Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Downloadable roles on CPPM

  • 1.  Downloadable roles on CPPM

    Posted Nov 09, 2017 06:24 AM

    Hi community,

     

    I'm testing the downloadable roles feature on CPPM. I have defined a very simple rule that just assigns a VLAN to users when they successfully authenticate. Below is my enforcement profile configuration:

     

    1.PNG

    The authentication and authorization on CPPM was good. I can see it assigned this profile to the authenticated client:

     

    2.PNG

     

    But the client connection was not successful. Checking the log on the controller, it reported the following error (it looks like the keyword "vlan" is not supported, but I checked from the CLI and this keyword is perfectly valid):

     

    Nov  9 17:53:26  authmgr[4217]: <124830> <4217> <ERRS> |authmgr|  Dldb Role Test_Aruba_Corp_Profile-3018-1: Users dequeued, role in incomplete state
    Nov  9 17:53:26  authmgr[4217]: <199802> <4217> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1590: Dldb Role Test_Aruba_Corp_Profile-3018-1: Rejected line '^Ivlan 2028', contains unsupported keyword 'vlan'
    Nov  9 17:53:26  authmgr[4217]: <199802> <4217> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1872: Dldb Role Test_Aruba_Corp_Profile-3018-1: processing stopped due to presence of unsupported keyword
    Nov  9 17:53:26  authmgr[4217]: <199802> <4217> <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_exec_transform:433: Dldb Role Test_Aruba_Corp_Profile-3018-1: Transform failed

     

    Please help me on this case,

    Thank you



  • 2.  RE: Downloadable roles on CPPM

    Posted Nov 09, 2017 06:40 AM
    Did you enable the downloadable functionality under the AAA profile?



  • 3.  RE: Downloadable roles on CPPM

    Posted Nov 09, 2017 06:58 AM

    Yes, I have enabled it under AAA profile:

     

    3.PNG

     

    And I also have added CPPM credentials to controller configuration:

    4.PNG



  • 4.  RE: Downloadable roles on CPPM

    Posted Nov 09, 2017 10:19 PM

    Hi all,

     

    I'm using Mobility Master to control the Mobility Controller, and running ArubaOS version 8.2.0.1. Can downloadable roles work with this deployment? Or does it only work with standalone AP and controller?



  • 5.  RE: Downloadable roles on CPPM
    Best Answer

    Posted Nov 10, 2017 06:23 AM

    Hi,

     

    This problem has been solved :). I ended up assigning the VLAN based on a RADIUS attribute and only using downloadable roles to assign ACLs to users. It works fine now.

     

    Thank you all,



  • 6.  RE: Downloadable roles on CPPM

    Posted Apr 08, 2018 11:12 PM

    Technically this isn't solved. I'm also attempting to push VLANs through an enforcement. Case open. Any true solution on being able to push VLANs?

     

    Apr 6 11:55:58 :199802:  <3783> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1590: Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: Rejected line '^Ivlan 600', contains unsupported keyword 'vlan'

    Apr 6 11:55:58 :199802:  <3783> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1872: Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: processing stopped due to presence of unsupported keyword

    Apr 6 11:55:58 :199802:  <3783> <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_exec_transform:433: Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: Transform failed

    Apr 6 11:55:58 :124830:  <3783> <ERRS> |authmgr|  Dldb Role Wireless_VLAN600_HR_ROLE_DL-3023-4: Users dequeued, role in incomplete state

     



  • 7.  RE: Downloadable roles on CPPM

    EMPLOYEE
    Posted Apr 08, 2018 11:14 PM
    'vlan-id' or 'vlan-name'


  • 8.  RE: Downloadable roles on CPPM

    Posted Apr 09, 2018 07:55 PM

    How would one pass tagged VLANs using DURs?

     

    'vlan-id' or 'vlan-name' seem only to be for untagged VLAN assignments.



  • 9.  RE: Downloadable roles on CPPM

    EMPLOYEE
    Posted Apr 09, 2018 10:07 PM
    You can only define a single tagged and/or untagged vlan (untagged-vlan-id, tagged-vlan-name, etc)


  • 10.  RE: Downloadable roles on CPPM

    Posted Apr 09, 2018 10:18 PM

    That's fine for our purposes, but I don't know how to differentiate between tagged vs untagged when using DUR.

     

    We're currently using vlan-id xxxx in the HPE-CPPM-Role but the VLANs keep coming up as untagged.

     

    In our setup, we're looking to make sure that all VOIP traffic is tagged, for example.

     

    Do I simply specify untagged-vlan-id vs tagged-vlan-id in the DUR?



  • 11.  RE: Downloadable roles on CPPM

    EMPLOYEE
    Posted Apr 09, 2018 10:20 PM
    Are you running 16.05? tagged-vlan-id/tagged-vlan-name was added in this release.


  • 12.  RE: Downloadable roles on CPPM

    Posted Apr 09, 2018 10:47 PM

    I believe we are. Will have to check. Thanks very much!



  • 13.  RE: Downloadable roles on CPPM

    Posted May 14, 2018 10:05 AM

    Hi Tim,

     

    Running KB.16.05.0007 I am not able to get the tagged VLAN to work with downloadable user roles.  Clearpass is 6.7.1 and the DUR is configured as follows:

     

    aaa authorization user-role name DUR_TEST
    vlan-id-tagged 123
    exit

    But the switch's logs show that "tagged-vlan-id" is not a valid command:

     

    W 05/14/18 09:50:44 05619 dca: ST1-CMDR: macAuth Deauthenticating client
                94F1288B1234 on port 1/23, downloaded user role DUR_TEST
                is not valid as it contains non user role commands.
    W 05/14/18 09:50:44 05630 dca: ST1-CMDR: Faulty line: tagged-vlan-id 123.

    If you go to create a local user-role on the switch, the commands are as follows:

     

     vlan-id               Set the untagged VLAN that users will be assigned to.
     vlan-id-tagged        Set the tagged VLAN that users will be assigned to.
     vlan-name             Set the untagged VLAN name that users will be assigned to.
     vlan-name-tagged      Set the tagged VLAN name that users will be assigned to.

    So I tried changing the DUR to be "vlan-id-tagged" instead of "tagged-vlan-id" but then the switch reports the DUR is empty:

     

    W 05/14/18 09:52:38 05619 dca: ST1-CMDR: macAuth Deauthenticating client
                94F1288B1234 on port 1/23, downloaded user role DUR_TEST
                is not valid as downloaded file is empty.

    Any ideas?  Regular DURs are working, we just want to have one that tags a VLAN on the port.

     

    Thanks,

    Eric
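
    As an added example (not ClearPass, switch, or Aruba code), the following pre-flight check lints the body of an HPE-CPPM-Role before it is pushed, catching the three failure modes seen in this thread: the rejected spellings ("vlan", "tagged-vlan-id"), an empty role body, and more tagged VLAN statements than the firmware accepts. The accepted VLAN keywords are taken from the switch's local user-role help quoted above; the default limit of one tagged VLAN and the pass-through of non-VLAN statements are assumptions based on this thread.

```python
# Constructed pre-flight linter for the body of an HPE-CPPM-Role
# (downloadable user role). Not ClearPass or switch code: the accepted
# VLAN keywords come from the switch's local user-role help quoted in this
# thread, and max_tagged=1 mirrors the single-tagged-VLAN limit described
# for firmware before 16.08. Non-VLAN statements (ACLs, policies) are
# passed through unchecked because the thread does not list their syntax.

VLAN_KEYWORDS = {"vlan-id", "vlan-id-tagged", "vlan-name", "vlan-name-tagged"}

# Spellings the switch or controller rejected in this thread, mapped to the
# keyword the user-role context actually accepts.
KNOWN_MISTAKES = {
    "vlan": "vlan-id or vlan-name",
    "tagged-vlan-id": "vlan-id-tagged",
    "tagged-vlan-name": "vlan-name-tagged",
}


def lint_dur(body: str, max_tagged: int = 1) -> list[str]:
    """Return the problems found in a DUR body; an empty list means it passed."""
    problems: list[str] = []
    statements = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not statements:
        # Mirrors "downloaded file is empty" in the switch log.
        return ["downloaded role is empty"]

    tagged = 0
    for line in statements:
        parts = line.split()
        keyword = parts[0].lower()
        if keyword in KNOWN_MISTAKES:
            problems.append(f"faulty line '{line}': use {KNOWN_MISTAKES[keyword]}")
        elif keyword in VLAN_KEYWORDS:
            if len(parts) != 2:
                problems.append(f"faulty line '{line}': expected one argument")
                continue
            # vlan-id and vlan-id-tagged take a numeric 802.1Q VLAN ID.
            if keyword.startswith("vlan-id") and not (
                parts[1].isdigit() and 1 <= int(parts[1]) <= 4094
            ):
                problems.append(f"faulty line '{line}': VLAN ID must be 1-4094")
            if keyword.endswith("-tagged"):
                tagged += 1
    if tagged > max_tagged:
        problems.append(
            f"{tagged} tagged VLAN statements, but this firmware accepts {max_tagged}"
        )
    return problems
```

    Running it over the role bodies from this thread flags "vlan 600" and "tagged-vlan-id 123" while accepting "vlan-id-tagged 123"; raise max_tagged once the switch firmware supports more than one tagged VLAN.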



  • 14.  RE: Downloadable roles on CPPM

    Posted May 14, 2018 12:48 PM

    Weird, after some time, it just started working...



  • 15.  RE: Downloadable roles on CPPM

    Posted Nov 16, 2018 05:22 AM

    Did you try this with more than one tagged VLAN? On the switch (show vlan interface 1) I'm not seeing more than one of the tagged VLANs added through DUR. Running 16.07.



  • 16.  RE: Downloadable roles on CPPM

    Posted Nov 16, 2018 06:11 AM

    Never mind - I see Tim said earlier that it supports only one tagged VLAN - weird design choice? For Aastra VoIP phones it seems the config has to be 1 untagged + 2 tagged...



  • 17.  RE: Downloadable roles on CPPM

    Posted Nov 16, 2018 06:17 PM

    Agreed. Allowing more than one tagged VLAN would greatly increase the deployment flexibility for DUR.

     

    Does anyone know if this is something in the works?



  • 18.  RE: Downloadable roles on CPPM

    EMPLOYEE
    Posted Nov 16, 2018 06:24 PM
    Please reach out to your Aruba team to discuss future enhancements.


  • 19.  RE: Downloadable roles on CPPM

    Posted Nov 17, 2018 06:10 AM
    The limit isn't in DUR - it's in the User-Role. Found that out when I tried working around the problem by using LUR. Yes, I am working with the local Aruba team, but I need the solution now.


  • 20.  RE: Downloadable roles on CPPM

    Posted Dec 21, 2018 03:29 PM

    Funny thing - just a week or two after this post 16.008 was released with support for more than one tagged VLAN in User-Roles ;)



  • 21.  RE: Downloadable roles on CPPM

    Posted Jan 31, 2022 08:03 AM
    Hi,

    Did you ever solve this issue?

    ------------------------------
    nichlas eltzholtz
    ------------------------------



  • 22.  RE: Downloadable roles on CPPM

    EMPLOYEE
    Posted Jan 31, 2022 10:53 AM
    You replied to an old topic.

    Please upgrade to recent firmware versions, and open a TAC case or new topic on Airheads with the information about the issue you have now.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------