Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor I

DUR fails after reboot

Hi there,


I'm currently testing a 2930F with ClearPass and Downloadable user roles.

Everything works fine, until I reboot the switch.

After the switch boots, I can see the log saying it could not download the role, and all devices get a DenyAll role.

If I then disable and re-enable the ports, they all get their role properly.

Any idea what can be the problem?


Thanks

Guru Elite

Re: DUR fails after reboot

It’s likely that time sync hasn’t occurred yet.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Frequent Contributor I

Re: DUR fails after reboot

And how can I overcome the problem?

How can I delay the port authentications so that I can ensure everything is OK by the time the first request is sent to ClearPass?

Guru Elite

Re: DUR fails after reboot

Unfortunately you can’t today. I would recommend reaching out to your Aruba team to inquire about potential changes in the future.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Aruba Employee

Re: DUR fails after reboot


There are multiple ways you can deal with this problem:

Personally I would recommend points 2 and 3 from the following list:

1. Lower the (S)NTP sync time from the default 720s = 20 min to 120s = 2 min so that time gets synchronized quickly after a reboot. Otherwise you may have to wait 20 min before DUR will work if the first SNTP request failed.

2. Set an approximate time which is used by the switch after a power loss or reboot using the job-scheduler command, e.g.:

job "set_time" at reboot "time 12/24/2018 00:00:00"

This is at least more accurate, before the time is successfully updated via (S)NTP, than the default date (01/01/90 00:00:00) which is used after a power loss.

3. Create a new user-role to be used as the initial role with a reauth-period defined. Otherwise failed authentications when the RADIUS server is not reachable in time after a reboot cause clients to get stuck in the default initial role (denyall).

class ipv4 "denyall-ipv4"
  10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

class ipv6 "denyall-ipv6"
  10 match ipv6 ::/0 ::/0
exit

policy user "denyall"
  10 class ipv4 "denyall-ipv4" action deny
  20 class ipv6 "denyall-ipv6" action deny
exit

aaa authorization user-role name "denyall-reauth"
  policy "denyall"
  reauth-period 60
exit

aaa authorization user-role initial-role "denyall-reauth"
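Added example, not part of the thread or of any Aruba tooling: a small audit script that reads a saved running-config and reports which of the three boot-time DUR mitigations above are missing (short SNTP poll interval, a reboot-time job that seeds the clock, and a custom initial role with a reauth-period). The two config fragments are constructed samples that follow the ArubaOS-Switch syntax shown in the post; the assumption that `sntp <seconds>` is the poll-interval command and that 720 s is the default are taken from the post, not verified against a switch.

```python
import re

# Constructed sample running-config (assumed ArubaOS-Switch syntax, not a
# capture from a real 2930F) with all three mitigations from the post present.
HARDENED_CONFIG = """\
hostname "sw-2930f-lab"
timesync sntp
sntp unicast
sntp 120
sntp server priority 1 192.0.2.10
job "set_time" at reboot "time 12/24/2018 00:00:00"
class ipv4 "denyall-ipv4"
  10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv6 "denyall-ipv6"
  10 match ipv6 ::/0 ::/0
exit
policy user "denyall"
  10 class ipv4 "denyall-ipv4" action deny
  20 class ipv6 "denyall-ipv6" action deny
exit
aaa authorization user-role name "denyall-reauth"
  policy "denyall"
  reauth-period 60
exit
aaa authorization user-role initial-role "denyall-reauth"
"""

# Constructed sample of a switch left at the defaults the thread describes.
DEFAULT_CONFIG = """\
hostname "sw-2930f-default"
timesync sntp
sntp unicast
sntp server priority 1 192.0.2.10
"""

DEFAULT_SNTP_POLL = 720  # seconds; the 20 min default quoted in the post (assumed)


def parse_user_roles(config):
    """Map each 'aaa authorization user-role name' block to its policy and reauth-period."""
    roles = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.match(r'aaa authorization user-role name "([^"]+)"$', line)
        if start:
            current = start.group(1)
            roles[current] = {"policy": None, "reauth_period": None}
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
            continue
        policy = re.match(r'policy "([^"]+)"$', line)
        reauth = re.match(r"reauth-period (\d+)$", line)
        if policy:
            roles[current]["policy"] = policy.group(1)
        elif reauth:
            roles[current]["reauth_period"] = int(reauth.group(1))
    return roles


def audit_dur_boot_readiness(config, max_sntp_poll=120):
    """Report which boot-time DUR mitigations a config lacks.

    Returns the values found plus a 'findings' list; an empty list means
    all three mitigations from the post are configured.
    """
    lines = [l.strip() for l in config.splitlines()]
    sntp_poll = DEFAULT_SNTP_POLL
    initial_role = None
    for line in lines:
        m = re.match(r"sntp (\d+)$", line)  # 'sntp unicast'/'sntp server ...' do not match
        if m:
            sntp_poll = int(m.group(1))
        m = re.match(r'aaa authorization user-role initial-role "([^"]+)"$', line)
        if m:
            initial_role = m.group(1)
    reboot_time_job = any(re.match(r'job "[^"]+" at reboot "time ', l) for l in lines)
    roles = parse_user_roles(config)
    reauth = roles.get(initial_role, {}).get("reauth_period") if initial_role else None

    findings = []
    if sntp_poll > max_sntp_poll:
        findings.append(f"SNTP poll interval is {sntp_poll}s; lower it to <= {max_sntp_poll}s")
    if not reboot_time_job:
        findings.append("no 'job ... at reboot \"time ...\"' seeding the clock after a power loss")
    if initial_role is None:
        findings.append("no custom initial-role; clients failing at boot stay in the default denyall role")
    elif reauth is None:
        findings.append(f"initial-role {initial_role!r} has no reauth-period, so stuck clients never retry")
    return {"sntp_poll": sntp_poll, "reboot_time_job": reboot_time_job,
            "initial_role": initial_role, "initial_role_reauth": reauth, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("default", DEFAULT_CONFIG)):
        print(name, audit_dur_boot_readiness(cfg)["findings"] or "OK")
```

Run it against the output of `show running-config` saved to a file; the findings list maps one-to-one onto the three numbered points, so an empty list is the state the post recommends.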