Hi Everyone,
So we are working on a Clearpass setup where user roles are pushed from Clearpass to the switch.
From Clearpass we can see that the user successfully authenticates and that the radius response contains the DUR configuration.
This, however, is not being applied to the client; they are still getting the Initial-Role.
As far as I can see from the Radius response the configuration looks alright. For now we are wanting to assign an allow all rule and VLAN IT.
From the switch we are getting these 2 errors in the logs:
W 12/31/21 11:39:23 05204 dca: ST5-CMDR: Failed to apply user role employees-3047-8_7Z4q to 8021X client B4A9FC9C1DBB on port 3/12: user role is invalid.
W 12/31/21 11:39:23 05620 dca: ST5-CMDR: 8021X client B4A9FC9C1DBB on port 3/12 assigned to initial role as downloading failed for user role.
I have found this article: Airheads Community which suggested that the problem could be that the incorrect VSA is being returned, but we have checked ours matches their recommendation.
I found another article that pointed to NTP being the issue: Airheads Community but ours is properly synced:
Core-Switch# show ntp status
NTP Status Information
NTP Status : Enabled NTP Mode : Unicast
Synchronization Status : Synchronized Peer Dispersion : 0.00000 sec
Stratum Number : 4 Leap Direction : 0
Reference Assoc ID : 0 Clock Offset : -0.00248 sec
Reference ID : 192.168.254.40 Root Delay : 0.27432 sec
Precision : 2**-18 Root Dispersion : 0.19274 sec
NTP Up Time : 25d 10h 34m Time Resolution : 0 nsec
Drift : 0.00028 sec/sec
System Time : Fri Dec 31 12:48:05 2021
Reference Time : Fri Dec 31 12:02:25 2021
We are still pretty new to Clearpass so there is a good chance we have made a simple mistake somewhere. If anyone has any advice or suggestions it would be much appreciated!
Kind regards
Ciaran
------------------------------
Ciaran Coghlan
------------------------------