Wired Intelligent Edge


Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution.

Dynamic Segmentation: User Data Retrieval of type 1 for user failed

  • 1.  Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 11:39 AM

    I've configured a 2930F with local user roles, and the client gets assigned that role fine from ClearPass. With 'show port-access clients' I can see the user is connected to the network with the correct user role. However, when I try to enable user-based tunneling, I'm getting these error messages.

     

    2930F(eth-5)# enable
    2930F(eth-5)#
    I 10/08/19 18:32:12 00435 ports: port 5 is Blocked by AAA
    0012:18:51:21.95 TNT mtnodeUserCtrl:aqLookupSpecify failed: result= -13
    0012:18:51:21.95 TNT mtnodeUserCtrl:User Data Retrieval of type 1 for user b827eb-cb3eea failed
    0012:18:51:21.95 TNT mtnodeUserCtrl:userTNodeProcAddUserReq: UAC FSM failed for USER_TNODE_UAC_START_EVT
    I 10/08/19 18:32:12 00076 ports: port 5 is now on-line
    I 10/08/19 18:32:12 00001 vlan: TUNNELED_NODE_SERVER_RESERVED virtual LAN enabled (11 times in 60 seconds)
    I 10/08/19 18:32:12 00002 vlan: TUNNELED_NODE_SERVER_RESERVED virtual LAN disabled (11 times in 60 seconds)

    And then the result=-13 error just repeats.

    I have configured the secondary user role:

     

    aaa authorization user-role name "UBT-LUR-Camera"
       policy "camera"
       vlan-id 3308
       tunneled-node-server-redirect secondary-role "UBT-Camera"

    And on the mobility controller I have role UBT-Camera with VLAN 3308 enabled and with allowall ACL.

     

    Connection to the controllers also seems fine:

    # show tunneled-node-server state
    
     Local Master Server (LMS) State
    
     LMS Type     IP Address       State        Capability Role
     Primary   :  10.133.5.61      Complete     Per User   Operational Primary
     Secondary :  10.133.5.62      Complete     Per User   Operational Secondary

    Any tips for troubleshooting this?

     

    Thanks!



  • 2.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 01:38 PM

    The tunnel is in a completed state with the switch from your output.

     

    Is VLAN 3308 enabled on the switch?

     

    Did you enable user roles on the switch?

     

    aaa authorization user-role enable

     

    Did you check your RADIUS configuration on the switch? Specifically, whether the RADIUS key is correct.

     

    Lastly, did you disable and enable the port?

     

    int 5 

    disable

    enable

     

    After this, what do you see in the output of "show port-access clients"?

     

    What is the output of "show tunneled-node-users down"?

     

    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.




  • 3.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 01:45 PM

    I have enabled user roles. (I was following the dynamic segmentation video series from YouTube.) If I remove the secondary role:

     

    aaa authorization user-role name "UBT-LUR-Camera"
     no tunneled-node-server-redirect

    Then, after enabling the port, I can see:

    Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
    ----- ------------- ----------------- --------------- ----------------- ----- ----
    5     b827ebcb3eea  b827eb-cb3eea     n/a             UBT-LUR-Camera    MAC   3308

    RADIUS is working too and I get the roles etc. But after enabling the redirect I get those error messages (after disabling the port and then enabling it again).

     

    show port-access client and show tunneled-node-users are empty

     

    When I followed the videos port-based tunneling worked, so I guess the controller is in somewhat working condition :)




  • 4.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 02:01 PM

    On the switch is the port configured as an access port or a trunk port?

     

    What is the image version of the controller ?

     

    On the controller, what is the output of "show tunneled-node config", "show tunneled-node-mgr trace-buf" and "show tunneled-node-mgr stats"?

     

    Just to verify: is VLAN 3308 in the up state on the controller (the MD to which you are redirecting the user traffic when you use the tunneled-node-server-redirect command)?




  • 5.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 02:09 PM

    It's an access port. Controllers are managed by Mobility Master, running the commands from the MC:

    (i1-mc1) #show tunneled-node state
    
    Tunneled Node State
    -------------------
    IP  MAC  port  state  vlan  tunnel  inactive-time
    --  ---  ----  -----  ----  ------  -------------
    
    (i1-mc1) #show tunneled-node config
    
    Tunneled node Server:Enabled
    Tunnel Loop Prevention:Disabled
    (i1-mc1) #show vlan  3308
    
    VLAN CONFIGURATION
    ------------------
    VLAN   Description  Ports         AAA Profile  Option-82
    ----   -----------  -----         -----------  ---------
    3308   VLAN3308     GE0/0/0-0/1   N/A          Disabled
    
    
    (i1-mc1) #show interface gigabitethernet 0/0/1 trusted-vlan
    
    Name:  GE0/0/1
    Trusted Vlan(s)
    3308
    
    (i1-mc1) #show interface gigabitethernet 0/0/1
    
    GE 0/0/1 is up, line protocol is up

    gi0/0/1 is the uplink trunk port towards the rest of the network. The controllers are on 8.4.0.4 and the switch on 16.09.



