Hello!
I've configured ClearPass and an ArubaOS switch to apply downloadable user roles to MAC-based clients.
This fails with: Failed to apply user role ... user role is invalid.
NTP is configured properly; the time matches ClearPass exactly.
The clearpass certificate and the user roles were downloaded to the switch.
Switch OS: 16.10.0005
ClearPass version: 6.9.0.130064
Switch configuration:
radius-server host "server.domain.net" key "key123"
radius-server host "server.domain.net" dyn-authorization
radius-server host "server.domain.net" time-window plus-or-minus-time-window
radius-server host "server.domain.net" time-window 30
radius-server host "server.domain.net" clearpass
radius-server cppm identity "duadmin"
aaa server-group radius "CPSERVERS" host "server.domain.net"
aaa accounting update periodic 3
aaa accounting network start-stop radius server-group "CPSERVERS"
aaa authorization user-role enable download
aaa authentication port-access eap-radius server-group "CPSERVERS"
aaa authentication mac-based chap-radius server-group "CPSERVERS"
aaa port-access authenticator
aaa port-access authenticator 1/J4 tx-period 10
aaa port-access authenticator 1/J4 supplicant-timeout 10
aaa port-access authenticator 1/J4 max-eap-retries 1
aaa port-access authenticator 1/J4 client-limit 3
aaa port-access mac-based 1/J4
aaa port-access mac-based 1/J4 addr-limit 2
aaa port-access mac-based 1/J4 mac-pin
aaa port-access 1/J4 auth-order authenticator mac-based
Debug output:
debug security radius-server
debug security ssl
debug security port-access mac-based include port 1/J4
debug destination session
debug destination buffer
0031:19:18:06.42 RAD tRadiusR:ACCESS ACCEPT id: 88 from x.x.x.x received.
0031:19:18:06.42 UMIB tRadiusR:Received ClearPass downloadable user role vsa for
client with request-id 11131 and assigned user role is :
DUR_allow_any-3048-1
0031:19:18:06.42 UMIB tRadiusR:User role DUR_allow_any-3048-1 is already
downloaded and present in the system.
0031:19:18:06.42 MAC mWebAuth:Failed to apply user role
DUR_allow_any-3048-1_7Z4q to macAuth client 001122AABBCC on port 1/J4:
user role is invalid.
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc error when processing user-role in dcaRadiusProcessUserRole.
0031:19:18:06.42 UMIB mWebAuth:MAC: 001122-aabbcc Port: 1/J4 getting radius attributes failed.
0031:19:18:06.42 AUOR mWebAuth:Auth Order: Port 1/J4: Client status updated for
client: 001122-aabbcc, auth-method: 2 , auth-state: 1 .
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc [11131] assigned role 'DUR_allow_any-3048-1_7Z4q' failed, attempting to apply initial role.
0031:19:18:06.42 UMIB mWebAuth:added new dca client 001122-abbcc for new client
port 1/J4.
...
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc [11131] client
accepted with role 'allow-all'.
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc client successfully
placed into vid: 999.
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc client pinned
successfully
W 05/08/20 16:14:56 05204 dca: ST1-CMDR: Failed to apply user role
DUR_allow_any-3048-1_7Z4q to macAuth client 001122AABBCC on
port 1/J4: user role is invalid.
I 05/08/20 16:14:56 00076 ports: ST1-CMDR: port 1/J4 is now on-line
ClearPass Enforcement:
I tried both Standard and Advanced role configuration modes.
Both modes result in this error.
There are also no certificate errors in the debug output during authentication, as described here.
The switch is also configured as a network device with Hewlett-Packard-Enterprise as the vendor name.
The endpoint ends up in the initial role of the switch.
Could this line be a hint that ClearPass is not using the correct RADIUS attributes?
0031:19:18:06.42 UMIB mWebAuth:MAC: 001122-aabbcc Port: 1/J4 getting radius attributes failed.
There is also this alert in the Access Tracker:
Am I missing something?
Thank you!
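The following is an added example, not code from the original post and not from Aruba or ClearPass. It re-joins the wrapped debug and event-log lines quoted in the post (used here verbatim as the sample input), pulls out the DUR-related facts from the one authentication attempt, and reports what they say: the role name announced in the ClearPass VSA, the role name the switch then tried to apply, the failure reason, and the role and VLAN the client fell back to. It only reports the discrepancies visible in the lines; it does not claim a root cause. The record-start patterns are an assumption based on the two line formats shown in the post.

```python
"""Extract ClearPass downloadable-user-role (DUR) facts from ArubaOS-Switch
debug output and check whether the role names line up.

Added example; not code from the original post, Aruba or ClearPass.
"""
import re

# Debug and event-log lines copied from the post above (already anonymised
# there: x.x.x.x, 001122AABBCC). Lines without a timestamp are wrapped
# continuations of the previous record.
DEBUG_LOG = """\
0031:19:18:06.42 RAD tRadiusR:ACCESS ACCEPT id: 88 from x.x.x.x received.
0031:19:18:06.42 UMIB tRadiusR:Received ClearPass downloadable user role vsa for
client with request-id 11131 and assigned user role is :
DUR_allow_any-3048-1
0031:19:18:06.42 UMIB tRadiusR:User role DUR_allow_any-3048-1 is already
downloaded and present in the system.
0031:19:18:06.42 MAC mWebAuth:Failed to apply user role
DUR_allow_any-3048-1_7Z4q to macAuth client 001122AABBCC on port 1/J4:
user role is invalid.
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc [11131] assigned role 'DUR_allow_any-3048-1_7Z4q' failed, attempting to apply initial role.
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc [11131] client
accepted with role 'allow-all'.
0031:19:18:06.42 MAC mWebAuth:Port: 1/J4 MAC: 001122-aabbcc client successfully
placed into vid: 999.
W 05/08/20 16:14:56 05204 dca: ST1-CMDR: Failed to apply user role
DUR_allow_any-3048-1_7Z4q to macAuth client 001122AABBCC on
port 1/J4: user role is invalid.
"""

# Assumption from the two formats in the post: a record starts with a debug
# timestamp (HHHH:MM:SS.ss) or an event-log severity letter plus a date.
RECORD_START = re.compile(r"^(\d{4}:\d{2}:\d{2}:\d{2}\.\d{2}\s|[A-Z]\s\d{2}/\d{2}/\d{2}\s)")

VSA_RE      = re.compile(r"request-id (\d+) and assigned user role is :\s*(\S+)")
PRESENT_RE  = re.compile(r"User role (\S+) is already downloaded")
FAILED_RE   = re.compile(r"Failed to apply user role (\S+) to macAuth client "
                         r"([0-9A-Fa-f]{12}) on port ([^:\s]+): (.*)")
ACCEPTED_RE = re.compile(r"client accepted with role '([^']+)'")
VID_RE      = re.compile(r"placed into vid: (\d+)")


def unwrap(text):
    """Join wrapped continuation lines back onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def analyze(text):
    """Collect the DUR-related facts from one authentication attempt."""
    facts = {"request_id": None, "vsa_role": None, "present_role": None,
             "failed_roles": [], "failure_reason": None, "port": None,
             "fallback_role": None, "vid": None}
    for rec in unwrap(text):
        if m := VSA_RE.search(rec):
            facts["request_id"], facts["vsa_role"] = m.group(1), m.group(2)
        elif m := PRESENT_RE.search(rec):
            facts["present_role"] = m.group(1)
        elif m := FAILED_RE.search(rec):
            facts["failed_roles"].append(m.group(1))
            facts["port"] = m.group(3)
            facts["failure_reason"] = m.group(4).rstrip(".")
        elif m := ACCEPTED_RE.search(rec):
            facts["fallback_role"] = m.group(1)
        elif m := VID_RE.search(rec):
            facts["vid"] = m.group(1)
    return facts


def findings(facts):
    """Turn the facts into short observations; no root-cause claim is made."""
    out = []
    mismatched = [r for r in facts["failed_roles"] if r != facts["vsa_role"]]
    if mismatched:
        out.append(f"role name in VSA ({facts['vsa_role']}) differs from the role "
                   f"name the switch tried to apply ({mismatched[0]})")
    if facts["failed_roles"] and facts["failure_reason"]:
        out.append(f"DUR apply failed on port {facts['port']}: {facts['failure_reason']}")
    if facts["fallback_role"]:
        vlan = f" in VLAN {facts['vid']}" if facts["vid"] else ""
        out.append(f"client fell back to initial role '{facts['fallback_role']}'{vlan}")
    return out


if __name__ == "__main__":
    for f in findings(analyze(DEBUG_LOG)):
        print("-", f)
```

Run it against a fresh `debug security port-access mac-based` capture by replacing DEBUG_LOG; the unwrap step matters because the switch wraps long debug records and the role name regularly lands on its own line.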