Guru Elite

Re: Downloadable roles on CPPM

Are you running 16.05? tagged-vlan-id/tagged-vlan-name was added in this release.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: Downloadable roles on CPPM

I believe we are. Will have to check. Thanks very much!

Occasional Contributor I

Re: Downloadable roles on CPPM

Hi Tim,

 

Running KB.16.05.0007 I am not able to get the tagged VLAN to work with downloadable user roles.  Clearpass is 6.7.1 and the DUR is configured as follows:

 

aaa authorization user-role name DUR_TEST
vlan-id-tagged 123
exit

But the switch's logs show that "tagged-vlan-id" is not a valid command:

 

W 05/14/18 09:50:44 05619 dca: ST1-CMDR: macAuth Deauthenticating client
            94F1288B1234 on port 1/23, downloaded user role DUR_TEST
            is not valid as it contains non user role commands.
W 05/14/18 09:50:44 05630 dca: ST1-CMDR: Faulty line: tagged-vlan-id 123.

If you go to create a local user-role on the switch, the commands are as follows:

 

 vlan-id               Set the untagged VLAN that users will be assigned to.
 vlan-id-tagged        Set the tagged VLAN that users will be assigned to.
 vlan-name             Set the untagged VLAN name that users will be assigned to.
 vlan-name-tagged      Set the tagged VLAN name that users will be assigned to.

So I tried changing the DUR to be "vlan-id-tagged" instead of "tagged-vlan-id" but then the switch reports the DUR is empty:

 

W 05/14/18 09:52:38 05619 dca: ST1-CMDR: macAuth Deauthenticating client
            94F1288B1234 on port 1/23, downloaded user role DUR_TEST
            is not valid as downloaded file is empty.

Any ideas?  Regular DURs are working, we just want to have one that tags a VLAN on the port.

 

Thanks,

Eric
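
An added example, not part of the original post: a Python parser that unwraps the multi-line switch log entries quoted above and pairs each rejected downloaded role with its "Faulty line" entry. The function names are assumptions, and the message patterns are derived only from the log lines shown in this thread.

```python
import re

# Log excerpt copied from the post above; continuation lines are indented.
SAMPLE_LOG = """\
W 05/14/18 09:50:44 05619 dca: ST1-CMDR: macAuth Deauthenticating client
            94F1288B1234 on port 1/23, downloaded user role DUR_TEST
            is not valid as it contains non user role commands.
W 05/14/18 09:50:44 05630 dca: ST1-CMDR: Faulty line: tagged-vlan-id 123.
W 05/14/18 09:52:38 05619 dca: ST1-CMDR: macAuth Deauthenticating client
            94F1288B1234 on port 1/23, downloaded user role DUR_TEST
            is not valid as downloaded file is empty.
"""

# Severity, timestamp, event id, subsystem, then the message text.
HEADER = re.compile(r"^([A-Z]) (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d{5}) (\S+): (.*)$")
REJECT = re.compile(
    r"(\w+) Deauthenticating client ([0-9A-Fa-f]{12}) on port (\S+), "
    r"downloaded user role (\S+) is not valid as (.+?)\.?$")
FAULTY = re.compile(r"Faulty line: (.+?)\.?$")


def unwrap(text):
    """Join indented continuation lines onto the event line they belong to."""
    events = []
    for line in text.splitlines():
        if line[:1].isspace() and events:
            events[-1] += " " + line.strip()
        elif line.strip():
            events.append(line.strip())
    return events


def dur_rejections(text):
    """Return one dict per rejected downloaded role, with its faulty lines attached."""
    results = []
    for event in unwrap(text):
        head = HEADER.match(event)
        if not head:
            continue  # not a log event line in the format shown in the thread
        _, when, _, _, message = head.groups()
        rejected = REJECT.search(message)
        faulty = FAULTY.search(message)
        if rejected:
            method, mac, port, role, reason = rejected.groups()
            results.append({"time": when, "method": method, "client": mac,
                            "port": port, "role": role, "reason": reason,
                            "faulty_lines": []})
        elif faulty and results:
            # A "Faulty line" entry belongs to the rejection logged just before it.
            results[-1]["faulty_lines"].append(faulty.group(1))
    return results
```

A rejection with a non-empty `faulty_lines` list points at a command the switch firmware does not accept inside a user role, while "downloaded file is empty" with no faulty line means the switch received no role body at all.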

Occasional Contributor I

Re: Downloadable roles on CPPM

Weird, after some time, it just started working...

MVP Expert

Re: Downloadable roles on CPPM

Did you try this with more than one tagged VLAN? On the switch (show vlan interface 1) I'm not seeing more than one of the tagged VLANs added through DUR. Running 16.07.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP Expert

Re: Downloadable roles on CPPM

Never mind - I see Tim said earlier that it supports only one tagged - weird design choice? For Aastra VoIP phones it seems the config has to be 1 untagged + 2 tagged ..


Regards
John Solberg

Frequent Contributor I

Re: Downloadable roles on CPPM

Agreed. Allowing more than one tagged VLAN would greatly increase the deployment flexibility for DUR.

Does anyone know if this is something in the works?

Guru Elite

Re: Downloadable roles on CPPM

Please reach out to your Aruba team to discuss future enhancements.

MVP Expert

Re: Downloadable roles on CPPM

The limit isn't in DUR - it's in the User-Role. Found that out when I tried working around the problem by using LUR.. Yes I am working with local Aruba team, but I need the solution now.

Regards
John Solberg

MVP Expert

Re: Downloadable roles on CPPM

Funny thing - just a week or two after this post 16.008 was released with support for more than one tagged VLAN in User-Roles ;)


Regards
John Solberg
