to have a Secure Sockets Layer (SSL) handshake, as well as for downloadable
user roles to work appropriately, the signing Certificate Authority (CA) of the ClearPass HTTPS certificate must be added to the switch
and marked as trusted. This can be done by automatically downloading the root certificate from ClearPass, covered in a later section.
Aruba recommends using downloadable user roles throughout the campus network.
ClearPass Read-Only Administrator Creation
A read-only admin user is recommended to use for the switch to connect with ClearPass and download the User Role (below). These
user credentials will be used within the Switch configuration to create a secure connection with ClearPass. To create a read-only
admin user, navigate to Administration  Users and Privileges  Admin Users  Add.

Figure 26: ClearPass Read-Only Admin User creation

Once the credentials are created in ClearPass and on the switch, the downloadable user role can be created in an enforcement
profile within ClearPass. Referencing Figure 16, the profile will be created using the “Aruba Downloadable Role Enforcement”
Category (1). Then, click the either the “standard” or “advanced” button and “Next” to advance to configure the downloadable role (2).

1.

2.

Figure 27: ClearPass Downloadable User Role Profile Creation

In figure 28, to configure the downloadable user role, use the RADIUS type “Radius: Hewlett-Packard-Enterprise” (1). Select Attribute
Name “HPE-CPPM-Role” (2). In the Value field, enter the user role configuration with the exact same syntax as a local user role
configuration within AOS-Switch (3). Save the downloadable user role by clicking the “floppy disk” icon at the right of the attribute
fields.

25
 Technical Whitepaper
User Roles and User-Based Tunneling

1. 2. 3.

Figure 28: ClearPass Downloadable User Role Profile Creation

The downloadable user role will be configured as shown in figure 29.

Figure 29: ClearPass Downloadable User Role Profile

Note: The example in the above figure shows a downloadable user role with tunneling configured to a local Gateway (secondary) role,
the following section will show how to configure a downloadable Gateway role.
Automatic CA Certificate Download
One of the recent enhancements in AOS-Switch allows the switch to automatically download the root or intermediate CA certificate
from ClearPass. Previously, the certificate would need to be manually uploaded to each switch that would use downloadable user
roles. The certificate is necessary to use the Downloadable User Role and Device Fingerprinting features in AOS-Switch.

Each deployed version of ClearPass should have a publicly trusted root certificate installed, the HTTPS certificate should be signed by
the Root Certificate Authority. For more information on certificates in ClearPass, please refer to the ClearPass deployment guide:

https://www.arubanetworks.com/techdocs/ClearPass/6.7/Aruba_DeployGd_HTML/Default.htm

In order to support the automatic download of the ClearPass CA, the IP address or Fully Qualified Domain name (FQDN) that is
configured as the RADIUS server host address is used to create a pre-defined URL. The CA certificate of ClearPass is hosted in this
URL in the PEM format. This pre-defined URL is used to send a HTTP GET request to download the CA to the switch when a
downloadable role is requested.

The command for this is as follows:

radius-server host "aoss-cp.tmelab.net" clearpass

Note: IP address can be used in place of FQDN

26
 Technical Whitepaper
User Roles and User-Based Tunneling
When the CA certificate is automatically downloaded, by turning on the debugging command “debug cppm”, the certificate download
message can be seen in the debug output.

Figure 30: Debug output for the automatic certificate download

The command “crypto ca-download usage clearpass retry” creates an interval with a configured value to download the
CA certificate from ClearPass for the purpose of troubleshooting why the certificate from ClearPass would not download. A user can
ensure that the certificate will download multiple times, this is used for instances such as reconfiguring the RADIUS server or
investigating connectivity issues.

This command “crypto ca-download usage clearpass force” forces the certificate to download from ClearPass and
replace any existing certificates for servers that are configured with the “clearpass” option.

The automatic certificate download feature requires ClearPass version 6.7.8 or later.
Creating a Switch Downloadable User Role
Note: Ensure the Downloadable User Role VLAN exists on the switch. If using the role for locally switched traffic. For example, if the
downloadable user role contains VLAN 50, make sure that VLAN 50 exists in the switch configuration.

• Enable downloadable user roles on the switch using the following command
aaa authorization user-role enable download
• Configuring switch ClearPass credentials

Note: Use Read-only Admin user credentials created in the section “ClearPass Read-Only Administrator User Creation”

radius-server cppm identity <user name> key <password>

Netdestination in Downloadable User Roles (Switch)
An enhancement in the AOS-Switch 16.06 release is the ability to configure Netdestination and Netservice in a downloadable user
role. Netdestination allows the use of aliases in creating class filters. This simplifies the creation of those class filters, by decreasing
the number of lines of syntax within the class filter. In a typical user role configuration, a user wanting to create a traffic class with
filters to match or ignore a set of non-contiguous hosts or subnets, as well as utilizing a list of TCP/UDP ports, would have to
configure many individual lines of syntax, for each user role. This would appear as below:
class ipv4 “abc
10 match tcp 10.120.0.1 0.0.0.0 16.90.51.120.0.0.0 eq 100
20 match tcp 10.120.0.1 0.0.0.0 10.93.24.10.0.0.0 eq 100
30 match tcp 10.91.1.1 0.0.0.0 16.90.51.120.0.0.0 eq 100
40 match tcp 10.91.1.1 0.0.0.0 10.93.24.1 0.0.0.0 eq 100
50 match tcp 10.0.100.12 0.0.0.0 16.90.51.12 0.0.0.0 eq 100
60 match tcp 10.0.100.12 0.0.0.0 10.93.24.1 0.0.0.0 eq 100
This can be a tedious task and consume many engineering hours in editing and troubleshooting. Netdestination and Netservice can
reduce the effort in creating these class filters, whether using a local user role existing on the local access switch or a role
downloaded from ClearPass to the switch.

27
 Technical Whitepaper
User Roles and User-Based Tunneling
A Netdestination is a list of hosts, networks, or subnets that are used to configure ACL rules and class filters. An example is shown
below:

Switch(config)#[no] netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] |

network <IP-ADDR/MASK-LENGTH> [position <NUM>]}

Table 1: Netdestination parameters

Parameter Description

Host Configures a single IPv4 host

Network An IPv4 subnetwork consisting of an IP address

and netmask

Position Specifies the position of a host/network/range in

the net-destination. This optional parameter is
specific to a Netdestination - will be used only to
sort entries in a list.

A Netservice is a list of alphanumerical names of UDP and TCP port numbers that are used in configuring ACL rules and class filters.
An example is shown below:

Switch(config)#[no] netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> | list

<PORT-STR>]

Table 2: Netservice parameters

Parameter Description Range

Protocol IP protocol number. 0-255

TCP Configure an alias for a TCP

protocol

UDP Configure an alias for a UDP

protocol

<port-num> Specify a single TCP/UDP 0-65535

port or two port numbers
for a range.

List <<P1,P2,...P6> Specify a list of port 0-65535

numbers separated by
commas up to six ports.

Netdestination and Netservice names can be used as aliases in defining class filters for the defined lists, in a single line. Therefore, an
alias of net-destination and net-service will configure a list of hosts, networks or subnets and alpha numerical names of UDP and/or
TCP port numbers under a new command structure and then be linked to a class.

28
 Technical Whitepaper
User Roles and User-Based Tunneling
Figure 31 shows an example of Netdestination and Netservice as used in a downloaded user role. This sample policy is configured to
deny Remote Desktop Protocol (RDP) access from one client to another.

Figure 31: Netdestination configured in a downloadable user role

As also shown in Figure 29, netdestination and netservice increase the readability of the class filter, as the alias name is defined by
the user, and can also be reused for other filters.

Note: User policy cannot have an IP address defined as a “source”, the source IP address must be specified as “any”, as the client’s MAC
address is automatically populated in the source address within a user policy as it is applied to the client.
Creating a Gateway Downloadable User Role
This feature allows the secondary role on the gateway, which will be used by the tunneled clients, to be downloaded to the Gateway
from ClearPass. This effectively eliminates the need to configure the secondary role on potentially multiple Gateway clusters in a
large campus network. Now, the secondary role can be configured in ClearPass, downloaded to the Mobility Gateway, and the switch
notified via a new VSA “HPE-CPPM-Secondary-Role”.

With this downloadable secondary role, the user will need two ClearPass profiles, a downloadable role profile for the switch (created
earlier) and one for the gateway, see figure 32.

29
 Technical Whitepaper
User Roles and User-Based Tunneling

Gateway

Switch

Figure 32: ClearPass Profile list

The steps to create the downloadable secondary role are as follows:

First, a new profile needs to be added for the downloadable Gateway role. Select “Add” to add a new profile (see Figure 33).

Figure 33: Adding an enforcement profile in ClearPass

Next, as shown in Figure 34, select “Aruba Downloadable Role Enforcement” (a.), followed by naming the profile (b.), and finally
selecting the product “Mobility Gateway ” (c.).

a.
b.

c.
Figure 34: ClearPass downloadable role profile – mobility Gateway

30
 Technical Whitepaper
User Roles and User-Based Tunneling
After selecting whether to do a “Standard” configuration or “Advanced”, click next which advances to the “Role Configuration”
screen. Figure 35 shows the standard role configuration, where a captive portal, VLAN, NetService, NetDestination, Time Range,
NAT Pool, and ACLs can be configured. Figure 16 shows an advanced configuration example. Here one would configure the
exact syntax from the Gateway to be used in the user role configuration.

Figure 35: ClearPass downloadable role standard configuration

Figure 36: ClearPass downloadable role advanced configuration

After configuring ClearPass, the Gateway will also need to be configured with the appropriate credentials to connect ClearPass
and download the secondary role. The Gateway RADIUS configuration should appear like the following in Figure 37.

31
 Technical Whitepaper
User Roles and User-Based Tunneling

Figure 37: Aruba Mobility Gateway RADIUS server configuration

Most importantly, the CPPM credentials box needs to be checked and the login information configured. This can be done by
selecting the appropriate RADIUS server and scrolling down. One would use the same credentials as used for the switch, the read-
only administrator that was created previously.

Figure 38: Aruba Mobility Gateway RADIUS server configuration – ClearPass Credentials

Finally, in the AAA profile that is being used, the box needs to be checked to “Download Role from CPPM” as shown in Figure 39.

Figure 39: Aruba Mobility Gateway AAA profile

32
 Technical Whitepaper
User Roles and User-Based Tunneling
For more details on how to configure a RADIUS server on the Aruba Mobility Gateway, please refer to the User Guide -
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=300
85

An example of a downloadable user role with these features configured would appear as such in figure 40.

Figure 40: Downloadable user role example with device attributes

Troubleshooting User Roles

Some useful command for troubleshooting user roles:

• debug security

• debug cppm

Common error codes with user roles:

• error code 35 – This error will show up in the debug log and indicates either the time is off between the switch and
ClearPass, or there is an issue with the certificate download/installation.

Scalability

Gateway
Table 3 – Gateway Scale Numbers
Gateway Maximum Supported Tunnels
7280 34816
7240 /7240XM 34816
7220 17408
7210 8704
7205 4352
7030 1088
7024 544
7010 544
7008 272
7005 272

33
 Technical Whitepaper
User Roles and User-Based Tunneling
Switch
Table 4 – Switch Scale Numbers

Switch or Maximum Supported Maximum Supported User

Stack User Tunnels per Tunnels per port
Switch or Stack
5400R 1024 32

3810M 1024 32

2930F 1024 32

2930M 1024 32

Performance
500 Tunneled User per Switch – 5000 users on gateway :
Table 5 – 5000 Gateway tunneled user performance

Total
Tunneled
Packet Tunneled Average of Agg Tx
Users per Avg Latency (ms)
Size (B) Users in Throughput (Gbps)
port
Switch

64 15 500 0.346 3.027

128 15 500 0.548 3.100

256 15 500 1.079 2.981

512 15 500 1.925 0.600

1024 15 500 1.962 0.660

1280 15 500 1.969 0.608

1518 15 500 1.974 0.664

32 Tunneled Users per port:

Table 6 – 32 switch tunneled users per port performance

Total
Tunneled
Packet Tunneled Average of Agg Tx
Users per Avg Latency (ms)
Size (B) Users in Throughput (Gbps)
port
Switch

64 32 32 0.346 3.027

128 32 32 0.548 3.100

256 32 32 1.079 3.000

512 32 32 1.925 0.600

1024 32 32 1.962 0.660

34
 Technical Whitepaper
User Roles and User-Based Tunneling
1280 32 32 1.969 0.608

1518 32 32 1.974 0.664

Multicast

Max throughput for 8k Users with a 1.52 Mbps Multicast stream / 1k clients = 12.20 Mbps

Max throughput for 16k Users with a 0.747 Mbps Multicast stream / 1k clients = 11.963 Mbps

Feature Limitations and Mutual Exclusions

Mutually exclusive with User-Based Tunneling

• Port-Based Tunneling

• Meshing

• QinQ

Not configurable on a User-Based Tunneling port

• Arp-protect

• DHCP-Relay

• DHCP-Server

• DHCP-Snooping

• IGMP

• MLD

• mDNS

• Openflow

• Portal commands (BYOD Redirect)

• SFlow

• RA-guard

Frequently Asked Questions

1) In a Gateway cluster, how does the switch determine which Gateway to send the user traffic to?

a. The SAG sends a bucket-map to the switch during the switch bootstrap process. This map is an array of 256
entries with each entry containing the active and standby Gateway to use. A user’s mac address is hashed into this
table to get the Gateway to tunnel the user traffic to.

