Wired Intelligent Edge (Campus Switching and Routing)

Downloadable User Role is invalid message

I've been dabbling with DURs on a 2930 switch running 16.8.3

 

1st one worked just fine and I can drop a client device into a vlan called roaming with an allow all policy.

 

2nd one set up Per User Tunnelling Node link for a Chromecast device that tunneled data up to our ArubaOS 8 mobility controller.

 

I then went back to one supposedly for a dhcp fingerprinted AP to drop it into a VLAN with name VLAN_5

Unfortunately I end up with the following error message

 

"W 06/06/19 13:06:14 05204 dca: ST1-CMDR: Failed to apply user role to macAuth client 204C0340ED11 on port 2/13: user role is invalid."

 

How can I find out what's wrong with the DUR? All I did was copy a working one and changed the word "roaming" to "local_5"?

 

If I change DUR no (2) then the version number increases on the switch so I know it's being downloaded.

 

Rgds

Alex

 

Profiles shown below

 

Downloadable profiles are shown below

1). 

xb-as-2930-1# sh user-role download detail
Downloaded user roles are preceded by *

User Role Information

Name : *UoY_DUP_Roaming___090318-3120-26
Type : downloaded
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : roaming
Tagged VLAN :
Captive Portal Profile :
Policy : PERMIT-ALL_UoY_DUP_Roaming___090318-31...

Statements for policy "PERMIT-ALL_UoY_DUP_Roaming___090318-3120-26"
policy user "PERMIT-ALL_UoY_DUP_Roaming___090318-3120-26"
10 class ipv4 "IP-ANY-ANY_UoY_DUP_Roaming___090318-3120-26" action permit
exit


Statements for class IPv4 "IP-ANY-ANY_UoY_DUP_Roaming___090318-3120-26"
class ipv4 "IP-ANY-ANY_UoY_DUP_Roaming___090318-3120-26"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled

 

2).

User Role Information

Name : *ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5
Type : downloaded
Reauthentication Period (seconds) : 28800
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : local_5
Tagged VLAN :
Captive Portal Profile :
Policy : PERMIT-ALL_ROLE_AOS_S_DUR__LOCAL5_DEVI...

Statements for policy "PERMIT-ALL_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
policy user "PERMIT-ALL_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
10 class ipv4 "IP-ANY-ANY_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5" action
permit
exit


Statements for class IPv4 "IP-ANY-ANY_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
class ipv4 "IP-ANY-ANY_ROLE_AOS_S_DUR__LOCAL5_DEVICES-3155-5"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled

 

3).

User Role Information

Name : *ROLE_AOS_S_DUR_T__AIRGROUP_DEVICES-31...
Type : downloaded
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLAN :
Captive Portal Profile :
Policy :
Tunnelednode Server Redirect : Enabled
Secondary Role Name : airgroup_devices
Device Attributes : Disabled

 


xb-as-2930-1#

 

 

Re: Downloadable User Role is invalid message

Can you share a sample of the actual user role configuration from ClearPass?

 

Have you tried running "debug security"?  That should give you the exact line the user role is failing on.

Re: Downloadable User Role is invalid message

Also avoid too long a name for the enforcement (and extra characters...)





Re: Downloadable User Role is invalid message

Sigh! 

The key is to look at the error message more carefully.

The message says 

 

W 06/07/19 10:00:27 05204 dca: ST1-CMDR: Failed to apply user role to macAuth
client 204C033A6089 on port 2/13: user role is invalid.

 

However, the user role I'm passing back (based upon a fingerprint) is for MAC address 204C033A6088

 

xb-as-2930-1(config)# sh mac-addres 2/13

 

gives

 

Status and Counters - Port Address Table - 2/13

MAC Address VLANs
----------------- ------------
204c03-3a6088 480
204c03-3a6089 4003

 

which is right: the "88" address is the one processed by ClearPass. The "89" address is another one coming from the AP which ClearPass doesn't know what to do with, so it gets dropped into our portal vlan.

 

thanks for the replies .. at least I know how to use the debug command now :-)

 

Rgds

Alex
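The comparison that resolved this thread (the MAC in the switch's "user role is invalid" event versus the MAC that ClearPass actually profiled) can be scripted. The following is an added example, not part of the original posts: the function names are hypothetical, the sample input is constructed from the output quoted above, and the profiled MAC is assumed to be supplied by whoever checks the ClearPass side.

```python
import re

# Constructed sample input, shaped like the switch output quoted in this thread.
LOG = ("W 06/07/19 10:00:27 05204 dca: ST1-CMDR: Failed to apply user role to macAuth\n"
       "client 204C033A6089 on port 2/13: user role is invalid.")
MAC_TABLE = """\
MAC Address VLANs
----------------- ------------
204c03-3a6088 480
204c03-3a6089 4003
"""
FAIL_RE = re.compile(r"Failed to apply user role to (\w+)\s+client\s+(\S+)"
                     r"\s+on port\s+(\S+):\s*(.+?)\.?$", re.S)

def norm(mac):
    """Reduce 204C033A6089, 204c03-3a6088 or aa:bb:.. notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_failure(log):
    """Pull auth method, client MAC, port and reason out of the event (it may wrap lines)."""
    m = FAIL_RE.search(log.strip())
    if not m:
        return None
    method, mac, port, reason = m.groups()
    return {"method": method, "mac": norm(mac), "port": port, "reason": reason}

def parse_mac_table(text):
    """Return {mac: vlan} from the port address table; header and rule lines are skipped."""
    rows = re.findall(r"^\s*([0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s+(\d+)\s*$", text, re.M)
    return {norm(mac): int(vlan) for mac, vlan in rows}

def triage(log, mac_table, profiled_mac):
    """Compare the MAC that failed on the switch with the MAC that was profiled (assumed input)."""
    fail = parse_failure(log)
    if fail is None:
        raise ValueError("no user-role failure event found in log text")
    expected = norm(profiled_mac)
    return {"failed_mac": fail["mac"], "port": fail["port"],
            "failed_is_profiled": fail["mac"] == expected,
            "same_oui": fail["mac"][:6] == expected[:6],
            "offset": int(fail["mac"], 16) - int(expected, 16),
            "vlans": parse_mac_table(mac_table)}

if __name__ == "__main__":
    print(triage(LOG, MAC_TABLE, "204C033A6088"))
```

A result with `failed_is_profiled` false, `same_oui` true and a small `offset` points at a second MAC from the same device on that port rather than a fault in the role definition.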

 

 
