Wired Intelligent Edge (Campus Switching and Routing)

Guest Blogger

Downloadable User-Role and NTP sync

I have an issue with the usage of downloadable user-role and NTP time sync. Downloadable user-role are working like a charm, but this happens when the switch returns from a power outage.


I configured two NTP servers with the iburst option for aggressive polling, but the successful time sync happens just after the wired auth. Because the time is off, the user-role cannot be downloaded and the ports get the default denyall user-role. This role doesn't have a reauth period configured.


I 02/12/19 10:04:15 04910 ntp: ST1-CMDR: All the NTP server associations reset.
I 02/12/19 10:04:15 04909 ntp: ST1-CMDR: The NTP Stratum was changed from 16 to 4.
I 02/12/19 10:04:15 04908 ntp: ST1-CMDR: The system clock time was changed by  918810079 sec 463263273 nsec. The new time is Tue Feb 12 10:04:15 2019
I 01/01/90 01:02:55 05747 DFP: ST1-CMDR: device_fingerPrinting: Hardware Rules updated successfully for port:1/1, protocol:80, client:08:00:0F:9D:45:BF
W 01/01/90 01:02:55 05204 dca: ST1-CMDR: Failed to apply user role _VOIP___DUR_-3005-1_7Z4q to macAuth client 08000F9D45BF on port 1/1: user role is invalid.
W 01/01/90 01:02:55 05620 dca: ST1-CMDR: macAuth client 08000F9D45BF on port 1/1 assigned to initial role as downloading failed for user role  _VOIP___DUR_-3005-1.
I 01/01/90 01:02:53 04911 ntp: ST1-CMDR: The NTP Server is unreachable.

Since the denyall user-role is read-only, I cannot change the reauthentication period from the user-role.


 User Role Information

   Name                              : denyall
   Type                              : predefined
   Reauthentication Period (seconds) : 0
   Cached Reauth Period (seconds)    : 0
   Logoff Period (seconds)           : 300
   Untagged VLAN                     : 
   Tagged VLAN                       : 
   Captive Portal Profile            : 
   Policy                            : denyall_104112101032097114117098097032098105108108
   Tunnelednode Server Redirect      : Disabled
   Secondary Role Name               : 
   Device Attributes                 : Disabled

I am curious if somebody experienced the same issue and how you resolved it.


I "fixed" it via the configuration of a new initial role with a reauth period of 10 seconds. The full configuration can be found on here my personal blog page www.booches.nl.


@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl
MVP Expert

Re: Downloadable User-Role and NTP sync



A software fix for the clock reset on cold boot/power loss issue on the 2930F and 2540 is in the works, and is expected to be released by the end of February.

Matt Fern
Senior Technical Marketing Engineer, Aruba Switching

Aruba, a Hewlett Packard Enterprise company

T: 916.540.1759  |  E: mfern@hpe.com   |   Matt @ Twitter
Search Airheads
Showing results for 
Search instead for 
Did you mean: