
Clearpass DUR - Multiple Tagged VLANs

Dear all,

 

Setup:

  • ClearPass Policy Manager 6.8.3.110034 on C2000V platform as L3-Cluster without VIP
  • Aruba 2930M Switch-Stack with WC.16.09.0004 Firmware

We can enforce DUR without hassle. All currently running DURs only include an untagged VLAN:

[Screenshot: ClearPass Policy Manager]

Task:

We would like to enforce a DUR with multiple tagged VLANs (either as name or ID). Apparently, the switch doesn't accept it:

[Screenshot: ClearPass Policy Manager]

[Screenshot: remote desktop session on nbg-srvmgmt1]

Error:

[Screenshot: ClearPass Policy Manager]

[Screenshot: remote desktop session on nbg-srvmgmt1]

Is this a bug? Because I can't remove the "poe-priority low" line in the Standard DUR configuration?!

 

So I made another (advanced) DUR, where I removed the "poe-priority low" line. It's enforced as well, but the switch still doesn't accept it:

[Screenshot: ClearPass Policy Manager]

[Screenshot: remote desktop session on nbg-srvmgmt1]

 

 

 

Do you have any more troubleshooting suggestions?

 

 

Best regards,

Stefan

 


Accepted Solutions

Re: Clearpass DUR - Multiple Tagged VLANs

Hello all,

 

After opening a TAC case and going through all of this with a very good TAC engineer, I can say that:

HPE Aruba is not supporting multiple named tagged VLANs in a user role! (Multiple tagged VLANs by IDs are supported though).

 

Please keep that in mind ...

 

Best regards

Stefan



All Replies

Re: Clearpass DUR - Multiple Tagged VLANs

Not sure it is possible to push multiple VLAN names. Have you tried with VLAN ID?



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP

Re: Clearpass DUR - Multiple Tagged VLANs

Hi alagoutte,

 

thanks for the fast reply.

I just tried it with multiple IDs but same problem:

[Screenshot: ClearPass Policy Manager]

[Screenshot: ClearPass Policy Manager]

[Screenshot: remote desktop session on nbg-srvmgmt1]

 

So we also tried to only set ONE untagged and ONE tagged VLAN via ID. Doesn't work either!

[Screenshot: ClearPass Policy Manager]

[Screenshot: remote desktop session on nbg-srvmgmt1]

[Screenshot: remote desktop session on nbg-srvmgmt1]


Re: Clearpass DUR - Multiple Tagged VLANs

Can you try to create the enforcement profile and select advanced mode? Then type the value yourself. 

 

Example:

aaa authorization user-role name "cppmrole_80d101107fb045a"
vlan-id 21
vlan-id-tagged 1,4,5
exit

 


Re: Clearpass DUR - Multiple Tagged VLANs

Hello AirBubble,

 

thanks for your comment.

With your code it works fine:

[Screenshot: ClearPass Policy Manager]

[Screenshot: remote desktop session on nbg-srvmgmt1]

 

But as soon as I want to use VLAN-names instead of IDs, it fails:

[Screenshot: ClearPass Policy Manager]

[Screenshot: remote desktop session on nbg-srvmgmt1]

Is this a software bug? Why can't we assign multiple tagged VLANs using their names?
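
As an added example (not part of the original thread and not Aruba tooling): a small Python pre-check for role text typed into an advanced-mode enforcement profile, based on the accepted solution that multiple tagged VLANs are supported by ID but not by name. The `vlan-name-tagged` command, the comma-separated name list, the role name `example_role` and the VLAN names are assumptions; the thread itself only shows `vlan-id` and `vlan-id-tagged`.

```python
# Constructed sample roles in the syntax shown in the thread. The role name
# "example_role", the VLAN names and "vlan-name-tagged" are assumptions.
ROLE_BY_ID = """aaa authorization user-role name "cppmrole_80d101107fb045a"
vlan-id 21
vlan-id-tagged 1,4,5
exit"""
ROLE_BY_NAME = """aaa authorization user-role name "example_role"
vlan-id 21
vlan-name-tagged "VOICE","PRINT"
exit"""


def _items(arg):
    """Split a comma-separated argument and drop surrounding quotes."""
    return [a.strip().strip('"') for a in arg.split(",") if a.strip()]


def lint_dur(text):
    """Return (line_no, message) findings for one user-role block."""
    findings, untagged, tagged = [], None, {}
    for no, raw in enumerate(text.strip().splitlines(), 1):
        cmd, _, arg = raw.strip().partition(" ")
        if cmd == "vlan-id" and arg.strip().isdigit():
            untagged = int(arg)
        elif cmd == "vlan-id-tagged":
            for item in _items(arg):
                if item.isdigit() and 1 <= int(item) <= 4094:
                    tagged[int(item)] = no
                else:
                    findings.append((no, f"'{item}' is not a VLAN ID (1-4094)"))
        elif cmd == "vlan-name-tagged":
            names = _items(arg)
            if len(names) > 1:
                # Per the TAC answer: several tagged VLANs only work by ID.
                findings.append((no, f"{len(names)} tagged VLANs given by name; "
                                     "list their IDs with vlan-id-tagged"))
    if untagged in tagged:
        findings.append((tagged[untagged], f"VLAN {untagged} is also the untagged VLAN"))
    return findings


if __name__ == "__main__":
    for label, role in (("by ID", ROLE_BY_ID), ("by name", ROLE_BY_NAME)):
        print(label, lint_dur(role) or "ok")
```

Running a check like this before saving the profile catches a role the switch would reject, which matters because the thread shows the port ending up in the "denyall" role when the downloaded role is not applied.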


Re: Clearpass DUR - Multiple Tagged VLANs

Hi,

 

Have you tried directly with the CLI? Maybe the syntax is wrong.




Re: Clearpass DUR - Multiple Tagged VLANs

Hello,

 

good idea! I've tried to create the user-role manually and it works without any parsing-errors:

[Screenshot: remote desktop session on nbg-srvmgmt1]

 

I can also see that all details of the role have been passed and parsed correctly from CPPM to Switch.

[Screenshot: remote desktop session on nbg-srvmgmt1]

 

Any ideas why the role is not mapped to the port? Instead the "denyall" role is used ...

[Screenshot: remote desktop session on nbg-srvmgmt1]


Re: Clearpass DUR - Multiple Tagged VLANs

I just did some more checks: The exact same role (sent via ClearPass) produces execution errors on the switch, while copy-pasting the exact same output from ClearPass directly into the switch CLI works like a charm! This is really weird!

 

[Screenshot: Clearpass Output]

[Screenshot: Leads to execution error because of "faulty line"]

[Screenshot: Copying the exact same output directly into the switch CLI works like a charm]


Re: Clearpass DUR - Multiple Tagged VLANs

Open a case to TAC...