2) When is the heartbeat started to SAG and S-SAG?

a. Heartbeat is over a GRE tunnel with a specific GRE key (0xDEED). This is initiated with SAG and S-SAG immediately
after a switch bootstrap is complete.

3) What happens when heartbeat to SAG fails?

a. A heartbeat failure triggers the switch to:

i. Remove users anchored to the SAG

ii. Fail over to the S-SAG (Example: S-SAG now becomes the new SAG)

35
 Technical Whitepaper
User Roles and User-Based Tunneling
4) What happens when the keepalive to a UAG fails?

a. The users anchored to the UAG are removed and a message is logged to the same effect in the event log.

5) Should Jumbo frames be enabled on the switch?

a. It is recommended to have jumbo frames enabled on the datapath of the tunneled packets. As the packet size
reaches 1468 bytes, the GRE header has a 46-byte header which will push the packet towards a jumbo frame size.
If jumbo frames are not desired to setup within the network, the Aruba Mobility Gateway can do a TCP-MSS rewrite
for TCP traffic. However, if larger packet sizes are seen with other types of traffic, packet loss may be seen.

b. Jumbo Frames TCP MSS Rewrite scenarios (TCP Rewrite on gateway )

Table 7 – Jumbo Frame TCP MSS Rewrite Scenarios

Network
(Infra.
Switch Client Windows Client
between Gateway Gateway TCP mss re-write ICMP
facing VLAN MTU
Ctrl &
switch)
Jumbo Jumbo Jumbo 9014 bytes no re-write since client send mss is No issues observed in
not more than tunnel->mtu – 114 bigger packet size
Jumbo No Jumbo Jumbo 9014 bytes no re-write happened because till 1706 bytes (ping with
tunnel mtu is set to 9198 on 1664 bytes) ICMP works.
gateway After that packets are
not forwarded by
gateway
Jumbo Jumbo No Jumbo default no re-write happened because No issues observed
tunnel mtu is set to 9198 on
gateway
Jumbo No Jumbo No Jumbo default no re-write happened because No Issues observed
tunnel mtu is set to 9198 on
gateway
No Jumbo Jumbo Jumbo 9014 bytes Gateway re-write mss when client packets beyond 1468
send mss more than tunnel->mtu – bytes have drop due to
114 tunneling overhead is
~46 bytes
No Jumbo No Jumbo Jumbo 9014 bytes Gateway re-write mss when client packets beyond 1468
send mss more than tunnel->mtu – bytes have drop
114
No Jumbo Jumbo No Jumbo default Gateway re-write mss when client packets beyond 1468
send mss more than tunnel->mtu – bytes have drop
114
No Jumbo No Jumbo No Jumbo default Gateway re-write mss when client packets beyond 1468
send mss more than tunnel->mtu – bytes have drop
114

36
 Technical Whitepaper
User Roles and User-Based Tunneling

6) What happens when a UAG Gateway goes down?

a. A node list update is sent by the SAG to the switch to inform that a Gateway went down. All users anchored to that
Gateway are removed (un-bootstrapped). After some time, the Gateway sends a bucket map update to the switch.
The switch then processes the bucket map update and anchors users to the respective gateway s (standby) as per
the bucket map.

Note: It is important to verify that the bucket map on the switch and Gateway are the same. Also, it should be
verified that users are anchored to the right Gateway as shown in the bucket maps on both the switch and
gateway.

7) What happens when a SAG Gateway goes down?

a. A node list update is sent by S-SAG to switch. Since the node list is received from the S-SAG and not the SAG, the
switch considers that SAG is down and initiates a failover to S-SAG. Also, the switch removes all users anchored to
SAG. Once S-SAG acknowledges the failover request, the S-SAG becomes the new active SAG. The new Active SAG
then sends a node list update and bucket map update. In the node list update, the new S-SAG will be provided. The
switch will then bootstrap and initiate a heartbeat with new S-SAG. The switch then processes the bucket map
update and anchors users to respective gateway s.

Note: It is important to verify that the bucket map on switch and Gateway are the same. Also, it should be verified
that users are anchored to the right Gateway identified in the bucket map on both the switch and gateway.

8) What happens when the S-SAG Gateway goes down?

a. A node list update is sent by the SAG to the switch. The switch stops the heartbeat with the S-SAG which has gone
down and removes all users anchored to it. The switch then initiates a bootstrap to a new S-SAG provided in the
node list update. Once a bootstrap acknowledgment is received, the switch starts a heartbeat to the new S-SAG.
After some time, the SAG will send a bucket map update. The switch then processes the update and anchors users
to their respective gateway s.

Note: It is important to verify that the bucket map on the switch and Gateway are the same. Also, it should be
verified that users are anchored to the appropriate Gateway according to the bucket map on both the switch and
gateway.

9) What do the states in “show tunneled-node-server state” mean?

a. Registering - Bootstrapping

Registered - Bootstrapped

Unregistering – Un-bootstrapping

10) What happens when user-role attributes change?

a. A re-bootstrap is initiated for users applied within that role containing updated role attributes in the bootstrap
packet. These users move to “registering” state. Once an acknowledgement is received from the gateway, users
then move to “registered” state. This applies only to VLAN and secondary role changes.

11) What happens on a client “MAC address move”?

a. A re-bootstrap is initiated for the client. Only after an acknowledgement from the Gateway is received, the client
traffic begins to be tunneled.

12) What is the recommendation for PUTN client VLAN configuration?

37
 Technical Whitepaper
User Roles and User-Based Tunneling
a. Tunneled user client VLAN has to be present at the per user tunneled node switch

There is no need to specifically add tunneled user ports to this VLAN. Switch AAA takes care of this via Mac-Based
VLANs (MBV).

The uplink to the Gateway port should NOT be part of this VLAN.

The uplink to the Gateway VLAN and the tunneled users VLAN cannot be same.

13) How do I prioritize tunneled packets using QoS?

14) “I see that user has ‘registered’ at the switch but has no response to a ping. How do I debug?”

a. Check that the user roles and VLANs are correctly configured at the switch as well as the gateway.

Check the IP MTU is set to >= (1500+46) at all the switches in the path from PUTN switch to the gateway.

As there are two parts to the solution, we need to know exactly which part is not behaving right. To find out if the
switch is tunneling the traffic, use the “show tunneled-node-server statistics” command to check if the user traffic is
being received and transmitted. If the counters do not increment, then the switch configuration needs to be
investigated.

At the Mobility gateway : check “show datapath tunnel” to see if the “Encaps” and “Decaps” counters increase.

A packet trace of traffic sent from and received at the switch uplink to the Gateway can also be useful, GRE
encapsulated packets are what will be of interest.

15) Which Firewall ports need to be opened to enable User-Based Tunneling?

a. Make sure you have PAPI (UDP 8211), GRE (Protocol 47) and ICMP (Echo-Request/Echo-Reply) allowed through the
network between the Aruba switch and the Mobility Gateway.

38
 Technical Whitepaper
User Roles and User-Based Tunneling
Appendix A
Validated Switch Configuration
Running configuration:

; hpStack_KB Configuration Editor; Created on release #KB.16.08.0001

; Ver #14:0f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:60

stacking
member 1 type "JL074A" mac-address 70106f-8fa780
member 1 priority 255
member 2 type "JL076A" mac-address 1c98ec-9e0f80
member 2 priority 200
member 3 type "JL076A" mac-address 1c98ec-9e4d00
member 3 priority 150
member 3 flexible-module A type JL083A
exit
hostname "UBT-Demo"
class ipv4 "test"
exit
crypto ca-download usage clearpass retry 5
trunk 1/1,3/1 trk1 lacp
max-vlans 4094
include-credentials
radius-server host "aoss-cppm.tmelab.net" key "admin"
radius-server host "aoss-cppm.tmelab.net" dyn-authorization
radius-server host "aoss-cppm.tmelab.net" time-window 0
radius-server host "aoss-cppm.tmelab.net" clearpass
radius-server cppm identity "justin"
timesync ntp
ntp unicast
ntp server 10.80.2.219 iburst
ntp enable
time daylight-time-rule continental-us-and-canada
time timezone -480
ip default-Gateway 10.5.8.1
ip dns domain-name "tmelab.net"
ip dns server-address priority 1 10.80.2.219
ip route 0.0.0.0 0.0.0.0 10.5.8.3
ip router-id 5.8.1.2
ip routing
ip source-interface tunneled-node-server vlan 10
ip client-tracker trusted
tunneled-node-server

39
 Technical Whitepaper
User Roles and User-Based Tunneling
controller-ip 10.5.8.7
mode role-based reserved-vlan 1000
exit
interface 1/11
disable
exit
interface loopback 0
ip address 5.8.1.2
exit
snmp-server community "public" unrestricted
snmpv3 engineid "00:00:00:0b:00:00:70:10:6f:8f:a7:c5"
aaa authorization user-role name "test123"
captive-portal-profile "DURTest"
vlan-id 20
exit
aaa authorization user-role enable download
aaa authentication port-access eap-radius
aaa authentication captive-portal enable
aaa authentication captive-portal url-hash-key plaintext "aruba123"
aaa authentication captive-portal profile "DURTest" url "https://10.5.8.12/guest/Aruba_CapPort.php"
aaa port-access authenticator 1/11,1/13-1/14,1/23-1/24,1/48,2/11-2/12,2/24,2/46,2/48,3/24
aaa port-access authenticator 1/11 client-limit 5
aaa port-access authenticator 1/13 client-limit 5
aaa port-access authenticator 1/14 client-limit 5
aaa port-access authenticator 1/23 client-limit 5
aaa port-access authenticator 1/24 client-limit 5
aaa port-access authenticator 1/48 server-timeout 30
aaa port-access authenticator 1/48 client-limit 5
aaa port-access authenticator 2/11 client-limit 5
aaa port-access authenticator 2/11 cached-reauth-period 200
aaa port-access authenticator 2/12 client-limit 5
aaa port-access authenticator 2/24 client-limit 5
aaa port-access authenticator 3/24 client-limit 5
aaa port-access authenticator active
aaa port-access mac-based 1/11,1/23-1/24,2/24,3/24
aaa port-access mac-based 1/24 addr-limit 5
aaa port-access mac-based 2/11 cached-reauth-period 200
aaa port-access mac-based 2/24 addr-limit 5
aaa port-access mac-based 3/24 addr-limit 5
aaa port-access 1/13 auth-order mac-based authenticator
aaa port-access 3/24 mixed
oobm
ip address dhcp-bootp
ipv6 enable

40
 Technical Whitepaper
User Roles and User-Based Tunneling
ipv6 address dhcp full
member 1
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
member 2
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
member 3
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1/2-1/48,2/1-2/48,3/2-3/48,3/A1-3/A4,Trk1
no ip address
ipv6 enable
ipv6 address dhcp full
exit
vlan 10
name "Uplink"
untagged 1/11,Trk1
ip address 10.5.8.4 255.255.255.0
ipv6 address 2001::2/64
jumbo
exit
vlan 20
name "Phone"
no ip address
voice
exit
vlan 199
name "VLAN199"
no ip address
exit
vlan 200
name "guest"
no ip address
exit

41
 Technical Whitepaper
User Roles and User-Based Tunneling
vlan 999
name "VLAN999"
untagged 1/2-1/10,1/12-1/48,2/1-2/48,3/2-3/48,3/A1-3/A4
no ip address
exit
vlan 1000
name "TUNNELED_NODE_SERVER_RESERVED"
no ip address
exit
spanning-tree Trk1 priority 4
spanning-tree mode rapid-pvst

Validated Mobility Conductor Configuration

Building Configuration...

