Wired Intelligent Edge (Campus Switching and Routing)

Troubleshooting issues with Downloadable User Roles On Aruba Switches

MVP Expert
MVP Expert

Unable to get DUR working on Aruba switches.


Check the following on the switch and CPPM:


1. Check if user roles are enabled on the switch using the command "show user-role".

HPE-3810M-Switch(config)# show user-role

 User Roles

  Enabled       : Yes
  Initial Role  : denyall

  Type       Name
  ---------- ------------------------------------------------------
  predefined denyall


2. Check if downloadable user role is enabled on the switch using the command "show user-role downloaded"

HPE-3810M-Switch(config)# show user-role downloaded
Downloaded user roles are preceded by *

 Downloaded User Roles

  Enabled       : Yes
  Type       Name
  ---------- ------------------------------------------------------


3. Check if the switch has the Aruba CPPM login credentials.

HPE-3810M-Switch(config)# show radius

 Status and Counters - General RADIUS Information

 Dead RADIUS server are preceded by *

  Deadtime (minutes)             : 0
  Timeout (seconds)              : 5
  Retransmit Attempts            : 3
  Global Encryption Key          :
  Dynamic Authorization UDP Port : 3799
  Source IP Selection            : Outgoing Interface
  Tracking                       : Disabled
  Request Packet Count           : 3
  Track Dead Servers Only        : Disabled
  Tracking Period (seconds)      : 300
  CPPM Identity                  : aruba


4. Check if the switch has the VLAN created on it which is sent in the user role. 


5. Check if the user role is correctly configured on CPPM.

     a. Check if the classifiers contain any source ip info. This should be set to "any"

     b. Check if all the names defined and used are the same.

     c. the best way to ensure that a user role is correctly configured is to configure the same on the switch.



6.  Ensure that the user role is sent to the switch from CPPM using the VSA "HPE-CPPM-Role".


7. Ensure that the CPPM servers HTTPS root certificate is installed on the switch as a TA profile. 


8. If the switch is running 16.08 and above, ensure that the CPPM server ip address is defined as a clearpass server with the below command.


HPE-3810M-Switch(config)# radius-server host clearpass

This allows the switch to download root certificate from the Clearpass server to the switch automatically. 


9. Ensure that a tunnel is formed or active on the switch towards the Aruba controller if we are using PUTN or tunneled-node-redirect option.


10. Ensure that the time on the switch is correct or is set to get the same from NTP server. A time mismatch would cause issues since the switch would validate the https certificate on the Clearpass and one of the important parameters is certificate Validity field.


11. Check if the user role is being downloaded from a browser. Use the following URL to verify the same.

https://x.x.x.x/async_netd/arubacppmapi/downloadableconfig?role=<USER-ROLE NAME>


x.x.x.x being the ip address of Clearpass and the user role name would be the name as seen in the RADIUS accept message.



Please log a case with Aruba TAC if you see anomalies in the above outputs.

Version history
Revision #:
1 of 1
Last update:
‎07-27-2019 10:28 AM
Updated by:
Search Airheads
Showing results for 
Search instead for 
Did you mean: