(ArubaOS 8) Aruba Wireless Controller without GRE tunnels
Summary
This document provides scripts to complete the integration of MetaAccess NAC with one more ArubaOS8 Mobility Controllers for Radius Based Enforcement.
Note – A PEF (Policy Enforcement Firewall) license is required on each controller for this integration.
MetaAccess NAC ArubaOS 8 Integration Script – Mobility Master or Mobility Controller
x
conf tnetservice svc-sc_https tcp 8443netservice svc-sc_https2 tcp 9443!netdestination apple-cnaname www.apple.comname www.airport.usname www.ibook.infoname www.thinkdifferent.usname www.appleiphonecell.comname www.itools.info!ip access-list session sc_compliant_aclany any any permit!ip access-list session sc_guest_aclany network x.x.x.x any deny (Add any network denied to guest users and remove this comment)any any any permit!ip access-list session sc_redirect_aclany host 198.31.193.211 any dst-nat ip <NAC-IP>!ip access-list session sc_intranet_aclany host x.x.x.x any permit (Add any internal resource allowed to all users while blocked and remove this comment)!ip access-list session sc_quarantine_acluser alias apple-cna svc-http permit position 1 (Note – this command will disable captive portal detection. If the desire is to keep native captive portal detection enabled, skip this command)any any svc-http dst-nat ip <NAC-IP>any any svc-https dst-nat ip <NAC-IP>any any svc-sc_https dst-nat ip <NAC-IP>any any svc-sc_https2 dst-nat ip <NAC-IP>any any svc-dns permitany any svc-dhcp permitany any svc-kerberos dst-nat ip <NAC-IP>any any any deny!user-role SC_Compliant_Roleaccess-list session sc_redirect_aclaccess-list session sc_compliant_acl!user-role SC_Guest_Roleaccess-list session sc_redirect_aclaccess-list session sc_guest_acl!user-role SC_Quarantine_Roleaccess-list session sc_redirect_aclaccess-list session sc_intranet_aclaccess-list session sc_quarantine_acl!user-role SC_Initial_Roleaccess-list session sc_redirect_aclaccess-list session sc_compliant_acl!aaa rfc-3576-server <NAC-IP>key ArUb@-SC-RB3!aaa authentication-server radius "MetaAccess_NAC_RBE"host <NAC-IP>key ArUb@-SC-RB3!aaa authentication-server radius "MetaAccess_NAC_Acct"host <NAC-IP>key ArUb@-SC-RB3!aaa authentication dot1x "MetaAccess_NAC-dot1x_prof"!end!write memoryMetaAccess NAC / ArubaOS 8 - Open Wireless Example
conf taaa server-group "MetaAccess_NAC_RBE_svrgrp"auth-server "MetaAccess_NAC_RBE" position 1!aaa server-group "MetaAccess_NAC_Acct_svrgrp"auth-server "MetaAccess_NAC_Acct" position 1!aaa authentication mac "SC_Open_RBE_Mac_Auth"delimiter nonecase upper!aaa profile "MetaAccess_NAC-Open_SSID"initial-role "SC_Initial_Role"authentication-mac "SC_Open_RBE_Mac_Auth"mac-default-role "SC_Initial_Role"mac-server-group "MetaAccess_NAC_RBE_svrgrp"dot1x-default-role "SC_Initial_Role"radius-accounting "MetaAccess_NAC_Acct_svrgrp"radius-interim-accountingrfc-3576-server <NAC-IP>!wlan ht-ssid-profile "MetaAccess_NAC-Open-htssid_prof"!wlan ssid-profile "MetaAccess_NAC-Open-ssid_prof"essid "MetaAccess_NAC-Open"ht-ssid-profile "MetaAccess_NAC-Open-htssid_prof"!wlan virtual-ap "MetaAccess_NAC-Open-vap_prof"aaa-profile "MetaAccess_NAC-Open_SSID"ssid-profile "MetaAccess_NAC-Open-ssid_prof"vlan <VLAN-ID>!ap-group "MetaAccess_NAC"virtual-ap "MetaAccess_NAC-Open-vap_prof"!end!write memoryMetaAccess NAC / ArubaOS 8 - Secure Wireless Example (802.1x)
conf taaa server-group "MetaAccess_NAC_RBE_svrgrp"auth-server "MetaAccess_NAC_RBE" position 1!aaa server-group "MetaAccess_NAC_Acct_svrgrp"auth-server "MetaAccess_NAC_Acct" position 1!aaa profile "MetaAccess_NAC_Secure_SSID"initial-role "SC_Initial_Role"dot1x-default-role "SC_Initial_Role"authentication-dot1x "MetaAccess_NAC-dot1x_prof"dot1x-server-group "MetaAccess_NAC_RBE_svrgrp"radius-accounting "MetaAccess_NAC_Acct_svrgrp"radius-interim-accountingrfc-3576-server <NAC-IP>!wlan ht-ssid-profile "MetaAccess_NAC_Secure-htssid_prof"!wlan ssid-profile "MetaAccess_NAC_Secure-ssid_prof"essid "MetaAccess_NAC_Secure"ht-ssid-profile "MetaAccess_NAC_Secure-htssid_prof"opmode wpa2-aes!wlan virtual-ap "MetaAccess_NAC_Secure-vap_prof"aaa-profile "MetaAccess_NAC_Secure_SSID"ssid-profile "MetaAccess_NAC_Secure-ssid_prof"vlan <VLAN-ID>!ap-group "MetaAccess_NAC"virtual-ap "MetaAccess_NAC_Secure-vap_prof"!end!write memoryNote: These steps may be needed if iOS users constantly get disconnected from Aruba SSIDs: Adjust the Global User idle timeout from 30 seconds to 300 seconds
conf taaa timers idle-timeout 300 seconds!end!write memoryWas this page helpful?