Wired Intelligent Edge

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

I assume you mean these attributes?

regarding use of vlan names, we have an engagement with an Aruba engineer who has deployed this at other companies using vlan names. I can try to use the actual vlan ID, but that would force us to use different vlan ID's for every switch we use across campus (80+ switches) instead of using a uniform config using names.

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

Aruba User Role is for AOS-CX, where HPE-User-Role is for older ArubaOS switches. Some switches don't like additional attributes that they don't understand. Can you see in Access Tracker what actually has been sent? Or (if you only have AOS-CX switches) remove the HPE-User-Role for now?

I assume you mean these attributes?

regarding use of vlan names, we have an engagement with an Aruba engineer who has deployed this at other companies using vlan names. I can try to use the actual vlan ID, but that would force us to use different vlan ID's for every switch we use across campus (80+ switches) instead of using a uniform config using names.

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

I removed the HPE-User-Role temporarily and still receive the same error.

Here is the output from access tracker, AFTER i removed the HPE-User-Role

I am still receiving a fail on the interface.

6300(config-if)# show port-access clients 

Port Access Clients

Status Codes: d device-mode, c client-mode, m multi-domain 

-----------------------------------------------------------------------------------------------------------------
  Port     MAC-Address       Onboarding     Status               Role                                Device Type 
                             Method                                                                              
-----------------------------------------------------------------------------------------------------------------
c 1/1/1    f4:39:09:12:e8:d3 mac-auth       Success              LUR-UBT-User                        
c 1/1/2    10:e7:c6:b8:1c:0b dot1x          Fail                 COD-MACHINE                         

The strange thing is, this was working at one point. I may try to see if i can return a different role.

Aruba User Role is for AOS-CX, where HPE-User-Role is for older ArubaOS switches. Some switches don't like additional attributes that they don't understand. Can you see in Access Tracker what actually has been sent? Or (if you only have AOS-CX switches) remove the HPE-User-Role for now?

I assume you mean these attributes?

regarding use of vlan names, we have an engagement with an Aruba engineer who has deployed this at other companies using vlan names. I can try to use the actual vlan ID, but that would force us to use different vlan ID's for every switch we use across campus (80+ switches) instead of using a uniform config using names.

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

Also, about 90% of our switches on campus are still the AOS style switches (5412R's). We only have migrated a small number of switches to CX style switches thus far, hence why we need both attributes on the clearpass profile

I removed the HPE-User-Role temporarily and still receive the same error.

Here is the output from access tracker, AFTER i removed the HPE-User-Role

I am still receiving a fail on the interface.

6300(config-if)# show port-access clients 

Port Access Clients

Status Codes: d device-mode, c client-mode, m multi-domain 

-----------------------------------------------------------------------------------------------------------------
  Port     MAC-Address       Onboarding     Status               Role                                Device Type 
                             Method                                                                              
-----------------------------------------------------------------------------------------------------------------
c 1/1/1    f4:39:09:12:e8:d3 mac-auth       Success              LUR-UBT-User                        
c 1/1/2    10:e7:c6:b8:1c:0b dot1x          Fail                 COD-MACHINE                         

The strange thing is, this was working at one point. I may try to see if i can return a different role.

Aruba User Role is for AOS-CX, where HPE-User-Role is for older ArubaOS switches. Some switches don't like additional attributes that they don't understand. Can you see in Access Tracker what actually has been sent? Or (if you only have AOS-CX switches) remove the HPE-User-Role for now?

I assume you mean these attributes?

regarding use of vlan names, we have an engagement with an Aruba engineer who has deployed this at other companies using vlan names. I can try to use the actual vlan ID, but that would force us to use different vlan ID's for every switch we use across campus (80+ switches) instead of using a uniform config using names.

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

It looks like the CX platform does have limitations with vlan NAMES where AOS did not. I changed the port-access role rules to use the actual vlan tags instead of the names, and it seems to work fine.

I think this can work, since we are not using downloadable user roles. I'm not sure how downloadable roles would work in an environment where every switch uses different VLANs and VLAN's don't span across the environment

port-access role COD-MACHINE                                   
    associate policy COD-Machines                              
    reauth-period 86400                                        
    vlan trunk native 1188                                     
    vlan trunk allowed 1188,1190,1196 

6300(config)# show port-access clients 

Port Access Clients

Status Codes: d device-mode, c client-mode, m multi-domain 

-----------------------------------------------------------------------------------------------------------------
  Port     MAC-Address       Onboarding     Status               Role                                Device Type 
                             Method                                                                              
-----------------------------------------------------------------------------------------------------------------
c 1/1/1    f4:39:09:12:e8:d3 mac-auth       Success              LUR-UBT-User                        
c 1/1/2    10:e7:c6:b8:1c:0b dot1x          Success              COD-MACHINE                         

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

Regarding: I'm not sure how downloadable roles would work in an environment where every switch uses different VLANs and VLAN's don't span across the environment

You probably don't want to renumber all your VLANs but, for anyone else wondering this same thing, here's how I do it in my network.  All of my buildings have the same set of VLANs and they all use the same VLAN ID's.  In my environment data is 44, voice is 45, security cameras are 253, etc.  Each building has a unique subnet for each of its VLANs and they're routed at the building level.  From the Clearpass perspective, when a security camera connects I don't need to care which building it's in, I just return the DUR for security cameras which assigns VLAN 253.   Does that make sense?  It took me a while to get used to having dozens of distinct VLANs that had the same ID but once you wrap your head around it it actually works really well.  I especially like doing it with DUR's because changes are super easy to push out.

It looks like the CX platform does have limitations with vlan NAMES where AOS did not. I changed the port-access role rules to use the actual vlan tags instead of the names, and it seems to work fine.

