Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Downloadable user roles

  • 1.  ClearPass Downloadable user roles

    Posted May 14, 2020 10:20 AM

    Hello,

    We are running ClearPass version 6.9.0.130064 and an Aruba 2930F switch on software revision WC.16.10.0007.

    We recently started testing Downloadable user roles. Everything has been working fine until we started using netdestinations. 

    Now, if we modify the DUR enforcement profile, the following error occurs:

    ST1-CMDR: 8021X Deauthenticating client 8C04BA11ABC4 on port 2/38, downloaded user role TATRA__DRE_IT_CP_... is not valid as CLI execution Error.
    ST1-CMDR: Faulty line: netdestination OWA_TATRA__DRE_IT_CP_-3035-98_7Z4q .

    We have found that if the old version of the DUR is removed from the switch manually using the following command, the authentication is successful without the previous error.

    downloadable-role-delete TATRA__DRE_IT_CP_-3035-97

    This is the correct behaviour:

    [screenshot: correct.png]

    Is this a bug in the switch firmware or is it intended behaviour? Deleting the old Downloadable user role to get the new version to work is annoying.



  • 2.  RE: ClearPass Downloadable user roles

    Posted May 15, 2020 09:38 AM

    I just put this through my lab and ran into the same problem. My issue was faulty syntax in the DUR.

    W 05/15/20 08:30:03 05619 dca: macAuth Deauthenticating client 885BDDA4XXXX on
                port 5, downloaded user role DUR_EXTRAP-3476-1 is not valid as CLI
                execution Error.
    W 05/15/20 08:30:03 05630 dca: Faulty line: network 192.168.1.10 255.255.255.255
                position 10.
    I 05/15/20 08:29:59 00435 ports: port 5 is Blocked by AAA
    W 05/15/20 08:29:55 05630 dca: Faulty line: network 192.168.1.10 255.255.255.255
                position 10.

    I corrected it by changing the netdestination to type Network and changing the netmask to 255.255.255.0. Then the DUR applied without issue.

     5     885bdda4XXXX  885bdd-a4XXXX     192.168.199.52  *DUR_EXTRAP-34... MAC   199   


  • 3.  RE: ClearPass Downloadable user roles

    Posted May 18, 2020 04:38 AM

    You can't use:

    network 192.168.1.10 255.255.255.255 position 10

    Instead of network, use host:

    host 192.168.1.10 position 10

    Your solution extends one address to a whole subnet.

    It doesn't seem like you ran into the same problem. Our syntax isn't the issue, as when we delete the downloaded role from the switch it executes without a problem.



  • 4.  RE: ClearPass Downloadable user roles

    Posted May 18, 2020 08:34 AM
    Yes, I know. I was trying to trigger the error you were seeing. Can you output more of the log and your full role to include the netdestination? It doesn't like the netdestination line for one reason or another.


  • 5.  RE: ClearPass Downloadable user roles

    Posted Jun 15, 2020 08:06 AM

    The issue was resolved. It was due to the netdestination limit. They call it a "feature" to support just 24 netdestinations on the 2930F switch. I hope someday they will increase the maximum number of netdestinations. Until then, we will suffer with unclear ACLs.
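Added example, not code from the thread, ClearPass or HPE: a small Python linter that checks a DUR body for the two netdestination problems raised above before it is pushed to a switch. It rewrites the `network a.b.c.d 255.255.255.255` form that reply 3 says is rejected into `host a.b.c.d`, flags a widened mask of the kind reply 2 used (which reply 3 points out matches the whole subnet), and counts netdestinations against the per-switch limit reply 5 reports (24 on the 2930F). The sample DUR text, the `NETDEST_LIMIT_2930F` constant and the checks themselves are assumptions based on the posts, not documented switch behaviour; the netdestination lines follow the `netdestination`, `host` and `network ... position` syntax quoted in the thread.

```python
"""Added example: lint a downloadable user role (DUR) body for the netdestination
problems discussed in the thread. Not ClearPass or HPE code; the sample DUR and
the limit constant are assumptions taken from the posts above."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Assumption from reply 5: the 2930F accepts at most 24 netdestinations.
NETDEST_LIMIT_2930F = 24

# Constructed sample DUR body, modelled on the lines quoted in the thread.
SAMPLE_DUR = """\
netdestination OWA_EXAMPLE
  network 192.168.1.10 255.255.255.255 position 10
  network 192.168.1.10 255.255.255.0 position 20
netdestination DNS_EXAMPLE
  host 10.0.0.53 position 10
  network 10.20.0.0 255.255.0.0 position 20
"""

NETDEST_RE = re.compile(r"^\s*netdestination\s+(\S+)\s*$")
NETWORK_RE = re.compile(r"^(\s*)network\s+(\S+)\s+(\S+)(.*)$")


@dataclass
class Finding:
    line_no: int      # 0 means the finding applies to the whole role
    message: str


@dataclass
class LintResult:
    netdestinations: List[str] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)
    fixed_lines: List[str] = field(default_factory=list)


def lint_dur(text: str, limit: int = NETDEST_LIMIT_2930F) -> LintResult:
    """Walk the DUR line by line: rewrite /32 'network' entries to 'host',
    flag entries whose address has host bits set under the given mask,
    and count netdestinations against the switch limit."""
    result = LintResult()
    for no, line in enumerate(text.splitlines(), 1):
        m = NETDEST_RE.match(line)
        if m:
            result.netdestinations.append(m.group(1))
            result.fixed_lines.append(line)
            continue
        m = NETWORK_RE.match(line)
        if not m:
            result.fixed_lines.append(line)   # host/range/other lines pass through
            continue
        indent, addr, mask, rest = m.groups()
        try:
            net = ipaddress.IPv4Network((addr, mask), strict=False)
        except ValueError as exc:
            result.findings.append(Finding(no, f"unparseable network line: {exc}"))
            result.fixed_lines.append(line)
            continue
        if net.prefixlen == 32:
            # Reply 3: a single address must be written as 'host', not a /32 'network'.
            result.findings.append(Finding(
                no, f"'network {addr} {mask}' is one address; write 'host {addr}' instead"))
            result.fixed_lines.append(f"{indent}host {addr}{rest}")
            continue
        if ipaddress.IPv4Address(addr) != net.network_address:
            # Reply 2's workaround: widening the mask silently matches the whole subnet.
            result.findings.append(Finding(
                no, f"{addr}/{net.prefixlen} has host bits set; this entry matches all of {net}"))
        result.fixed_lines.append(line)

    count = len(result.netdestinations)
    if count > limit:
        result.findings.append(Finding(
            0, f"{count} netdestinations exceed the switch limit of {limit}"))
    return result


def fixed_dur(text: str, limit: int = NETDEST_LIMIT_2930F) -> str:
    """Return the DUR with /32 network entries rewritten as host entries."""
    return "\n".join(lint_dur(text, limit).fixed_lines) + "\n"


if __name__ == "__main__":
    res = lint_dur(SAMPLE_DUR)
    for f in res.findings:
        where = f"line {f.line_no}" if f.line_no else "role"
        print(f"{where}: {f.message}")
    print(fixed_dur(SAMPLE_DUR))
```

Run it against the exported enforcement profile text rather than the live switch; the point is to catch a rejected line or an over-limit role before the switch deauthenticates a client with "CLI execution Error". The limit check only counts netdestinations in the text you pass in, so if the old role version is still resident on the switch (as in the original post), its netdestinations are not included.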