Wired Intelligent Edge

Hi,
I'm successfully using downloadable user roles  via clearpass and now need to configure some local ones  in the event cppm is not accessible. (Switch code WC.16.10.21)
Thought I'd try something simple  so the allowall roole below should just let the client  connect via the statically defined vlan/port assignment. Got DHCP/DNS and allowall classes, at a later date the allowall class will be replaced with something   more representative

Unfortunately, it doesnt work.
I have
......
aaa port-access 1/1 critical-auth user-role allowall
......

Looking through the session logs when i forcve a reauth I can see

"dca: ST1-CMDR: Failed to apply user role to macAuth client <macaddress> on port 1/1: user role is invalid"

Aruba-2930F# show user-role allowall detailed

User Role Information

Name : allowall
Type : local
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLAN :
Captive Portal Profile :
Policy : AllowAll


Statements for policy "AllowAll"
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
60 class ipv4 "allowall" action permit
exit



Statements for class IPv4 "DHCP"
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit



Statements for class IPv4 "DNS"
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit



Statements for class IPv4 "allowall"
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled

Should say that cppm is in monitor mode and not sending back a user-role. Even get the message when  I've assigned an explicit initial user-role, so is the log just telling me that it hasnt seen a downloaded user-role?

if I do show port-access 1/1 client

it shows that it has role "allowall" applied
A
Original Message:
Sent: Jul 04, 2022 08:52 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Hi,
I'm successfully using downloadable user roles  via clearpass and now need to configure some local ones  in the event cppm is not accessible. (Switch code WC.16.10.21)
Thought I'd try something simple  so the allowall roole below should just let the client  connect via the statically defined vlan/port assignment. Got DHCP/DNS and allowall classes, at a later date the allowall class will be replaced with something   more representative

Unfortunately, it doesnt work.
I have
......
aaa port-access 1/1 critical-auth user-role allowall
......

Looking through the session logs when i forcve a reauth I can see

"dca: ST1-CMDR: Failed to apply user role to macAuth client <macaddress> on port 1/1: user role is invalid"

Aruba-2930F# show user-role allowall detailed

User Role Information

Name : allowall
Type : local
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLAN :
Captive Portal Profile :
Policy : AllowAll


Statements for policy "AllowAll"
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
60 class ipv4 "allowall" action permit
exit



Statements for class IPv4 "DHCP"
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit



Statements for class IPv4 "DNS"
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit



Statements for class IPv4 "allowall"
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled

Hi Alex,

For me it looks like the CPPM is returning access accept messages only (CPPM Monitor mode: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=22277) and these messages are having the wrong/or missing VSAs (https://community.arubanetworks.com/blogs/esupport1/2020/04/10/arubaos-switch-error-message-05204-dca-failed-to-apply-user-role-reported-in-the-log-file).

The error message is kind of confirming this (Description: User role VSA received for the client is invalid or does not exist.)

Event ID: 5204: https://support.hpe.com/hpesc/public/docDisplay?docId=a00093582en_us

Did you try the critical authentication with no connection to the CPPM?

Original Message:
Sent: Jul 04, 2022 10:36 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Should say that cppm is in monitor mode and not sending back a user-role. Even get the message when  I've assigned an explicit initial user-role, so is the log just telling me that it hasnt seen a downloaded user-role?

if I do show port-access 1/1 client

it shows that it has role "allowall" applied
A
Original Message:
Sent: Jul 04, 2022 08:52 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Hi,
I'm successfully using downloadable user roles  via clearpass and now need to configure some local ones  in the event cppm is not accessible. (Switch code WC.16.10.21)
Thought I'd try something simple  so the allowall roole below should just let the client  connect via the statically defined vlan/port assignment. Got DHCP/DNS and allowall classes, at a later date the allowall class will be replaced with something   more representative

Unfortunately, it doesnt work.
I have
......
aaa port-access 1/1 critical-auth user-role allowall
......

