Good morning,
This behavior is strange indeed. Particularly because it is working with the first authenticated client. If the switch is not running the latest version please update it to make sure that you are not hitting any old issues. If it is still not working and disabling the attribute "admin-edge-port" in the DUR is not acceptable as a workaround, I think the best way to continue would be a support case.
------------------------------
Emil Gogushev
------------------------------
Original Message:
Sent: Dec 13, 2021 10:07 AM
From: Andreas Hofer
Subject: 2930F device attribute is already applied on this port.
MSTP is disabled on that switch - yes.
So we haven't configured any spanning-tree commands globally or on the interface.
------------------------------
Andreas Hofer
Original Message:
Sent: Dec 13, 2021 05:45 AM
From: Emil Gogushev
Subject: 2930F device attribute is already applied on this port.
Hello Andreas, Port mode is related to authentication and means that once a single user (MAC address) is authenticated on an interface the port is opened for all subsequent other MAC addresses which appear on the port. This is typically used for APs in local bridging mode (i.e. IAPs), where the AP bridges the wireless traffic directly to the LAN and the switch sees multiple MAC addresses which don't have to be authenticated (because they were already authenticated by the AP). If you need to authenticate more than 1 device on a port this is probably not what you want. The device is client mode where each MAC address is authenticated separately.
Your test has shown that the device attribute "admin-edge-port" is causing the issue. Did you check if there is any conflict with the rest of the configuration? Is admin-edge-port already enabled by CLI on the port where the devices authenticate?
Or is maybe MSTP disabled on the switch globally?
------------------------------
Emil Gogushev
Original Message:
Sent: Dec 13, 2021 04:16 AM
From: Andreas Hofer
Subject: 2930F device attribute is already applied on this port.
Hi, Yes without Device Config it is working.
Also with Device Config and Port Mode it is working. Do you know what Port Mode is?
Shouldn't it be working with Admin Edge Port enabled, regarding Spanning-Tree?
------------------------------
Andreas Hofer
Original Message:
Sent: Dec 09, 2021 10:57 AM
From: Emil Gogushev
Subject: 2930F device attribute is already applied on this port.
Hello,
Could you disable for testing admin-edge-port or the whole device configuration in the DUR?
------------------------------
Emil Gogushev
Original Message:
Sent: Dec 09, 2021 10:12 AM
From: Andreas Hofer
Subject: 2930F device attribute is already applied on this port.
Addr Limit is always set to 2: aaa port-access mac-based 1 addr-limit 2
Config is:
aaa server-group radius "CPPM" host "CPPM1"
aaa server-group radius "CPPM" host "CPPM2"
aaa authorization user-role enable download
aaa authentication port-access eap-radius server-group "CPPM"
aaa authentication captive-portal enable
aaa port-access authenticator 1-13
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 1-13
aaa port-access mac-based 1 addr-limit 2
Normal RADIUS config, nothing special. Here is my DUR:
Also nothing special, but it seems there is a problem with 2 MAC addresses on one port.
Original Message:
Sent: Dec 09, 2021 09:57 AM
From: Emil Gogushev
Subject: 2930F device attribute is already applied on this port.
Hello,
This is obvious but did you raise the addr-limit for MAC based authentication on the port? The default seems to be 1.
Aruba-VSF-2930F(config)# aaa port-access mac-based 2/1 addr-limit ?
<1-256> Enter a number.
Maybe it would be good to have the port access configuration of the port and also the CLI syntax of the role. Is it specifying just a VLAN or also other attributes?
------------------------------
Emil Gogushev
Original Message:
Sent: Dec 09, 2021 08:19 AM
From: Andreas Hofer
Subject: 2930F device attribute is already applied on this port.
I have 2 devices which are connected to 1 port of a 2930M switch and both devices should fall into the same VLAN, but unfortunately the switch says:
W 11/29/21 06:12:56 05800 dca: Failed to apply user role
'XXX_DUR_Aruba_AOS-3694-2_7Z4q' to macAuth client
112233445566 on port 1: device attribute is already applied on this
port.
So the first MAC address got the DUR, but the second device is not able to get the DUR. Does anyone know how to fix it?
------------------------------
Andreas Hofer
------------------------------
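The addr-limit check suggested in the thread can be run over a saved running-config to list every MAC-auth port that would reject a second device. The Python below is an added example, not code from either poster or from Aruba: the function names are hypothetical, it reads only the `aaa port-access mac-based` lines quoted in the thread, and it takes the default limit of 1 from the thread as an assumption.

```python
import re

# Assumption taken from the thread ("The default seems to be 1").
DEFAULT_ADDR_LIMIT = 1

# Lines copied from the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1-13
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 1-13
aaa port-access mac-based 1 addr-limit 2
"""

MAC_BASED = re.compile(r"^aaa port-access mac-based (\S+)(?: addr-limit (\d+))?$")

def expand_ports(spec):
    """Expand '1-13', '1,3-5' or '2/1-2/4' into individual port names."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        prefix, _, first = lo.rpartition("/")
        last = hi.rpartition("/")[2] if hi else first
        if first.isdigit() and last.isdigit():
            head = prefix + "/" if prefix else ""
            ports += [f"{head}{n}" for n in range(int(first), int(last) + 1)]
        else:
            ports.append(part)  # other naming schemes are left unexpanded
    return ports

def mac_auth_limits(config_text):
    """Map each MAC-auth port to its effective addr-limit."""
    limits = {}
    for line in config_text.splitlines():
        m = MAC_BASED.match(line.strip())
        if not m:
            continue
        for port in expand_ports(m.group(1)):
            if m.group(2):
                limits[port] = int(m.group(2))  # explicit per-port limit
            else:
                limits.setdefault(port, DEFAULT_ADDR_LIMIT)
    return limits

def ports_below(config_text, needed):
    """Ports whose addr-limit is lower than the number of devices expected."""
    return [p for p, lim in mac_auth_limits(config_text).items() if lim < needed]

if __name__ == "__main__":
    print(ports_below(SAMPLE_CONFIG, needed=2))
```

On the posted configuration only port 1 has the limit raised, which matches the statement in the thread that the addr-limit on that port is already 2.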