Hello,
I'm running a 2930F w/ 16.08 firmware and I'm attempting to get DUR working with ClearPass. I've followed the wired guide pretty closely but I'm getting some errors.
For the purposes of testing, I created a simple allow all and DHCP only policy w/ MAC auth.
Allow All:
class ipv4 IP-ANY-ANY
match ip any any
exit
policy user "DUR-Data-Allow-All"
10 class ipv4 IP-ANY-ANY action permit
exit
aaa authorization user-role name "DUR-Data-Allow-All"
policy "DUR-Data-Allow-All"
vlan-name "Lab Network"
exit
DHCP Only:
class ipv4 IP-ANY-ANY
match ip any any
class ipv4 DHCP
match udp any any eq 67
exit
policy user "DUR-DHCP-Only"
10 class ipv4 DHCP action permit
20 class ipv4 IP-ANY-ANY action deny
exit
aaa authorization user-role name "DUR-DHCP-Only"
policy "DUR-DHCP-Only"
vlan-name "Lab Network"
exit
When I enable debugging on the switch (user-profile-mib, cppm, event), I can see that the communication between CPPM and Switch appears to be working but the switch seems to have an issue with the above roles.
Aruba-Lab-SW1#
0002:05:39:29.43 UMIB m8021xCtrl:removing dca client f0def1-7b4652 for port 8.
I 01/02/90 21:39:29 00077 ports: port 8 is now off-line
I 01/02/90 21:39:29 00002 vlan: Default virtual LAN disabled (1 times in 60
seconds)
I 01/02/90 21:39:33 00435 ports: port 8 is Blocked by AAA
0002:05:39:33.75 UMIB tRadiusR:Received cppm downloadable user role vsa for
client with request-id 28 and assigned user role is :
Aruba_DUR_Data_Allow_All-3016-5
0002:05:39:33.75 UMIB mdcaCtrl:New node is created for the downloadable user
role Aruba_DUR_Data_Allow_All-3016-5
0002:05:39:33.75 UMIB mdcaCtrl:DUR Client with request-id 28 is added to waiting
queue for downloadable user role Aruba_DUR_Data_Allow_All-3016-5 in INITIAL
state
0002:05:39:33.75 UMIB mdcaCtrl:Posting event to cppm task to download the
userRole Aruba_DUR_Data_Allow_All-3016-5
0002:05:39:36.49 UMIB mcppmTask:Download of user role
Aruba_DUR_Data_Allow_All-3016-5 failed with error code 35 : cppm server url
https://172.16.10.41/async_netd/arubacppmapi/downloadableconfig?role=Aruba_DU
R_Data_Allow_All-3016-
0002:05:39:36.49 UMIB mcppmTask:Download of userRole
Aruba_DUR_Data_Allow_All-3016-5 is failed
0002:05:39:36.50 UMIB mdcaCtrl: Sending message to authentication task for
client with request-id 28
0002:05:39:36.50 UMIB mdcaCtrl:Removing DUR Client with request-id 28 for
downloadable user role Aruba_DUR_Data_Allow_All-3016-5 from waiting queue as
role download failed
0002:05:39:36.50 UMIB mWebAuth:macAuth client F0DEF17B4652 on port 8 assigned to
initial role as downloading failed for user role Aruba_DUR_Data_Al....
0002:05:39:36.50 UMIB mWebAuth:added new dca client f0def1-7b4652 for new client
port 8.
0002:05:39:36.50 UMIB mWebAuth:Client Mac F0DEF1-7B4652, accessMode MacAuth
W 01/02/90 21:39:36 05620 dca: macAuth client F0DEF17B4652 on port 8 assigned to
initial role as downloading failed for user role
Aruba_DUR_Data_Al....
W 01/02/90 21:39:36 05204 dca: Failed to apply user role
Aruba_DUR_Data_Allow_All-3016-5_7Z4q to macAuth client F0DEF17B4652
on port 8: user role is invalid.
I 01/02/90 21:39:36 00435 ports: port 8 is Blocked by STP
0002:05:39:38.71 UMIB m8021xCtrl:removing dca client f0def1-7b4652 for port 8.
0002:05:39:38.71 UMIB m8021xCtrl:added new dca client f0def1-7b4652 for new
client port 8.
0002:05:39:38.71 UMIB m8021xCtrl:Client Mac F0DEF1-7B4652, accessMode 8021x
I 01/02/90 21:39:39 00076 ports: port 8 is now on-line
I 01/02/90 21:39:39 00001 vlan: Default virtual LAN enabled (1 times in 60
seconds)
I 01/02/90 21:40:18 00428 802.1x: 1 auth-failures for the last 60 sec.
If I'm reading the above correctly, it looks like the switch is failing w/ error code 35? cppm server url?
Does anyone have any additional insight on this?
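
A triage helper for debug output like the above, added here as an example and not part of the original post: it rejoins the console-wrapped lines into records and ties each failed role download to its error code, ClearPass host, queued request-ids and the clients that fell back to the initial role. The function names and regular expressions are this example's own, written against the message formats visible in the post.

```python
import re

# Log lines copied from the post's debug output, kept with the console
# wrapping that splits one record (and the URL) across several lines.
SAMPLE = """\
0002:05:39:33.75 UMIB mdcaCtrl:DUR Client with request-id 28 is added to waiting
queue for downloadable user role Aruba_DUR_Data_Allow_All-3016-5 in INITIAL
state
0002:05:39:36.49 UMIB mcppmTask:Download of user role
Aruba_DUR_Data_Allow_All-3016-5 failed with error code 35 : cppm server url
https://172.16.10.41/async_netd/arubacppmapi/downloadableconfig?role=Aruba_DU
R_Data_Allow_All-3016-
0002:05:39:36.50 UMIB mWebAuth:macAuth client F0DEF17B4652 on port 8 assigned to
initial role as downloading failed for user role Aruba_DUR_Data_Al....
I 01/02/90 21:39:36 00435 ports: port 8 is Blocked by STP
"""

# A record starts with a debug uptime stamp or an event-log severity and date.
RECORD_START = re.compile(r"^(?:\d{4}:\d\d:\d\d:\d\d\.\d\d |[IWE] \d\d/\d\d/\d\d )")
QUEUED = re.compile(r"request-id (\d+) is added to waiting queue for downloadable user role (\S+)")
FAILED = re.compile(r"Download of user role (\S+) failed with error code (\d+) : cppm server url https://([^/\s]+)/")
FALLBACK = re.compile(r"client ([0-9A-Fa-f]{12}) on port (\S+) assigned to initial role .*? user role (\S+?)\.{2,}")

def unwrap(text):
    """Rejoin console-wrapped lines into one string per log record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def dur_failures(text):
    """One dict per failed role download, with waiting request-ids and fallback clients."""
    waiting, failures = {}, []
    for rec in unwrap(text):
        if m := QUEUED.search(rec):
            waiting.setdefault(m.group(2), []).append(int(m.group(1)))
        elif m := FAILED.search(rec):
            role, code, server = m.groups()
            failures.append({"role": role, "error_code": int(code), "server": server,
                             "request_ids": waiting.get(role, []), "clients": []})
        elif m := FALLBACK.search(rec):
            mac, port, prefix = m.groups()  # role name is truncated in this message
            for f in failures:
                if f["role"].startswith(prefix) and (mac.lower(), port) not in f["clients"]:
                    f["clients"].append((mac.lower(), port))
    return failures
```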