Wired Intelligent Edge (Campus Switching and Routing)

Debugging DUP issues

Hi,

I've got a 2930 running 16.8.3 which I use to play with all things ClearPass and DUP.

I've a DUP profile that works just fine for an EAP-TLS device, which gets dropped into a named VLAN called "roaming". This works just fine: IP address out of a pool and DDNS to get an FQDN name assigned to it.

I've also got an AP that I wanted to drop into the same VLAN, so I set up some ClearPass configs and sent the same DUP.


However, this time the switch said:

W 06/24/19 16:17:48 05204 dca: ST1-CMDR: Failed to apply user role
UoY_DUP_Roaming___090318-3120-26_7Z4q to macAuth client 204C033A6088
on port 2/13: user role is invalid.

Now I couldn't see why it said that, as the same role was working with the dot1 device.

In the end I suspect it was ClearPass sending a DUR and a "standard" VLAN assignment that confused things, as when I removed the "2nd" VLAN assignment into a "local_5" VLAN (VLAN 5, where we usually put APs) things sprang into life.

However, my question is: if on a switch you do see "user role is invalid" and you know the role is o.k., what tools are there on the switch to find out what is going on? Think I fixed this by going "what if...". I'm sure there must be a more logical way of debugging this.
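Added example, not part of the original post and not Aruba or ClearPass tooling: a small parser that rejoins the wrapped "Failed to apply user role" entries from a saved switch log and groups them by role, auth method and port, so a role that fails only for one auth method stands out. The function names are hypothetical, the parser assumes wrapped lines break at whitespace as in the message above, and only the first failure in the sample is from the post; the other log lines are constructed.

```python
import re
from collections import Counter

# First failure entry is the one quoted in the post; the other entries are constructed.
SAMPLE_LOG = """\
I 06/24/19 16:17:40 00076 ports: ST1-CMDR: port 2/13 is now on-line
W 06/24/19 16:17:48 05204 dca: ST1-CMDR: Failed to apply user role
UoY_DUP_Roaming___090318-3120-26_7Z4q to macAuth client 204C033A6088
on port 2/13: user role is invalid.
W 06/24/19 16:19:02 05204 dca: ST1-CMDR: Failed to apply user role
UoY_DUP_Roaming___090318-3120-26_7Z4q to macAuth client 204C033A6088
on port 2/13: user role is invalid.
"""

HEADER = re.compile(r"^[A-Z] \d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \d{5} ")
FAILURE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\S+) (?P<time>\S+) (?P<event>\d{5}) .*?"
    r"Failed to apply user role (?P<role>\S+) to (?P<method>\S+) "
    r"client (?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>[^:\s]+): "
    r"(?P<reason>.*?)\.?$"
)

def join_wrapped(text):
    # Lines without a log header continue the previous entry
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if HEADER.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def role_failures(text):
    # One dict per "Failed to apply user role" entry, plus the role name length
    hits = [m.groupdict() for e in join_wrapped(text) if (m := FAILURE.match(e))]
    for h in hits:
        h["role_len"] = len(h["role"])
    return hits

def summarize(failures):
    # Count repeats per (role, method, port, reason)
    return Counter((f["role"], f["method"], f["port"], f["reason"]) for f in failures)

if __name__ == "__main__":
    for (role, method, port, reason), n in summarize(role_failures(SAMPLE_LOG)).items():
        print(f"{n}x {method} port {port}: {role} ({len(role)} chars): {reason}")
```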

 

MVP Guru Elite

Re: Debugging DUP issues

Have you run a show log security?



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP

Re: Debugging DUP issues

Believe I did try that at one point... didn't seem to show any useful info.

MVP Guru Elite

Re: Debugging DUP issues

Is the name of the DUR not too long? (There is some limitation.)

What is the configuration generated by ClearPass?

Frequent Contributor I

Re: Debugging DUP issues

On ClearPass, are you using the Standard or Advanced way of configuring the DUR?

With the Advanced way I've made some silly mistakes like forgetting a hyphen in the vlan-id syntax.

What you can do is, in ClearPass, go to Access Tracker and find that specific request, go to output and the entire DUR should be there. You can try copying and pasting it to see if it throws an error at a specific point.

As mentioned before, I've had issues with length as well. If the length of the enforcement profile is too long, it'll throw a fit.

Chris Wickline | Network Engineer | York College of Pennsylvania

Re: Debugging DUP issues

Do you get anything from "debug security" and "debug destination session"? That should show the exact line the user role is failing on.

Does the VLAN ID exist on the switch you're trying to apply the role to?


Re: Debugging DUP issues

In this case I had a ClearPass error that was downloading the profile and trying to set assignment to a different named VLAN. So the DUP was saying one named VLAN and the Access-Accept packet was saying another. The DUP was happily working for another device so I knew it was o.k. and didn't have a name length problem.

Once I'd "tweaked" ClearPass to only send the DUP and forced a device reauth it all sprang into life, so yup, it was a silly mistake on my part.

Debug security didn't seem to say much, never thought to use "destination session".

Just need to write all these commands down so I don't reinvent this wheel again a few months down the line!

Rgds

Alex
