Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Downloadable User Role - Parse Error - Invalid context

1. Downloadable User Role - Parse Error - Invalid context

    Posted Aug 04, 2019 09:14 PM

    Hello,

    I'm having an issue with (what I thought) was a simple downloadable user role. In this example, I'm passing two DURs from ClearPass to an Aruba 2930F switch:

    • DUR-DHCP-Only
    • DUR-Allow-All

    The allow all role is working correctly:

    CPPM:

    class ipv4 IP-ANY-ANY
    match ip any any
    exit
    
    policy user Allow-All-ACL
    class ipv4 IP-ANY-ANY action permit
    exit
    
    aaa authorization user-role name DUR-Data-Allow-All
    policy Allow-All-ACL
    vlan-name Lab-Network
    exit

    Switch:

    I 08/04/19 18:08:14 00435 ports: port 8 is Blocked by AAA
    0000:01:50:23.34 UMIB tRadiusR:Received cppm downloadable user role vsa for
       client with request-id 60 and assigned user role is :
       Aruba_DUR_Data_Allow_All-3016-11
    0000:01:50:23.34 UMIB mdcaCtrl:New node is created for the downloadable user
       role Aruba_DUR_Data_Allow_All-3016-11
    0000:01:50:23.34 UMIB mdcaCtrl:DUR Client with request-id 60 is added to waiting
       queue for downloadable user role Aruba_DUR_Data_Allow_All-3016-11 in INITIAL
       state
    0000:01:50:23.34 UMIB mdcaCtrl:Posting event to cppm task to  download the
       userRole Aruba_DUR_Data_Allow_All-3016-11
    0000:01:50:23.44 UMIB tRadiusR:Received cppm downloadable user role vsa for
       client with request-id 61 and assigned user role is :
       Aruba_DUR_Data_Allow_All-3016-11
    0000:01:50:23.44 UMIB mdcaCtrl:DUR Client with request-id 61 is added to waiting
       queue for downloadable user role Aruba_DUR_Data_Allow_All-3016-11 in
       DOWNLOADING state
    0000:01:50:25.51 UMIB mcppmTask:Download of userRole
       Aruba_DUR_Data_Allow_All-3016-11 is success
    0000:01:50:25.51 UMIB mcppmTask:Parsing of downloaded userRole
       Aruba_DUR_Data_Allow_All-3016-11 is success
    0000:01:50:25.53 UMIB mcppmTask:Copying downloaded userRole
       Aruba_DUR_Data_Allow_All-3016-11 to RamFs is success
    0000:01:50:25.53 UMIB mdcaCtrl:Removing DUR Client with request-id 60 for
       downloadable user role Aruba_DUR_Data_Allow_All-3016-11 from waiting queue as
       the role is downloaded
    0000:01:50:25.53 UMIB mdcaCtrl: Sending message to authentication task for
       client with request-id 60
    0000:01:50:25.53 UMIB mdcaCtrl:Removing DUR Client with request-id 61 for
       downloadable user role Aruba_DUR_Data_Allow_All-3016-11 from waiting queue as
       the role is downloaded
    0000:01:50:25.53 UMIB mdcaCtrl: Sending message to authentication task for
       client with request-id 61
    0000:01:50:25.53 UMIB mdcaCtrl:Removing previous downloadable user role version
       Aruba_DUR_Data_Allow_All-3016-10_7Z4q as no clients are mapped to that
       version
    0000:01:50:25.53 UMIB mdcaCtrl: Deleting the downloadable user role
       Aruba_DUR_Data_Allow_All-3016-10 from config record
    0000:01:50:25.58 UMIB mWebAuth:added new dca client f0def1-7b4652 for new client
       port 8.
    0000:01:50:25.58 UMIB mWebAuth:Client Mac F0DEF1-7B4652, accessMode MacAuth
    I 08/04/19 18:08:16 00076 ports: port 8 is now on-line
    0000:01:50:25.59 UMIB m8021xCtrl:removing dca client f0def1-7b4652 for port 8.
    0000:01:50:25.59 UMIB m8021xCtrl:added new dca client f0def1-7b4652 for new
       client port 8.
    0000:01:50:25.59 UMIB m8021xCtrl:Client Mac F0DEF1-7B4652, accessMode 8021x
    I 08/04/19 18:08:16 00001 vlan: Default virtual LAN enabled (1 times in 60
                seconds)
    I 08/04/19 18:08:16 00002 vlan: Default virtual LAN disabled (1 times in 60
                seconds)

    The DUR-DHCP-Only role, however, is not working correctly. I get an error that the role contains non-role commands. I've made sure to 1) eliminate any additional spacing or extra characters and 2) confirm that the role works successfully when deployed locally on the switch.

    Does anyone have any ideas here? There must be something simple that I've overlooked. Switch is running 16.08.0005.

    CPPM:

    class ipv4 IP-ANY-ANY
    match ip any any
    class ipv4 DHCP 
    match udp any any eq 67
    exit
    
    policy user DHCP-Only-ACL
    class ipv4 DHCP action permit
    class ipv4 IP-ANY-ANY action deny
    exit
    
    aaa authorization user-role name DUR-DHCP-Only
    policy DHCP-Only-ACL
    vlan-name Lab-Network
    exit

    Switch:

    I 08/04/19 18:10:35 00435 ports: port 8 is Blocked by AAA
    0000:01:52:44.19 UMIB tRadiusR:Received cppm downloadable user role vsa for
       client with request-id 62 and assigned user role is :
       Aruba_DUR_DHCP_Only-3017-5
    0000:01:52:44.19 UMIB mdcaCtrl:New node is created for the downloadable user
       role Aruba_DUR_DHCP_Only-3017-5
    0000:01:52:44.19 UMIB mdcaCtrl:DUR Client with request-id 62 is added to waiting
       queue for downloadable user role Aruba_DUR_DHCP_Only-3017-5 in INITIAL state
    0000:01:52:44.19 UMIB mdcaCtrl:Posting event to cppm task to  download the
       userRole Aruba_DUR_DHCP_Only-3017-5
    0000:01:52:44.25 UMIB tRadiusR:Received cppm downloadable user role vsa for
       client with request-id 63 and assigned user role is :
       Aruba_DUR_DHCP_Only-3017-5
    0000:01:52:44.25 UMIB mdcaCtrl:DUR Client with request-id 63 is added to waiting
       queue for downloadable user role Aruba_DUR_DHCP_Only-3017-5 in DOWNLOADING
       state
    0000:01:52:46.34 UMIB mcppmTask:Download of userRole Aruba_DUR_DHCP_Only-3017-5
       is success
    0000:01:52:46.34 UMIB mcppmTask:Parsing of downloaded userRole
       Aruba_DUR_DHCP_Only-3017-5 is Failed with reason PARSE_ERROR_INVALID_CONTEXT
    0000:01:52:46.34 UMIB mdcaCtrl: Sending message to authentication task for
       client with request-id 62
    0000:01:52:46.34 UMIB mdcaCtrl:Removing DUR Client with request-id 62 for
       downloadable user role Aruba_DUR_DHCP_Only-3017-5 from waiting queue as role
       parsing failed
    0000:01:52:46.34 UMIB mdcaCtrl: Sending message to authentication task for
       client with request-id 63
    0000:01:52:46.34 UMIB mdcaCtrl:Removing DUR Client with request-id 63 for
       downloadable user role Aruba_DUR_DHCP_Only-3017-5 from waiting queue as role
       parsing failed
    0000:01:52:46.34 UMIB mWebAuth:macAuth Deauthenticating client F0DEF17B4652 on
       port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it contains
       non user role commands.
    W 08/04/19 18:10:37 05630 dca: Faulty line: class ipv4 DHCP
    .
    W 08/04/19 18:10:37 05619 dca: macAuth Deauthenticating client F0DEF17B4652 on
                port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it
                contains non user role commands.
    0000:01:52:46.35 UMIB m8021xCtrl:8021X Deauthenticating client F0DEF17B4652 on
       port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it contains
       non user role commands.
    W 08/04/19 18:10:37 05619 dca: 8021X Deauthenticating client F0DEF17B4652 on
                port 8, downloaded user role Aruba_DUR_DHCP_On... is not valid as it
                contains non user role commands.

    If the role is assigned locally, I get no errors:

    Aruba-Lab-SW1(config)# class ipv4 IP-ANY-ANY
    Aruba-Lab-SW1(config-class)# match ip any any
    Aruba-Lab-SW1(config-class)# class ipv4 DHCP
    Aruba-Lab-SW1(config-class)# match udp any any eq 67
    Aruba-Lab-SW1(config-class)# exit
    Aruba-Lab-SW1(config)#
    Aruba-Lab-SW1(config)# policy user DHCP-Only-ACL
    Aruba-Lab-SW1(policy-user)# class ipv4 DHCP action permit
    Aruba-Lab-SW1(policy-user)# class ipv4 IP-ANY-ANY action deny
    Aruba-Lab-SW1(policy-user)# exit
    Aruba-Lab-SW1(config)#
    Aruba-Lab-SW1(config)# aaa authorization user-role name DUR-DHCP-Only
    Aruba-Lab-SW1(user-role)# policy DHCP-Only-ACL
    Aruba-Lab-SW1(user-role)# vlan-name Lab-Network
    Aruba-Lab-SW1(user-role)# exit

    For further context, the Allow-All role:

    Aruba-Lab-SW1(config)# show port-access clients detailed
    
     Port Access Client Status Detail
    
      Client Base Details :
       Port            : 8                     Authentication Type : 802.1x
       Client Status   : authenticated         Session Time        : 11 seconds
       Client name     : VMLAB\Ryan            Session Timeout     : 0 seconds
       MAC Address     : f0def1-7b4652
       IP              : 169.254.16.6
    
       Auth Order      : Not Set
       Auth Priority   : Not Set
       LMA Fallback    : Disabled
    
    Downloaded user roles are preceded by *
    
     User Role Information
    
       Name                              : *Aruba_DUR_Data_Allow_All-3016-11
       Type                              : downloaded
       Reauthentication Period (seconds) : 0
       Cached Reauth Period (seconds)    : 0
       Logoff Period (seconds)           : 300
       Untagged VLAN                     : 20
       Tagged VLANs                      :
       Captive Portal Profile            :
       Policy                            : Allow-All-ACL_Aruba_DUR_Data_Allow_All-3016-11
    
    Statements for policy "Allow-All-ACL_Aruba_DUR_Data_Allow_All-3016-11"
    policy user "Allow-All-ACL_Aruba_DUR_Data_Allow_All-3016-11"
         10 class ipv4 "IP-ANY-ANY_Aruba_DUR_Data_Allow_All-3016-11" action permit
       exit
    
    
    Statements for class IPv4 "IP-ANY-ANY_Aruba_DUR_Data_Allow_All-3016-11"
    class ipv4 "IP-ANY-ANY_Aruba_DUR_Data_Allow_All-3016-11"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    
       Tunnelednode Server Redirect      : Disabled
       Secondary Role Name               :
       Device Attributes                 : Disabled
    
    
    Aruba-Lab-SW1(config)#

    And the DHCP-Only role:

    Aruba-Lab-SW1(eth-8)# show port-access clients detailed
    
     Port Access Client Status Detail
    
      Client Base Details :
       Port            : 8                     Authentication Type : 802.1x
       Client Status   : initial role failed   Session Time        : 0 seconds
       Client name     :                       Session Timeout     : 0 seconds
       MAC Address     : f0def1-7b4652
       IP              : n/a
    
       Auth Order      : Not Set
       Auth Priority   : Not Set
       LMA Fallback    : Disabled
    
    
      Client Base Details :
       Port            : 8                     Authentication Type : mac-based
       Client Status   : initial role failed   Session Time        : 4 seconds
       Client Name     : f0def17b4652          Session Timeout     : 0 seconds
       MAC Address     : f0def1-7b4652
       IP              : n/a
    
       Auth Order      : Not Set
       Auth Priority   : Not Set
       LMA Fallback    : Disabled
    
    
    Aruba-Lab-SW1(eth-8)#
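The switch logs above point at `class ipv4 DHCP` as the faulty line, and that is the one statement in the failing role that is entered while the previous `class ipv4 IP-ANY-ANY` block is still open (the interactive CLI accepts that and simply switches context, as the local session shows, but the downloaded role is rejected with PARSE_ERROR_INVALID_CONTEXT). The following linter is an added example, not code from the forum author or from HPE Aruba: it models a stricter DUR grammar as a context stack and flags a config-level block opened without a preceding `exit`, plus trailing whitespace. That the DUR parser actually requires the explicit `exit` is an assumption drawn from the log, not something the thread confirms; the allowed keywords per block are limited to those appearing in the post, and the two role bodies are constructed copies of the ones posted (the second keeps the trailing space after `class ipv4 DHCP` exactly as it appears).

```python
"""Lint a ClearPass downloadable user role (DUR) body before pushing it to a switch.

Added example, not the forum author's or HPE Aruba's code. Assumption (labelled,
not confirmed by the thread): the switch's DUR parser expects an explicit `exit`
before each new config-level block, while the interactive CLI tolerates opening a
new `class` from inside another class.
"""

# Constructed copies of the two role bodies from the post.
ALLOW_ALL = "\n".join([
    "class ipv4 IP-ANY-ANY",
    "match ip any any",
    "exit",
    "",
    "policy user Allow-All-ACL",
    "class ipv4 IP-ANY-ANY action permit",
    "exit",
    "",
    "aaa authorization user-role name DUR-Data-Allow-All",
    "policy Allow-All-ACL",
    "vlan-name Lab-Network",
    "exit",
])

# Second class is opened without closing the first; note the trailing space.
DHCP_ONLY = "\n".join([
    "class ipv4 IP-ANY-ANY",
    "match ip any any",
    "class ipv4 DHCP ",
    "match udp any any eq 67",
    "exit",
    "",
    "policy user DHCP-Only-ACL",
    "class ipv4 DHCP action permit",
    "class ipv4 IP-ANY-ANY action deny",
    "exit",
    "",
    "aaa authorization user-role name DUR-DHCP-Only",
    "policy DHCP-Only-ACL",
    "vlan-name Lab-Network",
    "exit",
])

# First word of each config-level block opener -> context it opens.
CONFIG_BLOCKS = {
    "class": "class",    # class ipv4 <name>
    "policy": "policy",  # policy user <name>
    "aaa": "role",       # aaa authorization user-role name <name>
}

# Statements allowed inside each block; only keywords seen in the post are listed
# (assumption: a real role may use more, extend as needed).
ALLOWED = {
    "class": {"match"},
    "policy": {"class"},                  # class ipv4 <name> action permit|deny
    "role": {"policy", "vlan-name"},
}


def lint_dur(text):
    """Return a list of (line_number, message) findings; empty means clean."""
    findings = []
    ctx = "config"
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        if raw != raw.rstrip():
            findings.append((n, "trailing whitespace"))
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        head = words[0]
        if line == "exit":
            if ctx == "config":
                findings.append((n, "exit with no open block"))
            ctx = "config"
        elif ctx == "config":
            if head in CONFIG_BLOCKS:
                ctx = CONFIG_BLOCKS[head]
            else:
                findings.append((n, f"not a block opener at config level: {line}"))
        elif head in ALLOWED[ctx]:
            if ctx == "policy" and "action" not in words:
                findings.append((n, f"policy statement lacks an action: {line}"))
        else:
            findings.append((n, f"invalid context: '{line}' inside {ctx} block (missing exit?)"))
    if ctx != "config":
        findings.append((len(lines), f"{ctx} block never closed with exit"))
    return findings


def insert_missing_exits(text):
    """Return a copy with trailing whitespace stripped and an `exit` inserted
    wherever a config-level block starts while another block is still open."""
    out = []
    ctx = "config"
    for raw in text.splitlines():
        line = raw.rstrip()
        words = line.split()
        head = words[0] if words else ""
        if line.strip() == "exit":
            ctx = "config"
        elif ctx == "config":
            if head in CONFIG_BLOCKS:
                ctx = CONFIG_BLOCKS[head]
        elif head in CONFIG_BLOCKS and head not in ALLOWED[ctx]:
            out.append("exit")  # close the block the author forgot to close
            ctx = CONFIG_BLOCKS[head]
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for name, body in (("DUR-Data-Allow-All", ALLOW_ALL), ("DUR-DHCP-Only", DHCP_ONLY)):
        print(name, lint_dur(body) or "clean")
    print(insert_missing_exits(DHCP_ONLY))
```

Run the script to see the Allow-All body pass and the DHCP-Only body produce two findings on its third line (trailing whitespace and the class opened inside a class); `insert_missing_exits` returns the DHCP-Only body with an `exit` inserted after `match ip any any`, which the linter then accepts.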