Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired 802.1X - Accept on CPPM, failed on client

  • 1.  Wired 802.1X - Accept on CPPM, failed on client

    Posted May 02, 2018 04:22 AM
    Hi, hope someone has come across this before. We set up Wired 802.1X for a customer trying to do machine authentication. The certificate is loaded onto the test laptop and the service is created on ClearPass.

    CPPM Service: Authentication -> [EAP PEAP], [EAP TLS]; Enforcement Policy -> Certificate:Issuer CN - Contains - (CN from RADIUS certificate)

    Windows 7 client: "Enable IEEE 802.1X authentication" box ticked; Authentication Method -> Smart Card or other certificate; Settings: "Use a certificate on this computer" radio button selected, "Use simple certificate selection" box ticked, "Validate server certificate" box ticked; Advanced Settings -> Computer authentication

    After connecting the laptop to a wired port (HPE 2930 switch), Access Tracker is showing that authentication went OK (Login Status is "Accept"), but the client device is showing "Authentication failed"?!?! Thanks in advance for any ideas.

    Regards, NesaM


  • 2.  RE: Wired 802.1X - Accept on CPPM, failed on client

    Posted May 02, 2018 07:30 AM
    Please follow the instructions in Cappalli's ClearPass wired guide:

    http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/m-p/298161


    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Wired 802.1X - Accept on CPPM, failed on client

    Posted May 02, 2018 10:04 AM

    Hi Victor,

    I have read the guide and tried to follow the instructions. What seemed to be the problem in my case was that although I defined a user-role on the switch that referenced my Enforcement Profile on CPPM (together with specifying the VLAN ID where I wanted to send my client device), the predefined user-role (denyall) was taking over and enforcing itself. After disabling user-roles completely, the test laptop was placed in the proper VLAN.

    As I would still want to implement user-roles (even DURs, if possible), I am looking at why denyall was the only one applied. Thanks.

    Regards, NesaM



  • 4.  RE: Wired 802.1X - Accept on CPPM, failed on client

    Posted May 02, 2018 10:42 AM
    What version are you running on the switch?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Wired 802.1X - Accept on CPPM, failed on client

    Posted May 02, 2018 12:02 PM

    Hi,

    It is 16.05.

    Regards,

    NesaM



  • 6.  RE: Wired 802.1X - Accept on CPPM, failed on client

    Posted May 04, 2018 06:20 AM

    A bit more information on this one. After running debug during authentication, we noticed this:

    "0029:06:56:19.60 1X   m8021xCtrl:Failed to apply user role  to 8021X client
       40B0340E7E61 on port 1/20: user role is invalid"

    There were two roles on our test switch: the first one denyall (predefined), and the role XXXXX-Corporate, which is in effect the Enforcement Profile on CPPM for the type of device we were testing. The quoted debug line was showing us that the denyall role was being pushed on the port, thus killing off authentication. The quick and dirty fix was to disable user-role, which made the test laptop authenticate on CPPM straight away (and get on the network without issues).

    However, this raises a new set of questions (I am just looking into the documentation to try to figure it out):

    1. Why was the XXXXX-Corporate role not being applied in our case, but only the denyall one as initial?
    2. What should the type of the XXXXX-Corporate role have been in a working solution, local (as it is currently showing on the switch) or something else?
    3. What have we lost by disabling user-role in 802.1X, and is that impacting only functionality or security as well?
    4. Can we apply Downloadable User Roles in our case (HPE 2920 switch with 16.05 firmware), and in this case should we use ArubaOS-Switch or Aruba Mobility Switch as the Product?

    Hope that I am not widening this topic too much, and that someone will be able to chip in.

    Regards,

    NesaM



  • 7.  RE: Wired 802.1X - Accept on CPPM, failed on client

    EMPLOYEE
    Posted May 04, 2018 12:58 PM

    1) If you're seeing invalid role, then there is something wrong with the contents of your DUR. Are you using Standard or Advanced mode?

    2) Downloaded

    3) User-roles are global. You lose role-based visibility and enforcement, simplified policy creation and overall flexibility. It is not recommended to run without user roles.

    4) Downloadable user roles are not supported on the 2920. Local user roles are, however.



  • 8.  RE: Wired 802.1X - Accept on CPPM, failed on client

    Posted May 08, 2018 03:04 AM

    @cappalli wrote:

    1) If you're seeing invalid role, then there is something wrong with the contents of your DUR. Are you using Standard or Advanced mode?

    2) Downloaded

    3) User-roles are global. You lose role-based visibility and enforcement, simplified policy creation and overall flexibility. It is not recommended to run without user roles.

    4) Downloadable user roles are not supported on the 2920. Local user roles are, however.

    Hi Tim,

    In reply to your answers:

    1) I was not using DURs, but creating the user-role on the switch myself (in the light of your answer under 4), this was the only way of doing it :-)) using the command:

    aaa authorization user-role name <ENFORCEMENT-PROFILE as created on CPPM>
    vlan-id <VLAN-ID>
    exit

    2) As the role was created locally, the role type I am seeing is OK (Thanks)

    3) (Thanks for the explanation)

    4) (Thanks for the explanation)

    In the light of your answer under 4), and my original problem where the predefined role (denyall) was taking precedence when the authentication request was made, would you be able to tell me (or point me in the direction of material explaining it) how I should make the role(s) I created get applied instead of the predefined one? Thanks.


    Regards,

    NesaM
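
    An added configuration example (not from this thread and not the poster's actual config): a minimal ArubaOS-Switch 16.x local user-role setup of the kind discussed above, where the local role name must match exactly the role name that the ClearPass enforcement profile returns, otherwise the switch logs "user role is invalid" and leaves the client in the initial role (denyall by default). The command names are from my reading of the ArubaOS-Switch Access Security Guide and should be verified against the guide for your firmware; the role name, VLAN, port and RADIUS server values are placeholders.

```text
; ArubaOS-Switch 16.x, added example - placeholders in CAPS are not real values
; RADIUS server = ClearPass; the shared secret is a placeholder
radius-server host CPPM-IP key RADIUS-SECRET

; 802.1X authentication against RADIUS
aaa authentication port-access eap-radius

; Turn on local user roles. Until a RADIUS Accept returns a role name that
; exists on the switch, the client sits in the predefined initial role (denyall).
aaa authorization user-role enable

; Local role. Its NAME must be byte-for-byte identical to the role name the
; ClearPass enforcement profile returns; any mismatch (case, spaces, suffix)
; results in "Failed to apply user role ... user role is invalid".
aaa authorization user-role name XXXXX-Corporate
   vlan-id 100
   exit

; Enable the 802.1X authenticator on the access port and activate it globally
aaa port-access authenticator 1/20
aaa port-access authenticator active
```

    When troubleshooting the "user role is invalid" message, compare the role name shown in ClearPass Access Tracker (the value the enforcement profile sent) against the output of "show user-role" on the switch; the two strings must match exactly, and the VLAN referenced inside the role must exist on the switch.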



  • 9.  RE: Wired 802.1X - Accept on CPPM, failed on client

    EMPLOYEE
    Posted May 08, 2018 08:53 AM
    Did you follow the ClearPass Solution Guide for Wired Policy Enforcement? It goes through all of this step by step.


  • 10.  RE: Wired 802.1X - Accept on CPPM, failed on client

    MVP GURU
    Posted Jun 05, 2019 08:22 AM


    @cappalli wrote:

    4) Downloadable user roles are not supported on the 2920. Local user roles are, however.


    It is a mistake, the Aruba 2920 supports DUR!



  • 11.  RE: Wired 802.1X - Accept on CPPM, failed on client

    Posted Oct 11, 2022 11:16 AM
    Hi, I have the same issue with configured local user roles on the switch:

    "Failed to apply user role to 8021X client"

    Does anyone have a solution?

    It's an Aruba 2530-8G switch with version 16.11.0006

    Regards,

    Benjamin


  • 12.  RE: Wired 802.1X - Accept on CPPM, failed on client

    EMPLOYEE
    Posted Oct 11, 2022 08:15 PM
    I think it is better to start a new discussion thread.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------