Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Downloadable User Role Error on Boot

This thread has been viewed 9 times
  • 1.  Downloadable User Role Error on Boot

    Posted Feb 12, 2020 04:41 PM

    Hi guys,

     

    We have DUR (Downloadable User Roles) working great - however, upon a switch reboot, we're seeing these deauthentications for all ports. 

     

    Most of the ports seem to come up eventually (assuming after the device talks to create traffic to initiate the MAC Auth), although we have the odd one where the only solution is to reboot the device (not idea with remote devices).

     

     

     

     

     

    W 02/13/20 09:44:52 05630 dca: AM1: Faulty line: aaa authorization user-role name cppm-dur-role-name-3064-2_7Z4q .
    W 02/13/20 09:44:52 05619 dca: AM1: macAuth Deauthenticating client 001755EA579B on port D20, downloaded user role cppm-dur-role-nam... is not valid as CLI execution Error.
    W 02/13/20 09:44:52 05619 dca: AM1: macAuth Deauthenticating client 30B5C203317E on port D19, downloaded user role cppm-dur-role-nam... is not valid as CLI execution Error.

     

     

     

     

     

    Is this expected on a reboot?

     

    Cheers,

    Ben.



  • 2.  RE: Downloadable User Role Error on Boot

    EMPLOYEE
    Posted Feb 13, 2020 03:40 AM

    Looks to me that there is an error in the Downloadable role content for this specific user.

     

    Doesn't sound like expected or how it should work. If you can't find the issue with this specific role (or roles if there are multiple), please work with Aruba support.



  • 3.  RE: Downloadable User Role Error on Boot

    Posted Feb 13, 2020 04:14 AM

    Thanks Herman.  The role is very simple (literally just a vlan id and a permit-all ACL).  It works fine (no errors) through version iterations and users connecting etc - so I think the role itself is fine - this error only happens on boot.

     

    I'll log a call.

     

    Cheers!



  • 4.  RE: Downloadable User Role Error on Boot

    Posted 13 days ago

    Hi

    I have the same issue.

    I found out that this only appears in VSF stack. With single switch there is no issue.

    I think the problem is that the devices are trying to authenticate too early, even the stack is not yet formed (see attached picture).

    Also in log I could see the dur errors like you see, but after the message:
    stacking: ST1-CMDR: Redundant Standby Management Module syncing is complete. Configuration changes are allowed
    there are no more errors for DUR.