Campus Switching and Routing

Occasional Contributor II

2930M user-role issue

Hey everyone,

We are evaluating some 2930M, and had a question that someone might be able to answer for me. 

We are trying to use user-roles. We have that working to a point. The way we have it now is that ClearPass returns the hpe: user-role VSA, and the switch accepts it very happily. This is assuming we have the VLAN defined on the switch.

What I would like to do is have ClearPass assign the user-role AND the untagged VLAN. However, when I updated the enforcement profile with the VLAN information, the switch complains that the user role is invalid.

Is this something that can be done, or is it a limitation? 

To assist in explaining what I mean, here is the config for a user-role:

User Role Information

Name : Standard_Student
Type : local
Reauthentication Period (seconds) : 64800
Untagged VLAN : 108
Tagged VLAN :
Captive Portal Profile :
Policy : Policy-Standard_Student
Tunnelednode Server Redirect : Disabled
Secondary Role Name :

When I remove the untagged VLAN and add it to the enforcement profile in ClearPass (screenshot attached), I get the user-role is invalid.
Enforcement profile.PNG
Any ideas? 


Guru Elite

Re: 2930M user-role issue

Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 2930M user-role issue

I actually looked through it right before I posted, just to make sure. From what I saw, everything in there showed the user-role already having the VLAN defined if using local user roles. 

I understand I could use downloadable user roles and assign a VLAN that way, however, my end goal is to have multiple devices having the same role, but different VLANs. 

My use case being, we have different VLANs for a wide range of devices, however, they all require a very similar set of ACLs.

Guru Elite

Re: 2930M user-role issue

The role should really be the security context and each role would have a VLAN attached. VLAN names are recommended to abstract the VLAN-ID across the environment from a policy standpoint.


vlan-name student
vlan-name faculty
vlan-name staff
vlan-name headless
vlan-name headless
vlan-name quarantine
vlan-name guest
vlan-name guest
vlan-name guest

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 2930M user-role issue

That makes sense. Thanks a ton for your clarification. 
