Contributor II

aaa authorization role

Hello!

I have been using roles on the HP/Aruba switches for a while.

I have some newer switches with the latest Aruba firmware on them, and a role that seems to work on the older switches is producing this error:

Failed to apply user role to macAuth client: user role is invalid

The role on the switch is:

aaa authorization user-role name "PROFILE"
captive-portal-profile "use-radius-vsa"
policy "CLEARPASS-REDIRECT"
reauth-period 180
vlan-name "profiling"
exit

The ClearPass enforcement profile is:

1. Radius:Hewlett-Packard-Enterprise HPE-User-Role = PROFILE
2. Radius:Hewlett-Packard-Enterprise HPE-Captive-Portal-URL = (our internal url)

The other roles, set up in a similar manner, all seem to work OK.

Guru Elite

Re: aaa authorization role

Are all elements of the role defined?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: aaa authorization role

Yes, it all seems to be there. Works on other switches (older programming).

PROFILE isn't a reserved name in user-roles? (stab in the dark)

Guru Elite

Re: aaa authorization role

No, it’s not reserved. Please post all of the role elements.
Contributor II

Re: aaa authorization role

class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
class ipv4 "INTERNAL"
10 match ip 0.0.0.0 255.255.255.255 10.106.0.0 0.0.255.255
exit
class ipv4 "IP-ANY-ANY"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv4 "WEB-TRAFFIC"
10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
exit
class ipv4 "CLEARPASS-WEB"
10 match tcp 0.0.0.0 255.255.255.255 192.168.80.1 0.0.0.0 eq 80
20 match tcp 0.0.0.0 255.255.255.255 192.168.80.1 0.0.0.0 eq 443
30 match tcp 0.0.0.0 255.255.255.255 192.168.70.8 0.0.0.0 eq 443
31 match tcp 0.0.0.0 255.255.255.255 192.168.70.9 0.0.0.0 eq 443
33 match tcp 0.0.0.0 255.255.255.255 192.168.70.9 0.0.0.0 eq 80
34 match tcp 0.0.0.0 255.255.255.255 192.168.70.8 0.0.0.0 eq 80
exit
policy user "CLEARPASS-REDIRECT"
10 class ipv4 "DNS" action permit
20 class ipv4 "DHCP" action permit
30 class ipv4 "CLEARPASS-WEB" action permit
50 class ipv4 "WEB-TRAFFIC" action redirect captive-portal
exit
policy user "DENY-INTERNAL"
10 class ipv4 "DNS" action permit
20 class ipv4 "DHCP" action permit
30 class ipv4 "INTERNAL" action deny
40 class ipv4 "IP-ANY-ANY" action permit
exit
policy user "PERMIT-ALL"
10 class ipv4 "IP-ANY-ANY" action permit
exit

vlan 107
   name "Profiling"
   untagged 1-8
   tagged 9-10
   no ip address
   ip igmp
   exit

Guru Elite

Re: aaa authorization role

Your VLAN is named “Profiling” but you referenced it as “profiling” in the role.
Contributor II

Re: aaa authorization role

Very true - slightly miffed I didn't spot that!

It does work on the HP branded switches, so perhaps they don't care about the case sensitivity.

I will correct it - thank you.

Contributor II

Re: aaa authorization role

For clarity - it seems I had used a lowercase p on the older switches, and for some reason the VLAN had an uppercase P on the new switches.

They are both case sensitive; it is just my careless use of capitals...
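The root cause in this thread was a role whose `vlan-name` differed from the configured VLAN name only by letter case, which the switch treats as a different (undefined) name. As an added example, not code from the thread, from Aruba or from HPE, here is a small Python checker that parses an ArubaOS-Switch style running-config, collects the defined `policy user` names and VLAN names, and reports every user role whose `policy` or `vlan-name` reference has no exact match, flagging references that differ only by case so the mistake is spotted before the role is pushed via RADIUS. The sample config is constructed from the snippets posted above (the `INTERNAL-ONLY` role and its `DENY-INTERNAL` reference are invented for the example); the regexes assume the line formats shown in the thread and deliberately do not validate `captive-portal-profile` or other role elements.

```python
import re

# Constructed sample config, modelled on the snippets in the thread: the VLAN
# is named "Profiling" while the role references "profiling". A second role
# with an undefined policy (invented for the example) shows the other failure.
SAMPLE_CONFIG = '''
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
policy user "CLEARPASS-REDIRECT"
10 class ipv4 "DNS" action permit
exit
policy user "PERMIT-ALL"
10 class ipv4 "IP-ANY-ANY" action permit
exit
vlan 107
   name "Profiling"
   untagged 1-8
   exit
aaa authorization user-role name "PROFILE"
captive-portal-profile "use-radius-vsa"
policy "CLEARPASS-REDIRECT"
reauth-period 180
vlan-name "profiling"
exit
aaa authorization user-role name "INTERNAL-ONLY"
policy "DENY-INTERNAL"
vlan-name "Profiling"
exit
'''

# Line formats assumed from the config output shown in the thread.
POLICY_DEF_RE = re.compile(r'^policy user "([^"]+)"')
VLAN_DEF_RE = re.compile(r'^vlan \d+')
VLAN_NAME_RE = re.compile(r'^name "([^"]+)"')
ROLE_DEF_RE = re.compile(r'^aaa authorization user-role name "([^"]+)"')
ROLE_POLICY_RE = re.compile(r'^policy "([^"]+)"')
ROLE_VLAN_RE = re.compile(r'^vlan-name "([^"]+)"')


def parse_config(text):
    """Return (policy names, VLAN names, {role: {element: referenced name}})."""
    policies, vlan_names, roles = set(), set(), {}
    current_role, in_vlan = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":            # closes whichever context we are in
            current_role, in_vlan = None, False
            continue
        if (m := POLICY_DEF_RE.match(line)):
            policies.add(m.group(1))
        elif VLAN_DEF_RE.match(line):
            in_vlan = True
        elif in_vlan:
            if (m := VLAN_NAME_RE.match(line)):
                vlan_names.add(m.group(1))
        elif (m := ROLE_DEF_RE.match(line)):
            current_role = m.group(1)
            roles[current_role] = {}
        elif current_role is not None:
            if (m := ROLE_POLICY_RE.match(line)):
                roles[current_role]["policy"] = m.group(1)
            elif (m := ROLE_VLAN_RE.match(line)):
                roles[current_role]["vlan-name"] = m.group(1)
    return policies, vlan_names, roles


def check_roles(text):
    """Report role references that have no exact, case-sensitive definition.

    Each finding is a tuple (role, element, referenced name, reason)."""
    policies, vlan_names, roles = parse_config(text)
    findings = []
    for role, refs in roles.items():
        for element, defined in (("policy", policies), ("vlan-name", vlan_names)):
            ref = refs.get(element)
            if ref is None or ref in defined:
                continue
            # A definition that matches only case-insensitively is the
            # classic typo from the thread; report it separately.
            near = sorted(d for d in defined if d.lower() == ref.lower())
            reason = (f"case mismatch: config defines {near[0]!r}" if near
                      else "not defined anywhere in the config")
            findings.append((role, element, ref, reason))
    return findings


if __name__ == "__main__":
    for role, element, ref, reason in check_roles(SAMPLE_CONFIG):
        print(f'role "{role}": {element} "{ref}" -> {reason}')
```

Running the file lists the `profiling`/`Profiling` mismatch for the `PROFILE` role and the undefined `DENY-INTERNAL` policy for the constructed second role; feed it a saved `show running-config` instead of `SAMPLE_CONFIG` to check a real switch before the role is handed out by ClearPass.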
