Wired Intelligent Edge (Campus Switching and Routing)

DUR Not Working For MAC-Based Clients -- Event Log Shows Assigned Role Failed To Apply

Problem:

When the switch is configured to use downloaded user roles (DUR) from ClearPass Policy Manager (CPPM), the following log event may be generated under certain conditions.

 

W 07/10/19 20:57:58 05204 dca: Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.

 

In the above log event the client MAC is 005056831001 and the DUR name is TEST_DUR-3045-1.

 



Diagnostics:

The mac-based port-access debug output for the same client reports the same failure:

 

0012:20:57:58.29 MAC  mWebAuth:Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.

0012:20:58:08.16 MAC  mWebAuth:Port: 2 MAC: 005056-831001 [58] assigned role 'TEST_DUR-3045-1_7Z4q' failed, attempting to apply initial role.

 

------------------------Debug Commands------------------------

 

SW-1# debug destination session

SW-1# debug destination buffer

SW-1# debug security radius-server

SW-1# debug security ssl

SW-1# debug security port-access mac-based include port <port_number>

 

The SSL debug output shows the following:

 

0012:20:57:24.38 SSL  mcppmTask:handleClientHandshakeMessages() returns status =

0012:20:57:24.47 SSL  mcppmTask:ERR_CERT_START_TIME_VALID_IN_FUTURE

 

The above message clearly indicates that the problem is the validity start time of the certificate used for the TLS session to CPPM: the certificate's start time is later than the switch's local time, so the switch rejects the certificate and the role download fails, which is why the role is reported as invalid.
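To make this diagnosis repeatable, the following added example (not part of the original article or of any Aruba tool) correlates the event-log and SSL debug lines shown above. It extracts the client MAC, port and DUR name from the "dca" failure, looks for ERR_CERT_START_TIME_VALID_IN_FUTURE in the mcppmTask SSL debug, and, when the certificate's notBefore time is supplied, reports how far behind the switch clock is. The sample log lines are the ones from this article; the certificate start time of 2019-07-11 09:00:00 is a constructed value, and stripping the trailing "_7Z4q" suffix to recover the CPPM-side role name is an assumption based on the single example on the page.

```python
import re
from datetime import datetime, timedelta

# Event-log line, e.g.
# "W 07/10/19 20:57:58 05204 dca: Failed to apply user role <role> to macAuth client <mac> on port <n>: user role is invalid."
DCA_FAIL_RE = re.compile(
    r"^(?P<sev>[IWEM]) (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<code>\d{5}) dca: "
    r"Failed to apply user role (?P<role>\S+) to macAuth client (?P<mac>[0-9a-fA-F]{12}) "
    r"on port (?P<port>[^\s:]+): user role is invalid\.?$"
)
# SSL debug line from the CPPM task, e.g. "0012:20:57:24.47 SSL  mcppmTask:ERR_CERT_START_TIME_VALID_IN_FUTURE"
SSL_ERR_RE = re.compile(r"^\S+ SSL\s+mcppmTask:(?P<err>ERR_[A-Z_]+)$")

CLOCK_ERROR = "ERR_CERT_START_TIME_VALID_IN_FUTURE"


def parse_dca_failure(line):
    """Return the client/role details from a 'dca: Failed to apply user role' event, or None."""
    m = DCA_FAIL_RE.match(line.strip())
    if not m:
        return None
    role_full = m.group("role")
    # Assumption: the switch appends "_<suffix>" to the role name it downloaded
    # (TEST_DUR-3045-1_7Z4q on the page corresponds to DUR TEST_DUR-3045-1 in CPPM).
    dur_name = role_full.rsplit("_", 1)[0] if "_" in role_full else role_full
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S"),
        "role": role_full,
        "dur_name": dur_name,
        "mac": m.group("mac").lower(),
        "port": m.group("port"),
    }


def parse_ssl_error(line):
    """Return the ERR_* code from an mcppmTask SSL debug line, or None."""
    m = SSL_ERR_RE.match(line.strip())
    return m.group("err") if m else None


def diagnose(lines, cert_not_before=None):
    """Correlate DUR apply failures with SSL debug errors and produce a verdict."""
    failures = [f for f in (parse_dca_failure(l) for l in lines) if f]
    ssl_errors = [e for e in (parse_ssl_error(l) for l in lines) if e]
    result = {"failed_clients": failures, "ssl_errors": ssl_errors,
              "verdict": "no DUR apply failure found"}
    if not failures:
        return result
    result["verdict"] = "DUR failed to apply; cause not visible in SSL debug"
    if CLOCK_ERROR in ssl_errors:
        result["verdict"] = ("certificate start time is later than the switch clock; "
                             "correct the switch time or configure NTP")
        if cert_not_before is not None:
            # Event-log timestamps are in switch local time, so the difference
            # tells you roughly how far behind the clock is.
            result["clock_behind_by"] = cert_not_before - failures[0]["timestamp"]
    return result


# Constructed sample input: the log and debug lines quoted in the article.
SAMPLE_LINES = [
    "W 07/10/19 20:57:58 05204 dca: Failed to apply user role TEST_DUR-3045-1_7Z4q "
    "to macAuth client 005056831001 on port 2: user role is invalid.",
    "0012:20:57:24.38 SSL  mcppmTask:handleClientHandshakeMessages() returns status =",
    "0012:20:57:24.47 SSL  mcppmTask:ERR_CERT_START_TIME_VALID_IN_FUTURE",
]
# Constructed certificate notBefore value (not from the page).
SAMPLE_CERT_NOT_BEFORE = datetime(2019, 7, 11, 9, 0, 0)

if __name__ == "__main__":
    report = diagnose(SAMPLE_LINES, SAMPLE_CERT_NOT_BEFORE)
    for client in report["failed_clients"]:
        print(f"port {client['port']} mac {client['mac']} dur {client['dur_name']}")
    print(report["verdict"])
    if "clock_behind_by" in report:
        print(f"switch clock behind certificate start by {report['clock_behind_by']}")
```

Feed it the event log (`show log`) and the buffered debug output after enabling the debug commands above; a non-empty `failed_clients` list with no `ERR_*` code means the cause is something other than the clock and the SSL debug should be read in full.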

 



Solution:

Either of the following two steps can be used to resolve the issue.

 

1. Correct the switch's local time and date manually. Make sure to correct it again every time the switch reboots.

 

The format of the time command is "time MM/DD[/[YY]YY] HH:MM[:SS]" and it must be entered in configuration mode. For example:

 

SW-1(config)# time 01/01/2019 00:01:10

 

2. The best solution is to synchronize the switch's time with NTP. Configure the following NTP parameters to resolve the issue.

 

---------------------NTP Configuration---------------------

SW-1(config)#timesync ntp

SW-1(config)#ntp enable

SW-1(config)#ntp server 192.168.1.10       //ntp server <IP_ADDR>

 

A server name can be used instead of an IP address, but DNS must also be configured on the switch so the name can be resolved.

Version history: Revision 1 of 1. Last update: 07-27-2019 10:20 AM.