12-05-2014 08:34 AM
Hi Community, currently trying to get the downloadable roles feature working using ClearPass 6.4 and an Aruba 620 with 6.4 code, an Aruba 7010 with 6.4 code, or a MAS S1500 with the latest code.
Both mobility controllers keep logging the following.
Dec 6 11:23:05 <authmgr 522280> <ERRS> |authmgr| MAC=84:38:35:4f:59:3a Dldb Role: student_downloadable_role-3082-3 Cannot be assigned downloadable role, role is in error state
I don't have fresh logs from the switch but I recall it complaining about no role Title.
12-05-2014 08:44 AM
Hi Cappalli - Here's the shot. This role is straight from the CP POC Kit. I've attempted creating my own downloadable roles as well but same issues. Also have tried this on patched and unpatched versions of 6.4 of ClearPass.
12-05-2014 09:54 AM
Definitely do. I’m tempted to downgrade the controllers. You wouldn’t happen to know what is the earliest version of code I could be on to support this feature? What's interesting as well is the switch doesn’t work either.
12-05-2014 10:13 AM
Here are some logs from the MAS, if this helps. Different POC downloadable role in use here.
Dec 5 13:04:41 :199802: <ERRS> |authmgr| auth_cppm.c, auth_cppm_deprecate_old_role:527: Old Role: Aruba_Wired_Wired_User_Type_1-3039-6 found but wrong version:6 to current:6
Dec 5 13:04:41 :199802: <ERRS> |authmgr| auth_cppm.c, auth_request_cppm_role:1248: role request failed:3
Dec 5 13:04:46 :199802: <ERRS> |authmgr| auth_cppm.c, auth_cppm_strip_xml:2259: No Role title
Dec 5 13:04:46 :199802: <ERRS> |authmgr| auth_cppm_fsm.c, ac_afsm_role_incomplete:821: 0c:4d:e9:9a:f0:8b remains in previous role. Downloaded Role: Aruba_Wired_Wired_User_Type_1-3039-6 is in unrecoverable failure state.
12-05-2014 11:23 AM
I am just starting to dip into configuring downloadable roles, but have yet to see it working in anger.
My understanding of it is this... and I could be wrong. Hopefully this can be confirmed or corrected.
- ClearPass would send back a normal RADIUS response with the VSA of Aruba-User-Role=whatever.
- If the controller does not have this role already configured, then it would contact ClearPass and request it.
- ClearPass would send back the downloadable role, and the controller would apply it to the user.
If my post is helpful please give kudos, or mark as solved if it answers your post.
ACCP, ACMP, ACMX #294
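As an added example (not part of any post in this thread, and not Aruba tooling): a small Python triage script that parses the authmgr lines quoted in the posts above and groups them per downloadable role, so the first failure for each role stands out. Attributing a line that names no role to the most recently named role is an assumption of this example, as are the function names `parse` and `by_role`.

```python
import re
from collections import defaultdict

# Log lines copied from the posts above (one controller line, then the MAS lines).
SAMPLE_LOG = """\
Dec 6 11:23:05 <authmgr 522280> <ERRS> |authmgr| MAC=84:38:35:4f:59:3a Dldb Role: student_downloadable_role-3082-3 Cannot be assigned downloadable role, role is in error state
Dec 5 13:04:41 :199802: <ERRS> |authmgr| auth_cppm.c, auth_cppm_deprecate_old_role:527: Old Role: Aruba_Wired_Wired_User_Type_1-3039-6 found but wrong version:6 to current:6
Dec 5 13:04:41 :199802: <ERRS> |authmgr| auth_cppm.c, auth_request_cppm_role:1248: role request failed:3
Dec 5 13:04:46 :199802: <ERRS> |authmgr| auth_cppm.c, auth_cppm_strip_xml:2259: No Role title
Dec 5 13:04:46 :199802: <ERRS> |authmgr| auth_cppm_fsm.c, ac_afsm_role_incomplete:821: 0c:4d:e9:9a:f0:8b remains in previous role. Downloaded Role: Aruba_Wired_Wired_User_Type_1-3039-6 is in unrecoverable failure state.
"""

HEAD = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?\|authmgr\| (?P<body>.*)$")
SRC = re.compile(r"^(?P<file>\w+\.c), (?P<func>\w+):(?P<line>\d+): (?P<msg>.*)$")
ROLE = re.compile(r"Role: (?P<role>\S+-\d+-\d+)\b")
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)


def parse(text):
    """Return one dict per authmgr line: timestamp, source function, role, MAC, message."""
    events, last_role = [], None
    for line in text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue  # not an authmgr line
        src = SRC.match(head["body"])  # "file.c, function:line:" prefix, when present
        msg = src["msg"] if src else head["body"]
        role = ROLE.search(msg)
        # Assumption: a line that names no role belongs to the last role named before it.
        last_role = role["role"] if role else last_role
        mac = MAC.search(msg)
        events.append({"ts": head["ts"], "func": src["func"] if src else None,
                       "role": last_role, "mac": mac.group(0) if mac else None, "msg": msg})
    return events


def by_role(events):
    """Group (timestamp, function, message) per role, in log order."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["role"]].append((ev["ts"], ev["func"], ev["msg"]))
    return dict(grouped)


if __name__ == "__main__":
    for role, items in by_role(parse(SAMPLE_LOG)).items():
        print(role)
        for ts, func, msg in items:
            print(f"  {ts}  {func or '-'}: {msg}")
```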