We have a problem with one of our switches that I do not know how to resolve.
We are getting a Parse error of the DUR role. See logs below from debugging.
The role works on other AOS switches in our environment. Currently, I have only seen this on one switch.
The 2540 switch is running YC.16.11.0013 but ran YC.16.10.0020 before. Same error on both.
The config is the same as a working AOS switch, as I have done a config compare and also re-configured the CPPM details in the switch.
Anyone who has any ideas?
0251:17:36:55.01 AUOR m8021xCtrl:Auth Order: Port 15: Client status updated for client: 04d9f5-7beccc, auth-method: 2 , auth-state: 1 .
0251:17:36:55.06 SSL mcppmTask: (CLIENT)
0251:17:36:55.06 SSL mcppmTask: Finished
0251:17:36:55.06 SSL mcppmTask:
0251:17:36:55.09 SSL mcppmTask:SSL_closeConnection() from AppType:
0251:17:36:55.09 SSL mcppmTask:4
0251:17:36:55.09 UMIB mcppmTask:Download of userRole AAM_BBB_CC_STD-3036-7 is success
0251:17:36:55.09 UMIB mcppmTask:Parsing of downloaded userRole AA_BBB_CC_STD-3036-7 is Failed with reason PARSE_ERROR_NO_ENFORCEMENT
0251:17:36:55.09 UMIB mdcaCtrl: Sending message to authentication task for client with request-id 63
0251:17:36:55.09 1X m8021xCtrl:Port 15: Received Auth Success for client 04d9f5-7beccc, User email@example.com:17:36:55.09 UMIB mdcaCtrl:Removing DUR Client with request-id 63 for downloadable user role AA_BBB_CC_STD-3036-7 from waiting queue as role parsing failed
0251:17:36:55.09 UMIB m8021xCtrl:8021X Deauthenticating client 04D9F57BECCC on port 15, downloaded user role AA_BBB_CC_STD-3036-7 is not valid as enforcement profile not present.
0251:17:36:55.09 UMIB m8021xCtrl:Mac: 04d9f5-7beccc Port: 15 Adding auth client to DCA failed because of DUR parse error.
Sounds strange. Do I understand you correctly that the same DUR with the same version number works fine on another switch running the same firmware version?
In some situations when I have had issues with downloadable user roles, it has been when the DUR has been created in advanced mode and a new version has a syntax error. But clients already authenticated have an old working version.
In your example DUR name, the last digit is the version number: AA_BBB_CC_STD-3036-7.
Has the DUR been working on these switches or has it never been working on them?
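The following is an added example, not part of any post in this thread and not HPE tooling: Python that splits run-together debug output like the paste above back into entries and reports which downloaded role versions failed parsing, separating the version suffix from the role name as the reply above describes. The sample log and its role names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the debug output quoted in the thread,
# run together the way a paste loses its line breaks. Role names are made up.
SAMPLE = (
    "0251:17:36:55.09 SSL mcppmTask:4"
    "0251:17:36:55.09 UMIB mcppmTask:Download of userRole EXAMPLE_ROLE-3036-7 is success"
    "0251:17:36:55.09 UMIB mcppmTask:Parsing of downloaded userRole EXAMPLE_ROLE-3036-7 "
    "is Failed with reason PARSE_ERROR_NO_ENFORCEMENT"
    "0251:17:36:55.09 UMIB mdcaCtrl: Sending message for client with request-id 63"
    "0251:17:40:02.11 UMIB mcppmTask:Download of userRole EXAMPLE_GUEST-3040-2 is success"
)

# Each entry starts with a DDDD:HH:MM:SS.cc timestamp followed by a space.
ENTRY_START = re.compile(r"(?=\d{4}:\d{2}:\d{2}:\d{2}\.\d{2} )")
ENTRY = re.compile(r"^(\S+) (\S+) (\w+):\s*(.*)$", re.S)
DOWNLOAD = re.compile(r"Download of userRole (\S+) is (\w+)")
PARSE = re.compile(r"Parsing of downloaded userRole (\S+) is (\w+)(?: with reason (\w+))?")


def split_entries(text):
    """Split run-together debug output back into one entry per timestamp."""
    return [e.strip() for e in ENTRY_START.split(text) if e.strip()]


def dur_events(text):
    """Return download and parse events for downloadable user roles, in log order."""
    events = []
    for entry in split_entries(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        ts, _module, _task, msg = m.groups()
        for kind, rx in (("download", DOWNLOAD), ("parse", PARSE)):
            hit = rx.search(msg)
            if hit:
                # Per the reply in the thread, the part after the last "-" is the version.
                name, _, version = hit.group(1).rpartition("-")
                events.append({"time": ts, "kind": kind, "role": name, "version": version,
                               "result": hit.group(2).lower(),
                               "reason": hit.group(3) if kind == "parse" else None})
    return events


def failed_roles(text):
    """Map 'role-version' to the parse failure reason the switch logged."""
    return {f"{e['role']}-{e['version']}": e["reason"] for e in dur_events(text)
            if e["kind"] == "parse" and e["result"] != "success"}
```

Running `failed_roles()` over debug output collected from a working and a failing switch shows whether both downloaded the same role version and which one rejected it.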
Thank you for having a look at my issue and taking the time to respond.
The same version is working on other switches. Just confirmed it and re-checked.
I also downloaded configured it on a "new" switch that never had any aaa ports enabled. Worked as intended. Also a 2540, same version and config.
This is an ongoing ClearPass rollout and we are currently testing wired 1.x on a number of random clients. This switch has not had any prior clients attached to it using EAP or Mac auth. The other switches that have a selected client on them work fine, and I also ran a couple of tests today just adding a port and using my laptop (with cable) just to confirm it working on others but not on this one.
I also tried with our Mac based Access Point authentication as well as my role - same issue. Nothing worked and it complains on parsing.
And yes, it sounds like it's time to let the TAC have a look :)
I would also completely factory default that switch and start from scratch, to see if that makes a difference.
I got the exact same error message and noticed this:
We configure our switches with airwave templates. A new switch installed via template got this error (this never worked before, we are quite new in this topic).
I think it has something to do with this command: "radius-server cppm identity "<Role-Name>" key <Key>" (I stripped away the confidential information)
The template pushes this command to the switch. Then we get the error. When I execute this command manually on the CLI, everything works as desired and the error disappears.
Could anyone confirm this behavior?