Aruba Wireless Controller ArubaOS 8
Summary
This document provides scripts to complete the integration of MetaAccess NAC with one more ArubaOS8 Mobility Controllers for Radius Based Enforcement.
Note – A PEF (Policy Enforcement Firewall) license is required on each controller for this integration.
Note – Even when using a Mobility Master node to manage Mobility Controllers at many locations, the tunnel configuration must be applied directly on any Mobility Controller which you wish to integrate with the NAC (i.e. at the /mm/mynode level). The rest of the configuration can be applied at either the Mobility Controller level or the Mobility Master level. You can use show configuration node-heirarchy to see the configuration on the Mobility Master.
show configuration node-hierarchyMetaAccess NAC ArubaOS 8 Integration Script – Mobility Controller
x
conf tinterface tunnel 58008description "MetaAccess NAC Interface tunnel02"ip address x.x.x.x 255.255.255.252 (Replace x.x.x.x with an available private IP, other host will be used by MetaAccess NAC server)tunnel source x.x.x.x (Replace x.x.x.x with IP of controller and remove this comment)tunnel destination <NAC-IP>trusted!end!write memoryNote - Do not apply tunnel keep-alives as they are not compatible with third party vendors such as MetaAccess NAC.
Note - After completing the configuration above, please email a sanitized show run and show switches to your OPSWAT Network Specialist so they can complete the tunnel configuration on the NAC side.
MetaAccess NAC ArubaOS 8 Integration Script – Mobility Master or Mobility Controller
conf tnetservice svc-sc_https tcp 8443netservice svc-sc_https2 tcp 9443netservice svc-sc_http tcp 8008!netdestination apple-cnaname www.apple.comname www.airport.usname www.ibook.infoname www.thinkdifferent.usname www.appleiphonecell.comname www.itools.info!ip access-list session sc_compliant_aclany any any permit!ip access-list session sc_guest_aclany network x.x.x.x any deny (Add any network denied to guest users and remove this comment)any any any permit!ip access-list session sc_redirect_aclany host 198.31.193.211 any redirect tunnel 58008any host <NAC-IP> any redirect tunnel 58008!ip access-list session sc_intranet_aclany host x.x.x.x any permit (Add any internal resource allowed to all users while blocked and remove this comment)!ip access-list session sc_quarantine_acluser alias apple-cna svc-http permit position 1 (Note – this command will disable captive portal detection. If the desire is to keep native captive portal detection enabled, skip this command)any any svc-http redirect tunnel 58008any any svc-https redirect tunnel 58008any any svc-sc_https redirect tunnel 58008any any svc-sc_https2 redirect tunnel 58008any any svc-sc_http redirect tunnel 58008any any svc-dns permitany any svc-dhcp permitany any svc-kerberos redirect tunnel 58008any any any deny!user-role SC_Compliant_Roleaccess-list session sc_redirect_aclaccess-list session sc_compliant_acl!user-role SC_Guest_Roleaccess-list session sc_redirect_aclaccess-list session sc_guest_acl!user-role SC_Quarantine_Roleaccess-list session sc_redirect_aclaccess-list session sc_intranet_aclaccess-list session sc_quarantine_acl!user-role SC_Initial_Roleaccess-list session sc_redirect_aclaccess-list session sc_compliant_acl!aaa rfc-3576-server <NAC-IP>key ArUb@-SC-RB3!aaa authentication-server radius "MetaAccess_NAC_RBE"host <NAC-IP>key ArUb@-SC-RB3!aaa authentication-server radius "MetaAccess_NAC_Acct"host <NAC-IP>key ArUb@-SC-RB3!aaa authentication dot1x "MetaAccess_NAC-dot1x_prof"!end!write memory####
MetaAccess NAC / ArubaOS 8 - Open Wireless Example
conf taaa server-group "MetaAccess_NAC_RBE_svrgrp"auth-server "MetaAccess_NAC_RBE" position 1!aaa server-group "MetaAccess_NAC_Acct_svrgrp"auth-server "MetaAccess_NAC_Acct" position 1!aaa authentication mac "SC_Open_RBE_Mac_Auth"delimiter nonecase upper!aaa profile "MetaAccess_NAC-Open_SSID"initial-role "SC_Initial_Role"authentication-mac "SC_Open_RBE_Mac_Auth"mac-default-role "SC_Initial_Role"mac-server-group "MetaAccess_NAC_RBE_svrgrp"dot1x-default-role "SC_Initial_Role"radius-accounting "MetaAccess_NAC_Acct_svrgrp"radius-interim-accountingrfc-3576-server <NAC-IP>!wlan ht-ssid-profile "MetaAccess_NAC-Open-htssid_prof"!wlan ssid-profile "MetaAccess_NAC-Open-ssid_prof"essid "MetaAccess_NAC-Open"ht-ssid-profile "MetaAccess_NAC-Open-htssid_prof"!wlan virtual-ap "MetaAccess_NAC-Open-vap_prof"aaa-profile "MetaAccess_NAC-Open_SSID"ssid-profile "MetaAccess_NAC-Open-ssid_prof"vlan <VLAN-ID>!ap-group "MetaAccess_NAC"virtual-ap "MetaAccess_NAC-Open-vap_prof"!end!write memoryMetaAccess NAC / ArubaOS 8 - Secure Wireless Example (802.1x)
conf taaa server-group "MetaAccess_NAC_RBE_svrgrp"auth-server "MetaAccess_NAC_RBE" position 1!aaa server-group "MetaAccess_NAC_Acct_svrgrp"auth-server "MetaAccess_NAC_Acct" position 1!aaa profile "MetaAccess_NAC_Secure_SSID"initial-role "SC_Initial_Role"dot1x-default-role "SC_Initial_Role"authentication-dot1x "MetaAccess_NAC-dot1x_prof"dot1x-server-group "MetaAccess_NAC_RBE_svrgrp"radius-accounting "MetaAccess_NAC_Acct_svrgrp"radius-interim-accountingrfc-3576-server <NAC-IP>!wlan ht-ssid-profile "MetaAccess_NAC_Secure-htssid_prof"!wlan ssid-profile "MetaAccess_NAC_Secure-ssid_prof"essid "MetaAccess_NAC_Secure"ht-ssid-profile "MetaAccess_NAC_Secure-htssid_prof"opmode wpa2-aes!wlan virtual-ap "MetaAccess_NAC_Secure-vap_prof"aaa-profile "MetaAccess_NAC_Secure_SSID"ssid-profile "MetaAccess_NAC_Secure-ssid_prof"vlan <VLAN-ID>!ap-group "MetaAccess_NAC"virtual-ap "MetaAccess_NAC_Secure-vap_prof"!end!write memoryNote - These steps may be needed if iOS users constantly get disconnected from Aruba SSIDs: Adjust the Global User idle timeout from 30 seconds to 300 seconds:
conf taaa timers idle-timeout 300 seconds!end!write memoryWas this page helpful?
On This Page
Aruba Wireless Controller ArubaOS 8SummaryMetaAccess NAC ArubaOS 8 Integration Script – Mobility ControllerMetaAccess NAC ArubaOS 8 Integration Script – Mobility Master or Mobility ControllerMetaAccess NAC / ArubaOS 8 - Open Wireless ExampleMetaAccess NAC / ArubaOS 8 - Secure Wireless Example (802.1x)