You can try radius debug and also 'show events -r' might also give some insight.
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Apr 19, 2023 10:32 AM
From: davidwk
Subject: Aruba CX DUR - Port status In-progress
So the RADIUS part is working fine but the switch can't log back into Clearpass after it gets the RADIUS response to download the role. Does the dur-admin user in Clearpass have the 'Aruba User Role Download' privilege level and have you verified that the password for that user is correct both in Clearpass and in the switch?
Original Message:
Sent: Apr 19, 2023 09:59 AM
From: David Hurley
Subject: Aruba CX DUR - Port status In-progress
abc-SW01# show port-access role clearpass
Role Information:
Name : test_dh-3026-2
Type : clearpass
Status: Failed, Server Authentication Failure
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Gateway Zone :
UBT Gateway Role :
UBT Gateway Clearpass Role :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names :
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
PVLAN Port Type :
Captive Portal Profile :
Policy :
GBP :
Device Type :
Here is the syntax from clearpass

The role name does match, which is good!
However, the port status is still 'In-Progress'.
Original Message:
Sent: Apr 19, 2023 09:33 AM
From: davidwk
Subject: Aruba CX DUR - Port status In-progress
Sorry, I just noticed the screenshot you posted. Try taking the 'exit' off of the end of the Clearpass role.
Original Message:
Sent: Apr 19, 2023 09:13 AM
From: davidwk
Subject: Aruba CX DUR - Port status In-progress
That's really interesting. What's the role that you're returning from Clearpass? If you do a
show port-access role clearpass
does the role show up and does it match what you're expecting based on what Clearpass is sending?
Also, a lot has changed in the firmware since 10.09. It would probably be worthwhile upgrading to 10.11. I'm not sure if it would impact this issue at all but there have been a number of stability and security improvements.
Original Message:
Sent: Apr 19, 2023 08:58 AM
From: David Hurley
Subject: Aruba CX DUR - Port status In-progress
Hi David,
Apologies, the config was present on the switch; I didn't capture it when posting.
The switch and firmware is:
Vendor : Aruba
Product Name : JL658A 6300M 24SFP+ 4SFP56 Swch
ArubaOS-CX Version : FL.10.09.1070
What's interesting is the status is 'Authenticated' when running the below:
ABC-SW01# show aaa authentication port-access mac-auth interface 1/1/1 client-status
Port Access Client Status Details
Client 9c:1c:12:ca:72:4e, 9c1c12ca724e, 1/1/1
=========================================
Authentication Details
----------------------
Status : Authenticated
Auth-Method : chap
Auth Failure reason :
Time Since Last State Change : 2787s
Authentication Statistics
-------------------------
Authentication : 1
Authentication Timeout : 0
Successful Authentication : 1
Failed Authentication : 0
Re-Authentication : 44
Successful Re-Authentication : 44
Failed Re-Authentication : 0
Re-Auths When Authenticated : 44
Cached Re-Authentication : 0
But from a port-access command it still presents as 'In-Progress':
abc-SW01# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
--------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
--------------------------------------------------------------------------------------------------------
c 1/1/1 9c:1c:12:ca:72:4e In-Progress
Original Message:
Sent: Apr 19, 2023 08:43 AM
From: davidwk
Subject: Aruba CX DUR - Port status In-progress
Also, which switch model are you using and which version of the firmware is it running?
Original Message:
Sent: Apr 19, 2023 08:40 AM
From: David King
Subject: Aruba CX DUR - Port status In-progress
Jumbo frames shouldn't be required for DUR. If you want to use UBT you might want to consider it but it's still not a requirement. Looking through your config you tell the switch to use the Clearpass server group for accounting but you never tell it to use that group for authentication. Try adding
aaa authentication port-access dot1x authenticator
radius server-group Clearpass
enable
aaa authentication port-access mac-auth
radius server-group Clearpass
enable
It seems weird to me that you're seeing the requests in Clearpass without those settings but it's possible that Clearpass is receiving the accounting updates without getting an auth request first.
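The gap pointed out in the reply above (accounting bound to the Clearpass group, but no `radius server-group` under the global port-access authentication contexts) can be checked mechanically. The following is an added example, not part of the original thread or any Aruba tooling; it assumes a running-config in which sub-commands are indented under their context, and the sample config and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample in running-config layout (sub-commands indented);
# group and host names mirror the thread's sanitized config.
SAMPLE_CONFIG = """\
aaa group server radius Clearpass
    server abc1.co.uk
aaa accounting port-access start-stop interim 5 group Clearpass
interface 1/1/1
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
"""

# The global commands suggested in the reply above.
FIX = """\
aaa authentication port-access dot1x authenticator
    radius server-group Clearpass
    enable
aaa authentication port-access mac-auth
    radius server-group Clearpass
    enable
"""

AUTH_CTX = re.compile(r"^aaa authentication port-access (dot1x authenticator|mac-auth)$")
ACCT = re.compile(r"^aaa accounting port-access .*\bgroup (\S+)")
GROUP = re.compile(r"^\s+radius server-group (\S+)")

def audit(config):
    """Return (method, group) pairs where accounting uses a RADIUS group that
    the global port-access authentication context never references."""
    acct_groups, auth_groups, ctx = set(), {"dot1x": set(), "mac-auth": set()}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():  # top-level command opens a new context
            m = AUTH_CTX.match(line.rstrip())
            ctx = m.group(1).split()[0] if m else None
            a = ACCT.match(line)
            if a:
                acct_groups.add(a.group(1))
        elif ctx and (g := GROUP.match(line)):  # interface-level lines have ctx=None
            auth_groups[ctx].add(g.group(1))
    return sorted((meth, grp) for meth, seen in auth_groups.items()
                  for grp in acct_groups - seen)
```

An empty list means every group used for port-access accounting is also named under both global authentication contexts.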
Original Message:
Sent: Apr 19, 2023 05:31 AM
From: David Hurley
Subject: Aruba CX DUR - Port status In-progress
Hi,
Would anyone have any suggestions? Are jumbo frames required?
Original Message:
Sent: Apr 17, 2023 08:29 AM
From: allied_assault123
Subject: Aruba CX DUR - Port status In-progress
Hi,
Thanks for the reply
The Root cert is correctly seen on the switch (I have an Aruba OS switch which downloads the cert automatically and I have compared also)
Here is the interface config
interface 1/1/1
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree root-guard
spanning-tree tcn-guard
spanning-tree port-type admin-edge
port-access onboarding-method concurrent enable
aaa authentication port-access allow-cdp-bpdu
aaa authentication port-access allow-lldp-bpdu
aaa authentication port-access client-limit 25
aaa authentication port-access dot1x authenticator
cached-reauth
cached-reauth-period 86400
reauth
enable
aaa authentication port-access mac-auth
cached-reauth
cached-reauth-period 86400
reauth
enable
loop-protect
loop-protect action tx-rx-disable
exit
radius-server tracking interval 60
radius-server tracking retries 5
ntp server xxx
ntp server xxx
ntp server xxx iburst
ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
ntp enable
!
!
!
radius-server key ciphertext xxx
radius-server service-type in-access-request
!
radius-server host abc1.co.uk key ciphertext xxx clearpass-username dur-admin clearpass-password ciphertext xxx
radius-server host abc2.co.uk key ciphertext xxx clearpass-username dur-admin clearpass-password ciphertext xxx
!
!
aaa group server radius Clearpass
server abc1.co.uk
server abc2.co.uk
!
aaa accounting port-access start-stop interim 5 group Clearpass
!
radius dyn-authorization enable
!
radius dyn-authorization client abc1.co.uk secret-key ciphertext xxx
radius dyn-authorization client abc2.co.uk secret-key ciphertext xxx
TIA
Original Message:
Sent: Apr 17, 2023 08:00 AM
From: davidwk
Subject: Aruba CX DUR - Port status In-progress
My first thought would be to ensure that the ClearPass certificates are installed as trust anchors on the switch. If you do a
show crypto pki ta-profile
does it list the certificates you expect? If it doesn't you'll need to install the certificates on the switch. If they're already there could you post your sanitized switch output?
Original Message:
Sent: Apr 17, 2023 07:41 AM
From: allied_assault123
Subject: Aruba CX DUR - Port status In-progress
Hi all,
I'm having trouble utilizing DURs on the CX platform utilizing CPPM