Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Error DUR read-only account

  • 1.  Error DUR read-only account

    Posted Sep 20, 2018 04:31 AM

    Hello,

     

    I'm trying to get DUR working on a 2930F switch. I get this error:

    dca: 8021X Deauthenticating client 5C260A7BB28C on
    port 1, downloaded user role DUR_OMO_MANAGED_1... is not valid as
    Invalid cppm username/password.

     

    But I know for a fact that the username/password is correct.

    The 2930F are managed by Aruba Central though. I tried logging in with the credentials on the CPPM and it works. Also there is HTTPS access to the CPPM from the Aruba switch.

     

    Anybody else got this problem? I opened a TAC Case. 

     

    With kind regards,

     

    Martijn

     

     



  • 2.  RE: Error DUR read-only account

    EMPLOYEE
    Posted Sep 20, 2018 08:54 AM

    Could you share the versions you are using, both on the switch and on ClearPass?

     

    Also the switch config snippet would be helpful.

     

    Have you followed the instructions in the Wired Policy Guide? https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=28803



  • 3.  RE: Error DUR read-only account

    Posted Sep 20, 2018 09:04 AM
    Seems that the configuration template of Aruba Central is not forwarding the password of the DUR user. I can’t use cli snip because my OS version of the switch is 16.05.

    Workaround is to configure all classes/policies and user roles static on the switch for now. I’m waiting to see if they find a solution for this.

    With kind regards,

    Martijn Gruijters
    Senior Solution Consultant

    4IP Solutions
    Eindhoven ● Amsterdam
    Mahatma Gandhilaan 2
    5653 ML Eindhoven

    t +31 (0)88 428 48 88
    m +31 (0)65 185 71 88
    e martijn.gruijters@4ip.nl
    w www.4ip.nl


  • 4.  RE: Error DUR read-only account

    EMPLOYEE
    Posted Sep 20, 2018 10:57 AM

    Yes, definitely work with TAC.

    Do you see any error reported in the Audit Trail of Central related to the template?



  • 5.  RE: Error DUR read-only account

    EMPLOYEE
    Posted Mar 06, 2019 12:02 PM

    Please add this to all ZTP templates using Clearpass certificate downloads. Adds an "insurance policy" to induce a retry when the initial certificate download fails.

     

    crypto ca-download usage clearpass retry <secs>



  • 6.  RE: Error DUR read-only account

    Posted Aug 28, 2019 09:04 PM

    Yeah, I have also come across this one, TAC case raised.

    Did you happen to raise a TAC case and get an answer as to how to fix?



  • 7.  RE: Error DUR read-only account

    Posted Feb 18, 2020 08:53 AM

    Did you get any response on this problem?

     

    I have the exact same issue now. I have even tried to remove the switch from central and add the username and password manually with no luck.



  • 8.  RE: Error DUR read-only account

    Posted Feb 25, 2020 04:56 PM

    What I found is that if using Aruba Central to push configuration down to the switches, you need to add the following command in your template.

     

    include-credentials clearpass-key

     

    Otherwise the key is not passed from Central to the Switch.

     

    Example:

    %_sys_template_header%
    hostname "%_sys_hostname%"
    %_sys_module_command%
    no cwmp enable
    include-credentials
    include-credentials clearpass-key
    password manager user-name "manager" sha1 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    radius-server host 192.168.1.1 key "radiuskey"
    radius-server host 192.168.1.1 dyn-authorization
    radius-server host 192.168.1.1 time-window plus-or-minus-time-window
    radius-server host 192.168.1.1 time-window 30
    radius-server host "clearpass.fred.co.nz" key "radiuskey"
    radius-server host "clearpass.fred.co.nz" clearpass
    radius-server cppm identity "MY_apiadmin" key "apiuserpass"
    timesync ntp
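
A pre-push check for the condition described in post 8, as an added example that is not part of the original post and is not Aruba's own tooling: it flags a template that sets `radius-server cppm identity` without `include-credentials clearpass-key`. The function name, sample hostname, identity and keys are constructed placeholders.

```python
import re

# Constructed sample template (placeholder hostname, identity and keys).
BROKEN = """\
%_sys_template_header%
hostname "%_sys_hostname%"
include-credentials
radius-server host "clearpass.example.net" key "RADIUS_KEY_PLACEHOLDER"
radius-server host "clearpass.example.net" clearpass
radius-server cppm identity "dur-readonly" key "API_PASS_PLACEHOLDER"
"""
FIXED = BROKEN.replace(
    "include-credentials\n",
    "include-credentials\ninclude-credentials clearpass-key\n", 1)

IDENTITY = re.compile(r'^radius-server\s+cppm\s+identity\s+"?([^"\s]+)"?', re.I)
CP_HOST = re.compile(r'^radius-server\s+host\s+"?([^"\s]+)"?\s+clearpass$', re.I)
# Bare "include-credentials" must not match; only the clearpass-key form counts.
KEY_FLAG = re.compile(r'^include-credentials\s+clearpass-key$', re.I)


def lint_template(text):
    """Scan a switch template for the DUR credential lines discussed in this thread."""
    result = {"identity": None, "identity_line": None,
              "clearpass_hosts": [], "clearpass_key_flag": False, "findings": []}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if KEY_FLAG.match(line):
            result["clearpass_key_flag"] = True
        elif (m := IDENTITY.match(line)):
            result["identity"], result["identity_line"] = m.group(1), number
        elif (m := CP_HOST.match(line)):
            result["clearpass_hosts"].append(m.group(1))
    if result["identity"] and not result["clearpass_key_flag"]:
        result["findings"].append(
            f"line {result['identity_line']}: cppm identity "
            f"'{result['identity']}' is set but "
            "'include-credentials clearpass-key' is missing")
    return result


if __name__ == "__main__":
    for name, template in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_template(template)["findings"] or "OK")
```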

     



  • 9.  RE: Error DUR read-only account

    Posted Feb 26, 2020 05:13 AM

    That did the trick!