Frequent Contributor I

CPPM + 2930F - Downloadable User Roles Failing

Hello,

I'm running a 2930F w/ 16.08 firmware and I'm attempting to get DUR working with ClearPass. I've followed the wired guide pretty closely but I'm getting some errors.

For the purposes of testing, I created a simple allow all and DHCP only policy w/ MAC auth.

Allow All:

class ipv4 IP-ANY-ANY match ip any any
exit

policy user "DUR-Data-Allow-All"
10 class ipv4 IP-ANY-ANY action permit
exit

aaa authorization user-role name "DUR-Data-Allow-All"
policy "DUR-Data-Allow-All"
vlan-name "Lab Network"
exit

DHCP Only:

class ipv4 IP-ANY-ANY match ip any any
class ipv4 DHCP match udp any any eq 67
exit

policy user "DUR-DHCP-Only"
10 class ipv4 DHCP action permit
20 class ipv4 IP-ANY-ANY action deny
exit

aaa authorization user-role name "DUR-DHCP-Only"
policy "DUR-DHCP-Only"
vlan-name "Lab Network"
exit

When I enable debugging on the switch (user-profile-mib, cppm, event), I can see that the communication between CPPM and the switch appears to be working, but the switch seems to have an issue with the above roles.

Aruba-Lab-SW1#
0002:05:39:29.43 UMIB m8021xCtrl:removing dca client f0def1-7b4652 for port 8.
I 01/02/90 21:39:29 00077 ports: port 8 is now off-line
I 01/02/90 21:39:29 00002 vlan: Default virtual LAN disabled (1 times in 60
            seconds)
I 01/02/90 21:39:33 00435 ports: port 8 is Blocked by AAA
0002:05:39:33.75 UMIB tRadiusR:Received cppm downloadable user role vsa for
   client with request-id 28 and assigned user role is :
   Aruba_DUR_Data_Allow_All-3016-5
0002:05:39:33.75 UMIB mdcaCtrl:New node is created for the downloadable user
   role Aruba_DUR_Data_Allow_All-3016-5
0002:05:39:33.75 UMIB mdcaCtrl:DUR Client with request-id 28 is added to waiting
   queue for downloadable user role Aruba_DUR_Data_Allow_All-3016-5 in INITIAL
   state
0002:05:39:33.75 UMIB mdcaCtrl:Posting event to cppm task to  download the
   userRole Aruba_DUR_Data_Allow_All-3016-5
0002:05:39:36.49 UMIB mcppmTask:Download of user role
   Aruba_DUR_Data_Allow_All-3016-5 failed with error code 35 : cppm server url
   https://172.16.10.41/async_netd/arubacppmapi/downloadableconfig?role=Aruba_DU
   R_Data_Allow_All-3016-
0002:05:39:36.49 UMIB mcppmTask:Download of userRole
   Aruba_DUR_Data_Allow_All-3016-5 is failed
0002:05:39:36.50 UMIB mdcaCtrl: Sending message to authentication task for
   client with request-id 28
0002:05:39:36.50 UMIB mdcaCtrl:Removing DUR Client with request-id 28 for
   downloadable user role Aruba_DUR_Data_Allow_All-3016-5 from waiting queue as
   role download failed
0002:05:39:36.50 UMIB mWebAuth:macAuth client F0DEF17B4652 on port 8 assigned to
   initial role as downloading failed for user role Aruba_DUR_Data_Al....
0002:05:39:36.50 UMIB mWebAuth:added new dca client f0def1-7b4652 for new client
   port 8.
0002:05:39:36.50 UMIB mWebAuth:Client Mac F0DEF1-7B4652, accessMode MacAuth
W 01/02/90 21:39:36 05620 dca: macAuth client F0DEF17B4652 on port 8 assigned to
            initial role as downloading failed for user role
            Aruba_DUR_Data_Al....
W 01/02/90 21:39:36 05204 dca: Failed to apply user role
            Aruba_DUR_Data_Allow_All-3016-5_7Z4q to macAuth client F0DEF17B4652
            on port 8: user role is invalid.
I 01/02/90 21:39:36 00435 ports: port 8 is Blocked by STP
0002:05:39:38.71 UMIB m8021xCtrl:removing dca client f0def1-7b4652 for port 8.
0002:05:39:38.71 UMIB m8021xCtrl:added new dca client f0def1-7b4652 for new
   client port 8.
0002:05:39:38.71 UMIB m8021xCtrl:Client Mac F0DEF1-7B4652, accessMode 8021x
I 01/02/90 21:39:39 00076 ports: port 8 is now on-line
I 01/02/90 21:39:39 00001 vlan: Default virtual LAN enabled (1 times in 60
            seconds)
I 01/02/90 21:40:18 00428 802.1x: 1 auth-failures for the last 60 sec.

If I'm reading the above correctly, it looks like the switch is failing w/ error code 35? cppm server url?

Does anyone have any additional insight on this?

Frequent Contributor I

Re: CPPM + 2930F - Downloadable User Roles Failing

I found some errors in the above policies but I did get the revised roles to be accepted in the switch's configuration when I entered them manually. DUR is still not working.


The revised roles are as follows:

Allow all:

class ipv4 IP-ANY-ANY
match ip any any
exit

policy user Allow-All-ACL
10 class ipv4 IP-ANY-ANY action permit
exit

aaa authorization user-role name DUR-Data-Allow-All
policy Allow-All-ACL
vlan-name "Lab Network"
exit

DHCP Only:

class ipv4 IP-ANY-ANY
match ip any any
class ipv4 DHCP
match udp any any eq 67
exit

policy user DHCP-Only-ACL
10 class ipv4 DHCP action permit
20 class ipv4 IP-ANY-ANY action deny
exit

aaa authorization user-role name DUR-DHCP-Only
policy DHCP-Only-ACL
vlan-name "Lab Network"
exit

Frequent Contributor I

Re: CPPM + 2930F - Downloadable User Roles Failing

Fixed it!

Switch clock was wrong. Reset it w/ NTP and the DURs started working!
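As an added triage helper (not code from this thread or from Aruba/HPE), the script below parses debug output in the shape quoted above, extracts each failed DUR download with its error code, reads the switch's own clock from the event-log timestamps, and checks that clock against a certificate validity window. The CPPM server certificate dates are placeholders, and the check assumes the switch validates the CPPM HTTPS server certificate's dates when fetching the role, which is consistent with the NTP fix but not stated in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the 2930F debug output quoted above (not the full capture).
SAMPLE_LOG = """\
I 01/02/90 21:39:33 00435 ports: port 8 is Blocked by AAA
0002:05:39:36.49 UMIB mcppmTask:Download of user role
   Aruba_DUR_Data_Allow_All-3016-5 failed with error code 35 : cppm server url
   https://172.16.10.41/async_netd/arubacppmapi/downloadableconfig?role=Aruba_DUR_Data_Allow_All-3016-5
"""

# Assumed validity window of the CPPM HTTPS server certificate (placeholder dates, not from the thread).
CERT_NOT_BEFORE = datetime(2019, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2021, 1, 1, tzinfo=timezone.utc)
EVENT_TS = re.compile(r"^[IWEM] (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ")
DUR_FAIL = re.compile(r"Download of user role (\S+) failed with error code (\d+)")

def _unwrap(log):
    """Re-join the indented continuation lines the switch wraps at 80 columns."""
    records = []
    for line in log.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records

def dur_failures(log):
    """Return (role, error_code) for every failed DUR download in the log."""
    found = []
    for rec in _unwrap(log):
        m = DUR_FAIL.search(rec)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def switch_clock(log):
    """Switch's own clock, taken from the first timestamped event-log line (None if absent)."""
    for rec in _unwrap(log):
        m = EVENT_TS.match(rec)
        if m:  # %y maps 69-99 to 19xx, so '01/02/90' becomes 1990, an unsynced default clock
            return datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S").replace(tzinfo=timezone.utc)
    return None

def clock_within_validity(clock, not_before=CERT_NOT_BEFORE, not_after=CERT_NOT_AFTER):
    """True only if the switch clock falls inside the certificate's validity window."""
    return clock is not None and not_before <= clock <= not_after
```

Run `dur_failures(SAMPLE_LOG)` and `clock_within_validity(switch_clock(SAMPLE_LOG))` together: a failed download paired with a clock outside the window points at time sync before anything in the role definitions.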
