Frequent Contributor I
Posts: 72
Registered: ‎09-19-2011

Error message for Role Mapping Policy - CPPM

Hi All,

We have the following client requirement:

1. Authentication type is EAP-TLS ... working fine.

2. For different AD groups of users we have to enforce different VLANs depending on group name ... not working.

The issue we are facing is that when we created a role mapping policy for different AD groups, I am getting the following error messages.

Kindly let me know how to resolve this issue.

Request log details for session: R00000030-11-5225c73a
Time 	Message
2013-09-03 16:55:46,085 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 15:254:D4-3D-7E-12-A5-49
2013-09-03 16:55:46,092 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-132 h=223 r=R00000030-11-5225c73a] INFO Core.ServiceReqHandler - Service classification result = Certificate_based_Test
2013-09-03 16:55:46,093 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Certificate_based_Test"
2013-09-03 16:55:46,093 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_ldap: searching for user host/INGVYSAHOTEST.IN.intranet in AD:spininf00001.in.intranet
2013-09-03 16:55:46,095 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_ldap: found user host/INGVYSAHOTEST.IN.intranet in AD:spininf00001.in.intranet
2013-09-03 16:55:46,095 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
2013-09-03 16:55:46,096 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 15:76:D4-3D-7E-12-A5-49:0x00a40087002f00e73b010000d3e70a303a32a52dea8f6f95c95bd811
2013-09-03 16:55:46,112 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Certificate_based_Test" - 16:386:D4-3D-7E-12-A5-49
2013-09-03 16:55:46,113 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read finished A
2013-09-03 16:55:46,113 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 16:225:D4-3D-7E-12-A5-49:0x00f70020002b00c73c010000520e47f9ab1f806777c5c9926f39fd6e
2013-09-03 16:55:46,123 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Certificate_based_Test" - 17:318:D4-3D-7E-12-A5-49
2013-09-03 16:55:46,123 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_eap_tls: Session established.
2013-09-03 16:55:46,124 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr d43d7e12a549
2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3354 entity id = 29
2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3354
2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3354|entityId=29
2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3354|entity=Device
2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 h=1235 c=R00000030-11-5225c73a] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2013-09-03 16:55:46,132 	[RequestHandler-1-0x7f2fad3e9700 h=1236 c=R00000030-11-5225c73a] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2013-09-03 16:55:46,132 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
2013-09-03 16:55:46,133 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
2013-09-03 16:55:46,133 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - Failed to get value for attributes=[Groups]
2013-09-03 16:55:46,133 	[RequestHandler-1-0x7f2fad3e9700 h=1237 c=R00000030-11-5225c73a] INFO Core.PETaskRoleMapping - Roles: [Guest], [Machine Authenticated]
2013-09-03 16:55:46,135 	[RequestHandler-1-0x7f2fad3e9700 h=1240 c=R00000030-11-5225c73a] INFO Core.PETaskEnforcement - EnfProfiles: Cert_based_NAC_infrastructure
2013-09-03 16:55:46,135 	[RequestHandler-1-0x7f2fad3e9700 h=1245 c=R00000030-11-5225c73a] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Cert_based_NAC_infrastructure
2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 10800
2013-09-03 16:55:46,137 	[RequestHandler-1-0x7f2fad3e9700 h=1246 c=R00000030-11-5225c73a] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
2013-09-03 16:55:46,137 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1244 c=R00000030-11-5225c73a] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
2013-09-03 16:55:46,138 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1242 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
2013-09-03 16:55:46,142 	[RequestHandler-1-0x7f2fad3e9700 h=1248 c=R00000030-11-5225c73a] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2013-09-03 16:55:46,142 	[RequestHandler-1-0x7f2fad3e9700 h=1248 c=R00000030-11-5225c73a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0xe01eeb5fba974171b4bba595e0ae50d1d80b0000000000005230303030303033302d31312d35323235633733610000000000000000000000
2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
2013-09-03 16:55:46,143 	[RequestHandler-1-0x7f2fad3e9700 h=1247 c=R00000030-11-5225c73a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2013-09-03 16:55:46,143 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1235 c=R00000030-11-5225c73a] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
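
As an added example (not part of the thread and not ClearPass code), the sketch below scans request-log lines shaped like the ones above and flags sessions where role mapping ran after the authorization attribute lookup had failed. The sample lines are constructed from the shape of this log, and the result field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the shape of the request log above.
SAMPLE_LOG = """\
2013-09-03 16:55:46,093 [Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Certificate_based_Test"
2013-09-03 16:55:46,132 [AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
2013-09-03 16:55:46,133 [AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - Failed to get value for attributes=[Groups]
2013-09-03 16:55:46,133 [RequestHandler-1-0x7f2fad3e9700 h=1237 c=R00000030-11-5225c73a] INFO Core.PETaskRoleMapping - Roles: [Guest], [Machine Authenticated]
2013-09-03 16:55:46,135 [RequestHandler-1-0x7f2fad3e9700 h=1240 c=R00000030-11-5225c73a] INFO Core.PETaskEnforcement - EnfProfiles: Cert_based_NAC_infrastructure
"""

LINE = re.compile(r"^(\S+ \S+)\s+\[(.*?)\]\s+(INFO|WARN|ERROR)\s+(\S+) - (.*)$")
SESSION = re.compile(r"\bR[0-9a-f]{8}-\d+-[0-9a-f]{8}\b")

def summarize(log_text):
    """Group log lines by session id and collect authorization-related facts."""
    sessions = defaultdict(lambda: {"service": None, "missing_params": [],
                                    "failed_attrs": [], "roles": [], "profiles": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, ctx, level, component, msg = m.groups()
        sid = SESSION.search(ctx)
        if not sid:
            continue
        s = sessions[sid.group()]
        if (svc := re.search(r'categorized into service "([^"]+)"', msg)):
            s["service"] = svc.group(1)
        elif level == "WARN" and (p := re.search(r"No values for param=(\w+)", msg)):
            s["missing_params"].append(p.group(1))
        elif level == "WARN" and (a := re.search(r"Failed to get value for attributes=\[?([^\]]+)\]", msg)):
            s["failed_attrs"] += [x.strip() for x in a.group(1).split(",")]
        elif component.endswith("PETaskRoleMapping") and msg.startswith("Roles:"):
            s["roles"] = [r.strip(" []") for r in msg[len("Roles:"):].split(",")]
        elif component.endswith("PETaskEnforcement") and msg.startswith("EnfProfiles:"):
            s["profiles"] = [x.strip() for x in msg[len("EnfProfiles:"):].split(",")]
    for s in sessions.values():
        # Roles were computed although an authorization attribute could not be fetched.
        s["authz_gap"] = bool(s["failed_attrs"]) and bool(s["roles"])
    return dict(sessions)

if __name__ == "__main__":
    for sid, facts in summarize(SAMPLE_LOG).items():
        print(sid, facts)
```

A session with `authz_gap` set was accepted with roles computed without the `Groups` attribute, so any group-based VLAN rule could not have matched for it.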

 

 

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Error message for Role Mapping Policy - CPPM

Can you paste some screenshots of your services?
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Error message for Role Mapping Policy - CPPM

Here is a sample of a basic enforcement based on MemberOf in AD. Just make sure you add the AD as an Authorization source.

screenshot_10 Sep. 04 00.14.gif

screenshot_08 Sep. 04 00.13.gif

screenshot_09 Sep. 04 00.13.gif

Thank You,
Troy

Frequent Contributor I
Posts: 72
Registered: ‎09-19-2011

Re: Error message for Role Mapping Policy - CPPM

I am not able to attach the created service here; please let me know how to attach it.

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Error message for Role Mapping Policy - CPPM

Just click the button in the bottom left corner to add an attachment.

 

screenshot_01 Sep. 04 00.34.gif

Thank You,
Troy

Frequent Contributor I
Posts: 72
Registered: ‎09-19-2011

Re: Error message for Role Mapping Policy - CPPM

Hi,

Please find the attached screenshot.

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Error message for Role Mapping Policy - CPPM

Service looks OK.

What does it show in Access Tracker? What error is it showing in the Alerts tab?

You can also use the policy simulation to test with.

Thank You,
Troy

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Error message for Role Mapping Policy - CPPM

screenshot_03 Sep. 04 00.59.gif

 

screenshot_04 Sep. 04 00.59.gif

Thank You,
Troy

Frequent Contributor I
Posts: 72
Registered: ‎09-19-2011

Re: Error message for Role Mapping Policy - CPPM

Hi,

I have observed that in the authorization part you have added the Local User SQL DB.

So, for whatever roles I have created locally on CPPM, where will they be stored? Do I also have to add a local user DB in the Authorization tab?

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Error message for Role Mapping Policy - CPPM

I have the local DB because I also test with local users with role mapping. If you are not using local users then you don't need to add it.
Thank You,
Troy
