Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Colorless Ports on EX Series Switches with Aruba ClearPass Policy Manager and Cisco ISE

 

Starting from Junos OS Release 20.4R1, EX switches support Colorless ports. Colorless ports are used in conjunction with device profiling with any standards-based radius server, and convert an access port to a trunk port and allow the necessary VLANs with necessary tagging. In the case that some of the VLAN’s are missing on the switch, this feature helps in creating those missing VLANs dynamically on the switch.

MAC Auth Bypass (MAB), is commonly used as a fail-through for headless, non-802.1X capable and legacy devices as well as guest users. MAB is often combined with 802.1X and Captive Portal as part of a colorless port configuration supporting every user and device type with a single port configuration.

Aruba ClearPass is a multi-vendor product that leverages standards-based protocols and technologies along with the flexibility to support vendor-specific switch features for policy enforcement.

Radius IETF Attribute Egress-VLANID is used for vlans with tag functionality. Any standards based Radius server can send multiple tagged vlans using radius attribute Egress-VLANID or Egress-VLAN-Name for tagged packets as per RFC 4675.

The Egress-VLANID or Egress-VLAN-Name attribute contains two parts; the first part indicates if frames on the VLAN for this port are to be represented in tagged or untagged format, the second part is the VLAN name.

For Example:

Note

Egress-VLAN-Name is similar to the Egress-VLANID attribute, except that the VLAN-ID itself is not specified or known; rather, the VLAN name is used to identify the VLAN within the system.

Examples:

  • For attribute Egress-VLANID:

  • For attribute Egress-VLAN-Name:

  • For sample radius profile:

With Junos OS Release 20.3R1, we have added new VSA Supplicant-Mode-Single or Supplicant-Mode-Single-secure with attribute Juniper-AV-Pair. Which will be used to set the supplicant mode of dot1x.

Requirements

This example uses the following hardware and software components for the policy infrastructure:

  • EX4300, EX2300, EX3400 switch running Junos OS Release 20.4R1 or earlier

  • Aruba ClearPass Policy Manager running 6.9.0.130064

Overview and Topology

VLAN name is highly recommended in a colorless port deployment as it removes the need for radius server to maintain a VLAN to function mapping for each switch. This simplifies policy creation, management and troubleshooting.

For example, each switch might use a different VLAN-ID for “secure access”. Instead of having to write complex policy in radius to return the correct VLAN-ID for each switch, we just give the appropriate VLAN-ID a name on each switch; “SECURE” for example. Now in your radius server, you simply return a VLAN enforcement with “SECURE” as the VLAN-ID and each switch will use the appropriate VLAN-ID mapped locally on the switch.

Note

In ClearPass 6.6.X and earlier, the pre-defined Juniper dynamic authorization enforcement profiles need to be used with Juniper switches.

Figure 1 shows the topology used in this example.

Figure 1: Topology Used in This Example
Topology Used in This Example

Here is the sample profile in a radius server to convert the port once device profiling is enabled and we detect a MIST AP to a trunk port with VLAN 130 as native VLAN and allow the rest of the VLAN’s (121,131,151,102).

To configure colorless ports on EX Series switches with Aruba ClearPass policy manager and Cisco ISE, follow the below steps:

  1. Example of an Enforcement Profile in Aruba ClearPass / ISE—When using the Egress-VLANID attribute, ClearPass requires a decimal value to be entered for the Egress-VLANID value, so you must convert your desired hexadecimal values into decimal values. For example, see entry 4 in theFigure 2, for VLAN 130 to be untagged. The hexadecimal value for this is 0x3200082. Converting the hexadecimal value to decimal gives 52428930.Note

    To quickly convert hexadecimal value to decimal value, use the conversion application tool that is available on websites.

    Figure 2: Enforcement Profiles
     Enforcement Profiles

    If the switchport is configured for Supplicant Mode Multiple, you must also return the Juniper-AV-Pair of Supplicant-Mode-Single or Supplicant-Mode-Single-Secure in your RADIUS response. The Egress-VLANID and Egress-VLAN-NAME attributes are not able to be used with the supplicant mode of Multiple.

  2. In the Figure 3 you can see how to use the Egress-VLAN-NAME attribute instead of the Egress-VLANID attribute.
    Figure 3: Enforcement Profiles - Egress-VLAN-NAME
    Enforcement Profiles - Egress-VLAN-NAME
    Note

    You must assign 1 to the VLAN Name to indicate tagged or 2 to indicate untagged. The values are case sensitive.

  3. Example for Cisco ISE
    Figure 4: Cisco ISE
    Cisco ISE
    Figure 5: Aruba ClearPass Profiling
    Figure 6: Configuring VLANs and Port
    Configuring VLANs and Port

Verification

Verification on the switch port

Purpose

To verify the configuration on the switch port, use the show dot1x interface ge-0/0/6 detail command.

Action

Verification of the VLANs created on the switch port

Purpose

To verify the VLANs created on the switch port, use the show vlans command.

Action

Ethernet Switching for Egress VLAN

Purpose

To verify the ethernet-switching table for Egress vlan list, use the show ethernet-switching interface ge-0/0/6.0 command.

Action