Wired Intelligent Edge

  • 1.  Debugging DUP issues

    Posted Jun 24, 2019 12:09 PM

    Hi,

    I've got a 2930 running 16.8.3 which I use to play with all things ClearPass and DUP.

    I've a DUP profile that works just fine for an EAP-TLS device which gets dropped into a named VLAN called "roaming". This works just fine: IP address out of a pool and DDNS to get an FQDN name assigned to it.

    I've also got an AP that I wanted to drop into the same VLAN, so I set up some ClearPass configs and sent the same DUP.

    However, this time the switch said

    W 06/24/19 16:17:48 05204 dca: ST1-CMDR: Failed to apply user role
    UoY_DUP_Roaming___090318-3120-26_7Z4q to macAuth client 204C033A6088
    on port 2/13: user role is invalid.

    Now I couldn't see why it said that, as the same role was working with the dot1x device.

    In the end I suspect it was ClearPass sending a DUR and a "standard" VLAN assignment that confused things, as when I removed the "2nd" VLAN assignment into a "local_5" VLAN (VLAN 5, where we usually put APs) things sprang into life.

    However, my question is: if on a switch you do see "user role is invalid" and you know the role is OK, what tools are there on the switch to find out what is going on? I think I fixed this by going "what if...", I'm sure there must be a more logical way of debugging this.

     



  • 2.  RE: Debugging DUP issues

    Posted Jun 25, 2019 04:57 AM

    Have you done a "show log security"?



  • 3.  RE: Debugging DUP issues

    Posted Jun 25, 2019 07:27 AM

    I believe I did try that at one point... it didn't seem to show any useful info.



  • 4.  RE: Debugging DUP issues

    Posted Jun 25, 2019 07:37 AM

    Is the name of the DUR not too long? (There is some limitation.)

    What is the configuration generated by ClearPass?



  • 5.  RE: Debugging DUP issues

    Posted Jun 25, 2019 03:23 PM

    On ClearPass are you using the Standard or Advanced way of configuring the DUR?

    With the Advanced way I've made some silly mistakes like forgetting a hyphen in the vlan-id syntax.

    What you can do is, in ClearPass, go to Access Tracker and find that specific request, go to Output and the entire DUR should be there; you can try copying and pasting it to see if it throws an error at a specific point.

    As mentioned before, I've had issues with length as well. If the length of the enforcement profile is too long, it'll throw a fit.



  • 6.  RE: Debugging DUP issues

    Posted Jun 25, 2019 03:44 PM

    Do you get anything from "debug security" and "debug destination session"? That should show the exact line the user role is failing on.

    Does the VLAN ID exist on the switch you're trying to apply the role to?



  • 7.  RE: Debugging DUP issues

    Posted Jun 26, 2019 04:36 AM

    In this case I had a ClearPass error that was downloading the profile and trying to set assignment to a different named VLAN. So the DUP was saying one named VLAN and the Access-Accept packet was saying another. The DUP was happily working for another device so I knew it was OK and didn't have a name length problem.

    Once I'd "tweaked" ClearPass to only send the DUP and forced a device reauth it all sprang into life, so yup, it was a silly mistake on my part.

    "debug security" didn't seem to say much; never thought to use "destination session".

    Just need to write all these commands down so I don't reinvent this wheel again a few months down the line!

    Rgds

    Alex
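The switch commands mentioned in the thread ("show log security", "debug security", "debug destination session") give you raw log lines like the one quoted in post 1, but a role that fails on every reauth produces the same line over and over. The script below is an added example of my own, not code from the thread or from Aruba/HPE: it parses that line layout, groups the failures per role/client/port, and applies the two checks the replies suggest, the role-name length limit from posts 4 and 5 and the "role is fine, something else in the reply conflicts" case from post 7. It assumes the line layout seen in post 1 holds for other events, uses a placeholder value for the name-length limit (the thread only says "some limitation"), and runs over constructed sample lines, of which only the first is the real line from post 1, re-joined onto one line as the switch emits it.

```python
# Added example (not code from the thread or from Aruba/HPE): parse ArubaOS-Switch
# "show log" lines for dca "Failed to apply user role" events and group them per
# role, so a repeated "user role is invalid" is pinned to one role/client/port
# before anyone starts guessing. Assumptions are marked below.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumption: posts 4 and 5 only say the role name has "some limitation";
# replace with the limit documented for your switch release.
ASSUMED_MAX_ROLE_NAME_LEN = 64

# Constructed sample input. Line 1 is the failure quoted in post 1, re-joined
# onto one line as the switch emits it; the remaining lines are constructed.
SAMPLE_LOG = """\
W 06/24/19 16:17:48 05204 dca: ST1-CMDR: Failed to apply user role UoY_DUP_Roaming___090318-3120-26_7Z4q to macAuth client 204C033A6088 on port 2/13: user role is invalid.
I 06/24/19 16:17:49 00001 ports: ST1-CMDR: constructed informational line, ignored by the parser
W 06/24/19 16:18:02 05204 dca: ST1-CMDR: Failed to apply user role UoY_DUP_Roaming___090318-3120-26_7Z4q to macAuth client 204C033A6088 on port 2/13: user role is invalid.
W 06/24/19 16:20:11 05204 dca: ST1-CMDR: Failed to apply user role Guest_Role_With_An_Extremely_Long_Name_That_Exceeds_The_Switch_Limit_0123456789 to dot1x client 3C22FB1122AA on port 1/4: user role is invalid.
"""

# Outer line layout inferred from post 1: severity, date, time, event id,
# module, member, message. Assumed to hold for other events too.
LINE_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\d{5}) (?P<module>\w+): (?P<member>[^:]+): (?P<msg>.*)$"
)
# Inner message layout of the dca role-application failure from post 1.
ROLE_FAIL_RE = re.compile(
    r"Failed to apply user role (?P<role>\S+) to (?P<auth>\w+) client "
    r"(?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>\S+): (?P<reason>.+?)\.?$"
)


@dataclass(frozen=True)
class RoleFailure:
    timestamp: str
    role: str
    auth_method: str
    mac: str
    port: str
    reason: str


def parse_log(text: str) -> List[RoleFailure]:
    """Return one RoleFailure per dca 'Failed to apply user role' line."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("module") != "dca":
            continue
        f = ROLE_FAIL_RE.match(m.group("msg"))
        if not f:
            continue
        failures.append(RoleFailure(
            timestamp=f"{m.group('date')} {m.group('time')}",
            role=f.group("role"), auth_method=f.group("auth"),
            mac=f.group("mac").upper(), port=f.group("port"),
            reason=f.group("reason"),
        ))
    return failures


def role_name_too_long(role: str, limit: int = ASSUMED_MAX_ROLE_NAME_LEN) -> bool:
    """Flag a role name longer than the (assumed) switch limit."""
    return len(role) > limit


def triage(text: str) -> Dict[str, dict]:
    """Group failures per role: hit count, clients, ports, reasons, hints."""
    report: Dict[str, dict] = {}
    for f in parse_log(text):
        e = report.setdefault(f.role, {"count": 0, "clients": set(),
                                       "ports": set(), "reasons": Counter(),
                                       "hints": []})
        e["count"] += 1
        e["clients"].add(f"{f.mac} ({f.auth_method})")
        e["ports"].add(f.port)
        e["reasons"][f.reason] += 1
    for role, e in report.items():
        if role_name_too_long(role):
            e["hints"].append("role name exceeds assumed length limit")
        elif e["reasons"]["user role is invalid"]:
            # Post 7's root cause: the role was fine, the Access-Accept also
            # carried a conflicting VLAN. Point the operator at the DUR text.
            e["hints"].append("name length OK; compare the DUR in ClearPass "
                              "Access Tracker output with any VLAN attribute "
                              "sent in the same reply")
    return report


if __name__ == "__main__":
    for role, e in triage(SAMPLE_LOG).items():
        print(f"{role}: {e['count']} failure(s) on ports {sorted(e['ports'])}")
        for hint in e["hints"]:
            print(f"  hint: {hint}")
```

Run it as-is to see the two roles from the sample grouped with their hints, or feed it the output of "show log" from your own switch by replacing SAMPLE_LOG. The MAC is normalised to upper case so that lines from different switch members or releases group together, and the event ID, module and member fields are kept in the outer regex so the same parser can be extended to other dca events without rewriting it.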