version 8.4
hostname "ARUBAMM-DS"
clock timezone America/Los_Angeles -08 00
!
location "Building1.floor1"
Gateway config 222
crypto-local pki PublicCert conductor-ssh-pub-cert conductor-ssh-pub-cert
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
permit any
!
ip access-list geolocation global-geolocation-acl
!
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-pcoip2-tcp tcp 4172
netservice svc-facetime-tcp tcp 5223 alg facetime
netservice svc-https tcp 443
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-ike udp 500
netservice svc-smb-tcp tcp 445
netservice svc-l2tp udp 1701
netservice svc-citrix tcp 2598
netservice svc-syslog udp 514
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-sip-tcp tcp 5060 alg sip
netservice svc-lpd tcp 515
netservice svc-web tcp list "80 443"
netservice svc-kerberos udp 88
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pop3 tcp 110
netservice svc-pcoip-tcp tcp 50002

42
 Technical Whitepaper
User Roles and User-Based Tunneling
netservice svc-http-proxy3 tcp 8888
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-dns udp 53 alg dns
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-msrpc-tcp tcp 135 139
netservice svc-h323-tcp tcp 1720 alg h323
netservice svc-vocera udp 5002 alg vocera
netservice svc-http tcp 80
netservice svc-h323-udp udp 1718 1719 alg h323
netservice vnc tcp 5900 5905
netservice svc-nterm tcp 1026 1028
netservice svc-http-proxy2 tcp 8080
netservice svc-sip-udp udp 5060 alg sip
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ftp tcp 21 alg ftp
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-smb-udp udp 445
netservice svc-esp 50
netservice svc-ipp-tcp tcp 631
netservice svc-pcoip2-udp udp 4172
netservice svc-snmp udp 161
netservice svc-bootp udp 67 69
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-ipp-udp udp 631
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
invert
network 2000::/3
!
netdestination wificalling-block
name pub.3gppnetwork.org
name vowifi.com
!
netexthdr default
!
time-range periodic night-hours
weekday 18:01 to 23:59
weekday 00:00 to 07:59
!
time-range periodic working-hours

43
 Technical Whitepaper
User Roles and User-Based Tunneling
weekday 08:00 to 18:00
!
ip access-list session control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-sec-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
any any tcp 6633 permit
!
ip access-list session v6-icmp-acl
ipv6 any any svc-v6-icmp permit
!
ip access-list session allow-diskservices
any any svc-netbios-dgm permit
any any svc-netbios-ssn permit
any any svc-microsoft-ds permit
any any svc-netbios-ns permit
!
ip access-list session validuser
network 127.0.0.0 255.0.0.0 any any deny
network 169.254.0.0 255.255.0.0 any any deny
network 224.0.0.0 240.0.0.0 any any deny
host 255.255.255.255 any any deny
network 240.0.0.0 240.0.0.0 any any deny
any any any permit
ipv6 host fe80:: any any deny
ipv6 network fc00::/7 any any permit
ipv6 network fe80::/64 any any permit
ipv6 alias ipv6-reserved-range any any deny
ipv6 any any any permit
!
ip access-list session vocera-acl
any any svc-vocera permit queue high
!
ip access-list session v6-https-acl
ipv6 any any svc-https permit
!
ip access-list session voip-applications-acl
any any app alg-skype4b-audio permit
any any app alg-skype4b-video permit
any any app alg-skype4b-desktop-sharing permit
any any app alg-skype4b-app-sharing permit
any any app alg-sip-audio permit
any any app alg-sip-video permit
any any app alg-sccp permit
any any app alg-vocera permit
any any app alg-noe permit
any any app alg-h323 permit
any any app alg-jabber-audio permit

44
 Technical Whitepaper
User Roles and User-Based Tunneling
any any app alg-jabber-video permit
any any app alg-jabber-desktop-sharing permit
any any app alg-facetime permit
any any app alg-wifi-calling permit
any any app alg-rtp permit
!
ip access-list session vmware-acl
any any svc-vmware-rdp permit tos 46 dot1p-priority 6
any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
any any svc-pcoip-udp permit tos 46 dot1p-priority 6
any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
!
ip access-list session icmp-acl
any any svc-icmp permit
!
ip access-list session apprf-default-vpn-role-SAGl
!
ip access-list session apprf-logon-SAGl
!
ip access-list session v6-control
ipv6 user any udp 546 deny
ipv6 any any svc-v6-icmp permit
ipv6 any any svc-dns permit
ipv6 any any svc-papi permit
ipv6 any any svc-sec-papi permit
ipv6 any any svc-cfgm-tcp permit
ipv6 any any svc-adp permit
ipv6 any any svc-tftp permit
ipv6 any any svc-dhcp permit
ipv6 any any svc-natt permit
!
ip access-list session jabber-acl
any any tcp 5222 permit
any any tcp 8443 permit
!
ip access-list session apprf-authenticated-SAGl
!
ip access-list session apprf-switch-logon-SAGl
!
ip access-list session apprf-stateful-dot1x-SAGl
!
ip access-list session v6-dhcp-acl
ipv6 any any svc-v6-dhcp permit
!
ip access-list session captiveportal
user alias Gateway svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
!
ip access-list session wificalling-acl
any any tcp 443 permit

45
 Technical Whitepaper
User Roles and User-Based Tunneling
!
ip access-list session allowall
any any any permit
ipv6 any any any permit
!
ip access-list session v6-dns-acl
ipv6 any any svc-dns permit
!
ip access-list session facetime-acl
any any svc-facetime-tcp permit queue high
any any udp 3478 3497 permit
any any udp 16384 16387 permit
any any udp 16393 16402 permit
!
ip access-list session apprf-voice-SAGl
!
ip access-list session skype4b-acl
any any svc-sips permit
any any svc-https permit
!
ip access-list session wan-uplink-protect-acl
any any sys-svc-dhcp permit
ipv6 any any sys-svc-v6-dhcp permit
any any sys-svc-esp permit
any any sys-svc-natt permit
any any sys-svc-ike permit
any any sys-svc-icmp permit
ipv6 any any sys-svc-icmp6 permit
!
ip access-list session sip-acl
any any svc-sip-udp permit queue high
any any svc-sip-tcp permit queue high
!
ip access-list session https-acl
any any svc-https permit
!
ip access-list session citrix-acl
any any svc-citrix permit tos 46 dot1p-priority 6
any any svc-ica permit tos 46 dot1p-priority 6
!
ip access-list session ra-guard
ipv6 user any icmpv6 rtr-adv deny
!
ip access-list session dns-acl
any any svc-dns permit
!
ip access-list session allow-printservices
any any svc-lpd permit
any any svc-ipp-tcp permit
any any svc-ipp-udp permit
!
ip access-list session skinny-acl
any any svc-sccp permit queue high
!
ip access-list session logon-control

46
 Technical Whitepaper
User Roles and User-Based Tunneling
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
!
ip access-list session v6-allowall
ipv6 any any any permit
!
ip access-list session tftp-acl
any any svc-tftp permit
!
ip access-list session vpnlogon
user any svc-ike permit
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session srcnat
user any any src-nat
!
ip access-list session wificalling-block
any alias wificalling-block any deny
!
ip access-list session cplogout
user alias Gateway svc-https dst-nat 8081
!
ip access-list session captiveportal6
ipv6 user alias gateway 6 svc-https captive
ipv6 user any svc-http captive
ipv6 user any svc-https captive
ipv6 user any svc-http-proxy1 captive
ipv6 user any svc-http-proxy2 captive
ipv6 user any svc-http-proxy3 captive
!
ip access-list session http-acl
any any svc-http permit
!
ip access-list session apprf-default-via-role-SAGl
!
ip access-list session dhcp-acl
any any svc-dhcp permit
!
ip access-list session v6-http-acl
ipv6 any any svc-http permit
!
ip access-list session stateful-dot1x
any any svc-dns permit
any any svc-dhcp permit
!
ip access-list session apprf-ap-role-SAGl
!

47
 Technical Whitepaper
User Roles and User-Based Tunneling
ip access-list session apprf-guest-SAGl
!
ip access-list session ap-uplink-acl
any any udp 68 permit
any any svc-icmp permit
any host 224.0.0.251 udp 5353 permit
ipv6 any any udp 546 permit
ipv6 any any svc-v6-icmp permit
ipv6 any host ff02::fb udp 5353 permit
!
ip access-list session apprf-guest-logon-SAGl
!
ip access-list session noe-acl
any any svc-noe permit queue high
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit
user any svc-ftp permit
user any svc-telnet deny
!
ip access-list session svp-acl
any any svc-svp permit queue high
user host 224.0.1.116 any permit
!
ip access-list session global-SAGl
!
ip access-list session v6-ap-acl
ipv6 any any svc-gre permit
ipv6 any any svc-syslog permit
ipv6 any user svc-snmp permit
ipv6 user any svc-snmp-trap permit
ipv6 user any svc-ntp permit
ipv6 user any svc-ftp permit
!
ip access-list session apprf-sys-switch-role-SAGl
!
ip access-list session h323-acl
any any svc-h323-tcp permit queue high
any any svc-h323-udp permit queue high
!
ip access-list session v6-logon-control
ipv6 user any udp 546 deny
ipv6 any any svc-v6-icmp permit
ipv6 any any svc-v6-dhcp permit
ipv6 any any svc-dns permit
ipv6 any network fc00::/7 any permit
ipv6 any network fe80::/64 any permit
ipv6 any alias ipv6-reserved-range any deny
!
ip access-list session apprf-sys-ap-role-SAGl
!

48
 Technical Whitepaper
User Roles and User-Based Tunneling
ip access-list route uplink-lb-cfg-racl
!
ip access-list route conductor-boc-traffic
!
vpn-dialer default-dialer
ike authentication PRE-SHARE ******
!
user-role ap-role
no openflow-enable
access-list session ra-guard
access-list session control
access-list session ap-acl
access-list session v6-control
access-list session v6-ap-acl
!
user-role default-vpn-role
access-list session global-SAGl
access-list session apprf-default-vpn-role-SAGl
access-list session ra-guard
access-list session allowall
access-list session v6-allowall
!
user-role sys-switch-role
!
user-role sys-ap-role
no openflow-enable
!
user-role voice
access-list session global-SAGl
access-list session apprf-voice-SAGl
access-list session ra-guard
access-list session sip-acl
access-list session noe-acl
access-list session svp-acl
access-list session vocera-acl
access-list session skinny-acl
access-list session h323-acl
access-list session dhcp-acl
access-list session tftp-acl
access-list session dns-acl
access-list session icmp-acl
access-list session http-acl
access-list session https-acl
access-list session skype4b-acl
access-list session facetime-acl
access-list session jabber-acl
access-list session wificalling-acl
access-list session voip-applications-acl
!
user-role default-via-role
access-list session global-SAGl
access-list session apprf-default-via-role-SAGl
access-list session allowall
access-list session v6-allowall
!

49
 Technical Whitepaper
User Roles and User-Based Tunneling
user-role switch-logon
!
user-role guest-logon
captive-portal "default"
access-list session ra-guard
access-list session logon-control
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
!
user-role guest
access-list session global-SAGl
access-list session apprf-guest-SAGl
access-list session ra-guard
access-list session http-acl
access-list session https-acl
access-list session dhcp-acl
access-list session icmp-acl
access-list session dns-acl
access-list session v6-http-acl
access-list session v6-https-acl
access-list session v6-dhcp-acl
access-list session v6-icmp-acl
access-list session v6-dns-acl
!
user-role stateful-dot1x
access-list session global-SAGl
access-list session apprf-stateful-dot1x-SAGl
!
user-role authenticated
access-list session global-SAGl
access-list session apprf-authenticated-SAGl
access-list session ra-guard
access-list session allowall
access-list session v6-allowall
!
user-role default-iap-user-role
access-list session allowall
!
user-role logon
access-list session ra-guard
access-list session logon-control
access-list session captiveportal
access-list session vpnlogon
access-list session v6-logon-control
access-list session captiveportal6
!
!
aaa tacacs-accounting

gateway -ip vlan 10

gateway -ipv6 vlan 10 address 2001::5
datapath energy-efficiency
kernel coredump

50
 Technical Whitepaper
User Roles and User-Based Tunneling
interface mgmt
shutdown
!

dialer group evdo_us

init-string ATQ0V1E0
dial-string ATDT#777
!

dialer group gsm_us

init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
dial-string ATD*99#
!

dialer group gsm_asia

init-string AT+CGDCONT=1,"IP","internet"
dial-string ATD*99***1#
!

dialer group vivo_br

init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
dial-string ATD*99#
!

vlan 10
vlan 15

vlan-name putn-client
vlan putn-client 15

no spanning-tree

interface gigabitethernet 0/0/0

description "GE0/0/0"
trusted
trusted vlan 1-4094
no poe
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 10,15
no spanning-tree
!

interface gigabitethernet 0/0/1

description "GE0/0/1"
shutdown
trusted
trusted vlan 1-4094
no poe
no spanning-tree
!

interface port-channel 0

51
 Technical Whitepaper
User Roles and User-Based Tunneling
trusted
trusted vlan 1-4094
!

interface port-channel 1
trusted
trusted vlan 1-4094
!

interface port-channel 2
trusted
trusted vlan 1-4094
!

interface port-channel 3
trusted
trusted vlan 1-4094
!

interface port-channel 4
trusted
trusted vlan 1-4094
!

interface port-channel 5
trusted
trusted vlan 1-4094
!

interface port-channel 6
trusted
trusted vlan 1-4094
!

interface port-channel 7
trusted
trusted vlan 1-4094
!

interface vlan 10
ip address 10.5.8.5 255.255.255.0
ipv6 address 2001::5/64
!

interface vlan 1
!

