Wired Intelligent Edge


Clearpass DUR - Multiple Tagged VLANs

  • 1.  Clearpass DUR - Multiple Tagged VLANs

    Posted Nov 13, 2019 11:11 AM

    Dear all,

     

    Setup:

    • ClearPass Policy Manager 6.8.3.110034 on C2000V platform as L3-Cluster without VIP
    • Aruba 2930M Switch-Stack with WC.16.09.0004 Firmware

    We can enforce DUR without hassle. All currently running DURs only include an untagged VLAN:

    2019-11-13 16_52_21-ClearPass Policy Manager - Aruba Networks.png

    Task:

    We would like to enforce a DUR with multiple tagged VLANs (either as name or ID). Apparently, the switch doesn't accept it:

    2019-11-13 17_01_57-ClearPass Policy Manager - Aruba Networks.png

    2019-11-13 17_03_41-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

    Error:

    2019-11-13 17_05_01-ClearPass Policy Manager - Aruba Networks.png

    2019-11-13 17_05_07-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

    Is this a bug? Because I can't remove the "poe-priority low" line in the Standard DUR configuration?!

     

    So I made another (advanced) DUR, where I removed the "poe-priority low" line. It's enforced as well, but the switch still doesn't accept it:

    2019-11-13 17_10_13-ClearPass Policy Manager - Aruba Networks.png

    2019-11-13 17_10_36-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

     

     

     

    Do you have any more troubleshooting suggestions?

     

     

    Best regards,

    Stefan

     



  • 2.  RE: Clearpass DUR - Multiple Tagged VLANs

    MVP GURU
    Posted Nov 13, 2019 04:27 PM

    Not sure it is possible to push multiple VLAN names. Have you tried with VLAN ID?



  • 3.  RE: Clearpass DUR - Multiple Tagged VLANs

    Posted Nov 14, 2019 03:10 AM

    Hi alagoutte,

     

    thanks for the fast reply.

    I just tried it with multiple IDs but same problem:

    2019-11-14 08_57_21-ClearPass Policy Manager - Aruba Networks.png

    2019-11-14 09_07_32-ClearPass Policy Manager - Aruba Networks.png

    2019-11-14 09_07_38-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

     

    So we also tried to only set ONE untagged and ONE tagged VLAN via ID. Doesn't work either!

    2019-11-14 09_19_48-ClearPass Policy Manager - Aruba Networks.png

    2019-11-14 09_19_54-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

    2019-11-14 09_20_17-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png



  • 4.  RE: Clearpass DUR - Multiple Tagged VLANs

    Posted Nov 14, 2019 10:38 AM

    Can you try to create the enforcement profile and select advanced mode? Then type the value yourself. 

     

    Example:

    aaa authorization user-role name "cppmrole_80d101107fb045a"
    vlan-id 21
    vlan-id-tagged 1,4,5
    exit

     



  • 5.  RE: Clearpass DUR - Multiple Tagged VLANs

    Posted Nov 18, 2019 05:03 AM

    Hello AirBubble,

     

    thanks for your comment.

    With your code it works fine:

    2019-11-18 10_56_37-ClearPass Policy Manager - Aruba Networks.png

    2019-11-18 10_56_45-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

     

    But as soon as I want to use VLAN-names instead of IDs, it fails:

    2019-11-18 11_01_15-ClearPass Policy Manager - Aruba Networks.png

    2019-11-18 11_01_26-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

    Is this a software bug? Why can't we assign multiple tagged VLANs using their names?



  • 6.  RE: Clearpass DUR - Multiple Tagged VLANs

    MVP GURU
    Posted Nov 18, 2019 05:14 AM

    Hi,

     

    Have you tried directly with the CLI? Maybe the wrong syntax.



  • 7.  RE: Clearpass DUR - Multiple Tagged VLANs

    Posted Nov 18, 2019 10:08 AM

    Hello,

     

    good idea! I've tried to create the user-role manually and it works without any parsing-errors:

    2019-11-18 16_06_39-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

     

    I can also see that all details of the role have been passed and parsed correctly from CPPM to Switch.

    2019-11-18 16_27_44-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png

     

    Any ideas why the role is not mapped to the port? Instead, the "denyall" role is used ...

    2019-11-18 16_29_28-nbg-srvmgmt1 - nbg-srvmgmt1 - Remotedesktopverbindung.png



  • 8.  RE: Clearpass DUR - Multiple Tagged VLANs

    Posted Nov 18, 2019 10:46 AM

    I just did some more checks: The exact same role (sent via ClearPass) produces execution errors on the switch, while copy-pasting the exact same output from ClearPass directly into the switch CLI works like a charm! This is really weird!

     

    Clearpass Output

    Leads to execution error because of "faulty line"

    Copying the exact same output directly into the switch CLI works like a charm



  • 9.  RE: Clearpass DUR - Multiple Tagged VLANs

    MVP GURU
    Posted Nov 18, 2019 11:07 AM

    Open a case to TAC...



  • 10.  RE: Clearpass DUR - Multiple Tagged VLANs
    Best Answer

    Posted Nov 25, 2019 07:16 AM

    Hello all,

     

    after opening a TAC case and going through all of this with a very good TAC engineer I can say that:

     

    HPE Aruba is not supporting multiple named tagged VLANs in a user role! (Multiple tagged VLANs by IDs are supported though).

     

    Please keep that in mind ...

     

    Best regards

    Stefan
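
The limitation confirmed in the post above can be checked before an enforcement profile is pushed, so a role is not rejected and the port left in the "denyall" role as seen earlier in the thread. This Python linter is an added example, not part of the thread or of any Aruba tooling; the keyword `vlan-name-tagged`, the comma-separated name list, the role name "example_role" and the VLAN names are assumptions, since the thread shows the name-based form only in screenshots.

```python
import re

# Role body in the form posted in reply 4 of the thread.
ROLE_BY_ID = """aaa authorization user-role name "cppmrole_80d101107fb045a"
vlan-id 21
vlan-id-tagged 1,4,5
exit"""

# Constructed sample. ASSUMPTION: the name-based keyword is "vlan-name-tagged"
# and names are comma-separated; the thread shows this form only in screenshots.
ROLE_BY_NAME = """aaa authorization user-role name "example_role"
vlan-id 21
vlan-name-tagged "VOICE","PRINTERS"
exit"""

MSG_NAMES = ("multiple named tagged VLANs are not supported in a user role; "
             "use vlan-id-tagged with IDs")
TAGGED = re.compile(r"^\s*(vlan-id-tagged|vlan-name-tagged)\s+(.+?)\s*$")


def lint_role(body):
    """Return (line_no, message) findings for the tagged-VLAN lines of a role."""
    findings = []
    for line_no, line in enumerate(body.splitlines(), 1):
        match = TAGGED.match(line)
        if not match:
            continue
        keyword, value = match.groups()
        items = [i.strip().strip('"') for i in value.split(",") if i.strip()]
        if keyword == "vlan-name-tagged":
            # The case TAC confirmed as unsupported: more than one name.
            if len(items) > 1:
                findings.append((line_no, MSG_NAMES))
            continue
        for item in items:
            # 802.1Q VLAN IDs are 1-4094; anything else is a name or a typo.
            if not (item.isascii() and item.isdigit() and 1 <= int(item) <= 4094):
                findings.append((line_no, f"'{item}' is not a VLAN ID in 1-4094"))
    return findings


if __name__ == "__main__":
    for label, body in (("by ID", ROLE_BY_ID), ("by name", ROLE_BY_NAME)):
        print(label, lint_role(body) or "ok")
```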



  • 11.  RE: Clearpass DUR - Multiple Tagged VLANs

    Posted Oct 15, 2020 10:47 AM

    Hi, any update on this? Maybe in a new switch version?



  • 12.  RE: Clearpass DUR - Multiple Tagged VLANs

    MVP GURU
    Posted Oct 17, 2020 09:56 AM

    @AirBubble wrote:

    Hi, any update on this? Maybe in a new switch version?


    No change for the moment regarding multiple named VLANs (you can ask on Innovate Zone if you want / need support)



  • 13.  RE: Clearpass DUR - Multiple Tagged VLANs

    Posted Oct 17, 2020 12:19 PM

    Ok thanks.