Wired Intelligent Edge


UBT not working with 9004 gateway

  • 1.  UBT not working with 9004 gateway

    Posted 15 hours ago

    Hey everyone,

    I have advanced with security licenses on the gateway and advanced switch licenses.

    I want to set up UBT to my local branch gateway, which is a 9004.
    It's an AOS 10 setup managed by Central.
    Running versions 10.6.0.2 & 10.13.1031.
    I configured a clean ubt-client-vlan 3999 on the AOS-CX switch.
    I configured the ip source for UBT with its management IP.
    I created a UBT zone with the primary controller IP, which is reachable via the switch.

    This is the output of show ubt state:

    Local Conductor Server (LCS) State:
     
    LCS Type      IP Address    State               Role 
    ---------------------------------------------------------------------
    Primary     : 10.10.250.1 ready_for_bootstrap operational_primary 
     
    Switch Anchor Controller (SAC) State:
     
                  IP Address      MAC Address          State         
    -----------------------------------------------------------------
    Active      : 10.10.250.1     f0:1a:a0:79:0c:b6    registered


    On the controller I always get that the SAC is 0.0.0.0.
    The IP 10.10.101.3 is my switch.
    In show tunneled-node-mgr I always see the following error:
    Jul 18 14:55:38  -->  SW Bootstrap Req   10.10.101.3  ec:67:94:d6:45:40 rsvd-vid=1 sacMode=1 sacIP=0.0.0.0 flags=1 mtu=1500
    Jul 18 14:55:38  <--  SW Bootstrap Ack   10.10.101.3  Status=29:Switch Bootstrap Failed, Req sent to non controller or non cluster IP.
    Jul 18 14:55:48  -->  SW Bootstrap Req   10.10.101.3  ec:67:94:d6:45:40 rsvd-vid=1 sacMode=1 sacIP=0.0.0.0 flags=1 mtu=1500
    Jul 18 14:55:48  sos  SW hb tun created  10.10.101.3  tunnel 9.
    Jul 18 14:55:48  <--  SW Bootstrap Ack   10.10.101.3  SBY=0.0.0.0

    What am I doing wrong, or why isn't it working?
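A small parser for the show tunneled-node-mgr lines quoted above, added here as an example (it is not part of the post or of any HPE Aruba tool), that turns each line into a record and flags bootstrap requests carrying sacIP=0.0.0.0 and Acks with a non-zero Status code. The sample log is constructed from the lines in the post, and the column layout it assumes is the one shown there.

```python
import re

# Constructed sample, modelled on the "show tunneled-node-mgr" lines quoted in the post.
SAMPLE_LOG = """\
Jul 18 14:55:38  -->  SW Bootstrap Req   10.10.101.3  ec:67:94:d6:45:40 rsvd-vid=1 sacMode=1 sacIP=0.0.0.0 flags=1 mtu=1500
Jul 18 14:55:38  <--  SW Bootstrap Ack   10.10.101.3  Status=29:Switch Bootstrap Failed, Req sent to non controller or non cluster IP.
Jul 18 14:55:48  -->  SW Bootstrap Req   10.10.101.3  ec:67:94:d6:45:40 rsvd-vid=1 sacMode=1 sacIP=0.0.0.0 flags=1 mtu=1500
Jul 18 14:55:48  sos  SW hb tun created  10.10.101.3  tunnel 9.
Jul 18 14:55:48  <--  SW Bootstrap Ack   10.10.101.3  SBY=0.0.0.0
"""

# Assumed layout: timestamp, direction token (--> switch to gateway, <-- gateway to switch,
# or a tag such as "sos"), message name, switch IP, then key=value fields or a Status.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+(?P<dir>\S+)\s+(?P<msg>.+?)\s{2,}"
    r"(?P<switch>\d+\.\d+\.\d+\.\d+)\s*(?P<rest>.*)$"
)

def parse_line(line):
    """Return one dict per log line (None for lines in another layout)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(ts=m["ts"], dir=m["dir"], msg=m["msg"].strip(), switch=m["switch"],
              status=None, status_text="", fields={})
    rest = m["rest"]
    sm = re.search(r"Status=(\d+):(.*)$", rest)      # e.g. "Status=29:Switch Bootstrap Failed, ..."
    if sm:
        ev["status"], ev["status_text"] = int(sm.group(1)), sm.group(2).strip()
        rest = rest[:sm.start()]
    ev["fields"] = dict(re.findall(r"([\w-]+)=(\S+)", rest))   # sacIP=0.0.0.0, mtu=1500, SBY=...
    return ev

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def find_bootstrap_problems(events):
    """One finding per request sent without a SAC IP and per Ack that reports a failure."""
    findings = []
    for ev in events:
        if ev["msg"] == "SW Bootstrap Req" and ev["fields"].get("sacIP") == "0.0.0.0":
            findings.append(f"{ev['ts']} {ev['switch']}: bootstrap request carries sacIP=0.0.0.0")
        if ev["msg"] == "SW Bootstrap Ack" and ev["status"] not in (None, 0):
            findings.append(f"{ev['ts']} {ev['switch']}: bootstrap failed, Status={ev['status']}: {ev['status_text']}")
    return findings

if __name__ == "__main__":
    for finding in find_bootstrap_problems(parse_log(SAMPLE_LOG)):
        print(finding)
```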



  • 2.  RE: UBT not working with 9004 gateway

    Posted 13 hours ago

    Is your CX switch managed by Central or just the gateway?  Can you post your full config from the CX switch?




  • 3.  RE: UBT not working with 9004 gateway

    Posted 13 hours ago

    Hey David,

    The CX switch & gateway are managed by Central.
    In the attachments you can see the show running-config output of the switch & gateway.

    I only removed the passwords for privacy reasons. But it's a test setup.
    So the gateway & switch are directly connected to each other.
    The gateway also has tunnels to another VPNC.


    Attachment(s): gateway show run.txt (58 KB), show run CX.txt (5 KB)


  • 4.  RE: UBT not working with 9004 gateway

    Posted 13 hours ago

    I think your UBT setup is correct, you just never used it anywhere.  You need to create a role for any device that should be using UBT and assign it to any connected device.  There are two main ways of doing that.  The first is with Downloadable User Roles (DURs) where your ClearPass server returns the user role with the authentication response.  That's more complicated but also able to do much more granular role assignments.  The second method is with using Local User Roles (LURs).  To do that you just need to create a user role and have port-access use it as the authenticated role for any authenticated device.

    I use DURs in my setup, so I can't actually test this config, but I'm pretty sure this is all you need:

    port-access role Tunneled-Role
        gateway-zone zone user gateway-role <role name on the gateway>
        vlan access 3999
        session-timeout 28800
        reauth-period 7100

    interface 1/1/2
        aaa authentication port-access auth-role Tunneled-Role



  • 5.  RE: UBT not working with 9004 gateway

    Posted 12 hours ago

    I tried it with DURs.
    But I can try with LURs and keep you updated on that.
    So the configuration is OK.

    I already opened a TAC case, but there is no progress on that ticket.




  • 6.  RE: UBT not working with 9004 gateway
    Best Answer

    Posted 12 hours ago

    DURs are the better solution, so if that's what you're going for let's get that working.  First off, create an admin user in ClearPass that has the privilege level of "Aruba User Role Download".  Then in your CX switch there are a few changes to make:

    1. The RADIUS servers need to be added by hostname rather than IP address.  Also, when adding the RADIUS servers you need to specify the username and password of the user you just created in ClearPass.  Remove your existing RADIUS servers and re-add both of them with the command:
      radius-server host <hostname> key plaintext <RADIUS key> clearpass-username <username> clearpass-password plaintext <password>
    2. Your RADIUS server group will still be referencing the servers by IP address.  Re-create the server group, adding the servers by hostname instead.
    3. You need to enable dynamic authorization and then add the ClearPass servers as dynamic authorization clients to allow the switch to download the roles from ClearPass.  You'll need to do this for both servers:
      radius dyn-authorization enable
      radius dyn-authorization client <hostname> secret-key plaintext <RADIUS key>
    4. The switch won't automatically trust the SSL certificate of the ClearPass server, so you have to add it manually.  If you're using a CA-signed certificate, add the CA root cert here.  If you're using a self-signed certificate, just add that, but remember that every time you replace that certificate you'll need to come back and add the new one to this switch.  The following commands will prompt you to paste in the certificate:
      crypto pki ta-profile clearpass
      ta-certificate
    5. Finally, make sure that ClearPass is returning the role in the Radius:Aruba:Aruba-CPPM-Role VSA.

    I think that's all.  If everything works right, you should see clients and roles showing up in the results of the following two commands.

    show port-access clients
    show port-access role clearpass

     

    Good luck!  Let me know how it works.
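The checklist in this reply, together with the UBT role from reply 4, as a lint an engineer can run over a saved show running-config before opening a ticket. This is an added example, not the thread's or HPE Aruba's code: the two config fragments are constructed, the aaa group server radius / server member syntax is assumed, and it only checks that the listed commands are present, not that keys or credentials are right.

```python
import ipaddress
import re

# Constructed before/after fragments in AOS-CX syntax, following the commands in the reply above; the "aaa group server radius ... server <host>" member syntax is an assumption.
CONFIG_BEFORE = """
radius-server host 10.10.1.20 key plaintext RADIUSKEY
aaa group server radius clearpass
    server 10.10.1.20
"""
CONFIG_AFTER = """
radius-server host cppm1.example.com key plaintext RADIUSKEY clearpass-username durdl clearpass-password plaintext DLPASS
radius dyn-authorization enable
radius dyn-authorization client cppm1.example.com secret-key plaintext RADIUSKEY
aaa group server radius clearpass
    server cppm1.example.com
crypto pki ta-profile clearpass
port-access role Tunneled-Role
    gateway-zone zone user gateway-role tunneled-user
"""

def _is_ip(token):
    try:
        return ipaddress.ip_address(token) is not None
    except ValueError:
        return False

def lint_dur_config(config):
    """Return a list of prerequisites from the checklist that the config does not meet."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, hosts, dyn_clients = [], [], set()
    for l in lines:
        if m := re.match(r"radius-server host (\S+)", l):      # step 1
            hosts.append(m.group(1))
            if _is_ip(m.group(1)):
                findings.append(f"radius-server {m.group(1)} added by IP; DUR needs a hostname")
            if "clearpass-username" not in l or "clearpass-password" not in l:
                findings.append(f"radius-server {m.group(1)} has no clearpass-username/password")
        elif m := re.match(r"server (\S+)", l):                 # step 2 (group member)
            if _is_ip(m.group(1)):
                findings.append(f"server group member {m.group(1)} is an IP; use the hostname")
        elif m := re.match(r"radius dyn-authorization client (\S+)", l):   # step 3
            dyn_clients.add(m.group(1))
    if "radius dyn-authorization enable" not in lines:
        findings.append("radius dyn-authorization enable is missing")
    findings += [f"no dyn-authorization client for {h}" for h in hosts if h not in dyn_clients]
    if not any(l.startswith("crypto pki ta-profile") for l in lines):   # step 4
        findings.append("no crypto pki ta-profile, so the ClearPass certificate is not trusted")
    if not any(l.startswith("gateway-zone zone") for l in lines):       # role that actually uses UBT
        findings.append("no port-access role references a gateway-zone, so UBT is never applied")
    return findings
```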




  • 7.  RE: UBT not working with 9004 gateway

    Posted 11 hours ago

    Hi David,

    I completely forgot to configure the DUR.
    I was so focused on the UBT.
    I already did the DUR before, so I know the config, but it completely slipped my mind.
    Thanks for the help and for reminding me. :)

    It's working now. ;)