!
!
ip default-Gateway 10.5.8.1
ipv6 default-Gateway 2001::1
ip nexthop-list load-balance-Gateway s
!
ip nexthop-list load-balance-ipsecs
!

52
 Technical Whitepaper
User Roles and User-Based Tunneling
ip nexthop-list traditional-ipsecs
!

crypto isakmp policy 20

encryption aes256
!

crypto isakmp policy 10001

!

crypto isakmp policy 10002

encryption aes256
authentication rsa-sig
!

crypto isakmp policy 10003

encryption aes256
!

crypto isakmp policy 10004

version v2
encryption aes256
authentication rsa-sig
!

crypto isakmp policy 10005

encryption aes256
!

crypto isakmp policy 10006

version v2
encryption aes128
authentication rsa-sig
!

crypto isakmp policy 10007

version v2
encryption aes128
!

crypto isakmp policy 10008

version v2
encryption aes128
hash sha2-256-128
group 19
authentication ecdsa-256
prf prf-hmac-sha256
!

crypto isakmp policy 10009

version v2
encryption aes256
hash sha2-384-192
group 20
authentication ecdsa-384

53
 Technical Whitepaper
User Roles and User-Based Tunneling
prf prf-hmac-sha384
!

crypto isakmp policy 10012

version v2
encryption aes256
authentication rsa-sig
!

crypto isakmp policy 10013

encryption aes256
!

crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac

crypto ipsec transform-set default-boc-bm-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-1st-ikev2-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-3rd-ikev2-transform esp-aes128 esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
version v2
set transform-set "default-gcm256" "default-gcm128" "default-rap-transform"
!

crypto dynamic-map default-dynamicmap 10000

set transform-set "default-transform" "default-aes"
!

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap

crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
localip 10.5.8.6 ipsec d6350c9fdb128543ecb9c05dfab11cb4a3244ca81e6f2926
localip 10.5.8.7 ipsec d232b5789eb6074523b2a03e9fb505c8a6d533028cd24149
localipv6 2001::3 ipsec ****** localipv4 10.5.8.7
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2

vpdn group l2tp

!

ip dynamic-dns interval 900

snmp-server community "tmelab"

vpdn group pptp
!

tunneled-node-address 0.0.0.0

adp discovery disable

54
 Technical Whitepaper
User Roles and User-Based Tunneling
adp igmp-join disable
adp igmp-vlan-id 0

ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
amon msg-buffer-size 1264
amon udp 0
mgmt-server primary-server 10.5.8.18 profile default-amp transport udp

stm mon-update-queue 83328

ssh mgmt-auth public-key

ssh mgmt-auth username/password
mgmt-user admin root ******************** node
mgmt-user ssh-pubkey client-cert conductor-ssh-pub-cert seamless-logon read-only node
mgmt-user ssh-pubkey client-cert conductor-ssh-pub-cert seamless-logon-w standard node

ntp

no database synchronize
ip mobile domain default
!

ip igmp
!

ipv6 mld
!

firewall
prohibit-ip-spoofing
attack-rate grat-arp 50 drop
session-idle-timeout 16
cp-bandwidth-contract untrusted-ucast 9765
cp-bandwidth-contract untrusted-mcast 1953
cp-bandwidth-contract trusted-ucast 98304
cp-bandwidth-contract trusted-mcast 1953
cp-bandwidth-contract route 976
cp-bandwidth-contract sessmirr 976
cp-bandwidth-contract vrrp 512
cp-bandwidth-contract arp-traffic 976
cp-bandwidth-contract l2-other 976
cp-bandwidth-contract auth 976
cp-bandwidth-contract ike 1953
amsdu
firewall wireless-bridge-aging
session-tunnel-fib
stall-crash
optimize-dad-frames
!
ipv6 enable
ipv6 firewall

55
 Technical Whitepaper
User Roles and User-Based Tunneling
ext-hdr-parse-len 100
!

!
firewall cp
ipv4 permit any proto 6 ports 2126 2126
ipv6 permit any proto 6 ports 2126 2126
ipv6 deny any proto 0 ports 0 65535
ipv6 permit any proto 17 ports 49170 49200
!
ip domain lookup
!
country US
change-config-node /
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa authentication dot1x "default-psk"
!
aaa authentication via global-config
!
scheduler-profile "default"
queue-weights q0 0 q1 0 q2 0 q3 0
priority-map q0 "6 7" q1 "4 5" q2 "2 3" q3 "0 1"
!
aaa server-group "default"
auth-server Internal position 1
set role condition role value-of
!
aaa server-group "internal"
auth-server Internal position 1
set role condition Role value-of
!
aaa profile "default"
!
aaa profile "default-dot1x"
authentication-dot1x "default"
dot1x-default-role "authenticated"
!
aaa profile "default-dot1x-psk"
authentication-dot1x "default-psk"
!
aaa profile "default-iap-aaa-profile"
initial-role "default-iap-user-role"
no wired-to-wireless-roam
no devtype-classification
!
aaa profile "default-mac-auth"
authentication-mac "default"
mac-default-role "authenticated"
!
aaa profile "default-open"

56
 Technical Whitepaper
User Roles and User-Based Tunneling
!
aaa profile "default-tunneled-user"
initial-role "guest"
no wired-to-wireless-roam
no devtype-classification
!
aaa profile "default-xml-api"
!
aaa profile "NoAuthAAAProfile"
!
aaa authentication captive-portal "default"
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-cap"
default-role "sys-ap-role"
server-group "internal"
!
aaa authentication vpn "default-hp-switch"
!
aaa authentication vpn "default-iap"
!
aaa authentication vpn "default-rap"
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication via auth-profile "default"
!
aaa authentication wired
!
aaa authentication via connection-profile "default"
!
aaa authentication via web-auth "default"
!
web-server profile
!
guest-access-email
!
aaa password-policy mgmt
!
control-plane-security
!
ids management-profile
!
ids wms-general-profile
!
ids wms-local-system-profile

57
 Technical Whitepaper
User Roles and User-Based Tunneling
!
ids ap-rule-matching
!
valid-network-oui-profile
!
traceoptions
!
activate
!
file syncing profile
!
ucc skype4b
!
ucc rtpa-config
!
ucc jabber
!
ucc sip
!
ucc h323
!
ucc vocera
!
ucc sccp
!
ucc noe
!
ucc facetime
!
ucc ich
!
ucc session-idle-timeout
!
ucc wificalling
!
license-pool-profile-root
pefng-licenses-enable
rfp-license-enable
webcc-license-enable
!
papi-security
!
est profile "default"
!
aruba-central
!
wlan sae-profile
!
ifmap cppm
!
pan profile "default"
!
pan-options
!
websocket clearpass

58
 Technical Whitepaper
User Roles and User-Based Tunneling
!
pan active-profile
!
openflow-profile
!
openflow-gateway
!
sdwan-profile
!
dump-collection-profile "default"
!
ap regulatory-domain-profile "default"
country-code US
valid-11g-channel 1
valid-11g-channel 6
valid-11g-channel 11
valid-11a-channel 36
valid-11a-channel 40
valid-11a-channel 44
valid-11a-channel 48
valid-11a-channel 149
valid-11a-channel 153
valid-11a-channel 157
valid-11a-channel 161
valid-11a-channel 165
valid-11g-40mhz-channel-pair 1-5
valid-11g-40mhz-channel-pair 7-11
valid-11a-40mhz-channel-pair 36-40
valid-11a-40mhz-channel-pair 44-48
valid-11a-40mhz-channel-pair 149-153
valid-11a-40mhz-channel-pair 157-161
valid-11a-80mhz-channel-group 36-48
valid-11a-80mhz-channel-group 149-161
valid-11a-160mhz-channel-group 36-64
!
ap wired-ap-profile "default"
!
ap wired-ap-profile "NoAuthWiredAp"
wired-ap-enable
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap lldp med-network-policy-profile "default"
!
ap mesh-cluster-profile "default"
!
ap multizone-profile "default"
!
ap system-profile "default"
ap-console-password 5f1a506da1ccb5b37b879adb001898d48f6b4c51f16cfd02
!
ap system-profile "NoAuthApSystem"
ap-console-password 01a3960ae9a5edc410210eb448f6b81089cd0130f0c5e59e

59
 Technical Whitepaper
User Roles and User-Based Tunneling
!
ap lldp profile "default"
!
ap mesh-radio-profile "default"
!
ap wired-port-profile "default"
!
ap wired-port-profile "NoAuthWiredPort"
wired-ap-profile "NoAuthWiredAp"
aaa-profile "NoAuthAAAProfile"
!
ap wired-port-profile "shutdown"
shutdown
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids rate-thresholds-profile "probe-request-response-thresholds"
channel-inc-time 30
channel-threshold 350
node-time-interval 10
node-threshold 250
!
ids signature-profile "AirJack"
frame-type beacon ssid AirJack
!
ids signature-profile "ASLEAP"
frame-type beacon ssid asleap
!
ids signature-profile "Deauth-Broadcast"
frame-type deauth
dst-mac ff:ff:ff:ff:ff:ff
!
ids signature-profile "Deauth-Broadcast-From-Valid-AP"
frame-type deauth
dst-mac ff:ff:ff:ff:ff:ff
src-mac valid-ap
bssid valid-ap
!
ids signature-profile "default"
!
ids signature-profile "Disassoc-Broadcast"
frame-type disassoc
dst-mac ff:ff:ff:ff:ff:ff
!
ids signature-profile "Disassoc-Broadcast-From-Valid-AP"
frame-type disassoc
dst-mac ff:ff:ff:ff:ff:ff
src-mac valid-ap
bssid valid-ap
!
ids signature-profile "Netstumbler Generic"
payload 0x00601d 3
payload 0x0001 6

60
 Technical Whitepaper
User Roles and User-Based Tunneling
!
ids signature-profile "Netstumbler Version 3.3.0x"
payload 0x00601d 3
payload 0x000102 12
!
ids signature-profile "Null-Probe-Response"
frame-type probe-response ssid-length 0
!
ids signature-profile "Wellenreiter"
frame-type probe-request ssid this_is_used_for_wellenreiter
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
ids signature-matching-profile "default"
signature "Deauth-Broadcast"
signature "Disassoc-Broadcast"
!
ids dos-profile "default"
!
ids profile "default"
!
rf dot11-60GHz-radio-profile "default"
!
rf arm-profile "arm-maintain"
no scanning
!
rf arm-profile "arm-scan"
!
rf arm-profile "default-a"
!
rf arm-profile "default-g"
!
rf ht-radio-profile "default-a"
!
rf ht-radio-profile "default-g"
!
rf spectrum-profile "default-a"
!
rf spectrum-profile "default-g"
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf am-scan-profile "default"
!
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "rp-maintain-a"
arm-profile "arm-maintain"
!
rf dot11a-radio-profile "rp-monitor-a"
mode am-mode

61
 Technical Whitepaper
User Roles and User-Based Tunneling
!
rf dot11a-radio-profile "rp-scan-a"
arm-profile "arm-scan"
!
rf dot11g-radio-profile "default"
!
rf dot11g-radio-profile "rp-maintain-g"
arm-profile "arm-maintain"
!
rf dot11g-radio-profile "rp-monitor-g"
mode am-mode
!
rf dot11g-radio-profile "rp-scan-g"
arm-profile "arm-scan"
!
wlan rrm-ie-profile "default"
!
wlan bcn-rpt-req-profile "default"
!
wlan dot11r-profile "default"
!
wlan tsm-req-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan he-ssid-profile "default"
!
wlan hotspot anqp-venue-name-profile "default"
!
wlan hotspot anqp-nwk-auth-profile "default"
!
wlan hotspot anqp-roam-cons-profile "default"
!
wlan hotspot anqp-nai-realm-profile "default"
!
wlan hotspot anqp-3gpp-nwk-profile "default"
!
wlan hotspot h2qp-operator-friendly-name-profile "default"
!
wlan hotspot h2qp-wan-metrics-profile "default"
!
wlan hotspot h2qp-conn-capability-profile "default"
!
wlan hotspot h2qp-op-cl-profile "default"
!
wlan hotspot h2qp-osu-prov-list-profile "default"
!
wlan hotspot anqp-ip-addr-avail-profile "default"
!
wlan hotspot anqp-domain-name-profile "default"
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!

