Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
aaa authorization role

  • 1.  aaa authorization role

    Posted Jul 06, 2018 08:44 AM

    Hello!

    I have been using roles on the HP/Aruba switches for a while.

    I have some newer switches with the latest Aruba firmware on them, and a role that seems to work on the older switches is producing this error:

    Failed to apply user role to macAuth client: user role is invalid

    The role on the switch is:

    aaa authorization user-role name "PROFILE"
    captive-portal-profile "use-radius-vsa"
    policy "CLEARPASS-REDIRECT"
    reauth-period 180
    vlan-name "profiling"
    exit

    The ClearPass enforcement profile is:

    1. Radius:Hewlett-Packard-Enterprise HPE-User-Role = PROFILE
    2. Radius:Hewlett-Packard-Enterprise HPE-Captive-Portal-URL = (our internal url)

    The other roles, set up in a similar manner, all seem to work OK.



  • 2.  RE: aaa authorization role

    EMPLOYEE
    Posted Jul 06, 2018 09:07 AM
    Are all elements of the role defined?


  • 3.  RE: aaa authorization role

    Posted Jul 06, 2018 09:29 AM

    Yes, it all seems to be there. Works on other switches (older programming).

    PROFILE isn't a reserved name in user-roles? (stab in the dark)


  • 4.  RE: aaa authorization role

    EMPLOYEE
    Posted Jul 06, 2018 09:31 AM
    No, it’s not reserved. Please post all of the role elements.


  • 5.  RE: aaa authorization role

    Posted Jul 06, 2018 09:37 AM

    class ipv4 "DNS"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    exit
    class ipv4 "DHCP"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    exit
    class ipv4 "INTERNAL"
    10 match ip 0.0.0.0 255.255.255.255 10.106.0.0 0.0.255.255
    exit
    class ipv4 "IP-ANY-ANY"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    class ipv4 "WEB-TRAFFIC"
    10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
    20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
    exit
    class ipv4 "CLEARPASS-WEB"
    10 match tcp 0.0.0.0 255.255.255.255 192.168.80.1 0.0.0.0 eq 80
    20 match tcp 0.0.0.0 255.255.255.255 192.168.80.1 0.0.0.0 eq 443
    30 match tcp 0.0.0.0 255.255.255.255 192.168.70.8 0.0.0.0 eq 443
    31 match tcp 0.0.0.0 255.255.255.255 192.168.70.9 0.0.0.0 eq 443
    33 match tcp 0.0.0.0 255.255.255.255 192.168.70.9 0.0.0.0 eq 80
    34 match tcp 0.0.0.0 255.255.255.255 192.168.70.8 0.0.0.0 eq 80
    exit
    policy user "CLEARPASS-REDIRECT"
    10 class ipv4 "DNS" action permit
    20 class ipv4 "DHCP" action permit
    30 class ipv4 "CLEARPASS-WEB" action permit
    50 class ipv4 "WEB-TRAFFIC" action redirect captive-portal
    exit
    policy user "DENY-INTERNAL"
    10 class ipv4 "DNS" action permit
    20 class ipv4 "DHCP" action permit
    30 class ipv4 "INTERNAL" action deny
    40 class ipv4 "IP-ANY-ANY" action permit
    exit
    policy user "PERMIT-ALL"
    10 class ipv4 "IP-ANY-ANY" action permit
    exit

     

    vlan 107
       name "Profiling"
       untagged 1-8
       tagged 9-10
       no ip address
       ip igmp
       exit


  • 6.  RE: aaa authorization role
    Best Answer

    EMPLOYEE
    Posted Jul 06, 2018 09:43 AM
    Your VLAN is named “Profiling” but you referenced it as “profiling” in the role.


  • 7.  RE: aaa authorization role

    Posted Jul 06, 2018 09:47 AM

    Very true. Slightly miffed I didn't spot that!

    It does work on the HP branded switches, so perhaps they don't care about the case sensitivity.

    I will correct it. Thank you.



  • 8.  RE: aaa authorization role

    Posted Jul 06, 2018 11:01 AM

    For clarity: it seems I had used a lowercase p on the older switches, and for some reason the VLAN had an uppercase P on the new switches.

    They are both case sensitive; it is just my careless use of capitals...
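The root cause diagnosed in this thread (a role element referencing a VLAN name that differs only in capitalisation) is the kind of mistake a configuration linter can catch before the switch rejects the role at authentication time. The following is an added example, not code from the thread or from HPE Aruba: it parses a constructed ArubaOS-Switch style excerpt built from the thread's role, VLAN and policy, resolves each role element case-sensitively, and points out case-only near misses; treating "use-radius-vsa" as a built-in keyword rather than a defined profile is an assumption.

```python
import re
# Constructed excerpt: the thread's role plus the VLAN and policy it references.
SWITCH_CONFIG = """
vlan 107
   name "Profiling"
   exit
policy user "CLEARPASS-REDIRECT"
   exit
aaa authorization user-role name "PROFILE"
   captive-portal-profile "use-radius-vsa"
   policy "CLEARPASS-REDIRECT"
   reauth-period 180
   vlan-name "profiling"
   exit
"""
BUILTIN_PORTAL_PROFILES = {"use-radius-vsa"}  # assumed keyword, not a defined profile

def parse_config(text):
    """Collect defined VLAN names, user policies, and each role's references."""
    vlans, policies, roles = set(), set(), {}
    context = role = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"vlan \d+$", line):
            context = "vlan"
        elif m := re.match(r'policy user "([^"]+)"', line):
            policies.add(m.group(1))
        elif m := re.match(r'aaa authorization user-role name "([^"]+)"', line):
            role = roles.setdefault(m.group(1), {})
            context = "role"
        elif context == "vlan" and (m := re.match(r'name "([^"]+)"', line)):
            vlans.add(m.group(1))
        elif context == "role" and (m := re.match(r'(vlan-name|policy|captive-portal-profile) "([^"]+)"', line)):
            role[m.group(1)] = m.group(2)
        elif line == "exit":
            context = role = None
    return vlans, policies, roles

def check_roles(text):
    """One finding per role element that does not resolve; names are case-sensitive."""
    vlans, policies, roles = parse_config(text)
    targets = {"vlan-name": vlans, "policy": policies, "captive-portal-profile": BUILTIN_PORTAL_PROFILES}
    findings = []
    for role, elems in roles.items():
        for kind, ref in elems.items():
            if ref not in targets[kind]:  # exact match is what the switch requires
                near = [d for d in targets[kind] if d.lower() == ref.lower()]
                hint = f" (case mismatch: defined as {near[0]!r})" if near else ""
                findings.append(f"role {role!r}: {kind} {ref!r} is not defined{hint}")
    return findings
```

Running `check_roles(SWITCH_CONFIG)` reports the single mismatch from the thread; once the VLAN name and the role's vlan-name agree in case, the list is empty.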