Hi,
So after trying a few firmware releases between WC.16.10.21 and WC.16.11.10 all of which exhibited the same issue, I upgraded my 2 2930s to WC.16.11.11 and when they rebooted, … the policy was there after the “boot sys fl xx”
Thought that had fixed it so I rebooted again, no changes, and next time … they weren’t there again.
Just did a copy fl. fl pro to get both flashes to 16.11.11 and rebooted into the new primary … and it came back with the policy present, so no idea why it's doing what it does.
Also re the DUR not being installed,
A sh port-access clients shows
Aruba-2930F# sh port-access clients
Downloaded user roles are preceded by *
Port Access Client Status
Port  Client Name    MAC Address    IP Address    User Role          Type   VLAN
----- -------------  -------------  ------------  -----------------  -----  ----
3     ND-SpareRo...  204c03-5ad8be  192.168.4.8   mydevices-role     8021X  4
4     ND-TV-Room...  204c03-3aa640  192.168.4.10  mydevices-role     8021X  4
5     Barn@aruba.ap  204c03-183124  192.168.4.11  mydevices-role     8021X  4
6     20-4C-03-3...  204c03-3bf72c  192.168.5.2   *GreenlnkWifi_...  MAC    5
7     68-27-19-A...  682719-a562b6  192.168.2.4   servers            MAC    2
8     ND-Kitchen...  204c03-1792c8  192.168.4.13  mydevices-role     8021X  4
While a sh user-role down gives
Aruba-2930F# sh user-role down
Downloaded user roles are preceded by *
Downloaded User Roles
Enabled : Yes
Type Name
---------- ------------------------------------------------------
downloaded *APs-3264-3
downloaded *GreenlnkWifi_DUR-3232-3
downloaded *mydevices_DUR_Switch-3221-14
Adding detail shows that the contents are correct.
Change DUR on CPPM and the version number on the switch increases.
Force a reauth on a client and you get:
W 05/09/23 08:11:12 05204 dca: Failed to apply user role APs-3264-3_7Z4q to
8021X client 204C03183124 on port 5: user role is invalid.
The key bit here is the fact that there's a _7Z4q at the end of the user-role that's failing … and of course that doesn't exist.
So the good news is that at least they are using the local user-roles and that 1 downloadable one is being used …
The bad news is that no idea why the other user-roles aren’t being used or why the erroneous role has the bit at the end.
Really stumped with this
A
Original Message:
Sent: 5/5/2023 9:28:00 AM
From: Herman Robers
Subject: RE: switch fails to save local user policy
Apologies if this is a stupid question, but did you save (write mem) the configuration before the switch reboot?
Have you enabled role-based in the switch configuration? I think you can't even configure if you have not, but just to be sure.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: May 05, 2023 08:53 AM
From: alexs-nd
Subject: switch fails to save local user policy
I have a couple of 2930 switches running 16.10.24 & 16.11.10 firmware. On both I have the following defined
class ipv4 "DNS"
     10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
     20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
     30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
   exit
class ipv4 "DHCP"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
   exit
class ipv4 "ICMP"
     10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
class ipv4 "allowall"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
class ipv4 "Permit-All"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
policy user "AllowAll"
     10 class ipv4 "DNS" action permit
     20 class ipv4 "DHCP" action permit
     30 class ipv4 "ICMP" action permit
     40 class ipv4 "Permit-All" action permit
   exit
which gives me a basic setup to start from when creating local user roles to use with DURs.
The above works .... until you reboot the switch, then when it comes back the policy statement is empty and you have to re-enter them manually... would rather not do this when a site has 10s of switches.
Anyone seen this behaviour before?
Have typed the class statements within the policy with quoted class name or unquoted name, doesn't make a difference, still doesn't work when you reboot the switch.
:-(
A
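A check for the symptom described in this thread, as an added example that is not part of the original posts or of any Aruba tooling: it parses saved config text in the `class ipv4` / `policy user` layout shown above and flags user policies that came back with no class entries, plus policy lines that name an undefined class. The function names and the layout of the empty policy block in the sample are assumptions.

```python
import re

# Constructed sample; the empty "policy user" block layout is an assumption.
SAMPLE_AFTER_REBOOT = '''\
class ipv4 "DNS"
     10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
   exit
class ipv4 "Permit-All"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
policy user "AllowAll"
   exit
'''

BLOCK_RE = re.compile(r'^(class ipv4|policy user)\s+"?([^"\s]+)"?\s*$')
ENTRY_RE = re.compile(r'^\d+\s+class ipv4\s+"?([^"\s]+)"?\s+action\s+\S+')


def parse_blocks(config_text):
    """Return (defined class names, {policy name: [referenced class names]})."""
    classes, policies, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = BLOCK_RE.match(line)
        if header:
            kind, name = header.groups()
            current = policies.setdefault(name, []) if kind == "policy user" else None
            if current is None:
                classes.add(name)          # a class block, not a policy block
        elif line == "exit":
            current = None
        elif current is not None:          # numbered entry inside a policy block
            entry = ENTRY_RE.match(line)
            if entry:
                current.append(entry.group(1))
    return classes, policies


def audit(config_text):
    """List findings: empty user policies and references to undefined classes."""
    classes, policies = parse_blocks(config_text)
    findings = []
    for name, refs in policies.items():
        if not refs:
            findings.append(f'policy user "{name}" has no class entries')
        findings += [f'policy user "{name}" references undefined class "{r}"'
                     for r in refs if r not in classes]
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_AFTER_REBOOT)) or "no findings")
```

Run over the saved config collected from each switch after a reboot, an empty result means every user policy still carries its class entries.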