62
 Technical Whitepaper
User Roles and User-Based Tunneling
wlan mu-edca-parameters-profile "default"
!
wlan dot11k-profile "default"
!
wlan ssid-profile "default"
!
wlan hotspot advertisement-profile "default"
!
wlan hotspot hs2-profile "default"
!
wlan virtual-ap "default"
!
mgmt-server profile "default-acp"
stats-enable
tag-enable
sessions-enable
monitored-info-enable
monitored-info-del-enable
monitored-info-snapshot-enable
wids-event-info-enable
misc-enable
location-enable
uccmonitoring-enable
airgroupinfo-enable
wan-state
!
mgmt-server profile "default-ale"
stats-enable
tag-enable
sessions-enable
misc-enable
location-enable
uccmonitoring-enable
!
mgmt-server profile "default-amp"
stats-enable
tag-enable
sessions-enable
misc-enable
location-enable
!
mgmt-server profile "default-gateway "
stats-enable
tag-enable
sessions-enable
misc-enable
location-enable
uccmonitoring-enable
airgroupinfo-enable
wan-state
!
mgmt-server profile "default-niara"
no generic-amon-enable
sessions-enable
no inline-dhcp-stats

63
 Technical Whitepaper
User Roles and User-Based Tunneling
no inline-ap-stats
no inline-auth-stats
no inline-dns-stats
!
ap authorization-profile "default"
ap-authorization-group "NoAuthApGroup"
!
ap provisioning-profile "default"
!
rf arm-rf-domain-profile
!
ap am-filter-profile "default"
!
ap spectrum local-override
!
airmatch profile
!
ap-lacp-striping-ip
!
ap general-profile
!
ap deploy-profile
!
ap provisioning-rules
!
ap-group "default"
!
ap-group "NoAuthApGroup"
enet1-port-profile "NoAuthWiredPort"
enet2-port-profile "NoAuthWiredPort"
enet3-port-profile "NoAuthWiredPort"
enet4-port-profile "NoAuthWiredPort"
ap-system-profile "NoAuthApSystem"
!
airgroup cppm-server aaa
!
airgroupprofile service "default-airplay"
id "_airplay._tcp"
id "_appletv-v2._tcp"
id "_raop._tcp"
description "AirPlay"
!
airgroupprofile service "default-airprint"
id "_canon-bjnp1._tcp"
id "_fax-ipp._tcp"
id "_http-alt._tcp"
id "_http._tcp"
id "_ica-networking._tcp"
id "_ica-networking2._tcp"
id "_ipp-tls._tcp"
id "_ipp._tcp"
id "_ipps._tcp"
id "_pdl-datastream._tcp"
id "_printer._tcp"
id "_ptp._tcp"

64
 Technical Whitepaper
User Roles and User-Based Tunneling
id "_riousbprint._tcp"
description "AirPrint"
!
airgroupprofile service "default-allowall"
description "Remaining-Services"
!
airgroupprofile service "default-amazontv"
id "_amzn-wplay._tcp"
description "Amazon fire tv"
!
airgroupprofile service "default-dial"
id "urn:dial-multiscreen-org:device:dial:1"
id "urn:dial-multiscreen-org:service:dial:1"
description "DIAL supported by Chromecast, FireTV, Roku etc"
!
airgroupprofile service "default-dlna-media"
id "urn:schemas-upnp-org:device:MediaPlayer:1"
id "urn:schemas-upnp-org:device:MediaRenderer:1"
id "urn:schemas-upnp-org:device:MediaRenderer:2"
id "urn:schemas-upnp-org:device:MediaRenderer:3"
id "urn:schemas-upnp-org:device:MediaServer:1"
id "urn:schemas-upnp-org:device:MediaServer:2"
id "urn:schemas-upnp-org:device:MediaServer:3"
id "urn:schemas-upnp-org:device:MediaServer:4"
id "urn:schemas-upnp-org:device:ZonePlayer:1"
id "urn:schemas-upnp-org:service:AVTransport:1"
id "urn:schemas-upnp-org:service:AlarmClock:1"
id "urn:schemas-upnp-org:service:ConnectionManager:1"
id "urn:schemas-upnp-org:service:ContentDirectory:1"
id "urn:schemas-upnp-org:service:DeviceProperties:1"
id "urn:schemas-upnp-org:service:GroupManagement:1"
id "urn:schemas-upnp-org:service:GroupRenderingControl:1"
id "urn:schemas-upnp-org:service:MusicServices:1"
id "urn:schemas-upnp-org:service:RenderingControl:1"
id "urn:schemas-upnp-org:service:SystemProperties:1"
id "urn:schemas-upnp-org:service:ZoneGroupTopology:1"
description "Media"
!
airgroupprofile service "default-dlna-print"
id "urn:schemas-upnp-org:device:Printer:1"
id "urn:schemas-upnp-org:service:PrintBasic:1"
id "urn:schemas-upnp-org:service:PrintEnhanced:1"
description "Print"
!
airgroupprofile service "default-googlecast"
id "_googlecast._tcp"
id "_googlezone._tcp"
description "GoogleCast supported by Chromecast etc"
!
airgroupprofile service "default-itunes"
id "_apple-mobdev._tcp"
id "_daap._tcp"
id "_dacp._tcp"
id "_home-sharing._tcp"
description "iTunes"

65
 Technical Whitepaper
User Roles and User-Based Tunneling
!
airgroupprofile service "default-remotemgmt"
id "_ftp._tcp"
id "_net-assistant._tcp"
id "_rfb._tcp"
id "_sftp-ssh._tcp"
id "_ssh._tcp"
id "_telnet._tcp"
description "Remote management"
!
airgroupprofile service "default-sharing"
id "_afpovertcp._tcp"
id "_odisk._tcp"
id "_xgrid._tcp"
description "Sharing"
!
airgroupprofile ipv6 "default"
!
airgroupprofile "default"
service "default-airplay"
service "default-airprint"
service "default-dial"
disallow-vlan type servers service ""
disallow-role "" type servers service ""
!

snmp-server enable trap

snmp-server host 10.5.8.18 version 2c tmelab udp-port 162
snmp-server trap source 0.0.0.0
snmp-server trap disable wlsxAPBROADCASTSTORM
snmp-server trap disable wlsxAPIPConflict
snmp-server trap disable wlsxAPLoopDetected
snmp-server trap disable wlsxAPPortDown
snmp-server trap disable wlsxAPPortUp
snmp-server trap disable wlsxAceUsageThreshold
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxCLEARPASSSERVERINVALID
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanAbsent
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted

66
 Technical Whitepaper
User Roles and User-Based Tunneling
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxHaFailoverRequestFromAp
snmp-server trap disable wlsxHaFailoverTrigger
snmp-server trap disable wlsxHaIntergateway HbtMiss
snmp-server trap disable wlsxHaStandbyConnectivityState
snmp-server trap disable wlsxHaStandbyIpSentFailed
snmp-server trap disable wlsxHaState
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxNAceUsageThreshold
snmp-server trap disable wlsxNFanAbsent
snmp-server trap disable wlsxNWebCCLicenseEnforcement
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
snmp-server trap disable wlsxWebCCLicenseEnforcement

process monitor log

ale-configuration
!
end

Validated Mobility Gateway Configuration

Building Configuration...

version 8.4
hostname "Aruba7010"
clock timezone America/Los_Angeles -08 00
!
conductoripv6 2001::5 ipsec ****** interface vlan 10 controller-ipv4 10.5.8.5
location "Building1.floor1"

67
 Technical Whitepaper
User Roles and User-Based Tunneling
Controller config 222
crypto-local pki PublicCert conductor-ssh-pub-cert
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list geolocation global-geolocation-acl
!
ip access-list eth validuserethacl
permit any
!
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-ipp-tcp tcp 631
netservice svc-citrix tcp 2598
netservice svc-pcoip-udp udp 50002
netservice svc-tftp udp 69 alg tftp
netservice svc-netbios-ssn tcp 139
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ica tcp 1494
netservice svc-facetime-tcp tcp 5223 alg facetime
netservice svc-msrpc-udp udp 135 139
netservice svc-lpd tcp 515
netservice svc-msrpc-tcp tcp 135 139
netservice svc-microsoft-ds tcp 445
netservice svc-smtp tcp 25
netservice svc-syslog udp 514
netservice svc-http-proxy2 tcp 8080
netservice svc-cfgm-tcp tcp 8211
netservice vnc tcp 5900 5905
netservice svc-telnet tcp 23
netservice svc-http tcp 80
netservice svc-h323-udp udp 1718 1719 alg h323
netservice svc-bootp udp 67 69
netservice svc-web tcp list "80 443"
netservice svc-sccp tcp 2000 alg sccp
netservice svc-ipp-udp udp 631
netservice svc-vmware-rdp tcp 3389
netservice svc-vocera udp 5002 alg vocera
netservice svc-esp 50
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-http-proxy1 tcp 3128
netservice svc-sec-papi udp 8209
netservice svc-gre 47
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-l2tp udp 1701
netservice svc-svp 119 alg svp
netservice svc-sip-tcp tcp 5060 alg sip
netservice svc-snmp udp 161

68
 Technical Whitepaper
User Roles and User-Based Tunneling
netservice svc-pptp tcp 1723
netservice svc-icmp 1
netservice svc-smb-tcp tcp 445
netservice svc-pcoip2-tcp tcp 4172
netservice svc-ssh tcp 22
netservice svc-v6-icmp 58
netservice svc-h323-tcp tcp 1720 alg h323
netservice svc-ntp udp 123
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-netbios-ns udp 137
netservice svc-dns udp 53 alg dns
netservice svc-v6-dhcp udp 546 547
netservice svc-netbios-dgm udp 138
netservice svc-http-proxy3 tcp 8888
netservice svc-sip-udp udp 5060 alg sip
netservice svc-kerberos udp 88
netservice svc-sips tcp 5061 alg sips
netservice svc-nterm tcp 1026 1028
netservice svc-snmp-trap udp 162
netservice svc-pcoip2-udp udp 4172
netservice svc-pcoip-tcp tcp 50002
netservice svc-ike udp 500
netservice svc-noe udp 32512 alg noe
netservice svc-ftp tcp 21 alg ftp
netservice svc-https tcp 443
netservice svc-smb-udp udp 445
netdestination6 ipv6-reserved-range
invert
network 2000::/3
!
netdestination wificalling-block
name pub.3gppnetwork.org
name vowifi.com
!
netexthdr default
!
time-range periodic working-hours
weekday 08:00 to 18:00
!
time-range periodic night-hours
weekday 18:01 to 23:59
weekday 00:00 to 07:59
!
ip access-list session apprf-switch-logon-SAGl
!