I think this can work, since we are not using downloadable user roles. I'm not sure how downloadable roles would work in an environment where every switch uses different VLANs and VLAN's don't span across the environment

port-access role COD-MACHINE                                   
    associate policy COD-Machines                              
    reauth-period 86400                                        
    vlan trunk native 1188                                     
    vlan trunk allowed 1188,1190,1196 

6300(config)# show port-access clients 

Port Access Clients

Status Codes: d device-mode, c client-mode, m multi-domain 

-----------------------------------------------------------------------------------------------------------------
  Port     MAC-Address       Onboarding     Status               Role                                Device Type 
                             Method                                                                              
-----------------------------------------------------------------------------------------------------------------
c 1/1/1    f4:39:09:12:e8:d3 mac-auth       Success              LUR-UBT-User                        
c 1/1/2    10:e7:c6:b8:1c:0b dot1x          Success              COD-MACHINE                         

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

how large is your environment? Our routing actually happens at the core level (Layer 3 at the core, Layer 2 at the IDF's) so we aren't able to use the same VLAN ID's across every switch. I do understand what you are doing with your subnets though.

We run 3 of the 8400's, in a bit of a triangle, in 3 separate datacenters. We run 5412 and 6405/10 chassis at the various BDF's and IDF's across campus that home run back to their respective cores (the 8400s). 

Regarding: I'm not sure how downloadable roles would work in an environment where every switch uses different VLANs and VLAN's don't span across the environment

You probably don't want to renumber all your VLANs but, for anyone else wondering this same thing, here's how I do it in my network.  All of my buildings have the same set of VLANs and they all use the same VLAN ID's.  In my environment data is 44, voice is 45, security cameras are 253, etc.  Each building has a unique subnet for each of its VLANs and they're routed at the building level.  From the Clearpass perspective, when a security camera connects I don't need to care which building it's in, I just return the DUR for security cameras which assigns VLAN 253.   Does that make sense?  It took me a while to get used to having dozens of distinct VLANs that had the same ID but once you wrap your head around it it actually works really well.  I especially like doing it with DUR's because changes are super easy to push out.

It looks like the CX platform does have limitations with vlan NAMES where AOS did not. I changed the port-access role rules to use the actual vlan tags instead of the names, and it seems to work fine.

I think this can work, since we are not using downloadable user roles. I'm not sure how downloadable roles would work in an environment where every switch uses different VLANs and VLAN's don't span across the environment

port-access role COD-MACHINE                                   
    associate policy COD-Machines                              
    reauth-period 86400                                        
    vlan trunk native 1188                                     
    vlan trunk allowed 1188,1190,1196 

6300(config)# show port-access clients 

Port Access Clients

Status Codes: d device-mode, c client-mode, m multi-domain 

-----------------------------------------------------------------------------------------------------------------
  Port     MAC-Address       Onboarding     Status               Role                                Device Type 
                             Method                                                                              
-----------------------------------------------------------------------------------------------------------------
c 1/1/1    f4:39:09:12:e8:d3 mac-auth       Success              LUR-UBT-User                        
c 1/1/2    10:e7:c6:b8:1c:0b dot1x          Success              COD-MACHINE                         

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

I also let our Aruba project manager and engineer know that the CX platform seems to struggle with VLAN names. We're paying for professional services for this project, but we are between sessions where we are trying to get this deployed to a test group of users before Aruba comes back on site to continue to help us push this out. It was their suggestion to use names, which seems to work perfectly in the AOS/5412 switches. CX seems to be a the problem child. He also steered us away from downloadable roles because of some issue he was aware of on the CX's

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

Did they say what the issues were with DURs?  My network is 90% CX and every client gets a DUR.  I've had plenty of issues with DURs but they're all related to an admin messing things up, not an issue with CX itself.

I also let our Aruba project manager and engineer know that the CX platform seems to struggle with VLAN names. We're paying for professional services for this project, but we are between sessions where we are trying to get this deployed to a test group of users before Aruba comes back on site to continue to help us push this out. It was their suggestion to use names, which seems to work perfectly in the AOS/5412 switches. CX seems to be a the problem child. He also steered us away from downloadable roles because of some issue he was aware of on the CX's

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

It had something to do with the a version of clearpass (11 maybe?) or something that had to do with Aruba central managed switches and how they don't work well there.

Did they say what the issues were with DURs?  My network is 90% CX and every client gets a DUR.  I've had plenty of issues with DURs but they're all related to an admin messing things up, not an issue with CX itself.

I also let our Aruba project manager and engineer know that the CX platform seems to struggle with VLAN names. We're paying for professional services for this project, but we are between sessions where we are trying to get this deployed to a test group of users before Aruba comes back on site to continue to help us push this out. It was their suggestion to use names, which seems to work perfectly in the AOS/5412 switches. CX seems to be a the problem child. He also steered us away from downloadable roles because of some issue he was aware of on the CX's

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?

It had something to do with the a version of clearpass (11 maybe?) or something that had to do with Aruba central managed switches and how they don't work well there.

Did they say what the issues were with DURs?  My network is 90% CX and every client gets a DUR.  I've had plenty of issues with DURs but they're all related to an admin messing things up, not an issue with CX itself.

I also let our Aruba project manager and engineer know that the CX platform seems to struggle with VLAN names. We're paying for professional services for this project, but we are between sessions where we are trying to get this deployed to a test group of users before Aruba comes back on site to continue to help us push this out. It was their suggestion to use names, which seems to work perfectly in the AOS/5412 switches. CX seems to be a the problem child. He also steered us away from downloadable roles because of some issue he was aware of on the CX's

What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?