Downloadable User Role is invalid message

  • 1.  Downloadable User Role is invalid message

    Posted Jun 06, 2019 10:26 AM

    I've been dabbling with DURs on a 2930 switch running 16.8.3

    1st one worked just fine and I can drop a client device into a VLAN called roaming with an allow all policy.

    2nd one set up a Per User Tunnelled Node link for a Chromecast device that tunneled data up to our ArubaOS 8 mobility controller.

    I then went back to one supposedly for a DHCP fingerprinted AP to drop it into a VLAN with name VLAN_5

    Unfortunately I end up with the following error message

    "W 06/06/19 13:06:14 05204 dca: ST1-CMDR: Failed to apply user role to macAuth client 204C0340ED11 on port 2/13: user role is invalid."

    How can I find out what's wrong with the DUR? All I did was copy a working one and change the word "roaming" to "local_5".

    If I change DUR no (2) then the version number increases on the switch so I know it's being downloaded.

     

    Rgds

    Alex

     

    Downloadable profiles are shown below

    1).

    xb-as-2930-1# sh user-role download detail
    Downloaded user roles are preceded by *

    User Role Information

    Name : *UoY_DUP_Roaming___090318-3120-26
    Type : downloaded
    Reauthentication Period (seconds) : 3600
    Cached Reauth Period (seconds) : 0
    Logoff Period (seconds) : 300
    Untagged VLAN : roaming
    Tagged VLAN :
    Captive Portal Profile :
    Policy : PERMIT-ALL_UoY_DUP_Roaming___090318-31...

    Statements for policy "PERMIT-ALL_UoY_DUP_Roaming___090318-3120-26"
    policy user "PERMIT-ALL_UoY_DUP_Roaming___090318-3120-26"
    10 class ipv4 "IP-ANY-ANY_UoY_DUP_Roaming___090318-3120-26" action permit
    exit


    Statements for class IPv4 "IP-ANY-ANY_UoY_DUP_Roaming___090318-3120-26"
    class ipv4 "IP-ANY-ANY_UoY_DUP_Roaming___090318-3120-26"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    Tunnelednode Server Redirect : Disabled
    Secondary Role Name :
    Device Attributes : Disabled

     

    2).

    User Role Information

    Name : *ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5
    Type : downloaded
    Reauthentication Period (seconds) : 28800
    Cached Reauth Period (seconds) : 0
    Logoff Period (seconds) : 300
    Untagged VLAN : local_5
    Tagged VLAN :
    Captive Portal Profile :
    Policy : PERMIT-ALL_ROLE_AOS_S_DUR__LOCAL5_DEVI...

    Statements for policy "PERMIT-ALL_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
    policy user "PERMIT-ALL_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
    10 class ipv4 "IP-ANY-ANY_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5" action
    permit
    exit


    Statements for class IPv4 "IP-ANY-ANY_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
    class ipv4 "IP-ANY-ANY_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    Tunnelednode Server Redirect : Disabled
    Secondary Role Name :
    Device Attributes : Disabled

     

    3).

    User Role Information

    Name : *ROLE_AOS_S_DUR_T__AIRGROUP_DEVICES-31...
    Type : downloaded
    Reauthentication Period (seconds) : 3600
    Cached Reauth Period (seconds) : 0
    Logoff Period (seconds) : 300
    Untagged VLAN :
    Tagged VLAN :
    Captive Portal Profile :
    Policy :
    Tunnelednode Server Redirect : Enabled
    Secondary Role Name : airgroup_devices
    Device Attributes : Disabled

     


    xb-as-2930-1#

  • 2.  RE: Downloadable User Role is invalid message
    Best Answer

    EMPLOYEE
    Posted Jun 06, 2019 12:15 PM

    Can you share a sample of the actual user role configuration from ClearPass?

     

    Have you tried running "debug security"?  That should give you the exact line the user role is failing on.



  • 3.  RE: Downloadable User Role is invalid message

    MVP GURU
    Posted Jun 06, 2019 01:39 PM

    Also avoid names that are too long for enforcement profiles (and extra characters...)



  • 4.  RE: Downloadable User Role is invalid message

    Posted Jun 07, 2019 06:26 AM

    Sigh!

    The key is to look at the error message more carefully.

    The message says

    W 06/07/19 10:00:27 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
    client 204C033A6089 on port 2/13: user role is invalid.

    However, the user role I'm passing back (based upon a fingerprint) is for MAC address 204C033A6088

    xb-as-2930-1(config)# sh mac-addres 2/13

    gives

    Status and Counters - Port Address Table - 2/13

    MAC Address         VLANs
    -----------------   ------------
    204c03-3a6088       480
    204c03-3a6089       4003

    which is right, the "88" address is the one processed by ClearPass. The "89" address is another one coming from the AP which ClearPass doesn't know what to do with, so it gets dropped into our portal VLAN.

    Thanks for the replies... at least I know how to use the debug command now :-)

     

    Rgds

    Alex

     

     



  • 5.  RE: Downloadable User Role is invalid message

    Posted May 26, 2021 07:00 PM
    Just to clarify, I learned this the hard way.

    Enforcement profile names have a limit of 51 characters on the 2930F when you use downloadable user roles. 52 or more characters will result in errors.
    Secondary user role profiles for the MC appear not to have this limit.

    ------------------------------
    Gerhard Eriksson
    ------------------------------
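The two lessons in this thread (reply 4: the MAC in the "user role is invalid" log line was not the MAC ClearPass had authorized, and reply 5: the 2930F rejects DUR enforcement profile names longer than 51 characters) can be checked mechanically before anyone stares at a log again. The script below is an added example, not code from the thread or from HPE Aruba Networking / ClearPass. It assumes the log line and "show mac-address" output look exactly as pasted above (the sample text is reconstructed from the thread), that the list of MACs ClearPass authorized is supplied by the operator, and that the 51-character limit applies to the profile name as typed into ClearPass; the character set it enforces ([A-Za-z0-9_-]) is a conservative reading of reply 3, not a documented rule.

```python
import re

# Limit reported in reply 5 for downloadable user roles on a 2930F.
# Assumption: it applies to the enforcement profile name as configured in ClearPass.
MAX_DUR_PROFILE_NAME_LEN = 51

# Constructed sample input, copied in shape from the thread above.
SAMPLE_LOG = ('W 06/07/19 10:00:27 05204 dca: ST1-CMDR: Failed to apply user role to macAuth '
              'client 204C033A6089 on port 2/13: user role is invalid.')

SAMPLE_MAC_TABLE = """Status and Counters - Port Address Table - 2/13

  MAC Address         VLANs
  -----------------   ------------
  204c03-3a6088       480
  204c03-3a6089       4003
"""

# Matches the dca "Failed to apply user role" event as the switch prints it.
LOG_RE = re.compile(r'Failed to apply user role to (?P<auth>\w+) client '
                    r'(?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>\S+): (?P<reason>.+?)\.?$')


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits.

    Accepts the log format (204C033A6089), the switch table format (204c03-3a6089)
    and colon-separated form (20:4c:03:3a:60:89) so the two sources can be compared.
    """
    digits = re.sub(r'[^0-9A-Fa-f]', '', mac).lower()
    if len(digits) != 12:
        raise ValueError(f'not a MAC address: {mac!r}')
    return digits


def parse_role_failure(line):
    """Extract auth method, client MAC, port and reason from a dca failure line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {'auth': m['auth'], 'mac': normalize_mac(m['mac']),
            'port': m['port'], 'reason': m['reason']}


def parse_mac_table(text):
    """Parse 'show mac-address <port>' output into {normalized_mac: vlan}."""
    table = {}
    for line in text.splitlines():
        m = re.match(r'\s*([0-9a-f]{6}-[0-9a-f]{6})\s+(\d+)', line, re.I)
        if m:
            table[normalize_mac(m.group(1))] = int(m.group(2))
    return table


def diagnose(log_line, mac_table_text, authorized_macs):
    """Explain a 'user role is invalid' event.

    Tells you whether the failing client is the MAC ClearPass actually authorized,
    which VLAN it landed in, and which other MACs share the port (the AP's second
    MAC in the thread above).
    """
    ev = parse_role_failure(log_line)
    if ev is None:
        return None
    table = parse_mac_table(mac_table_text)
    authorized = {normalize_mac(m) for m in authorized_macs}
    ev['vlan'] = table.get(ev['mac'])
    ev['authorized_by_clearpass'] = ev['mac'] in authorized
    ev['other_macs_on_port'] = sorted(m for m in table if m != ev['mac'])
    return ev


def check_profile_name(name, limit=MAX_DUR_PROFILE_NAME_LEN):
    """Return a list of problems with a ClearPass enforcement profile name (empty = OK)."""
    problems = []
    if len(name) > limit:
        problems.append(f'{len(name)} characters exceeds limit of {limit}')
    # Assumed conservative character set; reply 3 only says to avoid "extra characters".
    if not re.fullmatch(r'[A-Za-z0-9_-]+', name):
        problems.append('contains characters outside [A-Za-z0-9_-]')
    return problems


if __name__ == '__main__':
    # ClearPass in the thread returned a role for ...6088; the switch complained about ...6089.
    print(diagnose(SAMPLE_LOG, SAMPLE_MAC_TABLE, ['204C033A6088']))
    for candidate in ('ROLE_AOS_S_DUR__LOCAL5_DEVICES', 'A' * 52):
        print(candidate[:20], check_profile_name(candidate))
```

Run it against a pasted log line and the matching "show mac-address" output: if authorized_by_clearpass is False, the DUR is probably fine and the switch is reporting a different client on the same port, as happened here; only if it is True is "debug security" on the DUR itself the next step.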