69
 Technical Whitepaper
User Roles and User-Based Tunneling
ip access-list session apprf-adminuser-SAGl
!
ip access-list session svp-acl
any any svc-svp permit queue high
user host 224.0.1.116 any permit
!
ip access-list session apprf-stateful-dot1x-SAGl
!
ip access-list session apprf-voice-SAGl
!
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
!
ip access-list session apprf-default-vpn-role-SAGl
!
ip access-list session ap-uplink-acl
any any udp 68 permit
any any svc-icmp permit
any host 224.0.0.251 udp 5353 permit
ipv6 any any udp 546 permit
ipv6 any any svc-v6-icmp permit
ipv6 any host ff02::fb udp 5353 permit
!
ip access-list session icmp-acl
any any svc-icmp permit
!
ip access-list session v6-logon-control
ipv6 user any udp 546 deny
ipv6 any any svc-v6-icmp permit
ipv6 any any svc-v6-dhcp permit
ipv6 any any svc-dns permit
ipv6 any network fc00::/7 any permit
ipv6 any network fe80::/64 any permit
ipv6 any alias ipv6-reserved-range any deny
!
ip access-list session http-acl
any any svc-http permit
!
ip access-list session vocera-acl
any any svc-vocera permit queue high

70
 Technical Whitepaper
User Roles and User-Based Tunneling
!
ip access-list session v6-http-acl
ipv6 any any svc-http permit
!
ip access-list session sip-acl
any any svc-sip-udp permit queue high
any any svc-sip-tcp permit queue high
!
ip access-list session citrix-acl
any any svc-citrix permit tos 46 dot1p-priority 6
any any svc-ica permit tos 46 dot1p-priority 6
!
ip access-list session vmware-acl
any any svc-vmware-rdp permit tos 46 dot1p-priority 6
any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
any any svc-pcoip-udp permit tos 46 dot1p-priority 6
any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
!
ip access-list session tftp-acl
any any svc-tftp permit
!
ip access-list session ra-guard
ipv6 user any icmpv6 rtr-adv deny
!
ip access-list session test
!
ip access-list session voip-applications-acl
any any app alg-skype4b-audio permit
any any app alg-skype4b-video permit
any any app alg-skype4b-desktop-sharing permit
any any app alg-skype4b-app-sharing permit
any any app alg-sip-audio permit
any any app alg-sip-video permit
any any app alg-sccp permit
any any app alg-vocera permit
any any app alg-noe permit
any any app alg-h323 permit
any any app alg-jabber-audio permit
any any app alg-jabber-video permit
any any app alg-jabber-desktop-sharing permit
any any app alg-facetime permit
any any app alg-wifi-calling permit
any any app alg-rtp permit
!
ip access-list session srcnat

71
 Technical Whitepaper
User Roles and User-Based Tunneling
user any any src-nat
!
ip access-list session global-SAGl
!
ip access-list session v6-dhcp-acl
ipv6 any any svc-v6-dhcp permit
!
ip access-list session jabber-acl
any any tcp 5222 permit
any any tcp 8443 permit
!
ip access-list session wan-uplink-protect-acl
any any sys-svc-dhcp permit
ipv6 any any sys-svc-v6-dhcp permit
any any sys-svc-esp permit
any any sys-svc-natt permit
any any sys-svc-ike permit
any any sys-svc-icmp permit
ipv6 any any sys-svc-icmp6 permit
any any sys-svc-v6-dhcp permit
any any sys-svc-icmp6 permit
!
ip access-list session stateful-dot1x
any any svc-dns permit
any any svc-dhcp permit
!
ip access-list session webcc_test
!
ip access-list session cplogout
user alias Gateway svc-https dst-nat 8081
!
ip access-list session pbt-demo-role
!
ip access-list session adminuser
!
ip access-list session wificalling-acl
any any tcp 443 permit
!
ip access-list session apprf-authenticated-SAGl
!
ip access-list session apprf-logon-SAGl
!
ip access-list session apprf-guest-logon-SAGl
!
ip access-list session vpnlogon
user any svc-ike permit

72
 Technical Whitepaper
User Roles and User-Based Tunneling
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session allow-diskservices
any any svc-netbios-dgm permit
any any svc-netbios-ssn permit
any any svc-microsoft-ds permit
any any svc-netbios-ns permit
!
ip access-list session v6-control
ipv6 user any udp 546 deny
ipv6 any any svc-v6-icmp permit
ipv6 any any svc-dns permit
ipv6 any any svc-papi permit
ipv6 any any svc-sec-papi permit
ipv6 any any svc-cfgm-tcp permit
ipv6 any any svc-adp permit
ipv6 any any svc-tftp permit
ipv6 any any svc-dhcp permit
ipv6 any any svc-natt permit
!
ip access-list session staffping
userrole staffuser userrole adminuser icmp echo deny
network 10.15.1.0 255.255.255.0 any tcp 21 deny
network 10.15.1.0 255.255.255.0 any udp 21 deny
network 10.15.1.0 255.255.255.0 any udp 3389 deny
network 10.15.1.0 255.255.255.0 any tcp 3389 deny
any any any permit
!
ip access-list session apprf-sys-switch-role-SAGl
!
ip access-list session apprf-guest-SAGl
!
ip access-list session pbt-role
!
ip access-list session v6-ap-acl
ipv6 any any svc-gre permit
ipv6 any any svc-syslog permit
ipv6 any user svc-snmp permit
ipv6 user any svc-snmp-trap permit
ipv6 user any svc-ntp permit
ipv6 user any svc-ftp permit
!
ip access-list session wificalling-block

73
 Technical Whitepaper
User Roles and User-Based Tunneling
any alias wificalling-block any deny
!
ip access-list session apprf-default-via-role-SAGl
!
ip access-list session v6-allowall
ipv6 any any any permit
!
ip access-list session v6-icmp-acl
ipv6 any any svc-v6-icmp permit
!
ip access-list session validuser
network 127.0.0.0 255.0.0.0 any any deny
network 169.254.0.0 255.255.0.0 any any deny
network 224.0.0.0 240.0.0.0 any any deny
host 255.255.255.255 any any deny
network 240.0.0.0 240.0.0.0 any any deny
any any any permit
ipv6 host fe80:: any any deny
ipv6 network fc00::/7 any any permit
ipv6 network fe80::/64 any any permit
ipv6 alias ipv6-reserved-range any any deny
ipv6 any any any permit
!
ip access-list session v6-dns-acl
ipv6 any any svc-dns permit
!
ip access-list session skype4b-acl
any any svc-sips permit
any any svc-https permit
!
ip access-list session captiveportal
user alias Gateway svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
!
ip access-list session h323-acl
any any svc-h323-tcp permit queue high
any any svc-h323-udp permit queue high
!
ip access-list session allowall
any any any permit
ipv6 any any any permit
!

74
 Technical Whitepaper
User Roles and User-Based Tunneling
ip access-list session v6-https-acl
ipv6 any any svc-https permit
!
ip access-list session apprf-sys-ap-role-SAGl
!
ip access-list session dhcp-acl
any any svc-dhcp permit
!
ip access-list session facetime-acl
any any svc-facetime-tcp permit queue high
any any udp 3478 3497 permit
any any udp 16384 16387 permit
any any udp 16393 16402 permit
!
ip access-list session allow-printservices
any any svc-lpd permit
any any svc-ipp-tcp permit
any any svc-ipp-udp permit
!
ip access-list session apprf-test-SAGl
!
ip access-list session skinny-acl
any any svc-sccp permit queue high
!
ip access-list session https-acl
any any svc-https permit
!
ip access-list session apprf-staffuser-SAGl
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit
user any svc-ftp permit
user any svc-telnet deny
!
ip access-list session apprf-ap-role-SAGl
!
ip access-list session captiveportal6
ipv6 user alias gateway 6 svc-https captive
ipv6 user any svc-http captive
ipv6 user any svc-https captive
ipv6 user any svc-http-proxy1 captive
ipv6 user any svc-http-proxy2 captive

75
 Technical Whitepaper
User Roles and User-Based Tunneling
ipv6 user any svc-http-proxy3 captive
!
ip access-list session control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-sec-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
any any tcp 6633 permit
!
ip access-list session noe-acl
any any svc-noe permit queue high
!
ip access-list session dns-acl
any any svc-dns permit
!
ip access-list route conductor-boc-traffic
!
ip access-list route uplink-lb-cfg-racl
!
vpn-dialer default-dialer
ike authentication PRE-SHARE ******
!
user-role default-via-role
access-list session global-SAGl
access-list session apprf-default-via-role-SAGl
access-list session allowall
access-list session v6-allowall
!
user-role sys-switch-role
!
user-role ap-role
no openflow-enable
access-list session ra-guard
access-list session control
access-list session ap-acl
access-list session v6-control
access-list session v6-ap-acl
!
user-role switch-logon
!

76
 Technical Whitepaper
User Roles and User-Based Tunneling
user-role test
access-list session global-SAGl
access-list session apprf-test-SAGl
access-list session test
!
user-role sys-ap-role
no openflow-enable
!
user-role stateful-dot1x
access-list session global-SAGl
access-list session apprf-stateful-dot1x-SAGl
!
user-role staffuser
access-list session global-SAGl
access-list session apprf-staffuser-SAGl
access-list session staffping
!
user-role guest-logon
captive-portal "default"
access-list session ra-guard
access-list session logon-control
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
!
user-role adminuser
access-list session global-SAGl
access-list session apprf-adminuser-SAGl
!
user-role voice
access-list session global-SAGl
access-list session apprf-voice-SAGl
access-list session ra-guard
access-list session sip-acl
access-list session noe-acl
access-list session svp-acl
access-list session vocera-acl
access-list session skinny-acl
access-list session h323-acl
access-list session dhcp-acl
access-list session tftp-acl
access-list session dns-acl
access-list session icmp-acl
access-list session http-acl
access-list session https-acl
access-list session skype4b-acl

77
 Technical Whitepaper
User Roles and User-Based Tunneling
access-list session facetime-acl
access-list session jabber-acl
access-list session wificalling-acl
access-list session voip-applications-acl
!
user-role default-vpn-role
access-list session global-SAGl
access-list session apprf-default-vpn-role-SAGl
access-list session ra-guard
access-list session allowall
access-list session v6-allowall
!
user-role logon
access-list session ra-guard
access-list session logon-control
access-list session captiveportal
access-list session vpnlogon
access-list session v6-logon-control
access-list session captiveportal6
!
user-role authenticated
vlan 25
access-list session global-SAGl
access-list session apprf-authenticated-SAGl
access-list session ra-guard
access-list session allowall
access-list session v6-allowall
!
user-role guest
access-list session global-SAGl
access-list session apprf-guest-SAGl
access-list session ra-guard
access-list session http-acl
access-list session https-acl
access-list session dhcp-acl
access-list session icmp-acl
access-list session dns-acl
access-list session v6-http-acl
access-list session v6-https-acl
access-list session v6-dhcp-acl
access-list session v6-icmp-acl
access-list session v6-dns-acl
!
user-role default-iap-user-role
access-list session allowall
!

78
 Technical Whitepaper
User Roles and User-Based Tunneling
!
aaa tacacs-accounting

gateway -ip vlan 10

gateway -ipv6 vlan 10 address 2001::3
no kernel coredump
interface mgmt
!

interface loopback
ip address 5.8.1.3
!

dialer group evdo_us

init-string ATQ0V1E0
dial-string ATDT#777
!

dialer group gsm_us

init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
dial-string ATD*99#
!

dialer group gsm_asia

init-string AT+CGDCONT=1,"IP","internet"
dial-string ATD*99***1#
!

dialer group vivo_br

init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
dial-string ATD*99#
!

cellular profile FRANKLIN_WIRELESS_U772

vendor 1fac product 232
dialer none
tty none
driver franklin-u772
--More-- (q) q
uit (!

cellular profile ZTE_MF832U

vendor 19d2 product 1292
dialer none
tty none

79
 Technical Whitepaper
User Roles and User-Based Tunneling
driver zte-mf-832u
!

vlan 10
vlan 15
vlan 20
vlan 25
vlan 100
vlan 101
vlan 102
vlan 103
vlan 104
vlan 105
vlan 200

vlan-name contractor
vlan contractor 25
vlan-name employee
vlan employee 15
vlan-name ipv6
vlan ipv6 200
vlan-name phone
vlan phone 20

interface gigabitethernet 0/0/0

description "GE0/0/0"
trusted
trusted vlan 1-4094
jumbo
switchport mode trunk
switchport trunk native vlan 10
no spanning-tree
lldp transmit
lldp receive
!

interface gigabitethernet 0/0/1

description "GE0/0/1"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/2

80
 Technical Whitepaper
User Roles and User-Based Tunneling
description "GE0/0/2"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/3

description "GE0/0/3"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/4

description "GE0/0/4"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/5

description "GE0/0/5"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/6

description "GE0/0/6"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/7

description "GE0/0/7"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/8

description "GE0/0/8"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/9

description "GE0/0/9"
trusted
trusted vlan 1-4094
!

