Wireless Access

Frequent Contributor I
Posts: 68
Registered: ‎01-03-2014

pushing an undefined access-list (role) from clearpass

Is there a setup doc that shows how to set up an L3 ACL from ClearPass and push it to a controller when a device logs on? This would be an access-list/role that is not defined on the controller. Using a 6.4 controller and 6.5.6 CPPM.

Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: pushing an undefined access-list (role) from clearpass

Are you referring to downloadable roles?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 68
Registered: ‎01-03-2014

Re: pushing an undefined access-list (role) from clearpass

Yes, and I do not want to have to pre-define the role on the controller.

Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: pushing an undefined access-list (role) from clearpass

Frequent Contributor I
Posts: 68
Registered: ‎01-03-2014

Re: pushing an undefined access-list (role) from clearpass

Thanks for the reply. I have added what I think is needed in the controller and it looks to me like the role is getting downloaded, but it doesn't show up as used when I look at the client. I have attached the log from the time frame, and it seems to show in the end that there are no references to that role. Any idea why it is not referenced in the log?

Sep 30 10:27:07 :501093:  <NOTI> |AP lab215@10.10.42.181 stm|  Auth success: 0c:d7:46:75:c8:09: AP 10.10.42.181-04:bd:88:27:40:a2-lab215
Sep 30 10:27:07 :501095:  <NOTI> |AP lab215@10.10.42.181 stm|  Assoc request @ 10:27:07.629873: 0c:d7:46:75:c8:09 (SN 1667): AP 10.10.42.181-04:bd:88:27:40:a2-lab215
Sep 30 10:27:07 :501100:  <NOTI> |stm|  Assoc success @ 10:27:07.635023: 0c:d7:46:75:c8:09: AP 10.10.42.181-04:bd:88:27:40:a2-lab215
Sep 30 10:27:07 :501100:  <NOTI> |AP lab215@10.10.42.181 stm|  Assoc success @ 10:27:07.630699: 0c:d7:46:75:c8:09: AP 10.10.42.181-04:bd:88:27:40:a2-lab215
Sep 30 10:27:07 :500511:  <DBUG> |mobileip|  Station 0c:d7:46:75:c8:09, 0.0.0.0: Received association on ESSID: murrawolka_test Mobility service ON, HA Discovery on Association ON, Fastroaming Disabled, AP: Name lab215 Group RTlab BSSID 04:bd:88:27:40:a2, phy g, VLAN 190 V6-VLAN 0
Sep 30 10:27:07 :522295:  <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user 0c:d7:46:75:c8:09
Sep 30 10:27:07 :500993:  <INFO> |mobileip|  Station 0c:d7:46:75:c8:09: Assoc event ignored; Current State MIP_PROXY_NO_MOBILITY_SERVICE, Previous State MIP_PROXY_CREATE_SIBYTE_BRIDGE_STALE, HA discovery triggered 1 at line 4134
Sep 30 10:27:07 :522035:  <INFO> |authmgr|  MAC=0c:d7:46:75:c8:09 Station UP: BSSID=04:bd:88:27:40:a2 ESSID=murrawolka_test VLAN=190 AP-name=lab215
Sep 30 10:27:07 :522077:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09 ingress 0x0x1001c (tunnel 28), u_encr 64, m_encr 4112, slotport 0x0x2100 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
Sep 30 10:27:07 :522078:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09, wired: 0, vlan:190 ingress:0x0x1001c (tunnel 28), ingress:0x0x1001c new_aaa_prof: murrawolka-aaa_prof, stored profile: murrawolka-aaa_prof stored wired: 0 stored essid: murrawolka_test, stored-ingress: 0x0x1001c
Sep 30 10:27:07 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 0c:d7:46:75:c8:09 vlan 0 derivation_type Reset VLANs for Station up index 3.
Sep 30 10:27:07 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 0c:d7:46:75:c8:09 vlan 190 fwdmode 0 derivation_type Default VLAN.
Sep 30 10:27:07 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 0c:d7:46:75:c8:09 vlan 190 derivation_type Default VLAN index 4.
Sep 30 10:27:07 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 0c:d7:46:75:c8:09 vlan 190 fwdmode 0 derivation_type Current VLAN updated.
Sep 30 10:27:07 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 0c:d7:46:75:c8:09 vlan 190 derivation_type Current VLAN updated index 5.
Sep 30 10:27:07 :522158:  <DBUG> |authmgr|  Role Derivation for user N/A-0c:d7:46:75:c8:09-a0224918 N/A Set AAA profile defaults.
Sep 30 10:27:07 :522246:  <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC 0c:d7:46:75:c8:09.
Sep 30 10:27:07 :524141:  <DBUG> |authmgr|  clr_pmkcache_ft():987: MAC:0c:d7:46:75:c8:09 BSS:04:bd:88:27:40:a2
