Hi,
Yes I tried that on my dev server nasty home.
At home I have
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
exit
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
class ipv4 "ICMP"
10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
30 class ipv4 "ICMP" action permit
60 class ipv4 "allowall" action permit
exit
aaa authorization user-role name "servers"
policy "AllowAll"
reauth-period 3600
vlan-name "servers"
exit
aaa authorization user-role name "allowall"
policy "AllowAll"
reauth-period 3600
exit
aaa authorization user-role name "critical-role"
policy "AllowAll"
reauth-period 3600
exit
aaa authorization user-role name "aruba-instant-ap"
policy "AllowAll"
reauth-period 3600
vlan-name "DEFAULT_VLAN"
vlan-id-tagged 2-6,10,111,222,333
device
poe-allocate-by-class
admin-edge-port
port-mode
exit
exit
And finally ...
aaa port-access 2 auth-order authenticator mac-based
aaa port-access 3 controlled-direction in
aaa port-access 3 auth-order authenticator mac-based
aaa port-access 3 auth-priority authenticator mac-based
aaa port-access 3 critical-auth user-role "aruba-instant-ap"
aaa port-access 4 controlled-direction in
aaa port-access 4 auth-order authenticator mac-based
aaa port-access 4 auth-priority authenticator mac-based
aaa port-access 4 critical-auth user-role "aruba-instant-ap"
aaa port-access 5 controlled-direction in
aaa port-access 5 auth-order authenticator mac-based
aaa port-access 5 auth-priority authenticator mac-based
aaa port-access 5 critical-auth user-role "aruba-instant-ap"
aaa port-access 6 controlled-direction in
aaa port-access 6 auth-order authenticator mac-based
aaa port-access 6 auth-priority authenticator mac-based
aaa port-access 7 controlled-direction in
aaa port-access 7 auth-order authenticator mac-based
aaa port-access 7 auth-priority authenticator mac-based
aaa port-access 7 critical-auth user-role "servers"
aaa port-access 8 controlled-direction in
aaa port-access 8 auth-order authenticator mac-based
aaa port-access 8 auth-priority authenticator mac-based
aaa port-access 8 critical-auth user-role "aruba-instant-ap"
Had a power cut at home; the switches came back before CPPM and I ended up getting the following:
W 07/06/22 09:58:23 05204 dca: Failed to apply user role to macAuth client
5AC41408495B on port 4: user role is invalid.
W 07/06/22 09:58:13 05204 dca: Failed to apply user role to macAuth client
DC4F22EC13FC on port 4: user role is invalid.
W 07/06/22 09:58:12 05204 dca: Failed to apply user role to macAuth client
DC4F22F2D31E on port 3: user role is invalid.
W 07/06/22 09:58:10 05204 dca: Failed to apply user role to macAuth client
1C30080934EE on port 4: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
8A1E274C75F1 on port 4: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
140AC5ACAD9D on port 4: user role is invalid.
W 07/06/22 09:58:08 05204 dca: Failed to apply user role to macAuth client
C8E265001B76 on port 3: user role is invalid.
The above relate to an Aruba Instant AP which should have been in port mode, so I shouldn't have seen them. When CPPM is there and I'm using DUP, it works just fine.
A
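An added example (not code from anyone in this thread) showing how a defender could triage the 05204 "user role is invalid" entries quoted above: it parses the two-line log format the switch writes, pulls the locally defined user-roles and the per-port critical-auth assignments out of a config fragment, and reports per port whether the critical-auth role actually exists locally or whether the failure more likely came from the RADIUS reply's user-role VSA (the two causes discussed in this thread). The config and log samples are constructed in the style of the thread; port 9 and the role "guest-typo" are hypothetical, added to show the "role not defined" case.

```python
import re
from collections import defaultdict

# Constructed sample config fragment in ArubaOS-Switch syntax (role names taken
# from the thread; port 9 / "guest-typo" is hypothetical to show a misconfiguration).
SAMPLE_CONFIG = """\
aaa authorization user-role name "servers"
   policy "AllowAll"
   reauth-period 3600
   vlan-name "servers"
   exit
aaa authorization user-role name "aruba-instant-ap"
   policy "AllowAll"
   reauth-period 3600
   exit
aaa port-access 3 critical-auth user-role "aruba-instant-ap"
aaa port-access 4 critical-auth user-role "aruba-instant-ap"
aaa port-access 7 critical-auth user-role "servers"
aaa port-access 9 critical-auth user-role "guest-typo"
"""

# Constructed sample log in the event 05204 format quoted in the thread: the switch
# wraps each entry onto two lines (header line, then "<mac> on port N: ...").
SAMPLE_LOG = """\
W 07/06/22 09:58:23 05204 dca: Failed to apply user role to macAuth client
5AC41408495B on port 4: user role is invalid.
W 07/06/22 09:58:13 05204 dca: Failed to apply user role to macAuth client
DC4F22EC13FC on port 4: user role is invalid.
W 07/06/22 09:58:12 05204 dca: Failed to apply user role to macAuth client
DC4F22F2D31E on port 3: user role is invalid.
W 07/06/22 09:58:08 05204 dca: Failed to apply user role to macAuth client
AABBCCDDEEFF on port 9: user role is invalid.
"""

ROLE_DEF_RE = re.compile(r'^aaa authorization user-role name "([^"]+)"')
CRIT_AUTH_RE = re.compile(r'^aaa port-access (\S+) critical-auth user-role "?([^"\s]+)"?')
# \s+ after "client" lets the pattern span the line wrap between header and detail.
EVENT_RE = re.compile(
    r'^W (\S+ \S+) 05204 dca: Failed to apply user role to macAuth client\s+'
    r'([0-9A-Fa-f]{12}) on port (\S+): user role is invalid\.',
    re.M,
)


def parse_config(text):
    """Return (set of locally defined role names, {port: critical-auth role})."""
    roles, critical = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ROLE_DEF_RE.match(line)
        if m:
            roles.add(m.group(1))
            continue
        m = CRIT_AUTH_RE.match(line)
        if m:
            critical[m.group(1)] = m.group(2)
    return roles, critical


def parse_events(text):
    """Return a list of (timestamp, mac, port) for every 05204 entry in the log."""
    return EVENT_RE.findall(text)


def correlate(config_text, log_text):
    """Group 05204 failures by port and attach a triage verdict for each port."""
    roles, critical = parse_config(config_text)
    report = {}
    for _ts, mac, port in parse_events(log_text):
        role = critical.get(port)
        if role is None:
            verdict = "no critical-auth user-role configured on this port"
        elif role not in roles:
            verdict = f"critical-auth role '{role}' is not defined locally"
        else:
            verdict = (f"local role '{role}' exists; the rejected role most likely "
                       f"came from the RADIUS reply's user-role VSA")
        entry = report.setdefault(port, {"role": role, "macs": set(), "verdict": verdict})
        entry["macs"].add(mac)
    return report


if __name__ == "__main__":
    for port, info in sorted(correlate(SAMPLE_CONFIG, SAMPLE_LOG).items()):
        print(f"port {port}: {len(info['macs'])} client(s), role={info['role']}: {info['verdict']}")
```

Run it against a `show running-config` dump and the relevant `show log` output instead of the constructed samples; a port whose verdict says the role exists locally is the case described in this thread, where the switch received an Access-Accept without a usable user-role VSA rather than falling back to the critical-auth role.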
Original Message:
Sent: 7/6/2022 7:07:00 AM
From: snaydenov
Subject: RE: Defining local user-roles for use in event cppm not contactable
Hi Alex,
For me it looks like the CPPM is returning Access-Accept messages only (CPPM Monitor mode: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=22277) and these messages have wrong or missing VSAs (https://community.arubanetworks.com/blogs/esupport1/2020/04/10/arubaos-switch-error-message-05204-dca-failed-to-apply-user-role-reported-in-the-log-file).
The error message kind of confirms this (Description: User role VSA received for the client is invalid or does not exist.)
Event ID: 5204: https://support.hpe.com/hpesc/public/docDisplay?docId=a00093582en_us
Did you try the critical authentication with no connection to the CPPM?
Original Message:
Sent: Jul 04, 2022 10:36 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable
Should say that CPPM is in monitor mode and not sending back a user-role. I even get the message when I've assigned an explicit initial user-role, so is the log just telling me that it hasn't seen a downloaded user-role?
If I do show port-access 1/1 client
it shows that it has role "allowall" applied.
A
Original Message:
Sent: Jul 04, 2022 08:52 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable
Hi,
I'm successfully using downloadable user roles via ClearPass and now need to configure some local ones in the event CPPM is not accessible. (Switch code WC.16.10.21)
Thought I'd try something simple, so the allowall role below should just let the client connect via the statically defined VLAN/port assignment. I've got DHCP/DNS and allowall classes; at a later date the allowall class will be replaced with something more representative.
Unfortunately, it doesn't work.
I have
......
aaa port-access 1/1 critical-auth user-role allowall
......
Looking through the session logs when I force a reauth I can see
"dca: ST1-CMDR: Failed to apply user role to macAuth client <macaddress> on port 1/1: user role is invalid"
Aruba-2930F# show user-role allowall detailed
User Role Information
Name : allowall
Type : local
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLAN :
Captive Portal Profile :
Policy : AllowAll
Statements for policy "AllowAll"
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
60 class ipv4 "allowall" action permit
exit
Statements for class IPv4 "DHCP"
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
Statements for class IPv4 "DNS"
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
Statements for class IPv4 "allowall"
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled