Thanks for the reply.
The main issue is the length of time the customer is running switches in “monitor mode”. It’s been a while; normally I’d expect to run monitor mode for a short period and then move to DURs (where, as you know, you can set the logoff period
Original Message:
Sent: 8/23/2024 2:58:00 AM
From: Herman Robers
Subject: RE: setting logoff period to 0 in an initial-role on a 2930
Alex, this is a pretty specific situation and question. If the switch shows an error that you cannot set that statement in an initial role (which sounds logical, as what should the switch fall back on when the logoff timer expires? You would end up with a dead end for such a client), what you ask may just not be possible (by design, or never considered as a use case). If there are no further responses here, you may reach out to TAC and see if they can provide a definitive answer to this.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 20, 2024 10:43 AM
From: alexs-nd
Subject: setting logoff period to 0 in an initial-role on a 2930
Hi,
So ...
2930 switch running WC.16.11.18
Switch configured to use downloadable user roles
Normal operation is:
1). In ClearPass have 2 services, one for switches in monitor mode and one for switches in "live mode"
2). Switch configured to use DURs and in the monitor mode group on CPPM
3). Define an initial-role with a set of ACLs that correspond to what would be sent in a DUR
4). Connect device to switch port... CPPM authenticates it, tells you what it would do and sends back an access accept
5). Switch sees successful auth but no DUR, so uses the local user-role as defined either globally on the switch or on the switch port
6). While the switch port has mac-pin enabled, this will be overridden by the contents of the user-role used
7). Local user role called initial-role has a policy statement (AllowAll) and a reauth period of 3600
8). sh user-role initial-role shows that the logoff-period = 300 secs
9). sh port-access client shows that specific switch port using user-role initial-role
10). From the above, to me this implies that the logoff-period=300 is enforced.
11). Create a new user-role called voip-client, same as the initial-role one but including logoff-period=0
12). Assign this role to the switch port and reauth the client
13). Switch generates a log error saying you cannot use a logoff-period statement in a user-role being used in an initial / critical state
So when using a switch in a local user-role environment, how can I disable the logoff period, or even set it to a large number, if the user-role overrides the switch port statement?
Rgds
Alex
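A small pre-deployment check for the failure Alex describes in steps 11 to 13 (a logoff-period statement inside a role assigned as the initial or critical role). This is an added example and not code from either poster or from Aruba; the ArubaOS-Switch-style `aaa authorization user-role name ...` / `aaa authorization user-role initial-role ...` syntax and the sample config are assumptions modelled on the thread, not captured from a real switch.

```python
import re

# Constructed config excerpt (assumed ArubaOS-Switch syntax, not from the post):
# voip-client carries logoff-period 0 and is then assigned as the initial role.
SAMPLE_CONFIG = """
aaa authorization user-role name "initial-role"
   policy "AllowAll"
   reauth-period 3600
   exit
aaa authorization user-role name "voip-client"
   policy "AllowAll"
   reauth-period 3600
   logoff-period 0
   exit
aaa authorization user-role initial-role "voip-client"
"""

ROLE_DEF = re.compile(r'^aaa authorization user-role name "?([^"\s]+)"?$')
# 'critical-role' is an assumed keyword mirroring the "initial / critical state" wording.
ROLE_USE = re.compile(r'^aaa authorization user-role (initial-role|critical-role) "?([^"\s]+)"?$')

def parse_roles(config):
    """Map each locally defined user-role to its attribute statements."""
    roles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ROLE_DEF.match(line)
        if m:
            current = m.group(1)
            roles[current] = {}
        elif line == "exit":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            roles[current][key] = value.strip().strip('"')
    return roles

def lint(config):
    """Flag initial/critical role assignments the switch would reject at runtime."""
    roles, findings = parse_roles(config), []
    for raw in config.splitlines():
        m = ROLE_USE.match(raw.strip())
        if not m:
            continue
        kind, name = m.groups()
        attrs = roles.get(name)
        if attrs is None:
            findings.append(f"{kind} references undefined role {name}")
        elif "logoff-period" in attrs:
            findings.append(f"{kind} role {name} carries logoff-period "
                            f"{attrs['logoff-period']}, which the switch rejects")
    return findings
```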