Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Downloadable User Role Error on Boot

  • 1.  Downloadable User Role Error on Boot

    Posted Feb 12, 2020 04:41 PM

    Hi guys,

    We have DUR (Downloadable User Roles) working great - however, upon a switch reboot, we're seeing these deauthentications for all ports.

    Most of the ports seem to come up eventually (assuming after the device talks to create traffic to initiate the MAC Auth), although we have the odd one where the only solution is to reboot the device (not ideal with remote devices).

    W 02/13/20 09:44:52 05630 dca: AM1: Faulty line: aaa authorization user-role name cppm-dur-role-name-3064-2_7Z4q .
    W 02/13/20 09:44:52 05619 dca: AM1: macAuth Deauthenticating client 001755EA579B on port D20, downloaded user role cppm-dur-role-nam... is not valid as CLI execution Error.
    W 02/13/20 09:44:52 05619 dca: AM1: macAuth Deauthenticating client 30B5C203317E on port D19, downloaded user role cppm-dur-role-nam... is not valid as CLI execution Error.

    Is this expected on a reboot?

    Cheers,

    Ben.
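
Added example, not part of the original post and not Aruba code: a Python triage script for the log lines quoted above. It lists the deauthenticated clients per port and resolves the truncated role name (`cppm-dur-role-nam...`) against the full name in the `Faulty line` event; the header field layout in the regex is an assumption inferred from these three lines.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (the only input this sketch was written against).
SAMPLE_LOG = """\
W 02/13/20 09:44:52 05630 dca: AM1: Faulty line: aaa authorization user-role name cppm-dur-role-name-3064-2_7Z4q .
W 02/13/20 09:44:52 05619 dca: AM1: macAuth Deauthenticating client 001755EA579B on port D20, downloaded user role cppm-dur-role-nam... is not valid as CLI execution Error.
W 02/13/20 09:44:52 05619 dca: AM1: macAuth Deauthenticating client 30B5C203317E on port D19, downloaded user role cppm-dur-role-nam... is not valid as CLI execution Error.
"""

# Assumed layout, inferred from the sample: severity, date, time, numeric id, message.
HEADER = re.compile(r"^(?P<sev>[A-Z]) (?P<date>\S+) (?P<time>\S+) (?P<event>\d+) (?P<msg>.*)$")
FAULTY = re.compile(r"Faulty line: .*user-role name (?P<role>\S+)")
DEAUTH = re.compile(
    r"Deauthenticating client (?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>\S+), "
    r"downloaded user role (?P<role>\S+?)(?P<cut>\.\.\.)? is not valid")


def triage(log_text):
    """Group DUR deauthentications by role: {role: [(timestamp, port, mac), ...]}."""
    rejected, events = set(), []
    # Pass 1: collect full role names from "Faulty line" events and raw deauth events.
    for line in log_text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue
        stamp = f"{head['date']} {head['time']}"
        if m := FAULTY.search(head["msg"]):
            rejected.add(m["role"])
        elif m := DEAUTH.search(head["msg"]):
            events.append((stamp, m["port"], m["mac"].upper(), m["role"], bool(m["cut"])))
    # Pass 2: the deauth message truncates the role name; expand it only when
    # exactly one rejected role shares the prefix, otherwise keep it marked "...".
    affected = defaultdict(list)
    for stamp, port, mac, role, cut in events:
        if cut:
            hits = [r for r in rejected if r.startswith(role)]
            role = hits[0] if len(hits) == 1 else role + "..."
        affected[role].append((stamp, port, mac))
    return dict(affected)


if __name__ == "__main__":
    for role, clients in triage(SAMPLE_LOG).items():
        print(f"{role}: {len(clients)} client(s) deauthenticated")
        for stamp, port, mac in sorted(clients, key=lambda c: c[1]):
            print(f"  {stamp}  port {port}  client {mac}")
```

Run against the full post-reboot log, the output gives the list of ports and MAC addresses to check for clients that never re-authenticated.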



  • 2.  RE: Downloadable User Role Error on Boot

    Posted Feb 13, 2020 03:40 AM

    Looks to me that there is an error in the Downloadable role content for this specific user.

    Doesn't sound like expected or how it should work. If you can't find the issue with this specific role (or roles if there are multiple), please work with Aruba support.



  • 3.  RE: Downloadable User Role Error on Boot

    Posted Feb 13, 2020 04:14 AM

    Thanks Herman. The role is very simple (literally just a vlan id and a permit-all ACL). It works fine (no errors) through version iterations and users connecting etc - so I think the role itself is fine - this error only happens on boot.

    I'll log a call.

    Cheers!