Occasional Contributor I
Posts: 6
Registered: ‎03-07-2016

Clearpass download undefined role to controller

Hi,

I'm trying to get CPPM to push a role to a controller but without success. The user is not getting the correct role. It's getting the role I set in the AAA profile.

I followed the guide at http://www.airheads.eu/t5/Controller-Based-WLANs/Downloading-an-undefined-role-from-CPPM-to-Controller/ta-p/243661

Enforcement profile:

[screenshot: cp_policy.JPG]

Access Tracker:

[screenshot: kiko-as.JPG]

On the controller:

Security log doesn't look good...

Dec 28 10:27:49 :199802: <4052> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:119: Dldb Role KIKO_BYOD_EP-3004-8: Curl response with HTTP code: 401
Dec 28 10:27:49 :124830: <4052> <ERRS> |authmgr| Dldb Role KIKO_BYOD_EP-3004-8: Users dequeued, role in incomplete state

 

#show rights downloaded-user-roles

RoleTable
---------
Name                      ACL  Bandwidth                  ACL List                                           Type
----                      ---  ---------                  --------                                           ----
KIKO_BYOD_EP-3004-8       104  Up: No Limit,Dn: No Limit  global-sacl/,apprf-KIKO_BYOD_EP-3004-8-sacl/       System (downloaded, not editable)
KIKO_BYOD_PROFILE-3002-6  86   Up: No Limit,Dn: No Limit  global-sacl/,apprf-KIKO_BYOD_PROFILE-3002-6-sacl/  System (downloaded, not editable)
test_ep-3003-1            80   Up: No Limit,Dn: No Limit  global-sacl/,apprf-test_ep-3003-1-sacl/            System (downloaded, not editable)

aaa profile "Users"
    initial-role "authenticated"
    mac-default-role "logon"
    mac-server-group "Clearpass"
    authentication-dot1x "Users"
    dot1x-default-role "logon"
    dot1x-server-group "Clearpass"
    download-role
    enforce-dhcp

Controller is 7205 with 6.5.0.3

Clearpass is 6.6.0.81015

 

Am I missing something here?

Occasional Contributor I
Posts: 6
Registered: ‎03-07-2016

Re: Clearpass download undefined role to controller

Got some more debug information:

Dec 28 11:03:18 :522278: <4052> <INFO> |authmgr| MAC=e4:b3:18:9d:0f:49 IP=?? Dldb Role: KIKO_BYOD_EP-3004-9 Derived downloadable role from Aruba CPPM VSA
Dec 28 11:03:18 :522280: <4052> <ERRS> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 Cannot be assigned downloadable role, role is in error state
Dec 28 11:03:18 :522282: <4052> <DBUG> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 User will be assigned default role for the auth-type
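
The failure pattern in the two log excerpts above (a 401 on the role download, then the client landing in the default role) can be picked out of a controller security log with a short script. This is an added example, not part of the original posts and not Aruba code; the function names, the failure markers and the rule that HTTP status 400 and above counts as a failed fetch are assumptions, and the sample input is the set of lines quoted in the thread.

```python
import re
from collections import defaultdict
# Sample input: the authmgr lines quoted in the two posts above.
SAMPLE_LOG = """\
Dec 28 10:27:49 :199802: <4052> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:119: Dldb Role KIKO_BYOD_EP-3004-8: Curl response with HTTP code: 401
Dec 28 10:27:49 :124830: <4052> <ERRS> |authmgr| Dldb Role KIKO_BYOD_EP-3004-8: Users dequeued, role in incomplete state
Dec 28 11:03:18 :522278: <4052> <INFO> |authmgr| MAC=e4:b3:18:9d:0f:49 IP=?? Dldb Role: KIKO_BYOD_EP-3004-9 Derived downloadable role from Aruba CPPM VSA
Dec 28 11:03:18 :522280: <4052> <ERRS> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 Cannot be assigned downloadable role, role is in error state
Dec 28 11:03:18 :522282: <4052> <DBUG> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 User will be assigned default role for the auth-type
"""

ROLE_RE = re.compile(r"\|authmgr\|.*?Dldb Role:?\s+(?P<role>[^\s:]+):?\s+(?P<msg>.*)")
MAC_RE = re.compile(r"MAC=((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")
HTTP_RE = re.compile(r"HTTP code: (\d{3})")
# Assumption: these message fragments mark a role that did not download.
FAIL_MARKERS = ("incomplete state", "error state")

def summarize(log_text):
    """Group downloadable-role events by role name and flag failed downloads."""
    roles = defaultdict(lambda: {"http_codes": set(), "failed": False, "fallback_macs": set()})
    for line in log_text.splitlines():
        m = ROLE_RE.search(line)
        if not m:
            continue
        entry, msg = roles[m["role"]], m["msg"]
        http = HTTP_RE.search(msg)
        if http:
            entry["http_codes"].add(int(http[1]))
        # Assumption: any HTTP status of 400 or above means the fetch failed.
        if (http and int(http[1]) >= 400) or any(f in msg for f in FAIL_MARKERS):
            entry["failed"] = True
        mac = MAC_RE.search(line)
        # This message is the evidence that a client ended up in the fallback role.
        if mac and "default role" in msg:
            entry["fallback_macs"].add(mac[1].lower())
    return dict(roles)

def report(summary):
    """One line per failed role: HTTP status seen and clients that fell back."""
    lines = []
    for role, e in sorted(summary.items()):
        if e["failed"]:
            codes = ",".join(str(c) for c in sorted(e["http_codes"])) or "n/a"
            macs = ",".join(sorted(e["fallback_macs"])) or "none logged"
            lines.append(f"{role}: download failed (HTTP {codes}); default role given to: {macs}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

The role name carries a numeric suffix that differs between the two excerpts (-8 and -9), so the two entries are reported separately rather than merged.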

Guru Elite
Posts: 20,553
Registered: ‎03-29-2007

Re: Clearpass download undefined role to controller

You should try a role that has simple access rules, instead of ethertypes.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎03-07-2016

Re: Clearpass download undefined role to controller

Thanks for the input. Still doesn't work. Due to time constraints I resorted to defined roles.

Will do some testing in the lab.