Sep 30 10:27:07 :522254:  <DBUG> |authmgr|  VDR - mac 0c:d7:46:75:c8:09 rolename logon fwdmode 0 derivation_type Initial Role Contained vp not present.
Sep 30 10:27:07 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 0c:d7:46:75:c8:09 vlan 0 derivation_type Reset Role Based VLANs index 6.
Sep 30 10:27:07 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:0 udr_exist:0,default_role:logon,pDefRole:0x0x14528f4
Sep 30 10:27:07 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:0c:d7:46:75:c8:09, pmkid_present:False, pmkid:N/A
Sep 30 10:27:07 :522243:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09 Station Updated Update MMS: BSSID=04:bd:88:27:40:a2 ESSID=murrawolka_test VLAN=190 AP-name=lab215
Sep 30 10:27:07 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xfba2890120a0002c mac 0c:d7:46:75:c8:09 name a0224918 role authenticated devtype iPhone wired 0 authtype 4 subtype 9  encrypt-type 10 conn-port 8448 fwd-mode 0
Sep 30 10:27:08 :522038:  <INFO> |authmgr|  username=a0224918 MAC=0c:d7:46:75:c8:09 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=olevcppm100-dev
Sep 30 10:27:08 :522044:  <INFO> |authmgr|  MAC=0c:d7:46:75:c8:09 Station authenticate(start): method=802.1x, role=authenticated///logon, VLAN=190/190, Derivation=7/1, Value Pair=1, flags=0x8
Sep 30 10:27:08 :522158:  <DBUG> |authmgr|  Role Derivation for user N/A-0c:d7:46:75:c8:09-a0224918 N/A station Authenticated with auth type:  Unknown auth type.
Sep 30 10:27:08 :522142:  <DBUG> |authmgr|  Setting cached role to NULL for user 0c:d7:46:75:c8:09".
Sep 30 10:27:08 :522266:  <DBUG> |authmgr|  Calling derive_role2 for user 0c:d7:46:75:c8:09
Sep 30 10:27:08 :522278:  <INFO> |authmgr|  MAC=0c:d7:46:75:c8:09 IP=?? Dldb Role: Murrawolka_ACL_Download-3045-4 Derived downloadable role from Aruba CPPM VSA
Sep 30 10:27:08 :522285:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09 Dldb Role: Murrawolka_ACL_Download-3045-4 Adding user ref as l2 role, total refs: 1
Sep 30 10:27:08 :522281:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09 Dldb Role: Murrawolka_ACL_Download-3045-4 User enqueued, total enqueued: 1
Sep 30 10:27:08 :522282:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09 Dldb Role: Murrawolka_ACL_Download-3045-4 User will be assigned default role for the auth-type
Sep 30 10:27:08 :522136:  <DBUG> |authmgr|  {L2} authenticated from profile "murrawolka-aaa_prof" for user 0c:d7:46:75:c8:09.
Sep 30 10:27:08 :522127:  <DBUG> |authmgr|  {L2} Update role from authenticated to authenticated for IP=N/A, MAC=0c:d7:46:75:c8:09.
Sep 30 10:27:08 :522049:  <INFO> |authmgr|  MAC=0c:d7:46:75:c8:09,IP=N/A User role updated, existing Role=authenticated/none, new Role=authenticated/none, reason=station Authenticated with auth type:  802.1x
Sep 30 10:27:08 :522128:  <DBUG> |authmgr|  download-L2: acl=64/0 role=authenticated, tunl=0x0x1001c, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Sep 30 10:27:08 :522050:  <INFO> |authmgr|  MAC=0c:d7:46:75:c8:09,IP=N/A User data downloaded to datapath, new Role=authenticated/64, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
Sep 30 10:27:08 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xfba2890120a0002c mac 0c:d7:46:75:c8:09 name a0224918 role authenticated devtype iPhone wired 0 authtype 4 subtype 9  encrypt-type 10 conn-port 8448 fwd-mode 0
Sep 30 10:27:08 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 0c:d7:46:75:c8:09 vlan 0 derivation_type Reset Dot1x VLANs index 7.
Sep 30 10:27:08 :527000:  <DBUG> |mdns|  mdns_parse_auth_userrole_message 269 Auth User ROLE: MAC:0c:d7:46:75:c8:09, ROLE_NAME:authenticated
Sep 30 10:27:08 :522254:  <DBUG> |authmgr|  VDR - mac 0c:d7:46:75:c8:09 rolename NULL fwdmode 0 derivation_type Dot1x Aruba VSA vp present.
Sep 30 10:27:08 :522254:  <DBUG> |authmgr|  VDR - mac 0c:d7:46:75:c8:09 rolename NULL fwdmode 0 derivation_type Dot1x MSFT Attributes vp present.
Sep 30 10:27:08 :522254:  <DBUG> |authmgr|  VDR - mac 0c:d7:46:75:c8:09 rolename NULL fwdmode 0 derivation_type Dot1x Server Rule vp present.
Sep 30 10:27:08 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 0c:d7:46:75:c8:09 vlan 0 derivation_type Reset Role Based VLANs index 8.
Sep 30 10:27:08 :522161:  <DBUG> |authmgr|  Valid Dot1xct, remote:0, assigned:190, default:190, current:190,termstate:0, wired:0, dot1x enabled:1, psk:0 static:0 bssid=04:bd:88:27:40:a2.
