Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Role Derivation Clearpass to Controller

  • 1.  Role Derivation Clearpass to Controller

    Posted Nov 07, 2018 06:05 AM

    Hi guys,

    I have MM-MD running 8.2.2.1 and CPPM running 6.7.7.

    I have an issue with user role derivation using the Aruba VSA Aruba-User-Role. So the case is my user won't get the proper role as assigned by the ClearPass server, and yes, the role exists in my MD.

    Tried to do user-debug and I can see the controller already assigning my user to the proper role (eduroam_smartphone), but somehow it derived it back to the guest role (default role in AAA, I guess?)

    There is a line saying role (role=guest//eduroam_smartphone/logon). What does it mean by using '//' and '/' with multiple roles?

    And there is another saying these:

    Setting cached role to NULL for user 8c:f5:a3:d0:de:7a".

    Setting cached role to guest for user 8c:f5:a3:d0:de:7a".

    which changes it from the role given by ClearPass back to its AAA default role. Is this new behaviour expected in ArubaOS 8?

    *It's my first time testing ClearPass and ArubaOS 8.


    Nov 8 00:49:52 authmgr[3531]: <522016> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a IP=?? Derived role 'eduroam_smartphone' from Aruba VSA
    Nov 8 00:49:52 authmgr[3531]: <522029> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a Station authenticate: method=8021x-User, role=guest//eduroam_smartphone/logon, VLAN=21/21, Derivation=8/1, Value Pair=0
    Nov 8 00:49:52 authmgr[3531]: <522029> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a Station authenticate: method=8021x-User, role=guest//eduroam_smartphone/logon, VLAN=21/21, Derivation=8/1, Value Pair=1
    Nov 8 00:49:52 authmgr[3531]: <522038> <3531> <NOTI> |authmgr| username=ricky@acsgroup.co.id MAC=8c:f5:a3:d0:de:7a IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=CPPM
    Nov 8 00:49:52 authmgr[3531]: <522044> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a Station authenticate(start): method=8021x-User, role=guest//authenticated/logon, VLAN=21/21, Derivation=8/1, Value Pair=1, flags=0x2
    Nov 8 00:49:52 authmgr[3531]: <522044> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a Station authenticate(start): method=8021x-User, role=guest//eduroam_smartphone/logon, VLAN=21/21, Derivation=8/1, Value Pair=0, flags=0x4
    Nov 8 00:49:52 authmgr[3531]: <522049> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a,IP=N/A User role updated, existing Role=guest/none, new Role=guest/none, reason=station Authenticated with auth type: 802.1x User Authentication
    Nov 8 00:49:52 authmgr[3531]: <522050> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a,IP=N/A User data downloaded to datapath, new Role=guest/7, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
    Nov 8 00:49:52 authmgr[3531]: <522053> <3531> <DBUG> |authmgr| PMK Cache getting updated for 8c:f5:a3:d0:de:7a, (def, cur, vhow) = (21, 21, 1) with vlan=0 vlanhow=0 essid=eduroam role=guest rhow=8
    Nov 8 00:49:52 authmgr[3531]: <522127> <3531> <DBUG> |authmgr| {L2} Update role from guest to guest for IP=N/A, MAC=8c:f5:a3:d0:de:7a.
    Nov 8 00:49:52 authmgr[3531]: <522136> <3531> <DBUG> |authmgr| {L2} guest from profile "eduroam" for user 8c:f5:a3:d0:de:7a.
    Nov 8 00:49:52 authmgr[3531]: <522142> <3531> <DBUG> |authmgr| Setting cached role to NULL for user 8c:f5:a3:d0:de:7a".
    Nov 8 00:49:52 authmgr[3531]: <522142> <3531> <DBUG> |authmgr| Setting cached role to guest for user 8c:f5:a3:d0:de:7a".

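A small detector for the symptom shown in the log above, written for this thread rather than taken from the post or from Aruba: it pairs the role the controller derived from the Aruba-User-Role VSA with the role it finally downloaded to the datapath and reports stations where the two differ (here, eduroam_smartphone replaced by guest). It assumes the authmgr message formats are exactly as quoted in the post; the sample lines are copied from there.

```python
import re

# Sample authmgr lines copied from the post above (same MAC address the poster shared).
SAMPLE_LOG = """\
Nov 8 00:49:52 authmgr[3531]: <522016> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a IP=?? Derived role 'eduroam_smartphone' from Aruba VSA
Nov 8 00:49:52 authmgr[3531]: <522029> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a Station authenticate: method=8021x-User, role=guest//eduroam_smartphone/logon, VLAN=21/21, Derivation=8/1, Value Pair=0
Nov 8 00:49:52 authmgr[3531]: <522050> <3531> <INFO> |authmgr| MAC=8c:f5:a3:d0:de:7a,IP=N/A User data downloaded to datapath, new Role=guest/7, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
"""

# Role the controller derived from the Aruba-User-Role VSA (what ClearPass asked for).
VSA_ROLE_RE = re.compile(r"MAC=([0-9a-f:]{17}) IP=\S+ Derived role '([^']+)' from Aruba VSA")
# Role actually pushed to the datapath (what the station ended up with).
FINAL_ROLE_RE = re.compile(r"MAC=([0-9a-f:]{17}),IP=\S+ User data downloaded to datapath, new Role=([^/,]+)/")


def find_role_overrides(log_text):
    """Return {mac: (vsa_role, final_role)} for every station whose installed
    role differs from the role derived from the ClearPass VSA."""
    vsa_role = {}
    final_role = {}
    for line in log_text.splitlines():
        m = VSA_ROLE_RE.search(line)
        if m:
            vsa_role[m.group(1)] = m.group(2)
            continue
        m = FINAL_ROLE_RE.search(line)
        if m:
            final_role[m.group(1)] = m.group(2)
    # Only stations seen in both messages count; equal roles are the healthy case.
    return {
        mac: (vsa_role[mac], final_role[mac])
        for mac in vsa_role
        if mac in final_role and vsa_role[mac] != final_role[mac]
    }


if __name__ == "__main__":
    for mac, (wanted, got) in find_role_overrides(SAMPLE_LOG).items():
        print(f"{mac}: ClearPass VSA role '{wanted}' was replaced by '{got}'")
```

Run it against a `show log user-debug` capture to see which stations silently fell back to the AAA default role; an empty result means every VSA role was honoured.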

  • 2.  RE: Role Derivation Clearpass to Controller
    Best Answer

    EMPLOYEE
    Posted Nov 07, 2018 06:07 AM

    "Station authenticate: method=8021x-User, "


    Turn off "Enforce Machine Authentication" in the 802.1x profile.



  • 3.  RE: Role Derivation Clearpass to Controller

    Posted Nov 07, 2018 06:12 AM

    Oh wow, that was quicker than expected, Collin.

    And my problem's solved, yay. Thanks.