Original Message:
Sent: Apr 05, 2023 05:10 AM
From: Herman Robers
Subject: Failed to apply user role
Can you try to change your RADIUS/ClearPass configuration on the switch to use the FQDN instead of the IP address?
BTW, I would have expected this to be documented if there was a change between WC.16.11.0008 and WC.16.11.0010, but could not find anything.
If configuring the FQDN (hostname of your ClearPass) does not work, it may make sense to open a support case, as it's strange that the behavior changes between such a small firmware step without anything documented in the release notes.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 05, 2023 03:43 AM
From: mmedoadm
Subject: Failed to apply user role
The certificate is ECC and RSA is disabled. ClearPass version is 6.11.2.252294.
I noticed that the switch is trying to download the DUR from:
https://10.YY.0.XX/async_netd/arubacppmapi/downloadableconfig?role=Medo__VL_41__Voice41__DUR-3249-1
It's the IP of the ClearPass VIP instead of the DNS name, as specified in the RADIUS config.
Maybe this is the drawback?
Original Message:
Sent: Apr 05, 2023 02:50 AM
From: Herman Robers
Subject: Failed to apply user role
Based on CERT_INVALID_KEY Usage, can you share the HTTPS certificate that you have on your ClearPass? It looks self-signed, a CA certificate, or not for Server Authentication.
If you are on ClearPass 6.10 or 6.11, make sure that if you have an ECC HTTPS certificate, the RSA HTTPS certificate is disabled. And if you have an RSA HTTPS certificate, make sure the ECC cert is disabled. If you have both enabled, and one is a default/self-signed, depending on the firmware version/OS, the switch may prefer RSA or ECC, which can be the wrong one. Most modern web browsers prefer ECC if both are available.
------------------------------
Herman Robers
------------------------
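An added example, not from this thread and not Aruba or ClearPass code: a stdlib-only Python check of the certificate properties the reply above and the downloadableconfig URL put in question, namely whether the key is EC or RSA, whether extendedKeyUsage includes serverAuth, whether the certificate is a CA or self-signed one, and whether the host the switch actually connects to (the VIP address in the URL versus the ClearPass FQDN) appears in subjectAltName. The hostname cppm.example.net, the VIP 10.20.0.5 and the certificates themselves are constructed for the example, with placeholder key and signature bytes. For a real check, feed analyze_certificate() the DER of the certificate ClearPass serves (exported from ClearPass, or captured with openssl s_client against the VIP) and give dur_checklist() the host exactly as it appears in the downloadableconfig URL.

```python
"""Added example: inspect the fields of a ClearPass HTTPS certificate that decide whether a
switch accepts it for a DUR download. Pure stdlib DER parsing; sample certs are constructed."""
import socket

OID_KEY = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}
OID_EKU, OID_SAN, OID_BC = "2.5.29.37", "2.5.29.17", "2.5.29.19"
OID_SERVER_AUTH, OID_P256 = "1.3.6.1.5.5.7.3.1", "1.2.840.10045.3.1.7"


def der(tag, payload):
    """Encode one DER TLV with a definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_read(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, next_pos); single-byte tags only (enough for X.509)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Members of a constructed value as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = der_read(value, pos)
        out.append((tag, body))
    return out


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def analyze_certificate(der_cert):
    """Key algorithm, serverAuth EKU, SAN names, CA flag and a self-signed hint from a DER cert."""
    fields = der_children(der_children(der_read(der_cert)[1])[0][1])  # tbsCertificate members
    if fields[0][0] == 0xA0:  # drop the explicit [0] version
        fields = fields[1:]
    issuer, subject, spki = fields[2][1], fields[4][1], fields[5][1]
    key_oid = decode_oid(der_children(der_children(spki)[0][1])[0][1])
    info = {"key_algorithm": OID_KEY.get(key_oid, key_oid), "server_auth": False, "san_dns": [],
            "san_ip": [], "is_ca": False, "self_signed": issuer == subject}  # also true for a root CA
    extensions = [body for tag, body in fields[6:] if tag == 0xA3]  # [3] extensions, if present
    for _, ext in (der_children(der_children(extensions[0])[0][1]) if extensions else []):
        parts = der_children(ext)  # OID [, critical BOOLEAN], OCTET STRING extnValue
        oid, inner = decode_oid(parts[0][1]), der_children(parts[-1][1])[0][1]
        if oid == OID_EKU:
            info["server_auth"] = any(decode_oid(v) == OID_SERVER_AUTH for _, v in der_children(inner))
        elif oid == OID_SAN:
            for gtag, gval in der_children(inner):
                if gtag == 0x82:  # dNSName
                    info["san_dns"].append(gval.decode("ascii"))
                elif gtag == 0x87 and len(gval) == 4:  # iPAddress, IPv4
                    info["san_ip"].append(socket.inet_ntoa(gval))
        elif oid == OID_BC:
            info["is_ca"] = any(t == 0x01 and v == b"\xff" for t, v in der_children(inner))
    return info


def dur_checklist(info, switch_target):
    """Reasons a switch fetching a DUR from switch_target (the host in the downloadableconfig
    URL, IP or FQDN) would reject this certificate; empty list means nothing obvious is wrong."""
    names = info["san_dns"] + info["san_ip"]
    checks = [(not info["server_auth"], "extendedKeyUsage lacks serverAuth"),
              (info["is_ca"], "basicConstraints cA=TRUE (CA certificate, not a server cert)"),
              (info["self_signed"], "issuer equals subject (self-signed)"),
              (switch_target not in names, f"{switch_target} not in subjectAltName {names}")]
    return [msg for bad, msg in checks if bad]


def build_sample_cert(key, cn, san_dns=(), san_ips=(), server_auth=True, ca=False, issuer_cn="Lab CA"):
    """Constructed sample certificate: placeholder key and signature bytes, not verifiable."""
    def name(v): return der(0x30, der(0x31, der(0x30, der(0x06, encode_oid("2.5.4.3")) + der(0x0C, v.encode()))))
    def ext(oid, body): return der(0x30, der(0x06, encode_oid(oid)) + der(0x04, body))
    key_oid = "1.2.840.10045.2.1" if key == "EC" else "1.2.840.113549.1.1.1"
    params = der(0x06, encode_oid(OID_P256)) if key == "EC" else der(0x05, b"")
    spki = der(0x30, der(0x30, der(0x06, encode_oid(key_oid)) + params) + der(0x03, b"\x00" * 33))
    sig_alg = der(0x30, der(0x06, encode_oid("1.2.840.10045.4.3.2")))  # ecdsa-with-SHA256
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))
    gnames = b"".join(der(0x82, d.encode()) for d in san_dns) + b"".join(der(0x87, socket.inet_aton(i)) for i in san_ips)
    exts = ext(OID_SAN, der(0x30, gnames)) + ext(OID_BC, der(0x30, der(0x01, b"\xff") if ca else b""))
    if server_auth:
        exts += ext(OID_EKU, der(0x30, der(0x06, encode_oid(OID_SERVER_AUTH))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name(issuer_cn)
              + validity + name(cn) + spki + der(0xA3, der(0x30, exts)))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))
```

Calling `dur_checklist(analyze_certificate(cert), "10.20.0.5")` on a certificate that only carries the FQDN in subjectAltName reports the name mismatch, while the same certificate passes for "cppm.example.net": that is the difference between pointing the switch at the VIP address and at the ClearPass hostname. Because ClearPass can hold an RSA and an ECC HTTPS certificate at the same time, run the check on the certificate the switch is actually served, not just the one you expect to be active.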
Original Message:
Sent: Apr 04, 2023 12:21 PM
From: mmedoadm
Subject: Failed to apply user role
Please find below some more information:
I believe that there is an issue with the EC certificate because the DUR is starting download but never completes due to handshake failure.
I'm in between Switching and Clearpass TAC team who are disputing where the issue resides.
Any thoughts ?
Original Message:
Sent: Apr 04, 2023 08:44 AM
From: Herman Robers
Subject: Failed to apply user role
If you just see
05204 dca: ST1-CMDR: Failed to apply user role Medo__VL_41__Voice__DUR-3185-7_7Z4q to macAuth client XXXXXXXX on port 2/21: user role is invalid.
in the logging, it looks like the switch is not even trying to download the role, but is looking for a local user role (that does not exist).
You can either increase the log verbosity or enable debugging for port-access/DUR/RADIUS and find the issue yourself, or open a TAC Case and let TAC find the issue.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Apr 02, 2023 02:49 PM
From: mmedoadm
Subject: Failed to apply user role
The same configuration is working for switches running WC_16_11_0007.
I believe the issue resides in the HTTPS communication with ClearPass.
Original Message:
Sent: Apr 02, 2023 10:27 AM
From: Ulises Cazares
Subject: Failed to apply user role
Hi, sometimes when you're typing the rules into the role in ClearPass there could be a typo (hard to see a lot of times) in the ACLs which makes the syntax bad, and the role won't be applied.
Can you show us how you are creating the role in ClearPass?
I hope this helps
Original Message:
Sent: Apr 01, 2023 11:28 PM
From: mmedoadm
Subject: Failed to apply user role
Aruba 2930M-48G-PoE+ Switch (JL322A)
Software revision : WC.16.11.0010
Upgraded from WC.16.11.0008 to WC.16.11.0010, rebooted, and DUR started failing:
05204 dca: ST1-CMDR: Failed to apply user role Medo__VL_41__Voice__DUR-3185-7_7Z4q to macAuth client XXXXXXXX on port 2/21: user role is invalid.
Switch# sh user-role download detail
Downloaded user roles are preceded by *
Checked NTP and communication with ClearPass and it was OK.
The DUR name on clearpass is less than 52 chars.
What could stop the role from being downloaded?