Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

8.3 option60 role derivation

  • 1.  8.3 option60 role derivation

    Posted Feb 01, 2019 05:21 PM

    I'm working on the advanced troubleshooting lab and have run into an issue with the role derivation. Support isn't helping much. I think it may be over their head.

     

    My client is not receiving a DHCP address and the packet is getting dropped. Looking a little further up, you can see the controller running through the vendor options, but even though option 60 is matched, the controller will not put it in the new role. The UDR hit counter is increasing but the role is not being applied. I've also tried changing the case of the vendor option but it did not help.

     

    Here is the debug log for my client:

     

    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|  match_rule Value Pair to match essid : P4-wificams14
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|  match_rule Value Pair to match encryption-type : static-wpa2-aes
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|  match_rule Value Pair to match macaddr : 70:4d:7b:10:9e:c6
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|  match_rule Value Pair to match fw_mode : 0
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|  Matching `user' rules to derive vlan ...
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:40 :124046:  <4504> <DBUG> |authmgr|  VLAN derivation. New rule position=0, Old rule position=0.
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|   User (70:4d:7b:10:9e:c6): Do dot1x supplicant up 
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|  user_download: User N/A  Router Acl(0)
    Feb 1 04:01:40 :124234:  <4504> <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 352 1 user messages bundled, actions = 17
    Feb 1 04:01:40 :124105:  <4504> <DBUG> |authmgr|  MM: mac=70:4d:7b:10:9e:c6, state=4, name=, role=deny-all, dev_type=, ip=0.0.0.0, new_rec=1.
    Feb 1 04:01:40 :124004:  <4504> <DBUG> |authmgr|   User (70:4d:7b:10:9e:c6): User auth done
    Feb 1 04:01:40 :124105:  <4504> <DBUG> |authmgr|  MM: mac=70:4d:7b:10:9e:c6, state=6, name=, role=deny-all, dev_type=, ip=0.0.0.0, new_rec=0.
    Feb 1 04:01:41 :124524:  <3602> <DBUG> |authmgr|  DHCP pkt received of len=378
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive role ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  rule:   set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wificams-option60"
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 3D01704D7B109EC6
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive vlan ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124046:  <3602> <DBUG> |authmgr|  VLAN derivation. New rule position=0, Old rule position=0.
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive role ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  rule:   set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wificams-option60"
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 0C776972656C6573733134
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive vlan ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124046:  <3602> <DBUG> |authmgr|  VLAN derivation. New rule position=0, Old rule position=0.
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive role ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  rule:   set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wificams-option60"
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 3C4D53465420352E30
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   logging role event for 0x25c3654: 0x10f68e4,0xc000d, index 2
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive vlan ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124046:  <3602> <DBUG> |authmgr|  VLAN derivation. New rule position=0, Old rule position=0.
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive role ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  rule:   set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wificams-option60" 
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 370103060F1F212B2C2E2F79F9FC
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  Matching `user' rules to derive vlan ...
    Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|   dhcp-option 'equals' 3c4d53465420352e30
    Feb 1 04:01:41 :124046:  <3602> <DBUG> |authmgr|  VLAN derivation. New rule position=0, Old rule position=0.
    Feb 1 04:01:41 :124080:  <3602> <DBUG> |authmgr|  Dropping dhcp packet for 70:4d:7b:10:9e:c6 vlan derivation.
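
Added example, not part of the original post and not Aruba tooling: a Python sketch that decodes the `dhcp-option` value pairs in an authmgr debug log like the one above and flags a client whose option matched a role rule but whose DHCP packet was still dropped. It assumes, from the values visible in this log, that each pair is the option code byte followed by the raw value, and it compares hex case-insensitively; the function names are hypothetical.

```python
import re

# Lines copied from the debug log in the post (one rule line, four value pairs, the drop).
SAMPLE_LOG = """\
Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  rule:   set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wificams-option60"
Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 3D01704D7B109EC6
Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 0C776972656C6573733134
Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 3C4D53465420352E30
Feb 1 04:01:41 :124004:  <3602> <DBUG> |authmgr|  match_rule Value Pair to match dhcp-option : 370103060F1F212B2C2E2F79F9FC
Feb 1 04:01:41 :124080:  <3602> <DBUG> |authmgr|  Dropping dhcp packet for 70:4d:7b:10:9e:c6 vlan derivation.
"""

RULE_RE = re.compile(r'condition dhcp-option equals "([0-9a-fA-F]+)" set-value (\S+)')
PAIR_RE = re.compile(r'match_rule Value Pair to match dhcp-option : ([0-9a-fA-F]+)')
DROP_RE = re.compile(r'Dropping dhcp packet for ([0-9a-f:]{17})')

def decode_option(hex_pair):
    """Split a logged pair into (option code, value); value is ASCII if printable, else hex."""
    raw = bytes.fromhex(hex_pair)
    code, value = raw[0], raw[1:]  # assumption: code byte + value, no length byte
    printable = all(32 <= b < 127 for b in value)
    return code, value.decode("ascii") if printable else value.hex()

def analyze(log):
    """Collect rule conditions, the options the client sent, and any drop events."""
    rules, seen, dropped = {}, [], []
    for line in log.splitlines():
        if m := RULE_RE.search(line):
            rules[m.group(1).lower()] = m.group(2)   # normalise hex case
        elif m := PAIR_RE.search(line):
            seen.append(m.group(1).lower())
        elif m := DROP_RE.search(line):
            dropped.append(m.group(1))
    # Each entry: (option code, decoded value, role the rule would set or None)
    options = [(*decode_option(h), rules.get(h)) for h in seen]
    return {"options": options, "dropped": dropped}

def matched_but_dropped(result):
    """True when some option equals a rule condition yet a DHCP packet was dropped."""
    return bool(result["dropped"]) and any(role for _, _, role in result["options"])

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for code, value, role in report["options"]:
        print(f"option {code:>3}: {value!r:32} rule role: {role}")
    print("matched but dropped:", matched_but_dropped(report))
```

Run against the excerpt, it shows option 60 carrying `MSFT 5.0` and matching the `wificams` rule while the drop for the same MAC still follows, which is the symptom described in the post.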

     



  • 2.  RE: 8.3 option60 role derivation

    Posted May 21, 2019 08:59 PM


  • 3.  RE: 8.3 option60 role derivation

    Posted May 21, 2019 09:33 PM
    No, since it was training I didn’t pursue further. I’d contact TAC. Doesn’t seem like a configuration issue. Please post a resolution if you get one!