Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass download undefined role to controller

  • 1.  Clearpass download undefined role to controller

    Posted Dec 28, 2016 04:41 AM

    Hi,

     

    I'm trying to get CPPM to push a role to a controller but without success. The user is not getting the correct role. It's getting the role I set in the AAA profile. 

     

    I followed the guide at http://www.airheads.eu/t5/Controller-Based-WLANs/Downloading-an-undefined-role-from-CPPM-to-Controller/ta-p/243661

     

     

    Enforcement profile:

    cp_policy.JPG

     

    Access Tracker:

    kiko-as.JPG

    On the controller:

     

    Security log doesn't look good...

     

     

    Dec 28 10:27:49 :199802: <4052> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:119: Dldb Role KIKO_BYOD_EP-3004-8: Curl response with HTTP code: 401
    Dec 28 10:27:49 :124830: <4052> <ERRS> |authmgr| Dldb Role KIKO_BYOD_EP-3004-8: Users dequeued, role in incomplete state

     

    #show rights downloaded-user-roles

    RoleTable
    ---------
    Name                      ACL  Bandwidth                  ACL List                                           Type
    ----                      ---  ---------                  --------                                           ----
    KIKO_BYOD_EP-3004-8       104  Up: No Limit,Dn: No Limit  global-sacl/,apprf-KIKO_BYOD_EP-3004-8-sacl/       System (downloaded, not editable)
    KIKO_BYOD_PROFILE-3002-6  86   Up: No Limit,Dn: No Limit  global-sacl/,apprf-KIKO_BYOD_PROFILE-3002-6-sacl/  System (downloaded, not editable)
    test_ep-3003-1            80   Up: No Limit,Dn: No Limit  global-sacl/,apprf-test_ep-3003-1-sacl/            System (downloaded, not editable)

     

    aaa profile "Users"
        initial-role "authenticated"
        mac-default-role "logon"
        mac-server-group "Clearpass"
        authentication-dot1x "Users"
        dot1x-default-role "logon"
        dot1x-server-group "Clearpass"
        download-role
        enforce-dhcp

     

    Controller is 7205 with 6.5.0.3

    Clearpass is 6.6.0.81015

     

    Am I missing something here?

  • 2.  RE: Clearpass download undefined role to controller

    Posted Dec 28, 2016 05:05 AM

    Got some more debug information:

     

    Dec 28 11:03:18 :522278: <4052> <INFO> |authmgr| MAC=e4:b3:18:9d:0f:49 IP=?? Dldb Role: KIKO_BYOD_EP-3004-9 Derived downloadable role from Aruba CPPM VSA
    Dec 28 11:03:18 :522280: <4052> <ERRS> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 Cannot be assigned downloadable role, role is in error state
    Dec 28 11:03:18 :522282: <4052> <DBUG> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 User will be assigned default role for the auth-type
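
An added example, not part of the original posts and not Aruba's code: a Python triage script that groups the authmgr lines quoted in posts 1 and 2 by downloadable role, and reports which role downloads got an HTTP error and which clients ended up on the default role instead. The function names and regular expressions are assumptions derived only from the log lines shown in this thread.

```python
import re
from collections import defaultdict

# Log lines copied from posts 1 and 2 of this thread (ArubaOS authmgr security log).
SAMPLE_LOG = """\
Dec 28 10:27:49 :199802: <4052> <ERRS> |authmgr| auth_cppm_api.c, auth_curl_perform:119: Dldb Role KIKO_BYOD_EP-3004-8: Curl response with HTTP code: 401
Dec 28 10:27:49 :124830: <4052> <ERRS> |authmgr| Dldb Role KIKO_BYOD_EP-3004-8: Users dequeued, role in incomplete state
Dec 28 11:03:18 :522278: <4052> <INFO> |authmgr| MAC=e4:b3:18:9d:0f:49 IP=?? Dldb Role: KIKO_BYOD_EP-3004-9 Derived downloadable role from Aruba CPPM VSA
Dec 28 11:03:18 :522280: <4052> <ERRS> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 Cannot be assigned downloadable role, role is in error state
Dec 28 11:03:18 :522282: <4052> <DBUG> |authmgr| MAC=e4:b3:18:9d:0f:49 Dldb Role: KIKO_BYOD_EP-3004-9 User will be assigned default role for the auth-type
"""

# Layout assumed from the lines above: "<timestamp> :<msg id>: <pid> <severity> |authmgr| <message>"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} :(?P<id>\d+): <\d+> <(?P<sev>\w+)> \|authmgr\| (?P<msg>.*)$")
ROLE = re.compile(r"Dldb Role:? (?P<role>[^\s:]+)")
HTTP = re.compile(r"HTTP code: (?P<code>\d{3})")
MAC = re.compile(r"MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def triage(log_text):
    """Group downloadable-role events by role name."""
    roles = defaultdict(lambda: {"http_codes": set(), "errors": [], "fallback_macs": set()})
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        role = line and ROLE.search(line["msg"])
        if not role:
            continue  # not an authmgr downloadable-role message
        entry, msg = roles[role["role"]], line["msg"]
        http = HTTP.search(msg)
        if http:
            entry["http_codes"].add(int(http["code"]))
        if line["sev"] == "ERRS":
            entry["errors"].append(line["id"])
        mac = MAC.search(msg)
        if mac and "default role" in msg:
            # The client was not given the downloaded role; it got the AAA profile default.
            entry["fallback_macs"].add(mac["mac"].lower())
    return dict(roles)

def failed_roles(report):
    """Roles whose download got an HTTP error or whose clients fell back to the default role."""
    return sorted(name for name, e in report.items()
                  if any(code >= 400 for code in e["http_codes"]) or e["fallback_macs"])

if __name__ == "__main__":
    for name in failed_roles(triage(SAMPLE_LOG)):
        print(name, triage(SAMPLE_LOG)[name])
```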



  • 3.  RE: Clearpass download undefined role to controller

    EMPLOYEE
    Posted Dec 28, 2016 11:59 AM

    You should try a role that has simple access rules, instead of ethertypes.



  • 4.  RE: Clearpass download undefined role to controller

    Posted Jan 06, 2017 05:23 AM

    Thanks for the input. Still doesn't work. Due to time constraints I resorted to defined roles.

     

    Will do some testing in the lab.