Wired Intelligent Edge

 View Only
last person joined: 20 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Clearpass DUR only assigns initial role

This thread has been viewed 30 times
  • 1.  Clearpass DUR only assigns initial role

    Posted Dec 31, 2021 05:51 AM

    Hi Everyone,

    So we are working on a Clearpass setup where user roles are pushed from Clearpass to the switch.

    From Clearpass we can see that the user successfully authenticates and that the radius response contains the DUR configuration.

    This, however, is not being applied to the client; they are still getting the Initial-Role.

    As far as I can see from the Radius response the configuration looks alright. For now we are wanting to assign an allow all rule and VLAN IT.

    From the switch we are getting these 2 errors in the logs:

    W 12/31/21 11:39:23 05204 dca: ST5-CMDR: Failed to apply user role employees-3047-8_7Z4q to 8021X client B4A9FC9C1DBB on port 3/12: user role is invalid.
    W 12/31/21 11:39:23 05620 dca: ST5-CMDR: 8021X client B4A9FC9C1DBB on port 3/12 assigned to initial role as downloading failed for user role.

    I have found this article: Airheads Community which suggested that the problem could be that the incorrect VSA is being returned, but we have checked ours matches their recommendation. 

    I found another article that pointed to NTP being the issue: Airheads Community but ours if properly synced:

    Core-Switch# show ntp status

    NTP Status Information

    NTP Status : Enabled NTP Mode : Unicast
    Synchronization Status : Synchronized Peer Dispersion : 0.00000 sec
    Stratum Number : 4 Leap Direction : 0
    Reference Assoc ID : 0 Clock Offset : -0.00248 sec
    Reference ID : 192.168.254.40 Root Delay : 0.27432 sec
    Precision : 2**-18 Root Dispersion : 0.19274 sec
    NTP Up Time : 25d 10h 34m Time Resolution : 0 nsec
    Drift : 0.00028 sec/sec

    System Time : Fri Dec 31 12:48:05 2021
    Reference Time : Fri Dec 31 12:02:25 2021

     

    We are still pretty new to Clearpass so there is a good chance we have made a simple mistake somewhere. If anyone has any advice or suggestions it would be much appreciated!

    Kind regards
    Ciaran 



    ------------------------------
    Ciaran Coghlan
    ------------------------------


  • 2.  RE: Clearpass DUR only assigns initial role

    MVP GURU
    Posted Jan 03, 2022 08:06 AM
    Do you have the certificate trust set up between the switch and clearpass?


    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Clearpass DUR only assigns initial role

    MVP GURU
    Posted Jan 03, 2022 08:07 AM
    And also do you have your clearpass username and password set correctly on the switch side so that it can log into clearpass to download the user role information?

    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 4.  RE: Clearpass DUR only assigns initial role

    Posted Jan 04, 2022 01:22 AM

    Hi Dustin,

    Thank you for your response. We created a read-only admin in clearpass and set up that on the switch, so I believe that's all good.

    For the Certificates, the switch we were using wasn't on new enough firmware to use the auto-download feature so we did it manually like this:

    crypto pki ta-profile Clearpass
    copy tftp ta-certificate Clearpass 192.168.250.127 ClearPass_Onboard_Local_Certificate_Authority.pem

    • Core-Switch(config)# show crypto pki ta-profile
    • Profile Name    Profile Status                 CRL Configured  OCSP Configured
    • --------------- ------------------------------ --------------- ---------------
    • IDEVID_ROOT     Root Certificate Installed                                   
    • COMODO_CA       Root Certificate Installed     No              No            
    • GEOTRUST_CA     Root Certificate Installed     No              No            
    • ARUBA_CA        Root Certificate Installed     No              No            
    • ADDTRUST_CA     Root Certificate Installed     No              No            
    • Clearpass       Root Certificate Installed     No              No        

    Thanks for the help

    ------------------------------
    Ciaran Coghlan
    ------------------------------