Wired Intelligent Edge

 View Only
last person joined: 23 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Expand all | Collapse all

switch fails to save local user policy

This thread has been viewed 7 times
  • 1.  switch fails to save local user policy

    MVP EXPERT
    Posted May 05, 2023 08:53 AM

    I have a couple of 2930 switches running 16.10.24 & 16.11.10  firmware.  On both I have the following defined

    class ipv4 "DNS"
         10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
         20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
         30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
       exit
    class ipv4 "DHCP"
         10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
       exit
    class ipv4 "ICMP"
         10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    class ipv4 "allowall"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    class ipv4 "Permit-All"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.25.255
       exit
    policy user "AllowAll"
         10 class ipv4 "DNS" action permit
         20 class ipv4 "DHCP" action permit
         30 class ipv4 "ICMP" action permit
         40 class ipv4 "Permit-All" action permit
       exit

    which gives me a  basicl setup to start from when creating local user roles to use with DURs

    The above works .... until yuo reboot the switch then wen it comes back the policy statement is empty and you have to re-enger them manually... would rather not do this when a site has 10's of switches


    Anyone seen this behaviour before?

    Have typed the class statemnts within the policy with quote  class name  of  unquoted name, doesnt make a difference, still doesn't work when you reboot the switch
    :-(
    A



  • 2.  RE: switch fails to save local user policy

    Posted May 05, 2023 09:28 AM

    Apologies if this is a stupid question, but did you save (write mem) the configuration before the switch reboot?
    Have you enabled role-based in the switch configuration? I think you can't even configure if you have not, but just to be sure.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: switch fails to save local user policy

    MVP EXPERT
    Posted May 05, 2023 10:38 AM
    Yup ,
    Numerous write moms
    Yes role-based enabled, downloadable user roles set up
    Cna see DUrs appesring on switch , change one on Cppm and one on switch gets updated

    This is my dev stuff at home .




  • 4.  RE: switch fails to save local user policy

    Posted May 09, 2023 12:47 AM

    Did the client onboarded successfully after reboot ? Since its DUR asking this question



    ------------------------------
    Shobana
    Aruba
    ------------------------------



  • 5.  RE: switch fails to save local user policy

    MVP EXPERT
    Posted May 09, 2023 03:37 AM
    Hi,
    So after trying a few firmware releases between WC.16.10.21 and WC.16.11.10 all of which exhibited the same issue, I upgraded my 2 2930s to WC.16.11.11 and when they rebooted, … the policy was there after the “boot sys fl xx”


    Thought that had fixed it so I rebooted again, no changesand next time … they weren’t there again.

    Just did a copy fl. fl pro to bet both flasher to 16.11.11 and rebooted into the new primary … and it came back with the policy present, so no idea why it.s doing what it does

    Alos re the DUR not being installed,

    A sh port-access clients show
    Aruba-2930F# sh port-access clients

    Downloaded user roles are preceded by *

    Port Access Client Status

    Port Client Name MAC Address IP Address User Role Type. VLAN
    ----- ------------- ----------------- --------------- ----------------- —— ------------------------------
    3 ND-SpareRo... 204c03-5ad8be 192.168.4.8 mydevices-role 8021X 4
    4 ND-TV-Room... 204c03-3aa640 192.168.4.10 mydevices-role 8021X 4
    5 Barn@aruba.ap 204c03-183124 192.168.4.11 mydevices-role 8021X 4
    6 20-4C-03-3... 204c03-3bf72c 192.168.5.2 *GreenlnkWifi_... MAC 5
    7 68-27-19-A... 682719-a562b6 192.168.2.4 servers MAC 2
    8 ND-Kitchen... 204c03-1792c8 192.168.4.13 mydevices-role 8021X 4



    While a sh user-role down gives

    Aruba-2930F# sh user-role down

    Downloaded user roles are preceded by *

    Downloaded User Roles

    Enabled : Yes
    Type Name
    ---------- ------------------------------------------------------
    downloaded *APs-3264-3
    downloaded *GreenlnkWifi_DUR-3232-3
    downloaded *mydevices_DUR_Switch-3221-14



    Adding detail show that the contents are correct.

    Change DUR on Cppm and the version number on the switch increases

    Force a wreath on a client and you get.


    W 05/09/23 08:11:12 05204 dca: Failed to apply user role APs-3264-3_7Z4q to
    8021X client 204C03183124 on port 5: user role is invalid.


    The key bit here is the fact that theres a _7Z4q at the end of the user-role thats failing … and of course that doest exist


    So the goods news is that at least they are using the local user-roles and. That 1 downloadable one is being used …
    The bad news is that no idea why the other. User-roles aren’t being used or why. The erroneous role that the bit at the end

    Really stumped with this

    A