  • 6.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 02:52 PM

    Each tunneled-node client uses one AP license.

     

    What is the output of show license-usage ap

     

    Please refer to this document for the configuration.

     

    https://www.arubanetworks.com/techdocs/ArubaOS_81_Web_Help/Content/ArubaFrameStyles/Mux_config/Configuring_a_Wired_Tunn.htm





  • 7.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 02:54 PM
    (i1-mc1) #show license-usage ap
    
    AP Licenses
    -----------
    Type                      Number
    ----                      ------
    AP Licenses               16
    PEF Licenses              16
    MM Licenses               16
    Controller License        True
    Overall AP License Limit  16
    
    AP Usage
    --------
    Type             Count
    ----             -----
    Active CAPs      0
    Active RAPs      0
    Remote-node APs  0
    Active MUX       0
    Active PUTN      1
    Total APs        1
    
    Remaining AP Capacity
    ---------------------
    Type  Number
    ----  ------
    CAPs  15
    RAPs  15

     

    I believe I have everything configured that's in the link?



  • 8.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 03:06 PM

    The PUTN is using one license so you are good on the license front.

     

    What do you see in the logs for this user?

     

    Show log security 50     

    Show log user 50

     

    I believe the user is wired; what's the scenario when you use a wireless user with the tunneled-node redirect command enabled?




  • 9.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 03:11 PM

    The logs have only a row about my admin login, but nothing related to the tunneled node (I tried disabling and then enabling the port).

     

    Not really sure about the second part though... tunneled node is for wired users not wireless and the redirect is configured in the 2930F switch.



  • 10.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 03:50 PM

    Ah yes, my bad. Was asking my routine wired users TShoot questions :D

     

    The configuration looks legit. The only thing that comes to my mind is the GRE tunnel.

     

    Is GRE Traffic allowed ?

     

    The switch establishes a user GRE tunnel when you add the redirect command.

     

    When the attribute "UBT-LUR-Camera" is matched in ClearPass, ClearPass redirects this user over the GRE tunnel to the MD.

     

    The UBT-Camera (secondary role) should be mentioned in this redirect message.

     

    What are you seeing wrt clearpass redirect message?





  • 11.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 04:01 PM

    I have that secondary role configured on the 2930F, so ClearPass doesn't need to return that. Just the primary role. On the switch I have

     

    aaa authorization user-role name "UBT-LUR-Camera"
       policy "allowall"
       vlan-id 3308
       tunneled-node-server-redirect secondary-role "UBT-Camera"

    and that UBT-Camera exists on the MC. ClearPass doesn't do any matching based on those roles or redirecting. It checks the user account and then sends back:

    Radius:Hewlett-Packard-Enterprise:HPE-User-Role = UBT-LUR-Camera

    this works as you can see from my second post.

     

    As port based tunneling worked like I wrote, GRE is allowed to the MC and back.



  • 12.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 04:11 PM

    Well, PPTN works like you've mentioned. It's the PUTN that is not working when the redirect command is set.

     

    I think a switch only supports either one at any given time AFAIK.

     

    Have you tried creating a new unused VLAN and using that VLAN for PUTN?

     

    What ACLs are there in the default-tunneled-user AAA profile?

     

    Have a TAC ticket opened in parallel to this post as well.





  • 13.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 04:18 PM

    Yes, the switch only supports either port- or user-based tunneling. I've switched the switch to user-based tunneling with the command

     

    tunneled-node-server mode role-based reserved-vlan 4091

    PPTN doesn't use the secondary roles: you just set the controller IP, match the VLANs on the MC and the switch, put the port in that VLAN and voilà. With PUTN you need to have the secondary user role, either configured on the switch or pushed down from CPPM with downloadable user roles and stuff. I'm just trying to get the first step working without going full CPPM, which is to configure an LUR on the 2930F with a secondary role.

     

    Check "Aruba Networks Dynamic Segmentation Inside Out" from the Airheads YouTube channel for more information. I have my setup configured similarly to the author's in videos 9-10, but it seems I'm still missing something.



  • 14.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 04:22 PM

    Was the video using 8.4 as well? There may be new configuration caveats with every new version (which we may miss due to new features being introduced).

