Hi,
So ...
2930 switch running WC.16.11.18
Switch configured to use downloadable user roles
Normal operation is
1). In ClearPass, have 2 services, one for switches in monitor mode and one for switches in "live mode"
2). Switch configured to use DURs and in monitor mode group on CPPM
3). Define an initial-role with a set of ACLs that correspond to what would be sent in a DUR
4). Connect device to switch port... CPPM authenticates it, tells you what it would do and sends back an access accept
5). Switch sees successful auth but no DUR so uses the local user-role as defined either globally on switch or on the switch port
6). While switch port has mac-pin enabled on a switch port this will be overridden by contents of the user-role used
7). Local user role called initial-role has a policy statement (AllowAll) and a reauth period of 3600
8). sh user-role initial-role shows that the logoff-period=300 secs
9). sh port-access client shows that specific switch port using user-role initial-role
10). From the above, to me this implies that the logoff-period=300 is enforced.
11). Create a new user-role called voip-client, same as initial-role one but includes logoff-period=0
12). Assign this role to switch port and reauth client
13). Switch generates a log error saying you cannot use a logoff-period statement in a user-role being used in an initial / critical state
So when using a switch in a local user-role environment, how can I disable the logoff period or even set it to a large number if the user-role overrides the switch port statement?
Rgds
Alex