81
 Technical Whitepaper
User Roles and User-Based Tunneling

interface gigabitethernet 0/0/10

description "GE0/0/10"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/11

description "GE0/0/11"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 0/0/12

description "GE0/0/12"
trusted
trusted vlan 1-4094
no poe
!

interface gigabitethernet 0/0/13

description "GE0/0/13"
trusted
trusted vlan 1-4094
no poe
!

interface gigabitethernet 0/0/14

description "GE0/0/14"
trusted
trusted vlan 1-4094
no poe
!

interface gigabitethernet 0/0/15

description "GE0/0/15"
trusted
trusted vlan 1-4094
no poe
!

interface gigabitethernet 0/0/16

description "GE0/0/16"
trusted
trusted vlan 1-4094
no poe

82
 Technical Whitepaper
User Roles and User-Based Tunneling
!

interface gigabitethernet 0/0/17

description "GE0/0/17"
trusted
trusted vlan 1-4094
no poe
!

interface port-channel 0
trusted
trusted vlan 1-4094
!

interface port-channel 1
trusted
trusted vlan 1-4094
!

interface port-channel 2
trusted
trusted vlan 1-4094
!

interface port-channel 3
trusted
trusted vlan 1-4094
!

interface port-channel 4
trusted
trusted vlan 1-4094
!

interface port-channel 5
trusted
trusted vlan 1-4094
!

interface port-channel 6
trusted
trusted vlan 1-4094
!

interface port-channel 7
trusted

83
 Technical Whitepaper
User Roles and User-Based Tunneling
trusted vlan 1-4094
!

interface vlan 10
ip address 10.5.8.7 255.255.255.0
ipv6 address 2001::3/64
ipv6 nd ra enable
ip helper-address 10.5.8.1
ip igmp proxy gigabitethernet 0/0/0
ip ospf area 0.0.0.0
!

interface vlan 1
!

interface vlan 15
ip address 10.15.1.7 255.255.255.0
ipv6 address 2002::3/64
ip helper-address 10.15.1.254
ip igmp proxy gigabitethernet 0/0/0
ip ospf area 0.0.0.0
!

interface vlan 20
ip address 10.15.3.7 255.255.255.0
ipv6 address 2003::3/64
ip helper-address 10.15.3.254
ip ospf area 0.0.0.0
!

interface vlan 25
ip address 10.15.2.7 255.255.255.0
ip helper-address 10.15.2.254
ip igmp proxy gigabitethernet 0/0/0
ip ospf area 0.0.0.0
!

interface vlan 100

ip address dhcp-client
ip helper-address 10.5.8.50
no suppress-arp
!

interface vlan 200

ipv6 address 2005::3/64
ipv6 dhcp server ipv6

84
 Technical Whitepaper
User Roles and User-Based Tunneling
!

!
uplink health-check
!
ip default-Gateway 10.5.8.1
ipv6 default-Gateway 2001::1
ip nexthop-list load-balance-Gateway s
!
ip nexthop-list load-balance-ipsecs
!
ip nexthop-list pan-gp-ipsec-map-list
!
ip nexthop-list traditional-ipsecs
!

crypto isakmp policy 20

encryption aes256
!

crypto isakmp policy 10001

!

crypto isakmp policy 10002

encryption aes256
authentication rsa-sig
!

crypto isakmp policy 10003

encryption aes256
!

crypto isakmp policy 10004

version v2
encryption aes256
authentication rsa-sig
!

crypto isakmp policy 10005

encryption aes256
!

crypto isakmp policy 10006

version v2
encryption aes128
authentication rsa-sig

85
 Technical Whitepaper
User Roles and User-Based Tunneling
!

crypto isakmp policy 10007

version v2
encryption aes128
!

crypto isakmp policy 10008

version v2
encryption aes128
hash sha2-256-128
group 19
authentication ecdsa-256
prf prf-hmac-sha256
!

crypto isakmp policy 10009

version v2
encryption aes256
hash sha2-384-192
group 20
authentication ecdsa-384
prf prf-hmac-sha384
!

crypto isakmp policy 10012

version v2
encryption aes256
authentication rsa-sig
!

crypto isakmp policy 10013

encryption aes256
!

crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac

crypto ipsec transform-set default-boc-bm-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-1st-ikev2-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-3rd-ikev2-transform esp-aes128 esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
version v2
set transform-set "default-gcm256" "default-gcm128" "default-rap-transform"
!

86
 Technical Whitepaper
User Roles and User-Based Tunneling
crypto dynamic-map default-dynamicmap 10000
set transform-set "default-transform" "default-aes"
!

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap

crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto-local ipsec-map default-ha-ipsecmap10.5.8.6 9999
version v2
set ikev2-policy 10006
peer-ip 10.5.8.6
vlan 0
src-net 10.5.8.7 255.255.255.255
dst-net 10.5.8.6 255.255.255.255
set transform-set "default-ha-transform"
pre-connect
factory-cert-auth
trusted
!

crypto isakmp eap-passthrough eap-tls

crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2

vpdn group l2tp

!

ipv6 dhcp pool ipv6

network 2005::/120
!
ip dynamic-dns interval 900
service dhcp

router ospf
router ospf router-id 5.8.1.3
router ospf area 0.0.0.0

snmp-server community "public"

snmp-server community "tmelab"
vpdn group pptp
!

tunneled-node-address 0.0.0.0

87
 Technical Whitepaper
User Roles and User-Based Tunneling
ap-crash-transfer

adp discovery enable

adp igmp-join enable
adp igmp-vlan-id 0

ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
amon msg-buffer-size 1264
amon udp 0
mgmt-server primary-server 10.5.8.18 profile default-amp transport udp
mgmt-server primary-server conductor profile default-Gateway transport udp

stm mon-update-queue 14496

ssh mgmt-auth public-key

ssh mgmt-auth username/password
mgmt-user admin root ******************** node
mgmt-user ssh-pubkey client-cert conductor-ssh-pub-cert seamless-logon read-only
node
mgmt-user ssh-pubkey client-cert conductor-ssh-pub-cert seamless-logon-w standard
node

ntp
ntp authentication-key 1 md5 ********

ntp server 10.80.2.219 iburst

no database synchronize
ip mobile domain default
!

ip igmp
!

ipv6 mld
!

firewall
prohibit-ip-spoofing
attack-rate grat-arp 50 drop
session-idle-timeout 16
cp-bandwidth-contract untrusted-ucast 9765
cp-bandwidth-contract untrusted-mcast 3906

88
 Technical Whitepaper
User Roles and User-Based Tunneling
cp-bandwidth-contract trusted-ucast 65535
cp-bandwidth-contract trusted-mcast 3906
cp-bandwidth-contract route 976
cp-bandwidth-contract sessmirr 976
cp-bandwidth-contract vrrp 512
cp-bandwidth-contract arp-traffic 3906
cp-bandwidth-contract l2-other 1953
cp-bandwidth-contract auth 976
amsdu
dpi
web-cc
firewall wireless-bridge-aging
session-tunnel-fib
stall-crash
jumbo mtu 9216
optimize-dad-frames
!
ipv6 enable
ipv6 firewall
ext-hdr-parse-len 100
!

!
cp-bandwidth-contract cpbwc-ipv4-wms-lo pps 48000
cp-bandwidth-contract cpbwc-ipv4-udp pps 204800
cp-bandwidth-contract cpbwc-ipv6-udp pps 204800
cp-bandwidth-contract cpbwc-ipv6-wms-lo pps 48000
cp-bandwidth-contract cpbwc-ipv4-arm pps 48000
cp-bandwidth-contract cpbwc-ipv6-amp pps 96000
cp-bandwidth-contract cpbwc-ipv6-arm pps 48000
cp-bandwidth-contract cpbwc-ipv4-amp pps 96000

!
firewall cp
ipv6 permit any proto 17 ports 49170 49200
ipv4 deny any proto 6 ports 1723 1723
ipv4 deny any proto 17 ports 1701 1701
ipv4 permit any proto 6 ports 2126 2126
ipv6 deny any proto 0 ports 0 65535
ipv6 deny any proto 6 ports 1723 1723
ipv6 deny any proto 17 ports 1701 1701
ipv6 permit any proto 6 ports 2126 2126
!
ip domain lookup
!
ip name-server 10.80.2.219

89
 Technical Whitepaper
User Roles and User-Based Tunneling
!
country US
change-config-node /
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa authentication dot1x "default-psk"
!
aaa authentication dot1x "PBTDemo"
!
aaa authentication dot1x "TME-AP"
!
aaa authentication via global-config
!
scheduler-profile "default"
queue-weights q0 0 q1 0 q2 0 q3 0
priority-map q0 "6 7" q1 "4 5" q2 "2 3" q3 "0 1"
!
aaa authentication-server radius "cppm-tme"
host "10.5.8.12"
key 4fb7e80e8f75dbeca0cd451fa1321465e0caaa2af3435637
cppm username "dur-test" password
d1405d2f805dbfa2dc7efaa5c44c3e82e88192a70e1f4d6a
!
aaa authentication-server radius "tme-cppm"
host "10.5.8.12"
cppm username "dur-test" password
e7171da212501128bc4d2e62ade432b1e8d88f14d690b209
nas-ip 10.5.8.12
!
aaa server-group "cppm"
auth-server tme-cppm position 1
!
aaa server-group "default"
auth-server cppm-tme position 1
auth-server Internal position 2
!
aaa server-group "internal"
auth-server Internal position 1
set role condition Role value-of
!
aaa profile "default"
initial-role "authenticated"
authentication-dot1x "default"
dot1x-default-role "authenticated"

90
 Technical Whitepaper
User Roles and User-Based Tunneling
dot1x-server-group "cppm"
download-role
!
aaa profile "default-dot1x"
authentication-dot1x "default"
dot1x-default-role "authenticated"
!
aaa profile "default-dot1x-psk"
authentication-dot1x "default-psk"
!
aaa profile "default-iap-aaa-profile"
initial-role "default-iap-user-role"
no wired-to-wireless-roam
no devtype-classification
!
aaa profile "default-mac-auth"
authentication-mac "default"
mac-default-role "authenticated"
!
aaa profile "default-open"
!
aaa profile "default-tunneled-user"
initial-role "guest"
download-role
no wired-to-wireless-roam
no devtype-classification
!
aaa profile "default-xml-api"
!
aaa profile "NoAuthAAAProfile"
!
aaa profile "PBTDemo"
initial-role "authenticated"
authentication-dot1x "PBTDemo"
dot1x-server-group "cppm"
!
aaa profile "TME-AP"
initial-role "authenticated"
authentication-dot1x "TME-AP"
!
aaa authentication captive-portal "default"
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!

91
 Technical Whitepaper
User Roles and User-Based Tunneling
aaa authentication vpn "default-cap"
default-role "sys-ap-role"
server-group "internal"
!
aaa authentication vpn "default-hp-switch"
!
aaa authentication vpn "default-iap"
!
aaa authentication vpn "default-rap"
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication via auth-profile "default"
!
aaa authentication wired
profile "default-dot1x"
!
aaa authentication via connection-profile "default"
!
aaa authentication via web-auth "default"
!
web-server profile
!
guest-access-email
!
aaa password-policy mgmt
!
control-plane-security
auto-cert-prov
!
ids management-profile
!
ids wms-general-profile
!
ids wms-local-system-profile
!
ids ap-rule-matching
!
valid-network-oui-profile
!

92
 Technical Whitepaper
User Roles and User-Based Tunneling
traceoptions
!
activate
!
file syncing profile
!
ucc skype4b
!
ucc rtpa-config
!
ucc jabber
!
ucc sip
!
ucc h323
!
ucc vocera
!
ucc sccp
!
ucc noe
!
ucc facetime
!
ucc ich
!
ucc session-idle-timeout
!
ucc wificalling
!
lc-cluster group-profile "TME-Cluster"
Gateway 10.5.8.6 priority 128 mcast-vlan 0 vrrp-ip 0.0.0.0 vrrp-vlan 0 group
0 rap-public-ip 0.0.0.0
Gateway 10.5.8.7 priority 128 mcast-vlan 0 vrrp-ip 0.0.0.0 vrrp-vlan 0 group
0 rap-public-ip 0.0.0.0
!
license-pool-profile-root
!
papi-security
!
est profile "default"
!
aruba-central
!
wlan sae-profile
!

93
 Technical Whitepaper
User Roles and User-Based Tunneling
ifmap cppm
!
pan profile "default"
!
pan-options
!
websocket clearpass
!
pan active-profile
!
openflow-profile
gateway -ip "conductorip" 6633
bind-vlan 1-4094
!
dump-collection-profile "default"
!
ap regulatory-domain-profile "default"
country-code US
valid-11g-channel 1
valid-11g-channel 6
valid-11g-channel 11
valid-11a-channel 36
valid-11a-channel 40
valid-11a-channel 44
valid-11a-channel 48
valid-11a-channel 149
valid-11a-channel 153
valid-11a-channel 157
valid-11a-channel 161
valid-11a-channel 165
valid-11g-40mhz-channel-pair 1-5
valid-11g-40mhz-channel-pair 7-11
valid-11a-40mhz-channel-pair 36-40
valid-11a-40mhz-channel-pair 44-48
valid-11a-40mhz-channel-pair 149-153
valid-11a-40mhz-channel-pair 157-161
valid-11a-80mhz-channel-group 36-48
valid-11a-80mhz-channel-group 149-161
valid-11a-160mhz-channel-group 36-64
!
ap wired-ap-profile "default"
!
ap wired-ap-profile "NoAuthWiredAp"
wired-ap-enable
!
ap enet-link-profile "default"

94
 Technical Whitepaper
User Roles and User-Based Tunneling
!
ap mesh-ht-ssid-profile "default"
!
ap lldp med-network-policy-profile "default"
!
ap mesh-cluster-profile "default"
!
ap multizone-profile "default"
!
ap system-profile "default"
ap-console-password d8f282bf209e0ea04abea20c8936c13ed339e1a91b9d482b
bkup-passwords b7ed526d9d9280cef040c48d8ee637b7d59fb1a6f3e6e31a
!
ap system-profile "NoAuthApSystem"
ap-console-password 88488dec485e151a5c60058bbbe5c2bd706b482852bd39ed
bkup-passwords 093534568ea556f0680d7e75798ed5bfbb1ae61d04a8a3b1
!
ap lldp profile "default"
!
ap mesh-radio-profile "default"
!
ap wired-port-profile "default"
!
ap wired-port-profile "NoAuthWiredPort"
wired-ap-profile "NoAuthWiredAp"
aaa-profile "NoAuthAAAProfile"
!
ap wired-port-profile "shutdown"
shutdown
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids rate-thresholds-profile "probe-request-response-thresholds"
channel-inc-time 30
channel-threshold 350
node-time-interval 10
node-threshold 250
!
ids signature-profile "AirJack"
frame-type beacon ssid AirJack
!
ids signature-profile "ASLEAP"
frame-type beacon ssid asleap
!