     

    What is the TAC's take on this?





  • 15.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    EMPLOYEE
    Posted Oct 08, 2019 04:12 PM

    Hi, 

     

    Can you try removing the policy line from the switch user role and see if that works?  Or add in all class/match statements into the user role.  If using a switch policy on the primary user role, it needs to have all class, policy, and match statements included as shown here:

     

    https://techhub.hpe.com/eginfolib/Aruba/16.09/5200-5908/index.html#GUID-F7DC6844-AF1A-47AA-A85F-2E9E8974523E.html



  • 16.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 04:23 PM

    I tried removing the policy under UBT-LUR-Camera role, but I'm getting the same error message.

     

    Before that I had the user-role configured like this:

    class ipv4 "alltraffic"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    policy user "allowall"
         10 class ipv4 "alltraffic" action permit
       exit
    aaa authorization user-role name "UBT-LUR-Camera"
       policy "allowall"
       vlan-id 3308
       tunneled-node-server-redirect secondary-role "UBT-Camera"


  • 17.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    EMPLOYEE
    Posted Oct 08, 2019 05:10 PM

    For simplicity I would also remove the vlan-id and policy command from the user role, all you really need is the tunneling command to get the tunnels up.

     

    Do you get any output when running the command "debug usertn" and "debug destination buffer" (or session) on the switch?  



  • 18.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 05:17 PM

    I've attached the debugging output (it's what I had in the original post too)

     

    In this case I tried with just this config:

    aaa authorization user-role name "UBT-LUR-Camera"
       tunneled-node-server-redirect secondary-role "UBT-Camera"
       exit

    ClearPass returned (the switch requested this 26 six times, and CPPM replied with Accept every time):

    Output RADIUS Attributes -
     Radius:Hewlett-Packard-Enterprise:HPE-User-Role = UBT-LUR-Camera

    Attachment: 2930F-debug.txt (8 KB)


  • 19.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 05:20 PM

    Why does it say that your port 5 is blocked by AAA? Is this done intentionally?






  • 20.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 05:37 PM

    @Mr.RFC wrote:

    Why does it say that your port 5 is blocked by AAA? Is this done intentionally?

    Port of course starts in blocked state, because there has not been authentication yet. See for example this debug log without the UBT secondary role where I just get the LUR info from CPPM:

     

    2930F-alempi(eth-5)# enable
    2930F-alempi(eth-5)#
    I 10/09/19 00:33:10 00435 ports: port 5 is Blocked by AAA
    I 10/09/19 00:33:11 00076 ports: port 5 is now on-line
    I 10/09/19 00:33:11 00001 vlan: VLAN3308 virtual LAN enabled (25 times in 60 seconds)
    
    2930F-alempi(eth-5)# show port-access client
    
     Port Access Client Status
    
      Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
      ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
      5     b827ebcb3eea  b827eb-cb3eea     n/a             UBT-LUR-Camera    MAC   3308

    You should lab this dynamic segmentation setup yourself too, so we wouldn't have to go through each and every step :) Appreciate the help still.



  • 21.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 08, 2019 05:41 PM
    On my to-do list now. Gonna try it this weekend. :P



  • 22.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    EMPLOYEE
    Posted Oct 08, 2019 07:42 PM

    Can you post the entire show tunneled-node-server state command?  Are the controllers showing up as UACs?  

     

    Do you have enough resources in "show policy resources"?

     

    I'm checking internally to find out what that output means specifically.




  • 23.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed

    Posted Oct 09, 2019 01:25 AM
    2930F-alempi# show tunneled-node-server state
    
     Local Master Server (LMS) State
    
     LMS Type     IP Address       State        Capability Role
     Primary   :  10.133.5.61      Complete     Per User   Operational Primary
     Secondary :  10.133.5.62      Complete     Per User   Operational Secondary
    
     Switch Anchor Controller (SAC) State
    
                   IP Address       Mac Address             State
     SAC         : 10.133.5.61      204c03-0aaef0           Registered
     Standby-SAC : 10.133.5.62      204c03-269a0c           Registered
    
     User Anchor Controller (UAC) : 10.133.5.62
     User              Port       VLAN       State       Bucket ID
    
     User Anchor Controller (UAC) : 10.133.5.61
     User              Port       VLAN       State       Bucket ID

    Attachment: policyresources.txt (4 KB)


  • 24.  RE: Dynamic Segmentation: User Data Retrieval of type 1 for user failed
    Best Answer

    Posted Oct 25, 2019 02:37 PM

    TAC helped with this. We don't have RFP licenses, so it was something related to that. They had to disable RFP licenses and enable them again, or something along these lines, and it started to work.