In most cases just compare values in Clearpass access tracker output tab with the switch configuration.
It would be really helpful to have at least a log entry saying that the received role does not exist on the switch.
Original Message:
Sent: May 03, 2024 04:37 AM
From: jantrance
Subject: Troubleshooting RADIUS response, authenticator side (Switch)
Apparently I do have a test setup :). First I show that dot1x is working correctly with the correct role: "access-point":
NLUT--SD05401# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
d 1/1/28 f0:61:c0:ca:91:0e dot1x Success access-point
=======================================================================================
I then put the switch in aruba-central support-mode and broke the config so that the correct role is no longer on the switch. Then I removed PoE from the port and enabled PoE on the port again, so that the AP would go through the whole authentication process again:
NLUT--SD05401# aruba-central support-mode
NLUT--SD05401(config)# port-access role access-points
NLUT--SD05401(config-pa-role)# auth-mode device-mode
NLUT--SD05401(config-pa-role)# poe-priority high
NLUT--SD05401(config-pa-role)# trust-mode dscp
NLUT--SD05401(config-pa-role)# stp-admin-edge-port
NLUT--SD05401(config-pa-role)# vlan access 99
NLUT--SD05401(config-pa-role)# exit
NLUT--SD05401(config)# no port-access role access-point
NLUT--SD05401(config)# do show run | b "access-point"
port-access role access-points
auth-mode device-mode
poe-priority high
trust-mode dscp
stp-admin-edge-port
vlan access 99
We then see an 802.1X failure on the switch with show port-access clients:
NLUT--SD05401# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/28 f0:61:c0:ca:91:0e dot1x Fail
If we look at the detail, we see the following information, but in my humble opinion this still doesn't help you troubleshoot the fact that the RADIUS response contains a role that the switch doesn't have, so the switch won't do anything with that RADIUS response:
NLUT--SD05401# show port-access clients in 1/1/28 detail
Port Access Client Status Details:
Client f0:61:c0:ca:91:0e, NLUT--SD05F061C0CA910E
================================================
Session Details
---------------
Port : 1/1/28
Session Time : 91336s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned :
Access :
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 91312s ago
mac-auth - Authenticated, 91336s ago
Authorization Details
----------------------
Role :
Status : Invalid
=============================================================================
The logging on the switch also doesn't show anything useful. Maybe there is different logging I need to check to get to the root cause of this issue, but with the command provided below I cannot determine the root cause:
NLUT--SD05401# show logg -r | i 1/1/28
2024-05-03T04:21:21.158944-04:00 NLUT--SD05401 lldpd[3479]: Event|106|LOG_INFO|CDTR|1|LLDP neighbor f0:61:c0:ca:91:0e deleted on 1/1/28
2024-05-03T04:19:35.748669-04:00 NLUT--SD05401 ops-switchd[661]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for f0:61:c0:ca:91:0e with VLAN 4001 on port 1/1/28
2024-05-03T04:19:35.745583-04:00 NLUT--SD05401 lldpd[3479]: Event|113|LOG_INFO|CDTR|1|PVID mismatch on 1/1/28 pvid = 1, Neighbor f0:61:c0:ca:91:0e port_id = f0:61:c0:ca:91:0e pvid = 0
2024-05-03T04:19:35.728793-04:00 NLUT--SD05401 port-accessd[4159]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/28 is blocked by port-access
2024-05-03T04:19:16.705754-04:00 NLUT--SD05401 lldpd[3479]: Event|104|LOG_INFO|CDTR|1|LLDP neighbor f0:61:c0:ca:91:0e added on 1/1/28
2024-05-03T04:19:12.768889-04:00 NLUT--SD05401 port-accessd[4159]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/28 is unblocked by port-access
2024-05-03T04:19:12.746117-04:00 NLUT--SD05401 ops-switchd[661]: Event|9707|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 4001 is mapped to client f0:61:c0:ca:91:0e on port 1/1/28
2024-05-03T04:19:12.726194-04:00 NLUT--SD05401 ops-switchd[661]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 4001 is mapped to client f0:61:c0:ca:91:0e on port 1/1/28
2024-05-03T04:18:39.626479-04:00 NLUT--SD05401 port-accessd[4159]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/28 is blocked by port-access
2024-05-03T04:18:39.599223-04:00 NLUT--SD05401 intfd[684]: Event|403|LOG_INFO|UKWN|1|Link status for interface 1/1/28 is up
2024-05-03T04:18:14.163772-04:00 NLUT--SD05401 poe-hald[3488]: Event|7902|LOG_INFO|CDTR|1|Powered device power delivery on interface 1/1/28
2024-05-03T04:18:14.161277-04:00 NLUT--SD05401 poe-protod[3498]: Event|7901|LOG_INFO|CDTR|1|Detected powered device on interface 1/1/28. Type:2, Class:4
2024-05-03T04:18:08.411300-04:00 NLUT--SD05401 port-accessd[4159]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/28 is unblocked by port-access
2024-05-03T04:18:08.386002-04:00 NLUT--SD05401 intfd[684]: Event|404|LOG_INFO|UKWN|1|Link status for interface 1/1/28 is down
2024-05-03T04:18:07.378573-04:00 NLUT--SD05401 poe-protod[3498]: Event|7906|LOG_INFO|CDTR|1|PoE disabled on interface 1/1/28
=========================================================
I end with a screenshot of what you'd be able to see in the Access Tracker in Clearpass, which again isn't going to help you troubleshoot this issue:
===============================================================
We're back to where we started and the original question still remains:
How do you troubleshoot this problem, where the RADIUS response from Clearpass contains a role which the switch doesn't know and therefore won't authenticate the client with the correct role?
Original Message:
Sent: May 03, 2024 04:07 AM
From: jantrance
Subject: Troubleshooting RADIUS response, authenticator side (Switch)
Currently we have already solved the problem by correcting the config on the switch to "port-access role access-point". We didn't use the detail when troubleshooting this problem initially. I did type it in now on a switch to see what the detail part would show. I don't have a lab setup where I would be able to make a config mistake and see what "show port-access clients interface 0/0/1 detail" would additionally show to help troubleshoot this configuration mistake. Would you be able to test that out in a lab setup?
We have AOS-CX switches with a template configuration in Aruba Central.
Original Message:
Sent: May 03, 2024 03:19 AM
From: Herman Robers
Subject: Troubleshooting RADIUS response, authenticator side (Switch)
The command:
show port-access clients interface 0/0/1 detail
will show more details. Things that I have seen regularly are that the role VLAN is not configured/active on the switch, or that conflicting information is received in the RADIUS response, like a user-role and a separate VLAN.
What type of switch do you have? AOS-CX or ArubaOS-Switch?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 03, 2024 02:39 AM
From: jantrance
Subject: Troubleshooting RADIUS response, authenticator side (Switch)
Hi All,
We have Aruba Central managed switches and an on-prem Clearpass cluster. We came across the problem where the RADIUS reply from Clearpass contained an Aruba-User-Role of "access-point", while on the switch there was a "port-access role access-points". In Clearpass all you can see is an Accept in the Access Tracker, and everything looks fine from the Clearpass side. However, on the switch side the AP is of course not going to get connected, because there is no correct port-access role configured.
Now for the question: Without comparing the running config on the switch with the Enforcement Profiles on Clearpass, how would you troubleshoot this on the switch to be able to see that the switch cannot do anything with the received RADIUS response since there is no correct port-access role configured on the switch?
With the command "show port-access clients" you could see that the AP had the role Holding,Critical. But that doesn't help in troubleshooting where this has gone wrong. In the logging of the switch there was also no indication that the role doesn't exist on the switch, so the switch is just not going to do anything with that RADIUS response.
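The check this thread asks for, as an added example (not code from the thread, from Aruba or from HPE): a small Python script that does what the switch does not log. It compares the Aruba-User-Role value seen in the Clearpass Access Tracker Output tab with the "port-access role" names in the AOS-CX running config, also applies Herman Robers' point about the role VLAN not being defined on the switch, and recognises the empty Role / Status: Invalid symptom from the "show port-access clients ... detail" output shown above. The running-config excerpt, the RADIUS role value and the detail excerpt are constructed samples modelled on the thread (the "access-points" versus "access-point" mismatch), and the regexes assume the plain-text stanza layout of "show running-config" as it appears in the thread.

```python
"""Detect a RADIUS-assigned role that an AOS-CX switch cannot use.

Added example, not code from the thread or from Aruba/HPE. Inputs it assumes an
operator can collect: the switch running-config text, the Aruba-User-Role value
shown in the Clearpass Access Tracker Output tab, and (optionally) the output of
'show port-access clients interface X detail'. All sample data is constructed.
"""
import difflib
import re
from typing import Optional

# Constructed running-config excerpt reproducing the thread's misconfiguration:
# the switch has "access-points", Clearpass sends "access-point". VLAN 99 is
# deliberately left undefined to show the second failure mode (role VLAN missing).
SAMPLE_RUNNING_CONFIG = """\
vlan 1
vlan 20
    name printers
port-access role access-points
    auth-mode device-mode
    poe-priority high
    trust-mode dscp
    stp-admin-edge-port
    vlan access 99
port-access role printer
    vlan access 20
"""

# Constructed: the attribute value as displayed in Access Tracker -> Output tab.
SAMPLE_RADIUS_ROLE = "access-point"

# Constructed excerpt of 'show port-access clients interface 1/1/28 detail'.
SAMPLE_CLIENT_DETAIL = """\
Authorization Details
----------------------
Role :
Status : Invalid
"""

ROLE_HEADER_RE = re.compile(r"^port-access role (\S+)\s*$")
VLAN_HEADER_RE = re.compile(r"^vlan ([\d,\-]+)\s*$")
ROLE_VLAN_RE = re.compile(r"^\s+vlan (?:access|trunk native) (\d+)\s*$")


def parse_roles(running_config: str) -> dict[str, Optional[int]]:
    """Map each port-access role name to the VLAN it assigns (None if none)."""
    roles: dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for line in running_config.splitlines():
        m = ROLE_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            roles[current] = None
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # unindented line ends the role stanza
            current = None
            continue
        m = ROLE_VLAN_RE.match(line)
        if m:
            roles[current] = int(m.group(1))
    return roles


def parse_vlans(running_config: str) -> set[int]:
    """Collect VLAN IDs declared by top-level 'vlan' stanzas (lists/ranges ok)."""
    vlans: set[int] = set()
    for line in running_config.splitlines():
        m = VLAN_HEADER_RE.match(line)
        if not m:
            continue
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_radius_role(radius_role: str, running_config: str) -> list[str]:
    """Return findings; an empty list means the switch can apply the role."""
    roles = parse_roles(running_config)
    findings: list[str] = []
    if radius_role not in roles:
        msg = f"role '{radius_role}' from RADIUS is not configured on the switch"
        # A near-miss name (typo, trailing 's') is the usual cause; point at it.
        close = difflib.get_close_matches(radius_role, list(roles), n=1, cutoff=0.8)
        if close:
            msg += f" (closest configured role: '{close[0]}')"
        findings.append(msg)
        return findings
    vlan = roles[radius_role]
    if vlan is not None and vlan not in parse_vlans(running_config):
        findings.append(f"role '{radius_role}' assigns VLAN {vlan}, which is not defined")
    return findings


def authorization_invalid(detail_output: str) -> bool:
    """True when the client detail shows an empty Role with Status Invalid."""
    in_section = role_empty = status_invalid = False
    for line in detail_output.splitlines():
        stripped = line.strip()
        if stripped == "Authorization Details":
            in_section = True
            continue
        if not in_section or not stripped or set(stripped) == {"-"}:
            continue
        if ":" not in stripped:  # next section header or trailer: stop
            break
        key, _, value = stripped.partition(":")
        if key.strip() == "Role":
            role_empty = value.strip() == ""
        elif key.strip() == "Status":
            status_invalid = value.strip().lower() == "invalid"
    return role_empty and status_invalid


if __name__ == "__main__":
    if authorization_invalid(SAMPLE_CLIENT_DETAIL):
        print("switch shows an invalid authorization; checking the RADIUS role...")
    for finding in check_radius_role(SAMPLE_RADIUS_ROLE, SAMPLE_RUNNING_CONFIG) or ["role OK"]:
        print(finding)
```

Paste the switch's "show running-config" output and the role string from the Output tab into the two inputs; a non-empty findings list is the log entry the switch does not write for you, and the closest-match hint makes the singular/plural slip from the thread obvious at a glance.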