Wired Intelligent Edge


2930F device attribute is already applied on this port.

  • 1.  2930F device attribute is already applied on this port.

    Posted Dec 09, 2021 08:19 AM
    I have 2 devices which are connected to 1 port of a 2930M switch, and both devices should fall into the same VLAN, but unfortunately the switch says:

    W 11/29/21 06:12:56 05800 dca: Failed to apply user role 'XXX_DUR_Aruba_AOS-3694-2_7Z4q' to macAuth client 112233445566 on port 1: device attribute is already applied on this port.

    So the first MAC address got the DUR, but the second device is not able to get the DUR. Does anyone know how to fix it?



    ------------------------------
    Andreas Hofer
    ------------------------------
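
    An added example, not part of the original thread and not Aruba tooling: a small Python parser that rejoins wrapped event-log entries like the one quoted above and lists, per port, the MAC addresses whose user role could not be applied because of the device-attribute conflict. The sample log is constructed from the single line in the post; the role name `EXAMPLE_DUR_ROLE`, the second and third entries, and the set of severity letters are assumptions.

```python
import re
from collections import defaultdict

# Start of an entry: severity letter, date, time, 5-digit event id, subsystem.
# The severity letters accepted here are an assumption.
ENTRY_START = re.compile(r"^[IWMDE] \d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \d{5} \w+:")
ROLE_FAILURE = re.compile(
    r"^(?P<sev>[IWMDE]) (?P<date>\S+) (?P<time>\S+) (?P<event_id>\d{5}) dca: "
    r"Failed to apply user role '(?P<role>[^']+)' to (?P<method>\S+) client "
    r"(?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>[^\s:]+): (?P<reason>.+?)\.?$"
)

# Constructed sample: first entry is wrapped the way the post shows it.
SAMPLE_LOG = """\
W 11/29/21 06:12:56 05800 dca: Failed to apply user role
            'EXAMPLE_DUR_ROLE' to macAuth client
            112233445566 on port 1: device attribute is already applied on this
            port.
I 11/29/21 06:13:02 00076 ports: port 2 is now on-line
W 11/29/21 06:14:10 05800 dca: Failed to apply user role 'EXAMPLE_DUR_ROLE' to macAuth client AABBCCDDEEFF on port 2/1: device attribute is already applied on this port.
"""

def unwrap(text):
    """Join wrapped continuation lines back onto the entry they belong to."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def role_failures(text):
    """Return one dict per 'Failed to apply user role' entry."""
    matches = (ROLE_FAILURE.match(e) for e in unwrap(text))
    return [m.groupdict() for m in matches if m]

def ports_with_device_attribute_conflict(text):
    """Map port -> sorted client MACs rejected with the conflict reason."""
    ports = defaultdict(set)
    for f in role_failures(text):
        if "device attribute is already applied" in f["reason"]:
            ports[f["port"]].add(f["mac"].upper())
    return {port: sorted(macs) for port, macs in ports.items()}

if __name__ == "__main__":
    print(ports_with_device_attribute_conflict(SAMPLE_LOG))
```
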


  • 2.  RE: 2930F device attribute is already applied on this port.

    EMPLOYEE
    Posted Dec 09, 2021 09:58 AM
    Hello, 

    This is obvious but did you raise the addr-limit for MAC based authentication on the port? The default seems to be 1.


    Aruba-VSF-2930F(config)# aaa port-access mac-based 2/1 addr-limit ?
    <1-256> Enter a number.

    Maybe it would be good to have the port access configuration of the port and also the CLI syntax of the role. Is it specifying just a VLAN or also other attributes?

    ------------------------------
    Emil Gogushev
    ------------------------------



  • 3.  RE: 2930F device attribute is already applied on this port.

    Posted Dec 09, 2021 10:12 AM

    Addr Limit is always set to 2: aaa port-access mac-based 1 addr-limit 2


    Config is:
    aaa server-group radius "CPPM" host "CPPM1"
    aaa server-group radius "CPPM" host "CPPM2"
    aaa authorization user-role enable download
    aaa authentication port-access eap-radius server-group "CPPM"
    aaa authentication captive-portal enable
    aaa port-access authenticator 1-13
    aaa port-access authenticator 1 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 1-13
    aaa port-access mac-based 1 addr-limit 2

    Normal RADIUS config, nothing special. Here is my DUR:


    Also nothing special, but it seems there is a problem with 2 MAC addresses on one port.





  • 4.  RE: 2930F device attribute is already applied on this port.
    Best Answer

    EMPLOYEE
    Posted Dec 09, 2021 10:58 AM
    Hello, 
    Could you disable for testing admin-edge-port or the whole device configuration in the DUR?

    ------------------------------
    Emil Gogushev
    ------------------------------



  • 5.  RE: 2930F device attribute is already applied on this port.

    Posted Dec 13, 2021 04:16 AM
    Hi, yes, without Device Config it is working.
    Also with Device Config and Port Mode it is working. Do you know what Port Mode is?
    Shouldn't it be working with Admin Edge Port enabled regarding Spanning-Tree?

    ------------------------------
    Andreas Hofer
    ------------------------------



  • 6.  RE: 2930F device attribute is already applied on this port.

    EMPLOYEE
    Posted Dec 13, 2021 05:46 AM
    Hello Andreas,
    Port mode is related to authentication and means that once a single user (MAC address) is authenticated on an interface, the port is opened for all subsequent other MAC addresses which appear on the port. This is typically used for APs in local bridging mode (i.e. IAPs), where the AP bridges the wireless traffic directly to the LAN and the switch sees multiple MAC addresses which don't have to be authenticated (because they were already authenticated by the AP). If you need to authenticate more than 1 device on a port this is probably not what you want. The device is client mode where each MAC address is authenticated separately.

    Your test has shown that the device attribute "admin-edge-port" is causing the issue. Did you check if there is any conflict with the rest of the configuration? Is admin-edge-port already enabled by CLI on the port where the devices authenticate? 
    Or is maybe MSTP disabled on the switch globally?


    ------------------------------
    Emil Gogushev
    ------------------------------



  • 7.  RE: 2930F device attribute is already applied on this port.

    Posted Dec 13, 2021 10:08 AM
    MSTP is disabled on that switch - yes.
    So we haven't configured any spanning-tree commands globally or on the interface.

    ------------------------------
    Andreas Hofer
    ------------------------------



  • 8.  RE: 2930F device attribute is already applied on this port.

    EMPLOYEE
    Posted Dec 16, 2021 02:47 AM
    Good morning, 
    This behavior is strange indeed. Particularly because it is working with the first authenticated client. If the switch is not running the latest version please update it to make sure that you are not hitting any old issues. If it is still not working and disabling the attribute "admin-edge-port" in the DUR is not acceptable as a workaround, I think the best way to continue would be a support case.

    ------------------------------
    Emil Gogushev
    ------------------------------