Hello,
I'm having an issue with (what I thought was) a simple downloadable user role. In this example, I'm passing two DURs from ClearPass to an Aruba 2930F switch:
- DUR-DHCP-Only
- DUR-Allow-All
The allow all role is working correctly:
CPPM:
class ipv4 IP-ANY-ANY
match ip any any
exit
policy user Allow-All-ACL
class ipv4 IP-ANY-ANY action permit
exit
aaa authorization user-role name DUR-Data-Allow-All
policy Allow-All-ACL
vlan-name Lab-Network
exit
Switch:
I 08/04/19 18:08:14 00435 ports: port 8 is Blocked by AAA
0000:01:50:23.34 UMIB tRadiusR:Received cppm downloadable user role vsa for
client with request-id 60 and assigned user role is :
Aruba_DUR_Data_Allow_All-3016-11
0000:01:50:23.34 UMIB mdcaCtrl:New node is created for the downloadable user
role Aruba_DUR_Data_Allow_All-3016-11
0000:01:50:23.34 UMIB mdcaCtrl:DUR Client with request-id 60 is added to waiting
queue for downloadable user role Aruba_DUR_Data_Allow_All-3016-11 in INITIAL
state
0000:01:50:23.34 UMIB mdcaCtrl:Posting event to cppm task to download the
userRole Aruba_DUR_Data_Allow_All-3016-11
0000:01:50:23.44 UMIB tRadiusR:Received cppm downloadable user role vsa for
client with request-id 61 and assigned user role is :
Aruba_DUR_Data_Allow_All-3016-11
0000:01:50:23.44 UMIB mdcaCtrl:DUR Client with request-id 61 is added to waiting
queue for downloadable user role Aruba_DUR_Data_Allow_All-3016-11 in
DOWNLOADING state
0000:01:50:25.51 UMIB mcppmTask:Download of userRole
Aruba_DUR_Data_Allow_All-3016-11 is success
0000:01:50:25.51 UMIB mcppmTask:Parsing of downloaded userRole
Aruba_DUR_Data_Allow_All-3016-11 is success
0000:01:50:25.53 UMIB mcppmTask:Copying downloaded userRole
Aruba_DUR_Data_Allow_All-3016-11 to RamFs is success
0000:01:50:25.53 UMIB mdcaCtrl:Removing DUR Client with request-id 60 for
downloadable user role Aruba_DUR_Data_Allow_All-3016-11 from waiting queue as
the role is downloaded
0000:01:50:25.53 UMIB mdcaCtrl: Sending message to authentication task for
client with request-id 60
0000:01:50:25.53 UMIB mdcaCtrl:Removing DUR Client with request-id 61 for
downloadable user role Aruba_DUR_Data_Allow_All-3016-11 from waiting queue as
the role is downloaded
0000:01:50:25.53 UMIB mdcaCtrl: Sending message to authentication task for
client with request-id 61
0000:01:50:25.53 UMIB mdcaCtrl:Removing previous downloadable user role version
Aruba_DUR_Data_Allow_All-3016-10_7Z4q as no clients are mapped to that
version
0000:01:50:25.53 UMIB mdcaCtrl: Deleting the downloadable user role
Aruba_DUR_Data_Allow_All-3016-10 from config record
0000:01:50:25.58 UMIB mWebAuth:added new dca client f0def1-7b4652 for new client
port 8.
0000:01:50:25.58 UMIB mWebAuth:Client Mac F0DEF1-7B4652, accessMode MacAuth
I 08/04/19 18:08:16 00076 ports: port 8 is now on-line
0000:01:50:25.59 UMIB m8021xCtrl:removing dca client f0def1-7b4652 for port 8.
0000:01:50:25.59 UMIB m8021xCtrl:added new dca client f0def1-7b4652 for new
client port 8.
0000:01:50:25.59 UMIB m8021xCtrl:Client Mac F0DEF1-7B4652, accessMode 8021x
I 08/04/19 18:08:16 00001 vlan: Default virtual LAN enabled (1 times in 60
seconds)
I 08/04/19 18:08:16 00002 vlan: Default virtual LAN disabled (1 times in 60
seconds)
The DUR-DHCP-Only role, however, is not working correctly. I get an error that the role contains non-role commands. I've 1) made sure to eliminate any additional spacing or extra characters and 2) confirmed that the role works successfully when deployed locally on the switch.
Does anyone have any ideas here? There must be something simple that I've overlooked. Switch is running 16.08.0005.
CPPM:
class ipv4 IP-ANY-ANY
match ip any any
class ipv4 DHCP
match udp any any eq 67
exit
policy user DHCP-Only-ACL
class ipv4 DHCP action permit
class ipv4 IP-ANY-ANY action deny
exit
aaa authorization user-role name DUR-DHCP-Only
policy DHCP-Only-ACL
vlan-name Lab-Network
exit
Switch:
I 08/04/19 18:10:35 00435 ports: port 8 is Blocked by AAA
0000:01:52:44.19 UMIB tRadiusR:Received cppm downloadable user role vsa for
client with request-id 62 and assigned user role is :
Aruba_DUR_DHCP_Only-3017-5
0000:01:52:44.19 UMIB mdcaCtrl:New node is created for the downloadable user
role Aruba_DUR_DHCP_Only-3017-5
0000:01:52:44.19 UMIB mdcaCtrl:DUR Client with request-id 62 is added to waiting
queue for downloadable user role Aruba_DUR_DHCP_Only-3017-5 in INITIAL state
0000:01:52:44.19 UMIB mdcaCtrl:Posting event to cppm task to download the
userRole Aruba_DUR_DHCP_Only-3017-5
0000:01:52:44.25 UMIB tRadiusR:Received cppm downloadable user role vsa for
client with request-id 63 and assigned user role is :
Aruba_DUR_DHCP_Only-3017-5
0000:01:52:44.25 UMIB mdcaCtrl:DUR Client with request-id 63 is added to waiting
queue for downloadable user role Aruba_DUR_DHCP_Only-3017-5 in DOWNLOADING
state
0000:01:52:46.34 UMIB mcppmTask:Download of userRole Aruba_DUR_DHCP_Only-3017-5
is success
0000:01:52:46.34 UMIB mcppmTask:Parsing of downloaded userRole
Aruba_DUR_DHCP_Only-3017-5 is Failed with reason PARSE_ERROR_INVALID_CONTEXT
0000:01:52:46.34 UMIB mdcaCtrl: Sending message to authentication task for
client with request-id 62
0000:01:52:46.34 UMIB mdcaCtrl:Removing DUR Client with request-id 62 for
downloadable user role Aruba_DUR_DHCP_Only-3017-5 from waiting queue as role
parsing failed
0000:01:52:46.34 UMIB mdcaCtrl: Sending message to authentication task for
client with request-id 63
0000:01:52:46.34 UMIB mdcaCtrl:Removing DUR Client with request-id 63 for
downloadable user role Aruba_DUR_DHCP_Only-3017-5 from waiting queue as role
parsing failed
0000:01:52:46.34 UMIB mWebAuth:macAuth Deauthenticating client F0DEF17B4652 on
port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it contains
non user role commands.
W 08/04/19 18:10:37 05630 dca: Faulty line: class ipv4 DHCP
.
W 08/04/19 18:10:37 05619 dca: macAuth Deauthenticating client F0DEF17B4652 on
port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it
contains non user role commands.
0000:01:52:46.35 UMIB m8021xCtrl:8021X Deauthenticating client F0DEF17B4652 on
port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it contains
non user role commands.
W 08/04/19 18:10:37 05619 dca: 8021X Deauthenticating client F0DEF17B4652 on
port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it
contains non user role commands.
If the role is assigned locally, I get no errors:
Aruba-Lab-SW1(config)# class ipv4 IP-ANY-ANY
Aruba-Lab-SW1(config-class)# match ip any any
Aruba-Lab-SW1(config-class)# class ipv4 DHCP
Aruba-Lab-SW1(config-class)# match udp any any eq 67
Aruba-Lab-SW1(config-class)# exit
Aruba-Lab-SW1(config)#
Aruba-Lab-SW1(config)# policy user DHCP-Only-ACL
Aruba-Lab-SW1(policy-user)# class ipv4 DHCP action permit
Aruba-Lab-SW1(policy-user)# class ipv4 IP-ANY-ANY action deny
Aruba-Lab-SW1(policy-user)# exit
Aruba-Lab-SW1(config)#
Aruba-Lab-SW1(config)# aaa authorization user-role name DUR-DHCP-Only
Aruba-Lab-SW1(user-role)# policy DHCP-Only-ACL
Aruba-Lab-SW1(user-role)# vlan-name Lab-Network
Aruba-Lab-SW1(user-role)# exit
For further context, the Allow-All role:
Aruba-Lab-SW1(config)# show port-access clients detailed
Port Access Client Status Detail
Client Base Details :
Port : 8 Authentication Type : 802.1x
Client Status : authenticated Session Time : 11 seconds
Client name : VMLAB\Ryan Session Timeout : 0 seconds
MAC Address : f0def1-7b4652
IP : 169.254.16.6
Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled
Downloaded user roles are preceded by *
User Role Information
Name : *Aruba_DUR_Data_Allow_All-3016-11
Type : downloaded
Reauthentication Period (seconds) : 0
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : 20
Tagged VLANs :
Captive Portal Profile :
Policy : Allow-All-ACL_Aruba_DUR_Data_Allow_All-3016-11
Statements for policy "Allow-All-ACL_Aruba_DUR_Data_Allow_All-3016-11"
policy user "Allow-All-ACL_Aruba_DUR_Data_Allow_All-3016-11"
10 class ipv4 "IP-ANY-ANY_Aruba_DUR_Data_Allow_All-3016-11" action permit
exit
Statements for class IPv4 "IP-ANY-ANY_Aruba_DUR_Data_Allow_All-3016-11"
class ipv4 "IP-ANY-ANY_Aruba_DUR_Data_Allow_All-3016-11"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled
Aruba-Lab-SW1(config)#
And the DHCP-Only role:
Aruba-Lab-SW1(eth-8)# show port-access clients detailed
Port Access Client Status Detail
Client Base Details :
Port : 8 Authentication Type : 802.1x
Client Status : initial role failed Session Time : 0 seconds
Client name : Session Timeout : 0 seconds
MAC Address : f0def1-7b4652
IP : n/a
Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled
Client Base Details :
Port : 8 Authentication Type : mac-based
Client Status : initial role failed Session Time : 4 seconds
Client Name : f0def17b4652 Session Timeout : 0 seconds
MAC Address : f0def1-7b4652
IP : n/a
Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled
Aruba-Lab-SW1(eth-8)#
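Added example, not from the original post and not Aruba's code: a small Python lint that models the block-nesting rule the switch log points at. The log reports PARSE_ERROR_INVALID_CONTEXT with "Faulty line: class ipv4 DHCP", and the only structural difference between the two posted roles is that DUR-Data-Allow-All closes its `class` block with `exit` before anything else, while DUR-DHCP-Only opens `class ipv4 DHCP` directly after `match ip any any`. The interactive CLI accepted that (the post shows `class ipv4 DHCP` being entered from the `(config-class)#` prompt), which is why the role pastes fine locally but fails as a DUR. The lint runs over the two role texts copied from the post, reproduces the switch's verdict on each, and inserts the missing `exit`. The per-context statement lists are an assumption used for illustration, not the switch's real grammar.

```python
"""Context lint for ArubaOS-Switch DUR text (illustrative model, not the real parser).

Rule modelled: a DUR is a flat sequence of blocks (class / policy / user-role),
and every block must be closed with `exit` before the next one is opened.
"""
import re
from typing import List, Optional, Tuple

# Block openers; each must be matched by an `exit` before the next opener.
OPENERS = [
    (re.compile(r"^class\s+(ipv4|ipv6)\s+\S+$"), "class"),
    (re.compile(r"^policy\s+user\s+\S+$"), "policy"),
    (re.compile(r"^aaa\s+authorization\s+user-role\s+name\s+\S+$"), "user-role"),
]

# Statements accepted inside each block (assumption: taken from the posted roles
# plus a few common keywords; not an exhaustive list of the switch's syntax).
INNER = {
    "class": re.compile(r"^(\d+\s+)?(match|ignore)\s+"),
    "policy": re.compile(r"^(\d+\s+)?class\s+(ipv4|ipv6)\s+\S+\s+action\s+(permit|deny|redirect)"),
    "user-role": re.compile(r"^(policy|vlan-name|vlan-id|vlan-id-tagged|reauth-period|captive-portal-profile)\b"),
}


def opener_for(line: str) -> Optional[str]:
    for pat, ctx in OPENERS:
        if pat.match(line):
            return ctx
    return None


def lint_dur(text: str) -> Tuple[bool, Optional[int], Optional[str], str]:
    """Return (ok, faulty_line_no, faulty_line, reason); line numbers are 1-based."""
    ctx: Optional[str] = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            if ctx is None:
                return False, n, line, "PARSE_ERROR_INVALID_CONTEXT (exit with no open block)"
            ctx = None
            continue
        opened = opener_for(line)
        if opened is not None:
            # The failure mode from the post: a new block opened while the
            # previous one is still open because its `exit` is missing.
            if ctx is not None:
                return False, n, line, f"PARSE_ERROR_INVALID_CONTEXT (opened inside '{ctx}' block)"
            ctx = opened
            continue
        if ctx is None:
            return False, n, line, "PARSE_ERROR_INVALID_CONTEXT (statement outside any block)"
        if not INNER[ctx].match(line):
            return False, n, line, f"non user role command in '{ctx}' block"
    if ctx is not None:
        return False, None, None, f"unterminated '{ctx}' block (missing exit)"
    return True, None, None, "OK"


def fix_missing_exits(text: str) -> str:
    """Insert `exit` in front of any opener that appears while a block is still open."""
    out: List[str] = []
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "exit":
            ctx = None
        elif (opened := opener_for(line)) is not None:
            if ctx is not None:
                out.append("exit")
            ctx = opened
        out.append(line)
    if ctx is not None:
        out.append("exit")
    return "\n".join(out) + "\n"


# Role texts copied from the post: the one that parsed, and the one the switch rejected.
ALLOW_ALL = """class ipv4 IP-ANY-ANY
match ip any any
exit
policy user Allow-All-ACL
class ipv4 IP-ANY-ANY action permit
exit
aaa authorization user-role name DUR-Data-Allow-All
policy Allow-All-ACL
vlan-name Lab-Network
exit
"""

DHCP_ONLY = """class ipv4 IP-ANY-ANY
match ip any any
class ipv4 DHCP
match udp any any eq 67
exit
policy user DHCP-Only-ACL
class ipv4 DHCP action permit
class ipv4 IP-ANY-ANY action deny
exit
aaa authorization user-role name DUR-DHCP-Only
policy DHCP-Only-ACL
vlan-name Lab-Network
exit
"""

if __name__ == "__main__":
    for name, text in (("Allow-All", ALLOW_ALL), ("DHCP-Only", DHCP_ONLY)):
        ok, n, line, reason = lint_dur(text)
        where = f" -> faulty line {n}: {line}" if line else ""
        print(f"{name}: {'OK' if ok else 'FAIL'} {reason}{where}")
    fixed = fix_missing_exits(DHCP_ONLY)
    print("DHCP-Only after inserting exit:", lint_dur(fixed)[3])
    print(fixed)
```

Running it flags line 3 of the DHCP-Only role (`class ipv4 DHCP`) as opened inside the still-open `IP-ANY-ANY` class block, exactly the line the switch's `dca: Faulty line` message names, and passes the same role once an `exit` is inserted after `match ip any any`. Pasting DUR text into the switch CLI is not a sufficient check because the CLI silently switches class contexts; lint the text the way the DUR parser will read it.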