Looking through the session logs when i forcve a reauth I can see

"dca: ST1-CMDR: Failed to apply user role to macAuth client <macaddress> on port 1/1: user role is invalid"

Aruba-2930F# show user-role allowall detailed

User Role Information

Name : allowall
Type : local
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLAN :
Captive Portal Profile :
Policy : AllowAll


Statements for policy "AllowAll"
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
60 class ipv4 "allowall" action permit
exit



Statements for class IPv4 "DHCP"
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit



Statements for class IPv4 "DNS"
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit



Statements for class IPv4 "allowall"
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled

Hi,
Yes I tried that on my dev server nasty home.
At home I have
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
exit
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
class ipv4 "ICMP"
10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
30 class ipv4 "ICMP" action permit
60 class ipv4 "allowall" action permit
exit

aaa authorization user-role name "servers"
policy "AllowAll"
reauth-period 3600
vlan-name "servers"
exit
aaa authorization user-role name "allowall"
policy "AllowAll"
reauth-period 3600
exit
aaa authorization user-role name "critical-role"
policy "AllowAll"
reauth-period 3600
exit
aaa authorization user-role name "aruba-instant-ap"
policy "AllowAll"
reauth-period 3600
vlan-name "DEFAULT_VLAN"
vlan-id-tagged 2-6,10,111,222,333
device
poe-allocate-by-class
admin-edge-port
port-mode
exit
exit

And finally …..

aaa port-access 2 auth-order authenticator mac-based
aaa port-access 3 controlled-direction in
aaa port-access 3 auth-order authenticator mac-based
aaa port-access 3 auth-priority authenticator mac-based
aaa port-access 3 critical-auth user-role "aruba-instant-ap"
aaa port-access 4 controlled-direction in
aaa port-access 4 auth-order authenticator mac-based
aaa port-access 4 auth-priority authenticator mac-based
aaa port-access 4 critical-auth user-role "aruba-instant-ap"
aaa port-access 5 controlled-direction in
aaa port-access 5 auth-order authenticator mac-based
aaa port-access 5 auth-priority authenticator mac-based
aaa port-access 5 critical-auth user-role "aruba-instant-ap"
aaa port-access 6 controlled-direction in
aaa port-access 6 auth-order authenticator mac-based
aaa port-access 6 auth-priority authenticator mac-based
aaa port-access 7 controlled-direction in
aaa port-access 7 auth-order authenticator mac-based
aaa port-access 7 auth-priority authenticator mac-based
aaa port-access 7 critical-auth user-role "servers"
aaa port-access 8 controlled-direction in
aaa port-access 8 auth-order authenticator mac-based
aaa port-access 8 auth-priority authenticator mac-based
aaa port-access 8 critical-auth user-role "aruba-instant-ap”


Had a power cut at home and switches came back before cppm and ended up getting the following

W 07/06/22 09:58:23 05204 dca: Failed to apply user role to macAuth client
5AC41408495B on port 4: user role is invalid.
W 07/06/22 09:58:13 05204 dca: Failed to apply user role to macAuth client
DC4F22EC13FC on port 4: user role is invalid.
W 07/06/22 09:58:12 05204 dca: Failed to apply user role to macAuth client
DC4F22F2D31E on port 3: user role is invalid.
W 07/06/22 09:58:10 05204 dca: Failed to apply user role to macAuth client
1C30080934EE on port 4: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
8A1E274C75F1 on port 4: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
140AC5ACAD9D on port 4: user role is invalid.
W 07/06/22 09:58:08 05204 dca: Failed to apply user role to macAuth client
C8E265001B76 on port 3: user role is invalid.

The above relate to an Aruba instant AP which should have been in port mode so I shouldn’t have seen them. When cppm is there and I’m using DUP, works just fine
A


Original Message:
Sent: 7/6/2022 7:07:00 AM
From: snaydenov
Subject: RE: Defining local user-roles for use in event cppm not contactable

Hi Alex,

For me it looks like the CPPM is returning access accept messages only (CPPM Monitor mode: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=22277) and these messages are having the wrong/or missing VSAs (https://community.arubanetworks.com/blogs/esupport1/2020/04/10/arubaos-switch-error-message-05204-dca-failed-to-apply-user-role-reported-in-the-log-file).

