The secondary user role is configured as static, so must be pre-configured on the gateway. From the above, the role to the switch is downloaded including the secondary user role which is then applied at the gateway.
What confuses me is that in ClearPass the secondary user-role is PBTGroupA, in the switch it shows as PBT-WiredDOT1X-GroupA. Are the screenshots collected at different moments in the troubleshooting process?
Also, the PBT is normally used for port-based-tunnel, while what you configure is UBT (user-based tunnel). It's just a naming thing and not a problem as long as it is understood what is done. As a best practice, naming should match as close as possible what it is doing.
Can you try to remove/untick the 'server-derived roles' option in your gateway configuration? That should not be needed as the gateway does not authenticate, but receives the role from the switch. I'm not sure if the setting may interfere.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Apr 29, 2021 05:04 AM
From: Michael Höflmaier
Subject: CPPM static user role not applied at controller (Wi-Fi)
Hi alagoutte,
now I am a bit confused....
Shouldn't it be a secondary static user role?
As off my understanding:
Static user roles are present on both CPPM and the gateway
Dynamic user roles are only present on CPPM and are downloaded to the gateway as needed
------------------------------
Michael
Original Message:
Sent: Apr 27, 2021 08:09 AM
From: Alexis La Goutte
Subject: CPPM static user role not applied at controller (Wi-Fi)
Hi,
it is not a static role because it create also on the controller...
------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..
ACEP / ACMX #107 / ACDX #1281
Original Message:
Sent: Apr 23, 2021 04:15 AM
From: Michael Höflmaier
Subject: CPPM static user role not applied at controller (Wi-Fi)
Hello dear Aruba-Warriors,
I am currently out and about testing DynSeg. Currently, me and my (much more experienced) college have troubles with DynSeg and Wi-Fi.
This is my wireless profile which is applied to my device when authenticating via Wi-Fi. This works just fine!
On my controller there are enough licences and downloading the user role from CPPM is enabled for this Wi-Fi:
I have no custom derivation rules defined.
This is the role created on my controller:
This role is totally blank with the only rule being "allowall".
Can the assignment of VLANs/roles be done this way, because I all my clients are getting placed into the default-role "authenticated"?
My college managed to get this to work with custom derivation rules, but I think this shouldn't be really necessary, because the rules should be auto-derived!
Am I missing something important? Is this only possible with custom derivation rules?
------------------------------
Michael
------------------------------