Hi Everyone,

So we are working on a Clearpass setup where user roles are pushed from Clearpass to the switch.

From Clearpass we can see that the user successfully authenticates and that the radius response contains the DUR configuration. This, however, is not being applied to the client; they are still getting the Initial-Role.

As far as I can see from the Radius response the configuration looks alright. For now we are wanting to assign an allow all rule and VLAN IT.

From the switch we are getting these 2 errors in the logs:
W 12/31/21 11:39:23 05204 dca: ST5-CMDR: Failed to apply user role employees-3047-8_7Z4q to 8021X client B4A9FC9C1DBB on port 3/12: user role is invalid.
W 12/31/21 11:39:23 05620 dca: ST5-CMDR: 8021X client B4A9FC9C1DBB on port 3/12 assigned to initial role as downloading failed for user role.
I have found this article: Airheads Community which suggested that the problem could be that the incorrect VSA is being returned, but we have checked ours matches their recommendation. I found another article that pointed to NTP being the issue: Airheads Community but ours is properly synced:

Core-Switch# show ntp status

 NTP Status Information

  NTP Status             : Enabled          NTP Mode        : Unicast
  Synchronization Status : Synchronized     Peer Dispersion : 0.00000 sec
  Stratum Number         : 4                Leap Direction  : 0
  Reference Assoc ID     : 0                Clock Offset    : -0.00248 sec
  Reference ID           : 192.168.254.40   Root Delay      : 0.27432 sec
  Precision              : 2**-18           Root Dispersion : 0.19274 sec
  NTP Up Time            : 25d 10h 34m      Time Resolution : 0 nsec
  Drift                  : 0.00028 sec/sec

  System Time            : Fri Dec 31 12:48:05 2021
  Reference Time         : Fri Dec 31 12:02:25 2021
We are still pretty new to Clearpass so there is a good chance we have made a simple mistake somewhere. If anyone has any advice or suggestions it would be much appreciated!

Kind regards
Ciaran
Hi Dustin,

Thank you for your response. We created a read-only admin in clearpass and set up that on the switch, so I believe that's all good.

For the Certificates, the switch we were using wasn't on new enough firmware to use the auto-download feature so we did it manually like this:
crypto pki ta-profile Clearpass
copy tftp ta-certificate Clearpass 192.168.250.127 ClearPass_Onboard_Local_Certificate_Authority.pem