The error message is kind of confirming this (Description: User role VSA received for the client is invalid or does not exist.)

Event ID: 5204: https://support.hpe.com/hpesc/public/docDisplay?docId=a00093582en_us

Did you try the critical authentication with no connection to the CPPM?

Original Message:
Sent: Jul 04, 2022 10:36 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Should say that cppm is in monitor mode and not sending back a user-role. Even get the message when  I've assigned an explicit initial user-role, so is the log just telling me that it hasnt seen a downloaded user-role?

if I do show port-access 1/1 client

it shows that it has role "allowall" applied
A
Original Message:
Sent: Jul 04, 2022 08:52 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Hi,
I'm successfully using downloadable user roles  via clearpass and now need to configure some local ones  in the event cppm is not accessible. (Switch code WC.16.10.21)
Thought I'd try something simple  so the allowall roole below should just let the client  connect via the statically defined vlan/port assignment. Got DHCP/DNS and allowall classes, at a later date the allowall class will be replaced with something   more representative

Unfortunately, it doesnt work.
I have
......
aaa port-access 1/1 critical-auth user-role allowall
......

Looking through the session logs when i forcve a reauth I can see

"dca: ST1-CMDR: Failed to apply user role to macAuth client <macaddress> on port 1/1: user role is invalid"

Aruba-2930F# show user-role allowall detailed

User Role Information

Name : allowall
Type : local
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLAN :
Captive Portal Profile :
Policy : AllowAll


Statements for policy "AllowAll"
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
60 class ipv4 "allowall" action permit
exit



Statements for class IPv4 "DHCP"
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit



Statements for class IPv4 "DNS"
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit



Statements for class IPv4 "allowall"
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled

Hi Alex,

Have you tried to enable debugging to see more details? 
You can try the debugs for port-access and radius (debug security port-access/radius).
Original Message:
Sent: Jul 06, 2022 09:39 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Hi,
Yes I tried that on my dev server nasty home.
At home I have
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
exit
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
class ipv4 "ICMP"
10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
30 class ipv4 "ICMP" action permit
60 class ipv4 "allowall" action permit
exit

aaa authorization user-role name "servers"
policy "AllowAll"
reauth-period 3600
vlan-name "servers"
exit
aaa authorization user-role name "allowall"
policy "AllowAll"
reauth-period 3600
exit
aaa authorization user-role name "critical-role"
policy "AllowAll"
reauth-period 3600
exit
aaa authorization user-role name "aruba-instant-ap"
policy "AllowAll"
reauth-period 3600
vlan-name "DEFAULT_VLAN"
vlan-id-tagged 2-6,10,111,222,333
device
poe-allocate-by-class
admin-edge-port
port-mode
exit
exit

And finally …..

aaa port-access 2 auth-order authenticator mac-based
aaa port-access 3 controlled-direction in
aaa port-access 3 auth-order authenticator mac-based
aaa port-access 3 auth-priority authenticator mac-based
aaa port-access 3 critical-auth user-role "aruba-instant-ap"
aaa port-access 4 controlled-direction in
aaa port-access 4 auth-order authenticator mac-based
aaa port-access 4 auth-priority authenticator mac-based
aaa port-access 4 critical-auth user-role "aruba-instant-ap"
aaa port-access 5 controlled-direction in
aaa port-access 5 auth-order authenticator mac-based
aaa port-access 5 auth-priority authenticator mac-based
aaa port-access 5 critical-auth user-role "aruba-instant-ap"
aaa port-access 6 controlled-direction in
aaa port-access 6 auth-order authenticator mac-based
aaa port-access 6 auth-priority authenticator mac-based
aaa port-access 7 controlled-direction in
aaa port-access 7 auth-order authenticator mac-based
aaa port-access 7 auth-priority authenticator mac-based
aaa port-access 7 critical-auth user-role "servers"
aaa port-access 8 controlled-direction in
aaa port-access 8 auth-order authenticator mac-based
aaa port-access 8 auth-priority authenticator mac-based
aaa port-access 8 critical-auth user-role "aruba-instant-ap"


