Security

Frequent Contributor II

Downloadable roles on CPPM

Hi community,

I'm testing the downloadable roles feature on CPPM. I have defined a very simple rule to just assign a VLAN to users when they successfully authenticate. Below is my enforcement profile configuration:

1.PNG

The authentication and authorization on CPPM were good. I can see it assigned this profile to the authenticated client:

2.PNG

But the client connection was not successful. Checking the log on the controller, it reported the following error (it looks like the keyword "vlan" is not supported, but I checked from the CLI and this keyword is perfectly valid):

Nov  9 17:53:26  authmgr[4217]: <124830> <4217> <ERRS> |authmgr|  Dldb Role Test_Aruba_Corp_Profile-3018-1: Users dequeued, role in incomplete state
Nov  9 17:53:26  authmgr[4217]: <199802> <4217> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1590: Dldb Role Test_Aruba_Corp_Profile-3018-1: Rejected line '^Ivlan 2028', contains unsupported keyword 'vlan'
Nov  9 17:53:26  authmgr[4217]: <199802> <4217> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1872: Dldb Role Test_Aruba_Corp_Profile-3018-1: processing stopped due to presence of unsupported keyword
Nov  9 17:53:26  authmgr[4217]: <199802> <4217> <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_exec_transform:433: Dldb Role Test_Aruba_Corp_Profile-3018-1: Transform failed


Please help me with this case.

Thank you

Re: Downloadable roles on CPPM

Did you enable the downloadable functionality under the AAA profile?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Downloadable roles on CPPM

Yes, I have enabled it under the AAA profile:

3.PNG

And I have also added the CPPM credentials to the controller configuration:

4.PNG

Frequent Contributor II

Re: Downloadable roles on CPPM

Hi all,

I'm using Mobility Master to control the Mobility Controller, running ArubaOS version 8.2.0.1. Can downloadable roles work with this deployment, or do they only work with a standalone AP and controller?

Frequent Contributor II

Re: Downloadable roles on CPPM

Hi,

This problem has been solved :). I ended up assigning the VLAN based on a RADIUS attribute and only using downloadable roles to assign ACLs to users. It works fine now.

Thank you all,

New Contributor

Re: Downloadable roles on CPPM

Technically this isn't solved. I'm also attempting to push VLANs through an enforcement. Case open. Any true solution for being able to push VLANs?

Apr 6 11:55:58 :199802:  <3783> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1590: Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: Rejected line '^Ivlan 600', contains unsupported keyword 'vlan'
Apr 6 11:55:58 :199802:  <3783> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1872: Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: processing stopped due to presence of unsupported keyword
Apr 6 11:55:58 :199802:  <3783> <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_exec_transform:433: Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: Transform failed
Apr 6 11:55:58 :124830:  <3783> <ERRS> |authmgr|  Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: Users dequeued, role in incomplete state

Guru Elite

Re: Downloadable roles on CPPM

'vlan-id' or 'vlan-name'

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
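The authmgr "Dldb Role ... Rejected line ..." messages quoted in this thread are regular enough to triage automatically. The script below is an added example, not code from the thread or from Aruba: it extracts the role name, the rejected role-text line and the offending keyword from such log lines, and pre-checks role text for a bare "vlan" keyword before it is pushed, suggesting the forms named in the replies above (the accepted-keyword list is an assumption taken only from those replies, not from ArubaOS documentation; the sample log is constructed from the lines posted here).

```python
import re
from collections import defaultdict

# Constructed sample: authmgr error lines as posted in this thread.
SAMPLE_LOG = """\
Nov  9 17:53:26  authmgr[4217]: <124830> <4217> <ERRS> |authmgr|  Dldb Role Test_Aruba_Corp_Profile-3018-1: Users dequeued, role in incomplete state
Nov  9 17:53:26  authmgr[4217]: <199802> <4217> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1590: Dldb Role Test_Aruba_Corp_Profile-3018-1: Rejected line '^Ivlan 2028', contains unsupported keyword 'vlan'
Apr 6 11:55:58 :199802:  <3783> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1590: Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: Rejected line '^Ivlan 600', contains unsupported keyword 'vlan'
"""

# Matches the rejection message format seen in the thread's log excerpts.
REJECT_RE = re.compile(
    r"Dldb Role (?P<role>\S+): Rejected line '(?P<line>[^']*)', "
    r"contains unsupported keyword '(?P<keyword>[^']+)'"
)

# Assumption: the accepted alternatives are only those named in the replies above.
SUGGESTIONS = {
    "vlan": ("vlan-id", "vlan-name", "untagged-vlan-id", "tagged-vlan-name"),
}


def parse_rejections(log_text):
    """Return {role_name: [(rejected_line, keyword), ...]} for each rejection found."""
    found = defaultdict(list)
    for entry in log_text.splitlines():
        m = REJECT_RE.search(entry)
        if m:
            # The controller renders the leading tab of the role text as '^I'.
            rejected = m.group("line").replace("^I", "\t").strip()
            found[m.group("role")].append((rejected, m.group("keyword")))
    return dict(found)


def lint_role_text(role_text):
    """Flag role-text lines whose first word is a keyword the thread reports as rejected.

    Returns [(line_number, keyword, suggested_alternatives), ...].
    """
    findings = []
    for number, raw in enumerate(role_text.splitlines(), 1):
        words = raw.split()
        if words and words[0] in SUGGESTIONS:
            findings.append((number, words[0], SUGGESTIONS[words[0]]))
    return findings


if __name__ == "__main__":
    for role, items in parse_rejections(SAMPLE_LOG).items():
        for rejected, keyword in items:
            print(f"{role}: rejected '{rejected}' (keyword '{keyword}')")
    print(lint_role_text("\tvlan 2028\n\tvlan-id 600\n"))
```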
Occasional Contributor II

Re: Downloadable roles on CPPM

How would one pass tagged VLANs using DURs?

'vlan-id' and 'vlan-name' seem to be only for untagged VLAN assignments.

Guru Elite

Re: Downloadable roles on CPPM

You can only define a single tagged and/or untagged VLAN (untagged-vlan-id, tagged-vlan-name, etc.).

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Downloadable roles on CPPM

That's fine for our purposes, but I don't know how to differentiate between tagged and untagged when using DUR.

We're currently using vlan-id xxxx in the HPE-CPPM-Role, but the VLANs keep coming up as untagged.

In our setup, we're looking to make sure that all VoIP traffic is tagged, for example.

Do I simply specify untagged-vlan-id vs tagged-vlan-id in the DUR?
