
Re: Aruba downloadable roles

I'm just getting this.

 

Dec 9 16:22:16 :522280:  <ERRS> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 Cannot be assigned downloadable role, role is in error state
Dec 9 16:22:16 :522282:  <DBUG> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 User will be assigned default role

 

I tried to create it with both standard and advanced method.  Interestingly, when I had the downloadable role with 'Guest-Unlimited', it changed the role to 'Guest_Unlimited'.  Anyhow, I changed it to only have the _ and still no joy.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
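An added example, not part of the original thread: one way to spot this failure from the defender's side is to scan authmgr logs for clients whose downloadable role was reported in error state and which were then given the default role. The function name, the regular expression and every sample line marked as constructed are assumptions based only on the two log lines quoted above.

```python
import re
from collections import defaultdict

# Shape of the two authmgr lines quoted in the post above.
LINE_RE = re.compile(
    r":(?P<msgid>\d+):\s+<(?P<level>\w+)>\s+\|authmgr\|\s+"
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"Dldb Role:\s+(?P<role>\S+)\s+(?P<text>.*)$",
    re.IGNORECASE,
)

def find_role_fallbacks(lines):
    """Return {role: sorted MACs} for clients that hit the error-state
    message and were then assigned the default role instead."""
    errored = set()                 # (mac, role) pairs seen in error state
    fallbacks = defaultdict(set)    # role -> MACs that fell back
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                # not a downloadable-role message
        key = (m["mac"].lower(), m["role"])
        text = m["text"].lower()
        if "role is in error state" in text:
            errored.add(key)
        elif "will be assigned default role" in text and key in errored:
            fallbacks[key[1]].add(key[0])
            errored.discard(key)
    return {role: sorted(macs) for role, macs in fallbacks.items()}

SAMPLE = [
    # First two lines are the ones quoted in the post.
    "Dec 9 16:22:16 :522280:  <ERRS> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 Cannot be assigned downloadable role, role is in error state",
    "Dec 9 16:22:16 :522282:  <DBUG> |authmgr|  MAC=18:3d:a2:10:ae:04 Dldb Role: Guest_Unlimited-3036-5 User will be assigned default role",
    # Constructed lines: a second client, plus one unrelated message.
    "Dec 9 16:23:01 :522280:  <ERRS> |authmgr|  MAC=02:00:00:00:00:01 Dldb Role: Guest_Unlimited-3036-5 Cannot be assigned downloadable role, role is in error state",
    "Dec 9 16:23:01 :522282:  <DBUG> |authmgr|  MAC=02:00:00:00:00:01 Dldb Role: Guest_Unlimited-3036-5 User will be assigned default role",
    "Dec 9 16:23:05 constructed unrelated log line",
]

if __name__ == "__main__":
    for role, macs in find_role_fallbacks(SAMPLE).items():
        print(f"{role}: {len(macs)} client(s) on default role: {', '.join(macs)}")
```

Many clients falling back on the same role name points at the role download itself rather than at any one client.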
Aruba

Re: Aruba downloadable roles

I've asked QA to review.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II

Re: Aruba downloadable roles

Thanks Troy. I have now opened up a 2nd case with TAC with the AOS group as I wasn't making progress with the Clearpass group. I have now tested this on CP 6.3 and 6.4 as well as 620's/3200's/7010 with various levels of 6.4 code and a MASS1500 but no working solution seen.  Hopefully TAC will perform internal testing and advise.

Occasional Contributor II

Re: Aruba downloadable roles

Definitely do. I'm tempted to downgrade the controllers. You wouldn't happen to know what is the earliest version of code I could be on to support this feature? What's interesting as well is the switch doesn't work either.
Super Contributor II

Re: Aruba downloadable roles

Any news regarding your TAC cases you could share with us?

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Occasional Contributor II

Re: Aruba downloadable roles

Nothing to share yet. Yesterday's update from TAC is they are still working towards replicating the issue.

Occasional Contributor II

Re: Aruba downloadable roles

Problem is now resolved. Problem was ClearPass was missing an API administrator account that the mobility controllers use to fetch the role. TAC had to create the account in ClearPass and key in the password. Apparently this will be fixed in a later version of AOS code.

Contributor II

Re: Aruba downloadable roles

Was this affecting all of your downloadable roles or just some?  I'm noticing this on several MAS and it seems to be getting worse.  A reboot of the switch would fix it in the past, but now it seems to always corrupt some role when it is pulled down.


Mike Naylor
The College of Wooster
Contributor II

Re: Aruba downloadable roles

FYI, the issue is in the CPPM code when moving to 6.4.3.  Apparently, there is new code in 6.4.3 that includes a new auth piece for the switches to receive their downloadable roles.  The problem is that neither the MAS nor the wireless controllers have that code yet.  Problem...when the switch tries to get its downloadable role from CPPM, it can't because it has no way (or idea) how to auth.

 

I'm really not sure how this one got past QC.


Mike Naylor
The College of Wooster
Occasional Contributor II

Re: Aruba downloadable roles

We had the same problem here after upgrading from ClearPass 6.4.0 to 6.4.4.

TAC had to add an apiadmin account to ClearPass as a workaround.

There was a change in behaviour in CPPM 6.4.3 where Aruba implemented authentication between switch/controller and CPPM as mandatory for providing downloadable roles' configuration (CPPM hardening).

 

Switches and controllers support this authentication from version 7.3.2.5 and 7.4.0.2.

 

I think it is reprehensible that Aruba makes changes like this without notice; we had access points down for hours before the problem was solved.