Had a power cut at home and switches came back before cppm and ended up getting the following

W 07/06/22 09:58:23 05204 dca: Failed to apply user role to macAuth client
5AC41408495B on port 4: user role is invalid.
W 07/06/22 09:58:13 05204 dca: Failed to apply user role to macAuth client
DC4F22EC13FC on port 4: user role is invalid.
W 07/06/22 09:58:12 05204 dca: Failed to apply user role to macAuth client
DC4F22F2D31E on port 3: user role is invalid.
W 07/06/22 09:58:10 05204 dca: Failed to apply user role to macAuth client
1C30080934EE on port 4: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
8A1E274C75F1 on port 4: user role is invalid.
W 07/06/22 09:58:09 05204 dca: Failed to apply user role to macAuth client
140AC5ACAD9D on port 4: user role is invalid.
W 07/06/22 09:58:08 05204 dca: Failed to apply user role to macAuth client
C8E265001B76 on port 3: user role is invalid.

The above relate to an Aruba instant AP which should have been in port mode so I shouldn't have seen them. When cppm is there and I'm using DUP, works just fine
A


Original Message:
Sent: 7/6/2022 7:07:00 AM
From: snaydenov
Subject: RE: Defining local user-roles for use in event cppm not contactable

Hi Alex,

For me it looks like the CPPM is returning access accept messages only (CPPM Monitor mode: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=22277) and these messages are having the wrong/or missing VSAs (https://community.arubanetworks.com/blogs/esupport1/2020/04/10/arubaos-switch-error-message-05204-dca-failed-to-apply-user-role-reported-in-the-log-file).

The error message is kind of confirming this (Description: User role VSA received for the client is invalid or does not exist.)

Event ID: 5204: https://support.hpe.com/hpesc/public/docDisplay?docId=a00093582en_us

Did you try the critical authentication with no connection to the CPPM?

Original Message:
Sent: Jul 04, 2022 10:36 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Should say that cppm is in monitor mode and not sending back a user-role. Even get the message when  I've assigned an explicit initial user-role, so is the log just telling me that it hasnt seen a downloaded user-role?

if I do show port-access 1/1 client

it shows that it has role "allowall" applied
A
Original Message:
Sent: Jul 04, 2022 08:52 AM
From: Alex Sharaz
Subject: Defining local user-roles for use in event cppm not contactable

Hi,
I'm successfully using downloadable user roles  via clearpass and now need to configure some local ones  in the event cppm is not accessible. (Switch code WC.16.10.21)
Thought I'd try something simple  so the allowall roole below should just let the client  connect via the statically defined vlan/port assignment. Got DHCP/DNS and allowall classes, at a later date the allowall class will be replaced with something   more representative

Unfortunately, it doesnt work.
I have
......
aaa port-access 1/1 critical-auth user-role allowall
......

Looking through the session logs when i forcve a reauth I can see

"dca: ST1-CMDR: Failed to apply user role to macAuth client <macaddress> on port 1/1: user role is invalid"

Aruba-2930F# show user-role allowall detailed

User Role Information

Name : allowall
Type : local
Reauthentication Period (seconds) : 3600
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN :
Tagged VLAN :
Captive Portal Profile :
Policy : AllowAll


Statements for policy "AllowAll"
policy user "AllowAll"
10 class ipv4 "DHCP" action permit
20 class ipv4 "DNS" action permit
60 class ipv4 "allowall" action permit
exit



Statements for class IPv4 "DHCP"
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit



Statements for class IPv4 "DNS"
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit



Statements for class IPv4 "allowall"
class ipv4 "allowall"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled