Ok so I found the issue on this. For the local role I was pushing to the switch I thought the ACL allowed any traffic. It turned out that I had set it to allow any TCP traffic and not 'any' traffic. Changing this has fixed the issue.
Original Message:
Sent: May 02, 2024 09:49 AM
From: ssmith764
Subject: UBT Clients cannot send traffic. Only get DHCP address
Yes, I want the clients to be placed in a role on the gateway. They just need to be placed into the VLAN on the controller and the traffic tunnelled between switch and gateway. I don't think I have any need for tagged traffic, so I don't need VLAN extend. The UBT config I have on the switch is:
vlan 4091
ubt-client-vlan 4091
ubt zone default vrf default
    primary-controller ip 10.x.2.40
    backup-controller ip 10.x.2.48
    enable
ip source-interface ubt interface vlan200
ubt state shows both gateways connected
------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
Original Message:
Sent: May 02, 2024 07:48 AM
From: Herman Robers
Subject: UBT Clients cannot send traffic. Only get DHCP address
UBT Client VLAN is somewhat ambiguous; check this video for the difference between local VLAN and VLAN Extend mode. Local VLAN (and use of the ubt-client-vlan command on the switch) is probably what you want.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 01, 2024 01:54 PM
From: ssmith764
Subject: UBT Clients cannot send traffic. Only get DHCP address
The UBT client VLAN is created on the gateway but was also on the switch. I removed the VLAN from the switch but then the client no longer appeared in the user table on the gateway. I know the VLAN does not need to be on the switch though.
The user role on the gateway allows any traffic.
I have logged with TAC now, so hopefully they will find the issue.
------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
Original Message:
Sent: Apr 30, 2024 11:37 PM
From: ariyap
Subject: UBT Clients cannot send traffic. Only get DHCP address
Your UBT client VLAN ID should be unique and also be created on your gateway, but not applied to any interfaces.
What is your UBT zone configuration?
Is the UBT user-role on the gateway blocking anything?
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Apr 30, 2024 09:46 AM
From: ssmith764
Subject: UBT Clients cannot send traffic. Only get DHCP address
Not sure this is the right discussion but:
I have a client with Central, 6300 CX switches, two 7210 gateways and ClearPass. They want to use UBT, but the network is live and it will be a gradual migration. I have enabled UBT on the switches, configured the ClearPass authentication and the correct roles on the gateways. If I configure a port to use MAC or 802.1x authentication, the client successfully authenticates, the role is pushed to the switch and the secondary role applied. I see the client on the gateway in the correct role with an IP address obtained via DHCP. However, the client cannot send or receive any other traffic. No traffic appears blocked in the datapath table though. All roles allow all traffic.
Any ideas what I have wrong here? I do wonder if the issue is the same VLAN is configured locally on the switch but this is not stated as an issue in the documentation unless using ubt vlan-extend which I am not.
The same issue happens for all UBT clients in any VLAN, whether MAC auth or 802.1x.
Thanks
Stewart
------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------