New Contributor

Clearpass Downloadable user roles

Hello,

we are running Clearpass version 6.9.0.130064 and Aruba switch 2930F software revision WC.16.10.0007.


We recently started testing Downloadable user roles. Everything has been working fine until we started using netdestinations. 

Now, if we modify the DUR enforcement profile, the following error occurs:

ST1-CMDR: 8021X Deauthenticating client 8C04BA11ABC4 on port 2/38, downloaded user role TATRA__DRE_IT_CP_... is not valid as CLI execution Error.


ST1-CMDR: Faulty line: netdestination OWA_TATRA__DRE_IT_CP_-3035-98_7Z4q .

We have found that if the old version of the DUR is removed from the switch manually by using the following command, the authentication is successful without the previous error.

downloadable-role-delete TATRA__DRE_IT_CP_-3035-97

This is the correct behaviour:

(screenshot attached: correct.png)

Is this a bug in the switch firmware or is it intended behaviour? Deleting the old Downloadable user role to get the new version to work is annoying.

Frequent Contributor II

Re: Clearpass Downloadable user roles

I just put this through my lab and ran into the same problem. My issue was faulty syntax in the DUR.

W 05/15/20 08:30:03 05619 dca: macAuth Deauthenticating client 885BDDA4XXXX on
            port 5, downloaded user role DUR_EXTRAP-3476-1 is not valid as CLI
            execution Error.
W 05/15/20 08:30:03 05630 dca: Faulty line: network 192.168.1.10 255.255.255.255
            position 10.
I 05/15/20 08:29:59 00435 ports: port 5 is Blocked by AAA
W 05/15/20 08:29:55 05630 dca: Faulty line: network 192.168.1.10 255.255.255.255
            position 10.

I corrected it by changing the netdestination as type Network and changed the netmask to 255.255.255.0. Then the DUR applied without issue.

 5     885bdda4XXXX  885bdd-a4XXXX     192.168.199.52  *DUR_EXTRAP-34... MAC   199   
ACEP, ACSP, ACCX #1239
New Contributor

Re: Clearpass Downloadable user roles

You can't use:

network 192.168.1.10 255.255.255.255 position 10

Instead of network, use host:

host 192.168.1.10 position 10

Your solution extends one address to the whole subnet.

It doesn't seem like you ran into the same problem. Our syntax isn't the issue, as if we delete the downloaded role from the switch it executes without a problem.

Frequent Contributor II

Re: Clearpass Downloadable user roles

Yes, I know. I was trying to trigger the error you were seeing. Can you output more of the log and your full role to include the netdestination? It doesn't like the netdestination line for one reason or another.
ACEP, ACSP, ACCX #1239
New Contributor

Re: Clearpass Downloadable user roles

The issue was resolved. It was due to the netdestination limit. They call it a "feature" to support just 24 netdestinations on the 2930F switch. I hope someday they will increase the maximum number of netdestinations. Until then, we will suffer with unclear ACLs.
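A pre-push check for the two failure modes discussed in this thread (a /32 "network" entry that should be "host", and the 24-netdestination limit reported for the 2930F), written as an added example and not code from the thread or from Aruba/ClearPass. It assumes the DUR text uses the line syntax quoted above; the sample role, the NETDEST_LIMIT value and the existing_netdests parameter are constructed for illustration.

```python
import re

# Assumption: the per-switch limit quoted in the thread (24 netdestinations on
# the 2930F), used here as a lint threshold rather than a documented constant.
NETDEST_LIMIT = 24

NETDEST_RE = re.compile(r"^\s*netdestination\s+(\S+)")
NETWORK_RE = re.compile(
    r"^\s*network\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)(\s+position\s+\d+)?"
)

def lint_dur(role_text: str, existing_netdests: int = 0) -> dict:
    """Lint a downloadable user role before ClearPass pushes it to the switch.

    existing_netdests: number of netdestinations already present on the
    switch (e.g. from other roles), so the switch-wide limit can be checked.
    Returns the netdestination names found, suggested 'host' rewrites for
    /32 'network' lines (line number, replacement), and the limit check.
    """
    names, host_fixes = [], []
    for lineno, line in enumerate(role_text.splitlines(), 1):
        m = NETDEST_RE.match(line)
        if m:
            names.append(m.group(1))
            continue
        m = NETWORK_RE.match(line)
        if m and m.group(2) == "255.255.255.255":
            # A /32 mask is rejected by the switch; 'host <addr>' is the valid form.
            host_fixes.append((lineno, f"host {m.group(1)}{m.group(3) or ''}"))
    total = existing_netdests + len(names)
    return {
        "netdestinations": names,
        "host_fixes": host_fixes,
        "total_netdestinations": total,
        "over_limit": total > NETDEST_LIMIT,
    }

# Constructed sample role text, not taken from any real deployment.
SAMPLE_ROLE = """\
netdestination OWA_EXAMPLE
  network 192.168.1.10 255.255.255.255 position 10
  host 192.168.1.20 position 20
netdestination DNS_EXAMPLE
  host 10.0.0.53 position 10
"""

if __name__ == "__main__":
    print(lint_dur(SAMPLE_ROLE, existing_netdests=23))
```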
