Wired Intelligent Edge

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Defining local user-roles for use in event cppm not contactable

  • 1.  Defining local user-roles for use in event cppm not contactable

    MVP EXPERT
    Posted Jul 04, 2022 08:52 AM
    Hi,
    I'm successfully using downloadable user roles via ClearPass and now need to configure some local ones in the event CPPM is not accessible. (Switch code WC.16.10.21)
    Thought I'd try something simple, so the allowall role below should just let the client connect via the statically defined VLAN/port assignment. Got DHCP/DNS and allowall classes; at a later date the allowall class will be replaced with something more representative.

    Unfortunately, it doesn't work.
    I have
    ......
    aaa port-access 1/1 critical-auth user-role allowall
    ......

    Looking through the session logs when I force a reauth I can see

    "dca: ST1-CMDR: Failed to apply user role to macAuth client <macaddress> on port 1/1: user role is invalid"

    Aruba-2930F# show user-role allowall detailed

    User Role Information

    Name : allowall
    Type : local
    Reauthentication Period (seconds) : 3600
    Cached Reauth Period (seconds) : 0
    Logoff Period (seconds) : 300
    Untagged VLAN :
    Tagged VLAN :
    Captive Portal Profile :
    Policy : AllowAll


    Statements for policy "AllowAll"
    policy user "AllowAll"
    10 class ipv4 "DHCP" action permit
    20 class ipv4 "DNS" action permit
    60 class ipv4 "allowall" action permit
    exit



    Statements for class IPv4 "DHCP"
    class ipv4 "DHCP"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    exit



    Statements for class IPv4 "DNS"
    class ipv4 "DNS"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    exit



    Statements for class IPv4 "allowall"
    class ipv4 "allowall"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    Tunnelednode Server Redirect : Disabled
    Secondary Role Name :
    Device Attributes : Disabled

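The post above is about making a local role survive a ClearPass outage, and the only way it checks the wiring is by reading `show user-role detailed` by hand. As an added example that is not part of the post or an Aruba tool, the Python below parses the relevant pieces of an ArubaOS-Switch running-config and cross-references them: `aaa port-access ... critical-auth user-role` must name a defined local role, the role's `policy` must exist, and every `class ipv4` the policy permits must exist. It also flags the point a security reviewer would raise about the configuration shown: a critical-auth role whose policy permits an any/any `ip` class means that while RADIUS is unreachable every client on that port gets unrestricted access, i.e. the fallback fails open. The sample config is constructed from the role, policy and classes shown above; the `Restricted` policy, the `quarantine` role, ports 1/2 and 1/3 and the misspelt `criticalrole` are assumptions added to exercise the checks.

```python
"""Offline consistency check for ArubaOS-Switch local user-role config (added example).

Reference chain checked:
  aaa port-access <port> critical-auth user-role <role>
    -> aaa authorization user-role name "<role>"
       -> policy "<policy>"   (defined as: policy user "<policy>")
          -> class ipv4 "<class>" ... action permit|deny
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: role/policy/classes from the post, plus an assumed
# "Restricted" policy, "quarantine" role, and a misspelt critical-auth role.
SAMPLE_CONFIG = """\
class ipv4 "DHCP"
   10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
   exit
class ipv4 "DNS"
   10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
   exit
class ipv4 "allowall"
   10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
policy user "AllowAll"
   10 class ipv4 "DHCP" action permit
   20 class ipv4 "DNS" action permit
   60 class ipv4 "allowall" action permit
   exit
policy user "Restricted"
   10 class ipv4 "DHCP" action permit
   20 class ipv4 "DNS" action permit
   30 class ipv4 "ICMP" action permit
   exit
aaa authorization user-role name "allowall"
   policy "AllowAll"
   reauth-period 3600
   exit
aaa authorization user-role name "quarantine"
   policy "Restricted"
   reauth-period 3600
   exit
aaa port-access 1/1 critical-auth user-role allowall
aaa port-access 1/2 critical-auth user-role "quarantine"
aaa port-access 1/3 critical-auth user-role "criticalrole"
"""

CLASS_RE = re.compile(r'^class ipv4 "([^"]+)"$')
POLICY_RE = re.compile(r'^policy user "([^"]+)"$')
ROLE_RE = re.compile(r'^aaa authorization user-role name "([^"]+)"$')
CRIT_RE = re.compile(r'^aaa port-access (\S+) critical-auth user-role "?([^"\s]+)"?$')
MATCH_RE = re.compile(r'^\d+ match (\S+) (.+)$')
POLICY_STMT_RE = re.compile(r'^\d+ class ipv4 "([^"]+)" action (permit|deny)')
ROLE_POLICY_RE = re.compile(r'^policy "([^"]+)"$')


def parse_config(text: str):
    """Return (classes, policies, roles, critical) dicts keyed by name / port."""
    classes: Dict[str, List[Tuple[str, str]]] = {}
    policies: Dict[str, List[Tuple[str, str]]] = {}
    roles: Dict[str, Dict[str, str]] = {}
    critical: Dict[str, str] = {}
    stack: List[Tuple[str, str]] = []  # open blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            if stack:
                stack.pop()
            continue
        if m := CLASS_RE.match(line):
            classes[m[1]] = []; stack.append(("class", m[1])); continue
        if m := POLICY_RE.match(line):
            policies[m[1]] = []; stack.append(("policy", m[1])); continue
        if m := ROLE_RE.match(line):
            roles[m[1]] = {}; stack.append(("role", m[1])); continue
        if m := CRIT_RE.match(line):
            critical[m[1]] = m[2]; continue
        if not stack:
            continue
        kind, name = stack[-1]
        if kind == "role" and line == "device":
            stack.append(("device", name))  # nested block with its own "exit"
        elif kind == "class" and (m := MATCH_RE.match(line)):
            classes[name].append((m[1], m[2]))
        elif kind == "policy" and (m := POLICY_STMT_RE.match(line)):
            policies[name].append((m[1], m[2]))
        elif kind == "role" and (m := ROLE_POLICY_RE.match(line)):
            roles[name]["policy"] = m[1]
    return classes, policies, roles, critical


def _addr_is_any(tokens: List[str]):
    """Consume one address operand ("any", "A.B.C.D MASK", "host A.B.C.D")."""
    if tokens and tokens[0] == "any":
        return True, tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "0.0.0.0" and tokens[1] == "255.255.255.255":
        return True, tokens[2:]
    return False, tokens[2:]


def class_is_any_ip(statements) -> bool:
    """True if a statement matches all IP traffic from anywhere to anywhere."""
    for proto, operands in statements:
        src_any, rest = _addr_is_any(operands.split())
        dst_any, _ = _addr_is_any(rest)
        if proto == "ip" and src_any and dst_any:
            return True
    return False


def check_config(text: str) -> List[str]:
    classes, policies, roles, critical = parse_config(text)
    findings: List[str] = []
    fail_open = set()  # policies that permit an any/any ip class
    for pname, stmts in policies.items():
        for cname, action in stmts:
            if cname not in classes:
                findings.append(f'policy "{pname}" references undefined class "{cname}"')
            elif action == "permit" and class_is_any_ip(classes[cname]):
                fail_open.add(pname)
    for rname, attrs in roles.items():
        pol = attrs.get("policy")
        if pol is None:
            findings.append(f'role "{rname}" has no policy: traffic is unfiltered')
        elif pol not in policies:
            findings.append(f'role "{rname}" references undefined policy "{pol}"')
    for port, rname in critical.items():
        if rname not in roles:
            findings.append(f'port {port}: critical-auth role "{rname}" is not a defined local role')
        else:
            pol = roles[rname].get("policy")
            if pol in fail_open:
                findings.append(f'port {port}: critical-auth role "{rname}" fails open (policy "{pol}" permits any/any ip)')
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config` dump instead of the sample; a role that the switch reports as "invalid" for a critical-auth port will show up here as a dangling reference, and any role you intend as a restricted fallback should produce no "fails open" line.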

  • 2.  RE: Defining local user-roles for use in event cppm not contactable

    MVP EXPERT
    Posted Jul 04, 2022 10:37 AM
    Should say that CPPM is in monitor mode and not sending back a user-role. Even get the message when I've assigned an explicit initial user-role, so is the log just telling me that it hasn't seen a downloaded user-role?

    if I do show port-access 1/1 client

    it shows that it has role "allowall" applied
    A


  • 3.  RE: Defining local user-roles for use in event cppm not contactable

    EMPLOYEE
    Posted Jul 06, 2022 07:07 AM

    Hi Alex,

    For me it looks like the CPPM is returning access accept messages only (CPPM Monitor mode: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=22277) and these messages are having the wrong/or missing VSAs (https://community.arubanetworks.com/blogs/esupport1/2020/04/10/arubaos-switch-error-message-05204-dca-failed-to-apply-user-role-reported-in-the-log-file).

    The error message is kind of confirming this (Description: User role VSA received for the client is invalid or does not exist.)

    Event ID: 5204: https://support.hpe.com/hpesc/public/docDisplay?docId=a00093582en_us

    Did you try the critical authentication with no connection to the CPPM?




  • 4.  RE: Defining local user-roles for use in event cppm not contactable

    MVP EXPERT
    Posted Jul 06, 2022 09:39 AM
    Hi,
    Yes I tried that on my dev server nasty home.
    At home I have
    class ipv4 "DNS"
    10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
    20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
    30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
    exit
    class ipv4 "DHCP"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    exit
    class ipv4 "ICMP"
    10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    class ipv4 "allowall"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    policy user "AllowAll"
    10 class ipv4 "DHCP" action permit
    20 class ipv4 "DNS" action permit
    30 class ipv4 "ICMP" action permit
    60 class ipv4 "allowall" action permit
    exit

    aaa authorization user-role name "servers"
    policy "AllowAll"
    reauth-period 3600
    vlan-name "servers"
    exit
    aaa authorization user-role name "allowall"
    policy "AllowAll"
    reauth-period 3600
    exit
    aaa authorization user-role name "critical-role"
    policy "AllowAll"
    reauth-period 3600
    exit
    aaa authorization user-role name "aruba-instant-ap"
    policy "AllowAll"
    reauth-period 3600
    vlan-name "DEFAULT_VLAN"
    vlan-id-tagged 2-6,10,111,222,333
    device
    poe-allocate-by-class
    admin-edge-port
    port-mode
    exit
    exit

    And finally …..

    aaa port-access 2 auth-order authenticator mac-based
    aaa port-access 3 controlled-direction in
    aaa port-access 3 auth-order authenticator mac-based
    aaa port-access 3 auth-priority authenticator mac-based
    aaa port-access 3 critical-auth user-role "aruba-instant-ap"
    aaa port-access 4 controlled-direction in
    aaa port-access 4 auth-order authenticator mac-based
    aaa port-access 4 auth-priority authenticator mac-based
    aaa port-access 4 critical-auth user-role "aruba-instant-ap"
    aaa port-access 5 controlled-direction in
    aaa port-access 5 auth-order authenticator mac-based
    aaa port-access 5 auth-priority authenticator mac-based
    aaa port-access 5 critical-auth user-role "aruba-instant-ap"
    aaa port-access 6 controlled-direction in
    aaa port-access 6 auth-order authenticator mac-based
    aaa port-access 6 auth-priority authenticator mac-based
    aaa port-access 7 controlled-direction in
    aaa port-access 7 auth-order authenticator mac-based
    aaa port-access 7 auth-priority authenticator mac-based
    aaa port-access 7 critical-auth user-role "servers"
    aaa port-access 8 controlled-direction in
    aaa port-access 8 auth-order authenticator mac-based
    aaa port-access 8 auth-priority authenticator mac-based
    aaa port-access 8 critical-auth user-role "aruba-instant-ap"


    Had a power cut at home and switches came back before cppm and ended up getting the following

    W 07/06/22 09:58:23 05204 dca: Failed to apply user role to macAuth client
    5AC41408495B on port 4: user role is invalid.
    W 07/06/22 09:58:13 05204 dca: Failed to apply user role to macAuth client
    DC4F22EC13FC on port 4: user role is invalid.
    W 07/06/22 09:58:12 05204 dca: Failed to apply user role to macAuth client
    DC4F22F2D31E on port 3: user role is invalid.
    W 07/06/22 09:58:10 05204 dca: Failed to apply user role to macAuth client
    1C30080934EE on port 4: user role is invalid.
    W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
    8A1E274C75F1 on port 4: user role is invalid.
    W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
    140AC5ACAD9D on port 4: user role is invalid.
    W 07/06/22 09:58:08 05204 dca: Failed to apply user role to macAuth client
    C8E265001B76 on port 3: user role is invalid.

    The above relate to an Aruba instant AP which should have been in port mode so I shouldn’t have seen them. When cppm is there and I’m using DUP, works just fine
    A
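The 05204 burst above, several MACs on two ports within a few seconds right after the switches came up before CPPM, is what an authorization-path outage looks like from the switch log. As an added example that is not part of the thread, the Python below reassembles wrapped ArubaOS-Switch event-log records, keeps the 05204 `dca` events, and raises an alert when many distinct clients hit the error inside a short window; a single client's bad VSA does not trip it, a dead or misconfigured RADIUS path does. The log lines are constructed in the format of the post with made-up MAC addresses, and the 60-second gap and five-client threshold are assumptions to tune for your estate.

```python
"""Burst detection for ArubaOS-Switch event 05204 "Failed to apply user role" (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the switch's event-log format; MACs are made up. The
# 09:58 burst mimics clients re-authenticating while RADIUS is still down,
# the 07:12 entry is a lone failure that should not alert.
SAMPLE_LOG = """\
W 07/06/22 07:12:40 05204 dca: Failed to apply user role to macAuth client
0011AA000001 on port 7: user role is invalid.
I 07/06/22 09:58:05 00076 ports: port 4 is now on-line
W 07/06/22 09:58:08 05204 dca: Failed to apply user role to macAuth client
0011AA000010 on port 3: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
0011AA000011 on port 4: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
0011AA000012 on port 4: user role is invalid.
W 07/06/22 09:58:10 05204 dca: Failed to apply user role to macAuth client
0011AA000013 on port 4: user role is invalid.
W 07/06/22 09:58:12 05204 dca: Failed to apply user role to macAuth client
0011AA000014 on port 3: user role is invalid.
W 07/06/22 09:58:13 05204 dca: Failed to apply user role to macAuth client
0011AA000015 on port 4: user role is invalid.
W 07/06/22 09:58:23 05204 dca: Failed to apply user role to macAuth client
0011AA000015 on port 4: user role is invalid.
"""

# "<severity> MM/DD/YY HH:MM:SS <5-digit event id> <message>"
RECORD_RE = re.compile(r"^([IWMDA]) (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d{5}) (.*)$")
# Works for both "dca: Failed ..." and "dca: ST1-CMDR: Failed ..." variants.
ROLE_FAIL_RE = re.compile(r"client ([0-9A-Fa-f]{12}) on port (\S+): (.+?)\.?$")


@dataclass
class RoleFailure:
    ts: datetime
    mac: str
    port: str
    reason: str


def parse_log(text: str) -> List[RoleFailure]:
    """Glue wrapped continuation lines back onto their record, keep 05204 events."""
    records: List[List[str]] = []  # [severity, timestamp, event_id, message]
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append([m[1], m[2], m[3], m[4]])
        elif records and line.strip():
            records[-1][3] += " " + line.strip()  # continuation of a wrapped line
    failures: List[RoleFailure] = []
    for _sev, ts, event_id, msg in records:
        if event_id != "05204":
            continue
        d = ROLE_FAIL_RE.search(msg)
        if d:
            failures.append(RoleFailure(datetime.strptime(ts, "%m/%d/%y %H:%M:%S"),
                                        d[1].upper(), d[2], d[3]))
    return failures


def detect_bursts(failures: List[RoleFailure], gap_s: int = 60,
                  min_clients: int = 5) -> List[Dict]:
    """Cluster failures separated by <= gap_s seconds; alert when a cluster
    spans at least min_clients distinct MACs (retries by one MAC count once)."""
    alerts: List[Dict] = []
    cluster: List[RoleFailure] = []

    def flush() -> None:
        macs = {f.mac for f in cluster}
        if len(macs) >= min_clients:
            alerts.append({"start": cluster[0].ts, "end": cluster[-1].ts,
                           "clients": len(macs), "events": len(cluster),
                           "ports": sorted({f.port for f in cluster})})

    for f in sorted(failures, key=lambda f: f.ts):
        if cluster and f.ts - cluster[-1].ts > timedelta(seconds=gap_s):
            flush()
            cluster = []
        cluster.append(f)
    if cluster:
        flush()
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_log(SAMPLE_LOG)):
        print(f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}: {a['clients']} clients, "
              f"{a['events']} events on ports {', '.join(a['ports'])}")
```

Feed it the output of `show logging -r` (or the syslog stream) and correlate an alert with RADIUS reachability; if the burst coincides with the server being down, the critical-auth role itself, not the VSA, is what the switch is rejecting.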




  • 5.  RE: Defining local user-roles for use in event cppm not contactable

    EMPLOYEE
    Posted Jul 07, 2022 06:05 AM
    Hi Alex,

    Have you tried to enable debugging to see more details? 
    You can try the debugs for port-access and radius (debug security port-access/radius).