Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Parse error of downloaded userRole

  • 1.  Parse error of downloaded userRole

    Posted Sep 07, 2023 04:12 AM

    Hello!

    We have a problem with one of our switches that I do not know how to resolve.

    We are getting a Parse error of the DUR role. See logs below from debugging.

    The role works on other AOS switches in our environment. Currently, I have only seen this on one switch.

    The 2540 switch is running YC.16.11.0013 but ran YC.16.10.0020 before. Same error on both.

    The config is the same as a working AOS switch as I have done a config compare and also re-configured the CPPM details in the switch.

    Anyone who has any ideas?

    0251:17:36:55.01 AUOR  m8021xCtrl:Auth Order: Port 15: Client status updated for client: 04d9f5-7beccc, auth-method: 2 , auth-state: 1 .
    0251:17:36:55.06 SSL  mcppmTask: (CLIENT)
    0251:17:36:55.06 SSL  mcppmTask: Finished
    0251:17:36:55.06 SSL  mcppmTask:

    0251:17:36:55.09 SSL  mcppmTask:SSL_closeConnection() from AppType:
    0251:17:36:55.09 SSL  mcppmTask:4
    0251:17:36:55.09 UMIB mcppmTask:Download of userRole AAM_BBB_CC_STD-3036-7 is
       success
    0251:17:36:55.09 UMIB mcppmTask:Parsing of downloaded userRole
       AA_BBB_CC_STD-3036-7 is Failed with reason PARSE_ERROR_NO_ENFORCEMENT
    0251:17:36:55.09 UMIB mdcaCtrl: Sending message to authentication task for
       client with request-id 63
    0251:17:36:55.09 1X   m8021xCtrl:Port 15: Received Auth Success for client
       04d9f5-7beccc, User xxx.xxxx@xxxx.com.
    0251:17:36:55.09 UMIB mdcaCtrl:Removing DUR Client with request-id 63 for
       downloadable user role AA_BBB_CC_STD-3036-7 from waiting queue as role
       parsing failed
    0251:17:36:55.09 UMIB m8021xCtrl:8021X Deauthenticating client 04D9F57BECCC on
       port 15, downloaded user role AA_BBB_CC_STD-3036-7 is not valid as
       enforcement profile not present.
    0251:17:36:55.09 UMIB m8021xCtrl:Mac: 04d9f5-7beccc Port: 15 Adding auth client
       to DCA failed because of DUR parse error.



  • 2.  RE: Parse error of downloaded userRole

    Posted Sep 07, 2023 09:49 AM

    Hi Mikael

    Sounds strange. Do I understand you correctly that the same DUR with the same version number works fine on another switch running the same firmware version?

    In some situations when I have had issues with downloadable user roles it has been when the DUR has been created in advanced mode and a new version has a syntax error. But clients already authenticated have an old working version.

    In your example DUR name the last digit is the version number AA_BBB_CC_STD-3036-7.

    Has the DUR been working on these switches or has it never been working on them?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
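
    A log-triage sketch for the failure discussed above, added here as an example and not written by any poster in this thread. The regular expressions are derived only from the debug lines posted in the first message; other firmware versions may format these lines differently, and the function names are hypothetical.

```python
import re

# Debug lines copied from the first post of this thread, wrapping preserved.
SAMPLE = """\
0251:17:36:55.09 UMIB mcppmTask:Download of userRole AAM_BBB_CC_STD-3036-7 is
   success
0251:17:36:55.09 UMIB mcppmTask:Parsing of downloaded userRole
   AA_BBB_CC_STD-3036-7 is Failed with reason PARSE_ERROR_NO_ENFORCEMENT
0251:17:36:55.09 UMIB m8021xCtrl:8021X Deauthenticating client 04D9F57BECCC on
   port 15, downloaded user role AA_BBB_CC_STD-3036-7 is not valid as
   enforcement profile not present.
"""

STAMP = re.compile(r"^\s*(\d{4}:\d{2}:\d{2}:\d{2}\.\d{2})\s+(\S+)\s+(.*)$")
PARSE = re.compile(
    r"Parsing of downloaded userRole (\S+) is (\w+)(?: with reason (\S+))?")
DEAUTH = re.compile(
    r"Deauthenticating client (\S+) on port (\d+), "
    r"downloaded user role (\S+) is not valid")

def unwrap(text):
    """Join wrapped continuation lines onto the timestamped line they follow."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3).strip()])
        elif line.strip() and records:
            records[-1][2] += " " + line.strip()
    return records

def dur_parse_failures(text):
    """One dict per DUR that failed parsing, with the clients deauthenticated."""
    failures = {}
    for stamp, _module, msg in unwrap(text):
        if (m := PARSE.search(msg)) and m.group(2).lower() == "failed":
            # Trailing number after the last '-' is the DUR version (see post 2).
            base, _, version = m.group(1).rpartition("-")
            failures.setdefault(m.group(1), {
                "role": base, "version": version, "reason": m.group(3),
                "first_seen": stamp, "clients": []})
        elif (m := DEAUTH.search(msg)) and m.group(3) in failures:
            failures[m.group(3)]["clients"].append((m.group(1), int(m.group(2))))
    return list(failures.values())

if __name__ == "__main__":
    for failure in dur_parse_failures(SAMPLE):
        print(failure)
```

    Run against debug output collected from several switches, the role version and reason fields show whether a failure follows one DUR version or one switch.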



  • 3.  RE: Parse error of downloaded userRole

    Posted Sep 07, 2023 12:30 PM

    Hello Jonas! 

    Thank you for having a look at my issue and taking the time to respond.

    The same version is working on other switches. Just confirmed it and re-checked.

    I also downloaded configured it on a "new" switch that never had any aaa ports enabled. Worked as intended. Also a 2540, same version and config.

    This is an ongoing Clearpass rollout and we are currently testing wired 1.x on a number of random clients. This switch has not had any prior clients attached to it using EAP or Mac auth. The other switches that have a selected client on them work fine and I also ran a couple of tests today just adding a port and using my laptop (with cable) just to confirm it working on others but not on this one.

    I also tried with our Mac based Access Point authentication as well as my role - same issue. Nothing worked and it complains on parsing.

    And yes, it sounds like it's time to let the TAC have a look :)




  • 4.  RE: Parse error of downloaded userRole

    EMPLOYEE
    Posted Sep 07, 2023 07:20 PM

    I would also completely factory default that switch and start from scratch, to see if that makes a difference.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Parse error of downloaded userRole

    Posted Oct 25, 2023 10:07 AM

    Hey, 

    I got the exact same error message and noticed this:

    We configure our switches with airwave templates. A new switch installed via template got this error (this never worked before, we are quite new in this topic).

    I think it has something to do with this command: "radius-server cppm identity "<Role-Name>" key <Key>" (I stripped away the confidential information)

    The template pushes this command to the switch. Then we get the error. When I execute this command manually on the CLI, everything works as desired and the error disappears.

    Could anyone confirm this behavior?