From what I have seen, with user roles enabled, the VLAN needs to be part of the role, regardless of DUR or local user roles.
In 'traditional mode', the VLAN, dACL, etc. should be returned in separate attributes.
In 'user-role mode' there is a single role that has all the attributes. That role can be local or downloadable.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: May 12, 2021 06:46 PM
From: Matthias Moritz
Subject: ClearPass, DUR & AOS Switch: VLAN assignment without DUR failing
Hello,
I tried to return just the VLAN ID (IETF Tunnel-Private-Group-ID) without a role name or a DUR to an AOS switch, which is configured for DUR download.
In this case, the debug shows that the role "0" cannot be applied (I assume because no role name or DUR is offered by CPPM).
Because role 0 cannot be applied, the initial role (aaa authorization user-role initial-role "custom-role") gets applied.
But the VLAN ID which CPPM returns as IETF Tunnel-Private-Group-ID also does not get applied.
Therefore, to assign a VLAN, I had to apply a VLAN ID to the user role configured as the initial role locally on the switch.
I found nothing regarding this behaviour in the ClearPass solution guide.
Is it mandatory to return a user role to the switch to set a VLAN if DUR download is enabled?
Thank you!
------------------------------
Best regards, mom
------------------------------