Wired Intelligent Edge


Aruba-CX and DUR from ClearPass

  • 1.  Aruba-CX and DUR from ClearPass

    Posted Feb 21, 2020 01:10 PM

    Hi there,


    I see some discussions about DUR and Secondary Roles, but I'm facing issues even with Primary roles and DUR.

    I configured the switch with a ta-profile, and my RADIUS server has the cppm user and password with permissions to download roles.

    I then set up an enforcement profile with type "Mobility Switch".


    My interface config:

    interface 1/1/3
        no shutdown
        description COLORLESS-PORT
        no routing
        vlan access 170
        spanning-tree link-type point-to-point
        aaa authentication port-access auth-precedence mac-auth dot1x
        aaa authentication port-access allow-cdp-bpdu
        aaa authentication port-access allow-lldp-bpdu
        aaa authentication port-access client-limit 8
        aaa authentication port-access mac-auth
            cached-reauth
            reauth
            enable
        exit

    I see the request on ClearPass, and it answers with the role.

    The switch log shows "2020-02-21T18:03:17.134578+00:00 f2sw01 port-accessd[3222]: Event|Unknown Event Name CERT_CHAIN_VERIFIED", meaning it is communicating with ClearPass.

    But no role is applied to the interface:

    # show aaa authentication port-access interface 1/1/3 client-status
    
    Port Access Client Status Details
    
    Client 00:xx:xx:xx:xx:xx, 000xxxxxxxx
    ============================
      Session Details
      ---------------
        Port         : 1/1/3
        Session Time : 342s
    
      Authentication Details
      ----------------------
        Status          : mac-auth Authenticated
        Auth Precedence : mac-auth - Authenticated, dot1x - Not attempted
    
      Authorization Details
      ----------------------
        Role   :
        Status : Not Ready
    
    
    Client 00:xx:xx:xx:xx:xx, 000xxxxxxxx
    ============================
      Session Details
      ---------------
        Port         : 1/1/3
        Session Time : 391s
    
      Authentication Details
      ----------------------
        Status          : mac-auth Authenticated
        Auth Precedence : mac-auth - Authenticated, dot1x - Not attempted
    
      Authorization Details
      ----------------------
        Role   :
        Status : Not Ready

    No errors are shown under event log.

    Can someone explain what I should configure for the ARUBA-CPPM-ROLE attribute under ClearPass?


    I'm really starting to regret buying these half-baked switches... No device fingerprinting support, no support on ClearPass, no DOCUMENTATION... Really miss my 2930F.


    Thanks


  • 2.  RE: Aruba-CX and DUR from ClearPass

    Posted Feb 21, 2020 01:24 PM

    Debug logs show:

    2020-02-21:18:21:38.490158|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_ROLE|logID=507960 Result of download operation for role ROLE_AOS_CX_DUR_PHONE-3067-1 is No error
    2020-02-21:18:21:38.490519|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_ROLE|logID=507961 Failed to parse XML file for ClearPass role 'ROLE_AOS_CX_DUR_PHONE-3067-1'
    2020-02-21:18:21:38.491156|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_ROLE|logID=507961 DB operation Insert is successfully completed for role ROLE_AOS_CX_DUR_PHONE-3067-1


    Role is:

    ROLE_AOS_CX_DUR_PHONE-3067-1
    user-role cppmrole
        vlan 174
        reauthentication-interval 1440
        voip-profile hq-wired_174
    !


  • 3.  RE: Aruba-CX and DUR from ClearPass

    MVP GURU
    Posted Feb 21, 2020 03:06 PM

    What is the voip-profile XXX on the cppmrole?



  • 4.  RE: Aruba-CX and DUR from ClearPass

    Posted Feb 21, 2020 06:34 PM

    A simple vlan only role also does not work.

    user-role cppmrole
    vlan 174
    !

    I tried both Mobility Access Switch and ArubaOS. Neither works.

    Bounce Port CoA also does not work. Terminate CoA seems to terminate the session forever.

    Getting HTTP user agent info and DHCP (without IP helpers to ClearPass) for profiling also does not work / is non-existent.

    The only thing that seems to work is standard RADIUS attributes like Tunnel-Private-Group-Id to set the VLAN; but that doesn't work for ACLs.

    Documentation is also severely lacking; some info is only found in AirHeads posts... Some other I got from a draft presentation from an Aruba representative.


    Comparing the current state of 6300 to 2930, really makes it look like Switch Backwards, not Switch Forward.



  • 5.  RE: Aruba-CX and DUR from ClearPass

    MVP GURU
    Posted Feb 22, 2020 05:13 AM

    Hi ricard,


    I think a ClearPass release is coming with a feature for ArubaCX (for DUR).


  • 6.  RE: Aruba-CX and DUR from ClearPass

    Posted Feb 22, 2020 06:08 AM

    Also missing from AOS-CX switches:

    - Framed IP Address on Accounting messages


    And I do have dhcpv4 snooping enabled.

    "I think, a ClearPass coming with feature for ArubaCX (for DUR)"

    Exactly. AOS-CX 6300/6400 switches are currently not production ready for any network that uses ClearPass.

    If you need something that works today, go with HPE based AOS switches.



  • 7.  RE: Aruba-CX and DUR from ClearPass

    Posted Feb 22, 2020 06:34 AM

    I figured out how to send a DUR to the switch.

    Syntax:

    class ip all-ipv4
        1 match ip any any
    exit
    port-access policy ALLOW-ALL
        10 class ip all-ipv4
    exit
    port-access role MANAGED
        auth-mode client-mode
        vlan access 170
        associate policy ALLOW-ALL
    exit

    Inside an Aruba-CPPM-Role RADIUS attribute.
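The role text above is pasted verbatim into the Aruba-CPPM-Role attribute, and the only feedback the switch gives on a bad one is the "Failed to parse XML file for ClearPass role" debug line quoted earlier, after the role has already been downloaded and the client is sitting in "Not Ready". The following is an added example (not code from this thread or from HPE Aruba) of a small linter that checks a DUR body before it is saved into the enforcement profile. It knows only the block keywords visible in the working syntax posted above (class ip, port-access policy, port-access role, vlan access, associate policy) and treats the "user-role" form from the earlier failing attempt as ArubaOS-Switch syntax; the function names, warning texts, and the three sample roles are all constructed for this example.

```python
"""Lint an AOS-CX downloadable user role (DUR) before it goes into the
Aruba-CPPM-Role RADIUS attribute of a ClearPass enforcement profile.

Added example, not code from the thread or from HPE Aruba. The block
keywords it recognises are taken from the working syntax posted above;
the 'user-role' form is the ArubaOS-Switch syntax the 6300 rejected.
Everything else (names, messages, sample roles) is constructed here.
"""
import re

# Header line of each AOS-CX block type, as seen in the posted role.
BLOCK_RE = re.compile(r"^(class ip|port-access policy|port-access role)\s+(\S+)$")
POLICY_ENTRY_RE = re.compile(r"^\d+\s+class\s+ip\s+(\S+)")
ASSOCIATE_RE = re.compile(r"^associate\s+policy\s+(\S+)$")
MATCH_ANY_RE = re.compile(r"^\d+\s+match\s+ip\s+any\s+any")
LEGACY_VLAN_RE = re.compile(r"^vlan\s+\d+$")  # 'vlan 174' vs 'vlan access 170'


def parse_dur(text):
    """Split DUR text into {block kind: {name: [statements]}}."""
    blocks = {"class ip": {}, "port-access policy": {}, "port-access role": {}}
    current = None  # (kind, name) of the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = BLOCK_RE.match(line)
        if header:
            kind, name = header.groups()
            blocks[kind][name] = []
            current = (kind, name)
        elif line == "exit":
            current = None
        elif current is None:
            raise ValueError(f"statement outside any block: {line!r}")
        else:
            kind, name = current
            blocks[kind][name].append(line)
    return blocks


def lint_dur(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # The thread's failing role used ArubaOS-Switch (2930F) syntax.
    if re.search(r"^\s*user-role\s", text, re.M):
        findings.append("uses 'user-role' (ArubaOS-Switch DUR syntax); "
                        "AOS-CX expects 'port-access role <name>'")
        return findings
    blocks = parse_dur(text)
    classes = blocks["class ip"]
    policies = blocks["port-access policy"]
    # Every policy entry must point at a class defined in the same DUR.
    for pname, entries in policies.items():
        for entry in entries:
            m = POLICY_ENTRY_RE.match(entry)
            if m and m.group(1) not in classes:
                findings.append(f"policy {pname}: class {m.group(1)!r} is not defined")
    # Roles must associate a defined policy and use the AOS-CX vlan form.
    for rname, stmts in blocks["port-access role"].items():
        for stmt in stmts:
            m = ASSOCIATE_RE.match(stmt)
            if m and m.group(1) not in policies:
                findings.append(f"role {rname}: policy {m.group(1)!r} is not defined")
            if LEGACY_VLAN_RE.match(stmt):
                findings.append(f"role {rname}: {stmt!r} looks like ArubaOS-Switch "
                                "syntax; the posted AOS-CX role uses 'vlan access <id>'")
    # Flag classes that match all IPv4 so an allow-all policy is a deliberate choice.
    for cname, rules in classes.items():
        for rule in rules:
            if MATCH_ANY_RE.match(rule):
                findings.append(f"class {cname}: {rule!r} matches all IPv4 traffic")
    return findings


# Constructed samples. WORKING_ROLE is the syntax from the post above;
# the other two reproduce the failure modes described in the thread.
WORKING_ROLE = """\
class ip all-ipv4
    1 match ip any any
exit
port-access policy ALLOW-ALL
    10 class ip all-ipv4
exit
port-access role MANAGED
    auth-mode client-mode
    vlan access 170
    associate policy ALLOW-ALL
exit
"""

LEGACY_ROLE = """\
user-role cppmrole
    vlan 174
!
"""

BROKEN_ROLE = """\
port-access role BROKEN
    vlan 174
    associate policy MISSING
exit
"""

if __name__ == "__main__":
    for label, role in (("working", WORKING_ROLE), ("legacy", LEGACY_ROLE),
                        ("broken", BROKEN_ROLE)):
        print(f"{label}: {lint_dur(role) or ['ok']}")
```

Run it on the role text before pasting it into the enforcement profile; the working role produces only the "matches all IPv4 traffic" note, which is the expected result for a deliberately open ALLOW-ALL policy, while the legacy and broken samples are rejected before they ever reach the switch.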



  • 8.  RE: Aruba-CX and DUR from ClearPass

    MVP GURU
    Posted Feb 22, 2020 03:00 PM

    Yes... the syntax on ArubaCX Switch...



  • 9.  RE: Aruba-CX and DUR from ClearPass

    Posted Feb 22, 2020 04:34 PM

    They should improve documentation.