We configure our switches with airwave templates. A new switch installed via template got this error (this never worked before, we are quite new in this topic).
I think it has something to do with this command: "radius-server cppm identity "<Role-Name>" key <Key>" (I stripped away the confidential information).
The template pushes this command to the switch. Then we get the error. When I execute this command manually on the CLI, everything works as desired and the error disappears.
Original Message:
Sent: Sep 07, 2023 07:19 PM
From: ariyap
Subject: Parse error of downloaded userRole
I would also completely factory default that switch and start from scratch, to see if that makes a difference.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Sep 07, 2023 12:30 PM
From: mikael.svensson
Subject: Parse error of downloaded userRole
Hello Jonas!
Thank you for having a look at my issue and taking the time to respond.
The same version is working on other switches. Just confirmed it and re-checked.
I also downloaded configured it on a "new" switch that never had any aaa ports enabled. Worked as intended. Also a 2540, same version and config.
This is an ongoing ClearPass rollout and we are currently testing wired 1.x on a number of random clients. This switch has not had any prior clients attached to it using EAP or MAC auth. The other switches that have a selected client on them work fine and I also ran a couple of tests today just adding a port and using my laptop (with cable) just to confirm it working on others but not on this one.
I also tried with our Mac based Access Point authentication as well as my role - same issue. Nothing worked and it complains on parsing.
And yes, it sounds like it's time to let TAC have a look :)
Original Message:
Sent: Sep 07, 2023 09:48 AM
From: Jonas Hammarback
Subject: Parse error of downloaded userRole
Hi Mikael
Sounds strange. Do I understand you correctly that the same DUR with the same version number works fine on another switch running the same firmware version?
In some situations when I have had issues with downloadable user roles, it has been when the DUR has been created in advanced mode and a new version has a syntax error. But clients already authenticated have an old working version.
In your example DUR name the last digit is the version number AA_BBB_CC_STD-3036-7.
Has the DUR been working on these switches or has it never been working on them?
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Sep 07, 2023 03:33 AM
From: mikael.svensson
Subject: Parse error of downloaded userRole
Hello!
We have a problem with one of our switches that I do not know how to resolve.
We are getting a Parse error of the DUR role. See logs below from debugging.
The role works on other AOS switches in our environment. Currently, I have only seen this on one switch.
The 2540 switch is running YC.16.11.0013 but ran YC.16.10.0020 before. Same error on both.
The config is the same as a working AOS switch as I have done a config compare and also re-configured the CPPM details in the switch.
Anyone who has any ideas?
0251:17:36:55.01 AUOR m8021xCtrl:Auth Order: Port 15: Client status updated for client: 04d9f5-7beccc, auth-method: 2 , auth-state: 1 .
0251:17:36:55.06 SSL mcppmTask: (CLIENT)
0251:17:36:55.06 SSL mcppmTask: Finished
0251:17:36:55.06 SSL mcppmTask:
0251:17:36:55.09 SSL mcppmTask:SSL_closeConnection() from AppType:
0251:17:36:55.09 SSL mcppmTask:4
0251:17:36:55.09 UMIB mcppmTask:Download of userRole AAM_BBB_CC_STD-3036-7 is
success
0251:17:36:55.09 UMIB mcppmTask:Parsing of downloaded userRole
AA_BBB_CC_STD-3036-7 is Failed with reason PARSE_ERROR_NO_ENFORCEMENT
0251:17:36:55.09 UMIB mdcaCtrl: Sending message to authentication task for
client with request-id 63
0251:17:36:55.09 1X m8021xCtrl:Port 15: Received Auth Success for client
04d9f5-7beccc, User xxx.xxxx@xxxx.com.
0251:17:36:55.09 UMIB mdcaCtrl:Removing DUR Client with request-id 63 for
downloadable user role AA_BBB_CC_STD-3036-7 from waiting queue as role
parsing failed
0251:17:36:55.09 UMIB m8021xCtrl:8021X Deauthenticating client 04D9F57BECCC on
port 15, downloaded user role AA_BBB_CC_STD-3036-7 is not valid as
enforcement profile not present.
0251:17:36:55.09 UMIB m8021xCtrl:Mac: 04d9f5-7beccc Port: 15 Adding auth client
to DCA failed because of DUR parse error.
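
Added example (not part of the thread, and not Aruba or HPE code): a small Python triage script for debug output in the format posted above. It rejoins the wrapped lines, then lists DUR downloads, parse failures with their reason code, and the clients rejected as a result. The sample lines are constructed in the shape of the posted log, the MAC address is made up, and the name/version split assumes the convention described in the reply above (the number after the last hyphen is the version).

```python
import re

# Constructed sample in the shape of the posted debug output (wrapped lines included).
SAMPLE = """\
0251:17:36:55.09 UMIB mcppmTask:Download of userRole AA_BBB_CC_STD-3036-7 is
success
0251:17:36:55.09 UMIB mcppmTask:Parsing of downloaded userRole
AA_BBB_CC_STD-3036-7 is Failed with reason PARSE_ERROR_NO_ENFORCEMENT
0251:17:36:55.09 UMIB m8021xCtrl:Mac: 001122-334455 Port: 15 Adding auth client
to DCA failed because of DUR parse error.
"""

STAMP = re.compile(r"^\d{4}:\d{2}:\d{2}:\d{2}\.\d{2} ")
DOWNLOAD = re.compile(r"Download of userRole (\S+) is (\w+)")
PARSE = re.compile(r"Parsing of downloaded userRole (\S+) is Failed with reason (\w+)")
CLIENT = re.compile(r"Mac: (\S+) Port: (\d+) Adding auth client to DCA failed")

def unwrap(text):
    """Rejoin wrapped output: a line with no timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def split_role(name):
    """Split 'BASE-<version>' on the last hyphen; version is None if not numeric."""
    base, _, version = name.rpartition("-")
    return (base, int(version)) if base and version.isdigit() else (name, None)

def triage(text):
    """Collect download results, parse failures and rejected clients from debug text."""
    out = {"downloads": [], "parse_failures": [], "rejected_clients": []}
    for rec in unwrap(text):
        if m := DOWNLOAD.search(rec):
            out["downloads"].append((*split_role(m.group(1)), m.group(2)))
        elif m := PARSE.search(rec):
            out["parse_failures"].append((*split_role(m.group(1)), m.group(2)))
        elif m := CLIENT.search(rec):
            out["rejected_clients"].append((m.group(1), int(m.group(2))))
    return out

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE).items():
        print(kind, rows)
```

Running the same script over debug captures from a working and a failing switch makes it easy to compare which role version each one downloaded and which reason code, if any, the parser returned.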