Sep 30 10:27:08 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 0c:d7:46:75:c8:09 vlan 190 fwdmode 0 derivation_type Current VLAN updated.
Sep 30 10:27:08 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 0c:d7:46:75:c8:09 vlan 190 derivation_type Current VLAN updated index 9.
Sep 30 10:27:08 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated 0c:d7:46:75:c8:09 mob 1 inform 1 remote 0 wired 0 defvlan 190 exportedvlan 0 curvlan 190.
Sep 30 10:27:08 :522232:  <DBUG> |authmgr|  Data ready: MAC=0c:d7:46:75:c8:09 def_vlan 190 derive vlan: 0 auth_type 4 auth_subtype 4.
Sep 30 10:27:08 :522029:  <INFO> |authmgr|  MAC=0c:d7:46:75:c8:09 Station authenticate: method=802.1x, role=authenticated///logon, VLAN=190/190, Derivation=7/1, Value Pair=1
Sep 30 10:27:08 :522158:  <DBUG> |authmgr|  Role Derivation for user 10.10.42.183-0c:d7:46:75:c8:09-a0224918 N/A User authenticated with auth type:Unknown auth type role derivation:0.
Sep 30 10:27:08 :522318:  <DBUG> |authmgr|  Client 0c:d7:46:75:c8:09 idle timeout 300 profile murrawolka-aaa_prof
Sep 30 10:27:08 :500415:  <DBUG> |mobileip|  Station 0c:d7:46:75:c8:09, : Data ready message from auth default vlan 190 assigned vlan 0, mobile assigned vlan 0, mobile home vlan 190
Sep 30 10:27:08 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=a0224918 MAC=0c:d7:46:75:c8:09 IP=10.10.42.183 role=authenticated VLAN=190 AP=lab215 SSID=murrawolka_test AAA profile=murrawolka-aaa_prof auth method=802.1x auth server=olevcppm100-dev
Sep 30 10:27:08 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xfba2890120a0002c mac 0c:d7:46:75:c8:09 name a0224918 role authenticated devtype iPhone wired 0 authtype 4 subtype 9  encrypt-type 10 conn-port 8448 fwd-mode 0
Sep 30 10:27:08 :500414:  <DBUG> |mobileip|  Station 0c:d7:46:75:c8:09, : Received User Update from Auth, User name a0224918, L2 Role authenticated, Auth type 4, Auth status 1, ESSID murrawolka_test, AP: Name  Group
Sep 30 10:27:08 :522053:  <DBUG> |authmgr|  PMK Cache getting updated for 0c:d7:46:75:c8:09, (def, cur, vhow) = (190, 190, 1) with vlan=0 vlanhow=0 essid=murrawolka_test role=Murrawolka_ACL_Download-3045-4 rhow=10
Sep 30 10:27:08 :524129:  <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:0c:d7:46:75:c8:09 GSM: Successfully published Key-cache object.
Sep 30 10:27:08 :524134:  <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:0c:d7:46:75:c8:09 BSS:04:bd:88:27:40:a2 GSM: Successfully published PMK-cache object.
Sep 30 10:27:08 :524139:  <DBUG> |authmgr|  add_pmkcache():862: MAC:0c:d7:46:75:c8:09 BSS:04:bd:88:27:40:a2 Update:
Sep 30 10:27:08 :500054:  <DBUG> |mobileip|  Station 0c:d7:46:75:c8:09: Re-Added bridge entry for station on vlan 190 assigned vlan 190 v6-vlan 0 to tunnel 28 data path flags MOBILITY roam case Temp
Sep 30 10:27:08 :524136:  <DBUG> |authmgr|  dot1x_gsm_delete_pmkcache(): MAC:0c:d7:46:75:c8:09 BSS:04:bd:88:27:40:a2 GSM: Successfully deleted PMK-cache object.
Sep 30 10:27:08 :524131:  <DBUG> |authmgr|  dot1x_gsm_delete_keycache(): MAC:0c:d7:46:75:c8:09 GSM: Successfully deleted Key-cache object.
Sep 30 10:27:08 :522286:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09 Dldb Role: Murrawolka_ACL_Download-3045-4 Deleting user ref as l2 role, total refs: 0
Sep 30 10:27:08 :522283:  <DBUG> |authmgr|  MAC=0c:d7:46:75:c8:09 Dldb Role: Murrawolka_ACL_Download-3045-4 User dequeued, total enqueued: 0

Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: pushing an undefined access-list (role) from clearpass

Did you create a ClearPass account for the controller to use for the downloadable role and define it in the RADIUS server config on the controller?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 68
Registered: ‎01-03-2014

Re: pushing an undefined access-list (role) from clearpass

Tim, at first I did not have one; then, when reading other posts, I saw that that was required, so I added one. I first tried to do this through the GUI, but it did not look like it took, as when I went back and looked there was nothing there. I then added it through the CLI and it stayed in the config, but it did not make a difference to the outcome of the role and the client.
