Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ClearPass and Controller Roles

  • 1.  ClearPass and Controller Roles

    Posted Mar 22, 2020 08:53 AM

    Worked with support yesterday configuring ClearPass to be our new radius server over Windows.  We got everything set up so if a user is in a Windows group "students" Clear Pass assigns Role-Student and passes to controller.  Controller has a role called Role-Student as well and user should get this but is getting guest role which is default in ClearPass service.  Finally, tech stopped and said it was a controller issue and passed me to them.  I know this should be simple so if anyone has ideas for me to check let me know.  Thanks and stay safe out there.



  • 2.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 09:09 AM

    "Finally, tech stopped and said it was a controller issue and passed me to them".  Passed you to who?

     

    Either way, you need an enforcement profile that returns the Aruba-User-Role attribute to the controller to set the role upon authentication.



  • 3.  RE: ClearPass and Controller Roles

    Posted Mar 22, 2020 09:19 AM

    ClearPass support passed me to controller support.

     

    I have the following enforcement policy in Cpass:

     

    Radius:Aruba:Aruba-User-Role = Role-Student

    This is the same name as the role on controller.



  • 4.  RE: ClearPass and Controller Roles

    Posted Mar 22, 2020 09:21 AM

    So when my test user connected to SSID this is the radius response in ClearPass which looks correct -

     

    Radius:Aruba:Aruba-User-Role = Role-Student

    However, when you look on controller the user is assigned the guest role and placed in guest VLAN



  • 5.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 09:35 AM

    Not to correct you, but you would configure that in an Enforcement Profile in ClearPass.

     

    In the "Output" and "Alerts" tab in the Access Tracker, does it show that ClearPass is returning that attribute to the controller?  If it is, you need to type "show user ip <ip address of user> | include Role" on the controller to see how the role was set on the user:

     

    (Babarella) #show user ip 192.168.1.114 | include Role
    This operation can take a while depending on number of users. Please be patient ....
    Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0

     

    Lastly, you need to do a "aaa user delete <ip address of user>", and disconnect the user's WLAN card after you make changes on ClearPass, so that you will not be using cached information.

     

    The flow:

    ClearPass returns an "Accept" and the Aruba-User-Role attribute.  That will be reflected in the access tracker in the "output" and maybe the "alerts" tab in ClearPass.  That Attribute automatically sets the role on the controller and you don't need to do anything on the controller side.

    "show user ip" should show you how the user obtained the role.

    Use "aaa user delete" between changes to disconnect the user so that you are not using cached info.

     



  • 6.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 09:46 AM

    Lastly, the Aruba-User-Role attribute is case sensitive.  If you do not type the role name in ClearPass exactly as it is defined on the controller, the user will simply obtain the default 802.1x role in the AAA profile, which is typically guest.



  • 7.  RE: ClearPass and Controller Roles

    Posted Mar 22, 2020 10:34 AM

    Show user

     

    Profiles AAA:OpenDoors_aaa_prof, dot1x:OpenDoors_dot1_aut, mac: CP:n/a def-role: 'guest' via-auth-profile:''
    Reauth-interval from role: 0

     

    I do see on CPass user authenticated and got the correct enforcement profile but guest role for some reason.  Also see

    Radius:Aruba:Aruba-User-Role = Role-FacStaff

     

    as radius response on Cpass




  • 8.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 10:47 AM

    This is the portion that is needed:

     

    Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0



  • 9.  RE: ClearPass and Controller Roles

    Posted Mar 22, 2020 10:49 AM

    Can you expand a little on this?  Not enough coffee yet.



  • 10.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 01:01 PM

    show user ip <ip address of user> will say how the role for the user was derived.

     

    You are probably misspelling the role name in ClearPass.  It has to be exact when it is passed to the controller, otherwise you will obtain the default role.

     

    I would continue to work with TAC in parallel so that you can get specific advice and instruction from someone who has your logs and access to your system....  over here, we are just guessing what could be wrong and that is very inefficient.



  • 11.  RE: ClearPass and Controller Roles

    Posted Mar 22, 2020 01:33 PM

    Agreed - will keep working with TAC.  I checked and do not see a misspelling, but good thought.  Here is the show command of one that works and one that does not.




  • 12.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 01:49 PM

    no.

     

    In the output of show user ip <ip address of user>  there is a line:

     

    Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0

     

    That basically says how a user got its role (how:).  That is what you should be looking at.  In the line above, it said it got its role from role derivation.  Your user should have a reason, as well.

     

    You also have two different aaa profiles for the one that works and the one that doesn't work, but that does not mean anything.
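
As an added illustration of the two points made in this thread (posts 5/6 and 12), not code from the original posts or from HPE Aruba: the script below encodes the Aruba-User-Role RADIUS vendor-specific attribute the way a RADIUS server sends it (Aruba's IANA vendor ID 14823 and VSA sub-type 1 are the real dictionary values), models the case-sensitive role lookup described above with fallback to the AAA profile's default 802.1X role, and parses the "Role: ... (how: ...)" line out of constructed "show user ip" output so the derivation reason can be checked programmatically.  The derive_role function is a simplified model of the behaviour the posts describe, not the controller's actual implementation, and the sample output and role names are constructed.

```python
import re
import struct

# Real RADIUS dictionary values for the Aruba VSA (not page-specific).
RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823          # IANA private enterprise number for Aruba
ARUBA_USER_ROLE_TYPE = 1         # Aruba-User-Role sub-type in the Aruba dictionary


def encode_aruba_user_role(role: str) -> bytes:
    """Build the on-the-wire Vendor-Specific attribute carrying Aruba-User-Role.

    Layout: [26][len][vendor-id (4)][sub-type 1][sub-len][role bytes]
    """
    value = role.encode("utf-8")
    vsa = struct.pack("!BB", ARUBA_USER_ROLE_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vsa
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_aruba_user_role(attr: bytes):
    """Return the role string from an attribute built as above, or None if it is not Aruba-User-Role."""
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != ARUBA_VENDOR_ID:
        return None
    sub_type, sub_len = attr[6], attr[7]
    if sub_type != ARUBA_USER_ROLE_TYPE or sub_len != len(attr) - 6:
        return None
    return attr[8:].decode("utf-8")


def derive_role(returned_role, controller_roles, default_dot1x_role):
    """Simplified model (an assumption, not controller code) of the behaviour the thread describes:
    the returned name must match a controller role exactly, including case; otherwise the user
    falls back to the AAA profile's default 802.1X role.  Returns (role, reason)."""
    if returned_role is None:
        return default_dot1x_role, "no Aruba-User-Role returned by the server"
    if returned_role in controller_roles:
        return returned_role, "Aruba-User-Role matched a controller role"
    near = [r for r in controller_roles if r.lower() == returned_role.lower()]
    if near:
        return default_dot1x_role, f"case mismatch: server sent {returned_role!r}, controller has {near[0]!r}"
    return default_dot1x_role, f"role {returned_role!r} is not defined on the controller"


# Matches the "Role: <name> (how: <REASON>)" line shown in this thread's show user output.
SHOW_USER_ROLE_RE = re.compile(r"Role:\s*(?P<role>\S+)\s*\(how:\s*(?P<how>[A-Z0-9_]+)\)")


def parse_show_user_role(output: str):
    """Extract (role, how) from 'show user ip' output, or None if the line is absent."""
    m = SHOW_USER_ROLE_RE.search(output)
    if not m:
        return None
    return m.group("role"), m.group("how")


if __name__ == "__main__":
    # Constructed sample of the controller output quoted in the thread.
    sample_output = (
        "This operation can take a while depending on number of users. Please be patient ....\n"
        "Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0\n"
    )
    print(parse_show_user_role(sample_output))

    controller_roles = {"Role-Student", "Role-FacStaff", "guest", "authenticated"}
    for sent in ("Role-Student", "role-student", None):
        attr = encode_aruba_user_role(sent) if sent else None
        got = decode_aruba_user_role(attr) if attr else None
        print(sent, "->", derive_role(got, controller_roles, "guest"))
```

Running it shows the exact-case name landing in Role-Student while the lower-case variant and a missing attribute both fall back to guest, which is the symptom the thread describes; the parser gives a quick way to confirm from "show user ip" output which path the controller actually took.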



  • 13.  RE: ClearPass and Controller Roles

    Posted Mar 22, 2020 01:56 PM

    Double checked and do not see this in the CLI show user <IP ADDRESS>

     

    Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0



  • 14.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 02:11 PM

    What version of ArubaOS is this?

     

    Please PM me that entire output



  • 15.  RE: ClearPass and Controller Roles

    EMPLOYEE
    Posted Mar 22, 2020 02:12 PM

    For a shorter output, try "show user mac <mac address of user>"



  • 16.  RE: ClearPass and Controller Roles

    Posted Mar 22, 2020 02:14 PM