95
 Technical Whitepaper
User Roles and User-Based Tunneling
ids signature-profile "Deauth-Broadcast"
frame-type deauth
dst-mac ff:ff:ff:ff:ff:ff
!
ids signature-profile "Deauth-Broadcast-From-Valid-AP"
frame-type deauth
dst-mac ff:ff:ff:ff:ff:ff
src-mac valid-ap
bssid valid-ap
!
ids signature-profile "default"
!
ids signature-profile "Disassoc-Broadcast"
frame-type disassoc
dst-mac ff:ff:ff:ff:ff:ff
!
ids signature-profile "Disassoc-Broadcast-From-Valid-AP"
frame-type disassoc
dst-mac ff:ff:ff:ff:ff:ff
src-mac valid-ap
bssid valid-ap
!
ids signature-profile "Netstumbler Generic"
payload 0x00601d 3
payload 0x0001 6
!
ids signature-profile "Netstumbler Version 3.3.0x"
payload 0x00601d 3
payload 0x000102 12
!
ids signature-profile "Null-Probe-Response"
frame-type probe-response ssid-length 0
!
ids signature-profile "Wellenreiter"
frame-type probe-request ssid this_is_used_for_wellenreiter
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
ids signature-matching-profile "default"
signature "Deauth-Broadcast"
signature "Disassoc-Broadcast"
!
ids dos-profile "default"
!

96
 Technical Whitepaper
User Roles and User-Based Tunneling
ids profile "default"
!
rf dot11-60GHz-radio-profile "default"
!
rf arm-profile "arm-maintain"
no scanning
!
rf arm-profile "arm-scan"
!
rf arm-profile "default-a"
!
rf arm-profile "default-g"
!
rf ht-radio-profile "default-a"
!
rf ht-radio-profile "default-g"
!
rf spectrum-profile "default-a"
!
rf spectrum-profile "default-g"
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf am-scan-profile "default"
!
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "rp-maintain-a"
arm-profile "arm-maintain"
!
rf dot11a-radio-profile "rp-monitor-a"
mode am-mode
!
rf dot11a-radio-profile "rp-scan-a"
arm-profile "arm-scan"
!
rf dot11g-radio-profile "default"
!
rf dot11g-radio-profile "rp-maintain-g"
arm-profile "arm-maintain"
!
rf dot11g-radio-profile "rp-monitor-g"
mode am-mode
!

97
 Technical Whitepaper
User Roles and User-Based Tunneling
rf dot11g-radio-profile "rp-scan-g"
arm-profile "arm-scan"
!
wlan rrm-ie-profile "default"
!
wlan bcn-rpt-req-profile "default"
!
wlan dot11r-profile "default"
!
wlan tsm-req-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan he-ssid-profile "default"
!
wlan hotspot anqp-venue-name-profile "default"
!
wlan hotspot anqp-nwk-auth-profile "default"
!
wlan hotspot anqp-roam-cons-profile "default"
!
wlan hotspot anqp-nai-realm-profile "default"
!
wlan hotspot anqp-3gpp-nwk-profile "default"
!
wlan hotspot h2qp-operator-friendly-name-profile "default"
!
wlan hotspot h2qp-wan-metrics-profile "default"
!
wlan hotspot h2qp-conn-capability-profile "default"
!
wlan hotspot h2qp-op-cl-profile "default"
!
wlan hotspot h2qp-osu-prov-list-profile "default"
!
wlan hotspot anqp-ip-addr-avail-profile "default"
!
wlan hotspot anqp-domain-name-profile "default"
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!
wlan mu-edca-parameters-profile "default"
!
wlan dot11k-profile "default"

98
 Technical Whitepaper
User Roles and User-Based Tunneling
!
wlan ssid-profile "default"
!
wlan ssid-profile "TME-AP"
essid "TME-AP"
wpa-passphrase fa36ca186d41f59537d825fc430d68bfd683fd25a419610b
opmode wpa2-psk-aes
!
wlan hotspot advertisement-profile "default"
!
wlan hotspot hs2-profile "default"
!
wlan virtual-ap "default"
!
wlan virtual-ap "TME-AP"
aaa-profile "TME-AP"
vlan 10
ssid-profile "TME-AP"
!
mgmt-server profile "default-acp"
stats-enable
tag-enable
sessions-enable
monitored-info-enable
monitored-info-del-enable
monitored-info-snapshot-enable
wids-event-info-enable
misc-enable
location-enable
uccmonitoring-enable
airgroupinfo-enable
wan-state
!
mgmt-server profile "default-ale"
stats-enable
tag-enable
sessions-enable
misc-enable
location-enable
uccmonitoring-enable
!
mgmt-server profile "default-amp"
stats-enable
tag-enable
sessions-enable
misc-enable

99
 Technical Whitepaper
User Roles and User-Based Tunneling
location-enable
!
mgmt-server profile "default-gateway "
stats-enable
tag-enable
sessions-enable
misc-enable
location-enable
uccmonitoring-enable
airgroupinfo-enable
wan-state
!
mgmt-server profile "default-niara"
no generic-amon-enable
sessions-enable
no inline-dhcp-stats
no inline-ap-stats
no inline-auth-stats
no inline-dns-stats
!
ap authorization-profile "default"
ap-authorization-group "NoAuthApGroup"
!
ap provisioning-profile "default"
!
rf arm-rf-domain-profile
!
ap am-filter-profile "default"
!
ap spectrum local-override
!
airmatch profile
!
ap-lacp-striping-ip
!
ap general-profile
!
ap deploy-profile
!
ap provisioning-rules
!
ap-group "default"
virtual-ap "TME-AP"
!
ap-group "NoAuthApGroup"
enet1-port-profile "NoAuthWiredPort"

100
 Technical Whitepaper
User Roles and User-Based Tunneling
enet2-port-profile "NoAuthWiredPort"
enet3-port-profile "NoAuthWiredPort"
enet4-port-profile "NoAuthWiredPort"
ap-system-profile "NoAuthApSystem"
!
airgroup cppm-server aaa
!
airgroupprofile service "default-airplay"
id "_airplay._tcp"
id "_appletv-v2._tcp"
id "_raop._tcp"
description "AirPlay"
!
airgroupprofile service "default-airprint"
id "_canon-bjnp1._tcp"
id "_fax-ipp._tcp"
id "_http-alt._tcp"
id "_http._tcp"
id "_ica-networking._tcp"
id "_ica-networking2._tcp"
id "_ipp-tls._tcp"
id "_ipp._tcp"
id "_ipps._tcp"
id "_pdl-datastream._tcp"
id "_printer._tcp"
id "_ptp._tcp"
id "_riousbprint._tcp"
description "AirPrint"
!
airgroupprofile service "default-allowall"
description "Remaining-Services"
!
airgroupprofile service "default-amazontv"
id "_amzn-wplay._tcp"
description "Amazon fire tv"
!
airgroupprofile service "default-dial"
id "urn:dial-multiscreen-org:device:dial:1"
id "urn:dial-multiscreen-org:service:dial:1"
description "DIAL supported by Chromecast, FireTV, Roku etc"
!
airgroupprofile service "default-dlna-media"
id "urn:schemas-upnp-org:device:MediaPlayer:1"
id "urn:schemas-upnp-org:device:MediaRenderer:1"
id "urn:schemas-upnp-org:device:MediaRenderer:2"
id "urn:schemas-upnp-org:device:MediaRenderer:3"

101
 Technical Whitepaper
User Roles and User-Based Tunneling
id "urn:schemas-upnp-org:device:MediaServer:1"
id "urn:schemas-upnp-org:device:MediaServer:2"
id "urn:schemas-upnp-org:device:MediaServer:3"
id "urn:schemas-upnp-org:device:MediaServer:4"
id "urn:schemas-upnp-org:device:ZonePlayer:1"
id "urn:schemas-upnp-org:service:AVTransport:1"
id "urn:schemas-upnp-org:service:AlarmClock:1"
id "urn:schemas-upnp-org:service:ConnectionManager:1"
id "urn:schemas-upnp-org:service:ContentDirectory:1"
id "urn:schemas-upnp-org:service:DeviceProperties:1"
id "urn:schemas-upnp-org:service:GroupManagement:1"
id "urn:schemas-upnp-org:service:GroupRenderingControl:1"
id "urn:schemas-upnp-org:service:MusicServices:1"
id "urn:schemas-upnp-org:service:RenderingControl:1"
id "urn:schemas-upnp-org:service:SystemProperties:1"
id "urn:schemas-upnp-org:service:ZoneGroupTopology:1"
description "Media"
!
airgroupprofile service "default-dlna-print"
id "urn:schemas-upnp-org:device:Printer:1"
id "urn:schemas-upnp-org:service:PrintBasic:1"
id "urn:schemas-upnp-org:service:PrintEnhanced:1"
description "Print"
!
airgroupprofile service "default-googlecast"
id "_googlecast._tcp"
id "_googlezone._tcp"
description "GoogleCast supported by Chromecast etc"
!
airgroupprofile service "default-itunes"
id "_apple-mobdev._tcp"
id "_daap._tcp"
id "_dacp._tcp"
id "_home-sharing._tcp"
description "iTunes"
!
airgroupprofile service "default-remotemgmt"
id "_ftp._tcp"
id "_net-assistant._tcp"
id "_rfb._tcp"
id "_sftp-ssh._tcp"
id "_ssh._tcp"
id "_telnet._tcp"
description "Remote management"
!
airgroupprofile service "default-sharing"

102
 Technical Whitepaper
User Roles and User-Based Tunneling
id "_afpovertcp._tcp"
id "_odisk._tcp"
id "_xgrid._tcp"
description "Sharing"
!
airgroupprofile ipv6 "default"
!
airgroupprofile "default"
service "default-airplay"
service "default-airprint"
service "default-dial"
disallow-vlan type servers service ""
disallow-role "" type servers service ""
!
logging network level informational
logging network subcat all level informational

snmp-server enable trap

snmp-server host 10.5.8.18 version 2c public udp-port 162
snmp-server trap source 0.0.0.0
snmp-server trap disable wlsxAPBROADCASTSTORM
snmp-server trap disable wlsxAPIPConflict
snmp-server trap disable wlsxAPLoopDetected
snmp-server trap disable wlsxAPPortDown
snmp-server trap disable wlsxAPPortUp
snmp-server trap disable wlsxAceUsageThreshold
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxCLEARPASSSERVERINVALID
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanAbsent
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted

103
 Technical Whitepaper
User Roles and User-Based Tunneling
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxHaFailoverRequestFromAp
snmp-server trap disable wlsxHaFailoverTrigger
snmp-server trap disable wlsxHaIntergateway HbtMiss
snmp-server trap disable wlsxHaStandbyConnectivityState
snmp-server trap disable wlsxHaStandbyIpSentFailed
snmp-server trap disable wlsxHaState
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxNAceUsageThreshold
snmp-server trap disable wlsxNFanAbsent
snmp-server trap disable wlsxNWebCCLicenseEnforcement
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
snmp-server trap disable wlsxWebCCLicenseEnforcement
firewall-visibility

process monitor log

lc-cluster group-membership "TME-Cluster"

ip probe default
mode Ping
frequency 10

104
 Technical Whitepaper
User Roles and User-Based Tunneling
retries 3
burst-size 5
!
ip probe health-check
mode Ping
frequency 10
retries 3
burst-size 5
!
ip probe data-vpnc
mode Udp
frequency 10
retries 3
burst-size 5
jitter
!
end

105
 For more information

http://www.arubanetworks.com/

3333 Scott Blvd | Santa Clara, CA 95054

1.866.55.ARUBA | T: 1.408.227.4500 | FAX: 1.408.227.4550 | [email protected]

www.arubanetworks.com