Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

6200 DUR not getting roles

  • 1.  6200 DUR not getting roles

    Posted 10 days ago
    I am having an issue with both dot1x and mac auth on a 6200:

    sh port-access client

    Port Access Clients

    Status Codes: d device-mode, c client-mode, m multi-domain

    -----------------------------------------------------------------------------------------------------------------
      Port     MAC-Address       Onboarding     Status               Role                                Device Type
                                 Method
    -----------------------------------------------------------------------------------------------------------------
    c 1/1/4    c8:1f:ea:bb:98:38 mac-auth       Role-Download-Failed dur2_phone_aruba_profile-3088-2
    c 1/1/6    2c:ea:7f:2f:57:cf dot1x          Success              RADIUS_0

    6200# sh logging -r | i fail
    2024-05-09T09:08:37.622529-04:00 6200 port-accessd[4171]: Event|7709|LOG_WARN|CDTR|1|Certificate boscpauth.jud.state.ma.us rejected due to verification failure (20)
    2024-05-09T13:05:27.142155+00:00 6200 ztpd[3293]: Event|8709|LOG_CRIT|UKWN|1|ZTP service status changed to failed because of non-default startup configuration
    2024-05-09T13:05:27.138697+00:00 6200 ztpd[3293]: Event|8730|LOG_CRIT|UKWN|1|ZTP service status changed to failed because configuration file download encountered unexpected error. Reason: User


  • 2.  RE: 6200 DUR not getting roles

    EMPLOYEE
    Posted 10 days ago

    Looks like you need to fix the certificate trust.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: 6200 DUR not getting roles

    Posted 10 days ago

    Thank you.

    I reapplied the certificate and it seems to be ok.

    I am still getting the following error message :

    6200(config)# sho crypto pki ta-profile
     
    TA Profile Name                  TA Certificate       Revocation Check
    -------------------------------- -------------------- ----------------
    clearpass                        Not Installed        disabled
    DUR_clearpass                    Installed, valid     disabled
     
    6200(config)# sh port-access client
     
    Port Access Clients
     
    Status Codes: d device-mode, c client-mode, m multi-domain 
     
    -----------------------------------------------------------------------------------------------------------------
      Port     MAC-Address       Onboarding     Status               Role                                Device Type 
                                 Method                                                                              
    -----------------------------------------------------------------------------------------------------------------
    c 1/1/6    2c:ea:7f:2f:57:cf dot1x          Success              RADIUS_0                            
     
    6200(config)# sho logging -r | i fail
    2024-05-10T15:54:59.138050+00:00 6200 ztpd[3264]: Event|8709|LOG_CRIT|UKWN|1|ZTP service status changed to failed because of non-default startup configuration
    2024-05-10T15:54:59.135084+00:00 6200 ztpd[3264]: Event|8730|LOG_CRIT|UKWN|1|ZTP service status changed to failed because configuration file download encountered unexpected error. Reason: User
    6200(config)# 
    Any help would be greatly appreciated.
    Barry



  • 4.  RE: 6200 DUR not getting roles

    EMPLOYEE
    Posted 10 days ago

    Those error messages are related to ZTP, not DUR.

    What is the role "RADIUS_0" and where is that coming from?  You might want to look at the information for a specific client/port rather than the summary for all connected devices.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: 6200 DUR not getting roles

    Posted 10 days ago
    sh port-access clients detail 
     
    Port Access Client Status Details:
     
    Client 2c:ea:7f:2f:57:cf, host/JISDTG4626.jud.state.ma.us
    =========================================================
      Session Details
      ---------------
        Port         : 1/1/6
        Session Time : 9904s
        IPv4 Address : 
        IPv6 Address : 
        Device Type  : 
     
      VLAN Details
      ------------
        VLAN Group Name : 
        VLANs Assigned  : 1
          Access          : 1
          Native Untagged : 
          Allowed Trunk   : 
     
      Authentication Details
      ----------------------
        Status          : dot1x Authenticated
        Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
        Auth History    : dot1x - Authenticated, 9902s ago
     
      Authorization Details
      ----------------------
        Role   : RADIUS_0
        Status : Applied
     
     
    Role Information:
     
    Name  : RADIUS_0
    Type  : radius
    ----------------------------------------------
        Reauthentication Period             : 
        Cached Reauthentication Period      : 
        Authentication Mode                 : 
        Session Timeout                     : 
        Client Inactivity Timeout           : 
        Description                         : 
        Gateway Zone                        : 
        UBT Gateway Role                    : 
        UBT Gateway Clearpass Role          : 
        Access VLAN                         : 
        Native VLAN                         : 
        Allowed Trunk VLANs                 : 
        Access VLAN Name                    : 
        Native VLAN Name                    : 
        Allowed Trunk VLAN Names            : 
        VLAN Group Name                     : 
        MTU                                 : 
        QOS Trust Mode                      : 
        STP Administrative Edge Port        : 
        PoE Priority                        : 
        PVLAN Port Type                     : 
        Captive Portal Profile              : 
        Policy                              : 
        Device Type                         : 

     RADIUS_0 is not a configured role. I assumed that it was a default role in the OS.




  • 6.  RE: 6200 DUR not getting roles

    EMPLOYEE
    Posted 10 days ago

    If you are getting RADIUS_0 as the role then that is a bug, I believe that was fixed in a later 10.10 release but I'd recommend upgrading to 10.13.  If you are already upgraded past 10.10 then please open a case with TAC for troubleshooting.

    That doesn't mean that you have a working DUR setup, just that the failure of DUR is putting you in a weird or unexpected state.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: 6200 DUR not getting roles

    Posted 9 days ago

    Thanks, that did get rid of that error. I am still having the issue, see below.

     

    6200# sho port-access role

    Role Information:

    Attributes overridden by RADIUS are prefixed by '*'.

    Name  : RADIUS_0
    Type  : radius
    ----------------------------------------------

    6200# sho logging -r | i fail
    2024-05-10T20:49:31.897507+00:00 6200 ztpd[4361]: Event|8709|LOG_INFO|UKWN|1|ZTP service status changed to failed because of non-default startup configuration
    2024-05-10T20:49:31.891693+00:00 6200 ztpd[4361]: Event|8730|LOG_ERR|UKWN|1|ZTP service status changed to failed because configuration file download encountered unexpected error. Reason: User created configuration found

    6200# sho port-access cli int 1/1/6

    Port Access Clients

    RADIUS overridden user roles are suffixed with '*'

    Flags: Onboarding-Method|Mode|Device-Type|Status

    Onboarding-Method: 1x 802.1X, ma MAC-Auth, ps Port-Security, dp Device-Profile
    Mode: c Client-Mode, d Device-Mode, m Multi-Domain
    Device-Type: d Data, v Voice
    Status: s Success, f Failed, p In-Progress, d Role-Download-Failed

    --------------------------------------------------------------------------------------------------------------
    Port     Client-Name             IPv4-Address    User-Role                           VLAN            Flags   
    --------------------------------------------------------------------------------------------------------------
    1/1/6    host/JISDTG4626.jud....                                                     (u)1            1x|c|-|s

    6200#



  • 8.  RE: 6200 DUR not getting roles

    EMPLOYEE
    Posted 9 days ago

    Flags show that everything was successful.  You sure you have DUR setup properly for that switch?  What does the Access Tracker entry look like from ClearPass?  Is the DUR profile being returned?  Might be useful to look through the events and not filter on "fail".



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
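    The reply above points at the Flags column rather than the `| i fail` log filter, and at the fact that a client can show `s` (Success) while the User-Role column is empty and the client lands in VLAN 1, which is exactly the output posted. The following is an added example, not code from the thread and not an HPE tool: a parser for the `show port-access clients` table format shown above that decodes the Flags legend and lists the clients a DUR engineer would look at first (authentication failed, role download failed, success with no role applied, or the RADIUS_0 placeholder discussed earlier). The SAMPLE is constructed to mirror the thread's table layout; the rows for 1/1/5 and 1/1/7 and the role name on 1/1/5 are invented, and `parse_clients`/`find_problems` are names chosen here.

```python
"""Decode `show port-access clients` from an AOS-CX switch and report the
clients worth chasing in a DUR rollout.

Added example, not from the thread and not HPE tooling. SAMPLE is constructed
to match the table layout posted above (Flags = Onboarding|Mode|Device|Status);
the rows on 1/1/5 and 1/1/7 are invented.
"""

# Legend printed by the switch above the table.
ONBOARDING = {"1x": "802.1X", "ma": "MAC-Auth", "ps": "Port-Security",
              "dp": "Device-Profile", "--": "none"}
MODE = {"c": "Client-Mode", "d": "Device-Mode", "m": "Multi-Domain"}
DEVICE = {"d": "Data", "v": "Voice", "-": "unknown"}
STATUS = {"s": "Success", "f": "Failed", "p": "In-Progress",
          "d": "Role-Download-Failed"}

COLUMNS = ["Port", "Client-Name", "IPv4-Address", "User-Role", "VLAN", "Flags"]
# Column widths of the switch output (last column unpadded).
FMT = "{:<9}{:<24}{:<16}{:<36}{:<16}{}"

# Constructed sample output, laid out like the thread's paste.
SAMPLE = "\n".join([
    "Port Access Clients",
    "",
    "RADIUS overridden user roles are suffixed with '*'",
    "",
    "Flags: Onboarding-Method|Mode|Device-Type|Status",
    "",
    "-" * 110,
    FMT.format(*COLUMNS),
    "-" * 110,
    FMT.format("1/1/4", "c8:1f:ea:bb:98:38", "", "", "", "--|c|-|f"),
    FMT.format("1/1/5", "host/LAB-PC01.examp...", "", "dur2_dot1x_aruba-3088-2", "(u)88", "1x|c|d|s"),
    FMT.format("1/1/6", "host/JISDTG4626.jud....", "", "", "(u)1", "1x|c|-|s"),
    FMT.format("1/1/7", "c8:1f:ea:bb:98:39", "", "dur2_phone_aruba_profile-3088-2", "", "ma|c|-|d"),
])


def decode_flags(flags):
    """Expand '1x|c|-|s' into the legend the switch prints above the table."""
    onb, mode, dev, status = flags.split("|")
    return {"onboarding": ONBOARDING.get(onb, onb),
            "mode": MODE.get(mode, mode),
            "device": DEVICE.get(dev, dev),
            "status": STATUS.get(status, status)}


def parse_clients(text):
    """Return one dict per client row, keyed by the table's column names."""
    lines = text.splitlines()
    # The header line starts with "Port" and ends with "Flags"; column
    # boundaries are taken from where each header word begins.
    hdr_i = next(i for i, l in enumerate(lines)
                 if l.startswith("Port") and l.rstrip().endswith("Flags"))
    header = lines[hdr_i]
    starts = [header.index(c) for c in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[hdr_i + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank or separator line
        fields = [line[a:b].strip() for a, b in bounds]
        row = dict(zip(COLUMNS, fields))
        row["Flags"] = decode_flags(row["Flags"])
        rows.append(row)
    return rows


def find_problems(rows):
    """Map each non-healthy client to the thing to check next."""
    problems = []
    for r in rows:
        status, role = r["Flags"]["status"], r["User-Role"]
        if status == "Role-Download-Failed":
            why = ("role download failed: check the TA profile, the ClearPass FQDN "
                   "and clearpass-username/password on the radius-server host")
        elif status == "Failed":
            why = "authentication failed: look at the ClearPass Access Tracker entry"
        elif status == "Success" and not role:
            why = ("authenticated but no user role applied: ClearPass did not return "
                   "a usable DUR, client fell back to the port VLAN")
        elif status == "Success" and role.startswith("RADIUS_"):
            why = ("placeholder role name instead of a DUR: reported in the thread "
                   "as a firmware bug fixed in later 10.10 releases")
        else:
            continue  # success with a role applied
        problems.append((r["Port"], why))
    return problems


if __name__ == "__main__":
    for port, why in find_problems(parse_clients(SAMPLE)):
        print(f"{port}: {why}")
```

    Paste the real `show port-access clients` output in place of SAMPLE; the healthy row (1/1/5) is skipped and the three others come back with the next check to perform.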



  • 9.  RE: 6200 DUR not getting roles

    Posted 7 days ago

     

    Thanks for your help on Friday.

    Here is what I have:

    What is the error: 2024-05-13T13:00:00.792079+00:00 6200 ztpd[3220]: Event|8730|LOG_ERR|UKWN|1|ZTP service status changed to failed because configuration file download encountered unexpected error. Reason: User created configuration found

    I do not have a user configured in the 6200.

    6200(config-if)# sho port-access cli int 1/1/6

    Port Access Clients

    RADIUS overridden user roles are suffixed with '*'

    Flags: Onboarding-Method|Mode|Device-Type|Status

    Onboarding-Method: 1x 802.1X, ma MAC-Auth, ps Port-Security, dp Device-Profile
    Mode: c Client-Mode, d Device-Mode, m Multi-Domain
    Device-Type: d Data, v Voice
    Status: s Success, f Failed, p In-Progress, d Role-Download-Failed

    --------------------------------------------------------------------------------------------------------------
    Port     Client-Name             IPv4-Address    User-Role                           VLAN            Flags   
    --------------------------------------------------------------------------------------------------------------
    1/1/6    host/JISDTG4626.jud....                                                     (u)1            1x|c|-|s

    6200(config-if)# exit
    6200(config)# sho logging -r | i fail
    2024-05-13T13:00:00.798303+00:00 6200 ztpd[3220]: Event|8709|LOG_INFO|UKWN|1|ZTP service status changed to failed because of non-default startup configuration
    2024-05-13T13:00:00.792079+00:00 6200 ztpd[3220]: Event|8730|LOG_ERR|UKWN|1|ZTP service status changed to failed because configuration file download encountered unexpected error. Reason: User created configuration found
    6200(config)#






  • 10.  RE: 6200 DUR not getting roles

    EMPLOYEE
    Posted 7 days ago

    As mentioned previously, both of those messages are related to ZTP and inform you why ZTP will not run. The statements "non-default startup configuration" and "User created configuration" are the system detecting that you've configured the switch.  Neither of those has anything to do with DUR.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 11.  RE: 6200 DUR not getting roles

    Posted 7 days ago

    Ok, got it.  Any idea why this is not working?

     

    DUR:

    port-access role dur2_dot1x_aruba
    vlan access name DATA
    exi

    Config:

    !Version ArubaOS-CX ML.10.12.1040
    !export-password: default
    user admin group administrators password ciphertext AQBapUGYHMOo8alHfoDwNlOCZo69D2d4FayrjAahflW02z6CYgAAALapICLX52cvad2SLfWf8jqpF9HU48V1zCSVOgPhbHMt7+IkBqDisIZQw9V9iJRhu8RPymmsMzYasOCujqN2nsIxwq2ySlekpfcmbfJXApYsOYG31jNSedFT8+DIcIZYY4ZG
    user barry group administrators password ciphertext AQBapTGT6X8M4Ech9bpMik4kJ8vd0k7f3jz4xixsnC4phGElYgAAAFqCB1rrYAKtwpzmIdjWhjCD7HyqaD1zAeY19rZGsHawz8ilU+fdcJeZRSlK3AQ3yqQ7tj332yX5V++d2kciXqkSTbNWSl26NryjqA0O+h5OogqhQwgwdt2SxY1JukXYixXq
    clock timezone us/eastern
    ntp server 10.24.1.100 minpoll 4 maxpoll 4 iburst
    ntp enable
    cli-session
        timeout 43200
    !
    !
    tacacs-server key ciphertext AQBapX1WfLxo7k12NMXqHm9FDMOGCBrq4WRP/x/Nb3l2E4AIDgAAAJILDecDDlhyC+Y7x7AZ
    tacacs-server timeout 20
    !
    !
    tacacs-server host 10.3.1.96
    !
    radius-server host 10.3.1.96 key ciphertext AQBapWNzyk4iaLVksTiJFoXNuydMSPD495pnbKoB4uujvl2cDgAAAMASz22FFLcqnjNbvvGH clearpass-username switch-dur clearpass-password ciphertext AQBape2i9seFFlBLmBEsJnSbJzj3MPelgw2awj7UQ/25REJBCgAAAEM3S0j3jmAKD1w=
    aaa authentication allow-fail-through
    !
    !
    aaa group server tacacs tacacs1
        server 10.3.1.96
    !
    aaa group server radius clearpass
        server 10.3.1.96
    !
    aaa authentication login https-server group clearpass
    aaa authentication login ssh group tacacs1 tacacs
    aaa authorization commands ssh group tacacs1
    !
    radius dyn-authorization enable
    ssh server vrf default
    ssh server vrf mgmt
    crypto pki ta-profile DUR_clearpass
        ta-certificate
            -----BEGIN CERTIFICATE-----
            MIIEyDCCA7CgAwIBAgIQDPW9BitWAvR6uFAsI8zwZjANBgkqhkiG9w0BAQsFADBh
            MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
            d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
            MjAeFw0yMTAzMzAwMDAwMDBaFw0zMTAzMjkyMzU5NTlaMFkxCzAJBgNVBAYTAlVT
            MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMzAxBgNVBAMTKkRpZ2lDZXJ0IEdsb2Jh
            bCBHMiBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTCCASIwDQYJKoZIhvcNAQEBBQAD
            ggEPADCCAQoCggEBAMz3EGJPprtjb+2QUlbFbSd7ehJWivH0+dbn4Y+9lavyYEEV
            cNsSAPonCrVXOFt9slGTcZUOakGUWzUb+nv6u8W+JDD+Vu/E832X4xT1FE3LpxDy
            FuqrIvAxIhFhaZAmunjZlx/jfWardUSVc8is/+9dCopZQ+GssjoP80j812s3wWPc
            3kbW20X+fSP9kOhRBx5Ro1/tSUZUfyyIxfQTnJcVPAPooTncaQwywa8WV0yUR0J8
            osicfebUTVSvQpmowQTCd5zWSOTOEeAqgJnwQ3DPP3Zr0UxJqyRewg2C/Uaoq2yT
            zGJSQnWS+Jr6Xl6ysGHlHx+5fwmY6D36g39HaaECAwEAAaOCAYIwggF+MBIGA1Ud
            EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHSFgMBmx9833s+9KTeqAx2+7c0XMB8G
            -----END CERTIFICATE-----
            END_OF_CERTIFICATE
    crypto pki ta-profile clearpass
    vsf member 1
        type jl728a
    client track ip
    vlan 1
    vlan 88
        name DATA
    vlan 99
        name Voice
        voice
        description VLAN99
    vlan 102
        name IOT
    vlan 234
        description Security
    vlan 254
        description Printers
    vlan 255
        description Building Management
    vlan 1722
        name CC_Proc
    spanning-tree
    interface mgmt
        no shutdown
        ip dhcp
    qos dscp-map 0 local-priority 0
    qos dscp-map 1 local-priority 0
    qos dscp-map 2 local-priority 0
    qos dscp-map 3 local-priority 0
    qos dscp-map 4 local-priority 0
    qos dscp-map 5 local-priority 0
    qos dscp-map 6 local-priority 0
    qos dscp-map 7 local-priority 0
    qos dscp-map 8 local-priority 1
    qos dscp-map 9 local-priority 1
    qos dscp-map 10 local-priority 1
    qos dscp-map 11 local-priority 1
    qos dscp-map 12 local-priority 1
    qos dscp-map 13 local-priority 1
    qos dscp-map 14 local-priority 1
    qos dscp-map 15 local-priority 1
    aaa authentication port-access dot1x authenticator
        radius server-group clearpass
        enable
    aaa authentication port-access mac-auth
        radius server-group clearpass
        enable
    interface 1/1/1
        no shutdown
        no routing
        vlan access 1
        client track ip disable
    interface 1/1/2
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/3
        no shutdown
        no routing
        vlan access 1


  • 12.  RE: 6200 DUR not getting roles

    EMPLOYEE
    Posted 7 days ago

    If you are configuring the ClearPass server with a "aaa server" entry by IP address, the IP address has to be specified in the certificate which isn't a usual thing to do.  Typical would be to define the ClearPass server using the FQDN instead, which should already match the certificate installed on ClearPass.

    https://community.arubanetworks.com/discussion/aos-cx-downloadable-user-role-dur-simple-steps-to-configure



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 13.  RE: 6200 DUR not getting roles

    Posted 7 days ago

    Carson,

    Thank you for the response. I did change the config and am having the same issue:

     

    tacacs-server key ciphertext AQBapX1WfLxo7k12NMXqHm9FDMOGCBrq4WRP/x/Nb3l2E4AIDgAAAJILDecDDlhyC+Y7x7AZ
    tacacs-server timeout 20
    !
    !
    tacacs-server host 10.3.1.96
    !
    radius-server host 10.3.1.96 key ciphertext AQBapWNzyk4iaLVksTiJFoXNuydMSPD495pnbKoB4uujvl2cDgAAAMASz22FFLcqnjNbvvGH clearpass-username switch-dur clearpass-password ciphertext AQBape2i9seFFlBLmBEsJnSbJzj3MPelgw2awj7UQ/25REJBCgAAAEM3S0j3jmAKD1w=
    radius-server host ewbf1ctrl96.jud.state.ma.us clearpass-password ciphertext AQBapVKgXXvADDwapqwUvCKqupePjD9mNEtJ1Yqj/Hx/qjcnDgAAAC84LXKqAlcwN9WExXJg
    aaa authentication allow-fail-through
    !
    !
    aaa group server tacacs tacacs1
        server 10.3.1.96
    !
    aaa group server radius clearpass
        server ewbf1ctrl96.jud.state.ma.us
    !
    aaa authentication login https-server group clearpass
    aaa authentication login ssh group tacacs1 tacacs
    aaa authorization commands ssh group tacacs1
    !

    6200# sho port-access cli

    Port Access Clients

    RADIUS overridden user roles are suffixed with '*'

    Flags: Onboarding-Method|Mode|Device-Type|Status

    Onboarding-Method: 1x 802.1X, ma MAC-Auth, ps Port-Security, dp Device-Profile
    Mode: c Client-Mode, d Device-Mode, m Multi-Domain
    Device-Type: d Data, v Voice
    Status: s Success, f Failed, p In-Progress, d Role-Download-Failed

    --------------------------------------------------------------------------------------------------------------
    Port     Client-Name             IPv4-Address    User-Role                           VLAN            Flags   
    --------------------------------------------------------------------------------------------------------------
    1/1/4    c8:1f:ea:bb:98:38                                                                           --|c|-|f
    1/1/6    host/JISDTG4626.jud....                                                                     --|c|-|f

  • 14.  RE: 6200 DUR not getting roles

    EMPLOYEE
    Posted 7 days ago

    That's not the same result, that's a complete failure of the authentication attempt.  I notice that the clearpass-username isn't defined in your FQDN aaa definition.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
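    The replies in this thread amount to a short checklist for the DUR plumbing on the switch side: the switch fetches the role from ClearPass over TLS and verifies the server certificate against the TA profile (the first post's "verification failure (20)" matches OpenSSL's verify code 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, if the switch reports OpenSSL codes; that is an assumption), so the radius-server host must be the FQDN in that certificate rather than an IP; the host line needs clearpass-username and clearpass-password for the role fetch; and the ta-profile must actually contain a certificate (the `clearpass` profile shows "Not Installed"). The following is an added example, not a switch feature and not code from the thread or from HPE: a lint over a pasted AOS-CX config that applies those checks. It also flags a radius-server host with no `key` when there is no global `radius-server key` to fall back on, which is an assumption about where the shared secret comes from, and the second config in the thread has neither. The three configs are constructed from the thread's fragments with the ciphertexts replaced by REDACTED and the certificate body omitted; `lint_dur` and `parse_blocks` are names chosen here.

```python
"""Lint an AOS-CX running-config for the DUR preconditions raised in this
thread. Added example; not the switch's own tooling and not from HPE.

Checks: the port-access RADIUS group must point at a radius-server host
defined by the FQDN in the ClearPass certificate, not an IP; that host needs
clearpass-username and clearpass-password; it needs a shared key (per-host,
or a global `radius-server key`, assumed here to be the fallback); and every
TA profile must actually contain a certificate.
"""
import ipaddress
import re


def parse_blocks(text):
    """Split a config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_dur(config):
    """Return a list of findings; an empty list means the DUR plumbing looks right."""
    radius_hosts, groups, ta_profiles, pa_groups = {}, {}, {}, set()
    global_key = False
    for head, body in parse_blocks(config):
        w = head.split()
        if w[:2] == ["radius-server", "host"]:
            radius_hosts[w[2]] = set(w[3:])  # keywords present on the host line
        elif w[:2] == ["radius-server", "key"]:
            global_key = True
        elif w[:4] == ["aaa", "group", "server", "radius"]:
            groups[w[4]] = [b.split()[1] for b in body if b.startswith("server ")]
        elif w[:3] == ["crypto", "pki", "ta-profile"]:
            ta_profiles[w[3]] = any(b.startswith("ta-certificate") for b in body)
        elif w[:3] == ["aaa", "authentication", "port-access"]:
            for b in body:  # dot1x authenticator and mac-auth both name a group
                m = re.match(r"radius server-group (\S+)", b)
                if m:
                    pa_groups.add(m.group(1))

    findings = []
    for g in sorted(pa_groups):
        for host in groups.get(g, []):
            opts = radius_hosts.get(host)
            if opts is None:
                findings.append(f"{host}: in group {g} but has no radius-server host entry")
                continue
            if is_ip(host):
                findings.append(f"{host}: defined by IP; the switch validates the ClearPass "
                                "TLS certificate against this name when it fetches the role, "
                                "so use the FQDN the certificate was issued for")
            if "clearpass-username" not in opts:
                findings.append(f"{host}: no clearpass-username (the DUR fetch cannot log in to ClearPass)")
            if "clearpass-password" not in opts:
                findings.append(f"{host}: no clearpass-password")
            if "key" not in opts and not global_key:
                findings.append(f"{host}: no RADIUS shared key on the host line and no global radius-server key")
    if not ta_profiles:
        findings.append("no crypto pki ta-profile: nothing to verify the ClearPass certificate against")
    for name, installed in ta_profiles.items():
        if not installed:
            findings.append(f"ta-profile {name}: no ta-certificate (shows as 'Not Installed')")
    return findings


# Constructed fragments; secrets are placeholders and the cert body is omitted.
TA_BLOCK = """\
crypto pki ta-profile DUR_clearpass
    ta-certificate
        -----BEGIN CERTIFICATE-----
        (issuing CA certificate omitted)
        -----END CERTIFICATE-----
        END_OF_CERTIFICATE
"""
PORT_ACCESS = """\
aaa authentication port-access dot1x authenticator
    radius server-group clearpass
    enable
aaa authentication port-access mac-auth
    radius server-group clearpass
    enable
"""
# Shape of the first config in the thread: host by IP, empty 'clearpass' TA profile.
CONFIG_BY_IP = """\
radius-server host 10.3.1.96 key ciphertext REDACTED clearpass-username switch-dur clearpass-password ciphertext REDACTED
aaa group server radius clearpass
    server 10.3.1.96
crypto pki ta-profile clearpass
""" + TA_BLOCK + PORT_ACCESS
# Shape of the second config: FQDN added, but without key or clearpass-username.
CONFIG_FQDN_INCOMPLETE = """\
radius-server host 10.3.1.96 key ciphertext REDACTED clearpass-username switch-dur clearpass-password ciphertext REDACTED
radius-server host ewbf1ctrl96.jud.state.ma.us clearpass-password ciphertext REDACTED
aaa group server radius clearpass
    server ewbf1ctrl96.jud.state.ma.us
crypto pki ta-profile clearpass
""" + TA_BLOCK + PORT_ACCESS
# What the replies point towards (constructed, not a config from the thread).
CONFIG_FIXED = """\
radius-server host ewbf1ctrl96.jud.state.ma.us key ciphertext REDACTED clearpass-username switch-dur clearpass-password ciphertext REDACTED
aaa group server radius clearpass
    server ewbf1ctrl96.jud.state.ma.us
""" + TA_BLOCK + PORT_ACCESS

if __name__ == "__main__":
    for label, cfg in [("by IP", CONFIG_BY_IP), ("FQDN, incomplete", CONFIG_FQDN_INCOMPLETE),
                       ("fixed", CONFIG_FIXED)]:
        print(label, lint_dur(cfg) or "OK")
```

    The lint is static: a clean result means the config has the pieces the replies ask for, not that the certificate chain on ClearPass actually validates against the TA profile. That last step is still `show crypto pki ta-profile` on the switch and the Access Tracker entry on ClearPass.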