Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Aruba downloadable roles

  • 1.  Aruba downloadable roles

    Posted Dec 05, 2014 11:34 AM

    Hi Community,  Currently trying to get downloadable roles feature working using Clearpass 6.4 and Aruba 620 with 6.4 code or Aruba 7010 with 6.4 code or a MAS S1500 with latest code.

    Both mobility controllers keep logging the following.

    Dec 6 11:23:05 <authmgr 522280>  <ERRS> |authmgr|  MAC=84:38:35:4f:59:3a Dldb Role: student_downloadable_role-3082-3 Cannot be assigned downloadable role, role is in error state

    I don't have fresh logs from the switch but I recall it complaining about no role Title.

    Any ideas?

    Thanks



  • 2.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 05, 2014 11:38 AM

    Can you post a screenshot from ClearPass for the downloadable role?



  • 3.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 11:45 AM

    Hi Cappalli - Here's the shot. This role is straight from the CP POC Kit. I've attempted creating my own downloadable roles as well but same issues. Also have tried this on patched and unpatched version of 6.4 of clearpass.

    Thanks



  • 4.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 11:47 AM

    Also here's a shot of the radius response.



  • 5.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 05, 2014 11:48 AM

    Do you have downloadable role enabled in the AAA profile?



  • 6.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 12:54 PM

    Definitely do.  I'm tempted to downgrade the controllers. You wouldn't happen to know what is the earliest version of code I could be on to support this feature? What's interesting as well is the switch doesn't work either.



  • 7.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 01:13 PM

    Here are some logs from the MAS. If this helps. Different POC downloadable role in use here.

    Dec 5 13:04:41 :199802:  <ERRS> |authmgr|  auth_cppm.c, auth_cppm_deprecate_old_role:527: Old Role: Aruba_Wired_Wired_User_Type_1-3039-6 found but wrong version:6 to current:6
    Dec 5 13:04:41 :199802:  <ERRS> |authmgr|  auth_cppm.c, auth_request_cppm_role:1248: role request failed:3
    Dec 5 13:04:46 :199802:  <ERRS> |authmgr|  auth_cppm.c, auth_cppm_strip_xml:2259: No Role title
    Dec 5 13:04:46 :199802:  <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_role_incomplete:821: 0c:4d:e9:9a:f0:8b remains in previous role. Downloaded Role: Aruba_Wired_Wired_User_Type_1-3039-6 is in unrecoverable failure state.



  • 8.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 05, 2014 02:23 PM

    I am just starting to dip into configuring downloadable roles, but have yet to see it working in anger.

    My understanding of it is this... and I could be wrong.  Hopefully this can be confirmed or corrected.

    • Clearpass would send back a normal radius response with the VSA of Aruba-User-Role=whatever.
    • If the controller does not have this role already configured, then it would contact Clearpass and request it.
    • Clearpass would send back the downloadable role, and the controller would apply it to the user.



  • 9.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 05, 2014 02:25 PM
    That is correct.

    Davidsnet - let me test your config in my lab.


  • 10.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 03:28 PM

    Thx Cappalli - Much appreciated.



  • 11.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 06:10 PM

    One thing I have noticed is Clearpass is appending random strings to the role name which is causing grief I believe. After modifying the enforcement policy to provide an additional radius attribute specifying role with randomly generated role name I was able to connect briefly and saw I had been assigned this role finally. However connectivity is very brief like 3-5 seconds and then I am constantly deauthenticated.

    From show user

    216.138.198.120  84:38:35:4f:59:3a  mdavids    1DNET_CPPM-3048-10  00:00:00    802.1x            Office      Wireless  uac-corp/18:64:72:e3:de:31/a-VHT  uac-corp-aaa_prof  tunnel        OS X  

    The role is actually called 1DNET_CPPM not sure where the -3048-10 is coming from. I'll attach more screenshots.



  • 13.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 06:15 PM

    Sorry about the triple posts, not sure what happened. Seems if I combine the last screenshot policy and what I had previously I get the role but as mentioned before deauthed pretty fast.



  • 14.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 05, 2014 09:50 PM

    I did a quick test and I'm seeing some of the same errors and also some new errors in the logs.

    I would open a TAC case. I'll also keep playing with it when I get a chance.



  • 15.  RE: Aruba downloadable roles

    Posted Dec 15, 2014 04:39 PM
    Definitely do. I'm tempted to downgrade the controllers. You wouldn't happen to know what is the earliest version of code I could be on to support this feature? Whats interesting as well is the switch doesn't work either.


  • 16.  RE: Aruba downloadable roles

    Posted Dec 19, 2014 06:29 AM

    Any news regarding your TAC cases you could share with us?



  • 17.  RE: Aruba downloadable roles

    Posted Dec 19, 2014 07:04 AM

    Nothing to share yet. Yesterday's update from TAC is they are still working towards replicating the issue.



  • 18.  RE: Aruba downloadable roles
    Best Answer

    Posted Jan 14, 2015 11:17 AM

    Problem is now resolved. Problem was clearpass was missing an api administrator account that the mobility controllers use to fetch the role. TAC had to create the account in clearpass and key in the password. Apparently this will be fixed in a later version of AOS code.



  • 19.  RE: Aruba downloadable roles

    Posted Jan 15, 2015 08:59 AM

    Was this affecting all of your downloadable roles or just some?  I'm noticing this on several MAS and it seems to be getting worse.  A reboot of the switch would fix it in the past, but now it seems to always corrupt some role when it is pulled down.



  • 20.  RE: Aruba downloadable roles

    Posted Feb 05, 2015 11:03 AM

    FYI, the issue is in the CPPM code when moving to 6.4.3.  Apparently, there is new code in 6.4.3 that includes a new auth piece for the switches to receive their downloadable roles.  The problem is that neither the MAS nor the wireless controllers have that code yet.  Problem...when the switch tries to get its downloadable role from CPPM, it can't because it has no way (or idea) how to auth.

    I'm really not sure how this one got past QC.



  • 21.  RE: Aruba downloadable roles

    Posted Mar 13, 2015 04:02 AM

    We had the same problem here after upgrading from clearpass 6.4.0 to 6.4.4.

    TAC had to add a apiadmin account to clearpass as a workaround.

    There was a change in behaviour in CPPM 6.4.3 where Aruba implemented authentication between switch/controller and CPPM as mandatory for providing downloadable roles' configuration (cppm hardening).

    Switches and controllers support this authentication from version 7.3.2.5 and 7.4.0.2.

    I think it is reprehensible that Aruba make changes like this without notifying; we had access points down for hours before the problem was solved.



  • 22.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 05, 2014 09:56 PM

    @davidsnet wrote:

    Hi Cappalli - Here's the shot. This role is straight from the CP POC Kit. I've attempted creating my own downloadable roles as well but same issues. Also have tried this on patched and unpatched version of 6.4 of clearpass.

    Thanks


    davidsnet,

    Your acl looks correct, but the MAS platform can only accept stateless ACLs.  In your screenshot replace the word "session" with the word "stateless" in both places and try again.



  • 23.  RE: Aruba downloadable roles

    Posted Dec 06, 2014 12:40 PM

    Thanks cjoseph and cappalli. I opened a case and they are reproducing in their lab. It's looking like bugs. I'm downloading CP 6.3 as we speak as I want to see this work. We ended up noticing the strange numbers appended to the role as I saw previously as well as system roles being created on the mobility controller with the strange names. Which should be user roles instead from what TAC is telling me.

    I'll post back if I hear anything exciting about this. Again thx for helping me fast track this.



  • 24.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 09, 2014 10:56 AM

    I'm seeing the same thing with random numbers being added to the end of the role, which ultimately fails and the user gets put into the default role.

    Using a 7210 (6.4.2.2) and CPPM 6.4.3


  • 25.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 09, 2014 10:57 AM

    Still not sure why they are failing, but the random numbers are expected behavior.



  • 26.  RE: Aruba downloadable roles

    Posted Dec 09, 2014 11:08 AM

    Thanks. I opened a case with TAC but it seems they are not very familiar with this feature.



  • 27.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 09, 2014 11:27 AM

    I'm just getting this.

    Dec 9 16:22:16 :522280:  <ERRS> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 Cannot be assigned downloadable role, role is in error state
    Dec 9 16:22:16 :522282:  <DBUG> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 User will be assigned default role

    I tried to create it with both standard and advanced method.  Interestingly, when I had the downloadable role with 'Guest-Unlimited', it changed the role to 'Guest_Unlimited'.  Anyhow, I changed it to only have the _ and still no joy.
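The authmgr lines quoted across this thread (posts 1, 7 and the one above) are worth triaging automatically when the symptom shows up on several controllers or switches at once, as a later reply reports. The following is an added example, not Aruba or ClearPass code: a parser over those exact lines that tags each failure, splits the role name into its base name and the suffix ClearPass appends, groups by role and client MAC, and lists the next checks the thread arrived at (API administrator account on ClearPass, controller code that supports the authentication ClearPass 6.4.3 made mandatory, downloadable role enabled in the AAA profile, stateless ACLs on a MAS). The assumption that the suffix has the form -<id>-<version> is mine; the thread only says the numbers are added by ClearPass and are expected.

```python
"""Triage of ArubaOS / MAS authmgr downloadable-role failures.

Added example, not Aruba or ClearPass code.  The sample lines are the ones
quoted in this thread; the regexes, the split of the role name into a base
name plus the ClearPass-appended suffix, and the next-check text are mine and
follow the thread's findings.  Assumption: the suffix has the form
-<id>-<version>; the thread only says the numbers are added by ClearPass and
are expected.
"""
import re
from collections import defaultdict
from typing import Optional, Tuple

# Constructed sample: lines copied from the thread.
SAMPLE_LOG = """\
Dec 6 11:23:05 <authmgr 522280>  <ERRS> |authmgr|  MAC=84:38:35:4f:59:3a Dldb Role: student_downloadable_role-3082-3 Cannot be assigned downloadable role, role is in error state
Dec 5 13:04:41 :199802:  <ERRS> |authmgr|  auth_cppm.c, auth_cppm_deprecate_old_role:527: Old Role: Aruba_Wired_Wired_User_Type_1-3039-6 found but wrong version:6 to current:6
Dec 5 13:04:41 :199802:  <ERRS> |authmgr|  auth_cppm.c, auth_request_cppm_role:1248: role request failed:3
Dec 5 13:04:46 :199802:  <ERRS> |authmgr|  auth_cppm.c, auth_cppm_strip_xml:2259: No Role title
Dec 5 13:04:46 :199802:  <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_role_incomplete:821: 0c:4d:e9:9a:f0:8b remains in previous role. Downloaded Role: Aruba_Wired_Wired_User_Type_1-3039-6 is in unrecoverable failure state.
Dec 9 16:22:16 :522280:  <ERRS> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 Cannot be assigned downloadable role, role is in error state
Dec 9 16:22:16 :522282:  <DBUG> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 User will be assigned default role
"""

ROLE_SUFFIX = re.compile(r"^(?P<base>.+)-(?P<id>\d+)-(?P<ver>\d+)$")   # assumed layout
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")

# (regex over the text after '|authmgr|', tag, whether group 1 is a role name); first match wins
PATTERNS = [
    (re.compile(r"Dldb Role: (\S+) Cannot be assigned downloadable role, role is in error state"), "role_error_state", True),
    (re.compile(r"Dldb Role: (\S+) User will be assigned default role"), "default_role_fallback", True),
    (re.compile(r"Downloaded Role: (\S+) is in unrecoverable failure state"), "unrecoverable", True),
    (re.compile(r"Old Role: (\S+) found but wrong version"), "wrong_version", True),
    (re.compile(r"No Role title"), "no_title", False),
    (re.compile(r"role request failed:(\d+)"), "request_failed", False),
]

FETCH_FAILED = ("controller could not pull the role from ClearPass: confirm the API administrator "
                "account the controller/switch logs in with exists on ClearPass (the thread's "
                "resolution) and that the controller code supports the authentication ClearPass "
                "6.4.3 made mandatory")
NEXT_CHECK = {
    "role_error_state": FETCH_FAILED,
    "unrecoverable": FETCH_FAILED,
    "request_failed": FETCH_FAILED,
    "no_title": "ClearPass returned role XML without a title: same API-account check; on a MAS "
                "also use stateless rather than session ACLs in the role",
    "wrong_version": "the controller's cached copy of the role was rejected on version: compare "
                     "the suffix with what ClearPass currently publishes",
    "default_role_fallback": "user landed in the AAA profile's default role: also confirm "
                             "downloadable role is enabled in that AAA profile",
}


def split_role(name: str) -> Tuple[str, Optional[int], Optional[int]]:
    """'Guest_Unlimited-3036-5' -> ('Guest_Unlimited', 3036, 5); plain names pass through."""
    m = ROLE_SUFFIX.match(name)
    if m is None:
        return name, None, None
    return m["base"], int(m["id"]), int(m["ver"])


def parse_line(line: str) -> Optional[dict]:
    """Classify one authmgr line, or return None if it is not a known failure."""
    if "|authmgr|" not in line:
        return None
    msg = line.split("|authmgr|", 1)[1]
    for rx, tag, has_role in PATTERNS:
        m = rx.search(msg)
        if m is None:
            continue
        role = m.group(1) if has_role else None
        base, cfg_id, ver = split_role(role) if role else (None, None, None)
        mac = MAC_RE.search(msg)
        return {"tag": tag, "role": role, "base": base, "id": cfg_id, "ver": ver,
                "mac": mac.group(1) if mac else None,
                "detail": None if has_role else (m.group(1) if m.groups() else None)}
    return None


def triage(log: str) -> dict:
    """Group failures by base role and by client MAC and list the next checks in order seen."""
    by_role, by_mac, checks = defaultdict(set), defaultdict(set), []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_role[rec["base"] or "(no role in message)"].add(rec["tag"])
        if rec["mac"]:
            by_mac[rec["mac"]].add(rec["base"] or rec["tag"])
        if NEXT_CHECK[rec["tag"]] not in checks:
            checks.append(NEXT_CHECK[rec["tag"]])
    return {"roles": {k: sorted(v) for k, v in by_role.items()},
            "macs": {k: sorted(v) for k, v in by_mac.items()},
            "checks": checks}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for role, tags in summary["roles"].items():
        print(f"{role}: {', '.join(tags)}")
    for mac, roles in summary["macs"].items():
        print(f"{mac}: {', '.join(roles)}")
    for i, check in enumerate(summary["checks"], 1):
        print(f"{i}. {check}")
```

Feed it `show log all` output (or the syslog the controllers forward) instead of the embedded sample; lines that do not match one of the six failure patterns are ignored, so it is safe to run over a full log.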



  • 28.  RE: Aruba downloadable roles

    EMPLOYEE
    Posted Dec 10, 2014 04:44 AM
    I've asked QA to review.


  • 29.  RE: Aruba downloadable roles

    Posted Dec 10, 2014 08:04 AM

    Thanks Troy. I have now opened up a 2nd case with TAC with the AOS group as I wasn't making progress with the Clearpass group. I have now tested this on CP 6.3 and 6.4 as well as 620's/3200's/7010 with various levels of 6.4 code and a MAS S1500 but no working solution seen.  Hopefully TAC will perform internal testing and advise.



  • 30.  RE: Aruba downloadable roles

    Posted Dec 05, 2014 11:27 PM
    thx for your help. I'll call TAC.