Yesterday I found some time to have another look at this, but the outcome was the same.
I can't see any of the error messages you stated.
For now I suspect that I might not have the correct config, even though it is not that extensive or complicated.
If I got the workflow right, the client is authenticated by the switch. CPPM tells the switch to download the user role, which includes the UBT and secondary role config.
The switch advises the MD to download the role that is set as the secondary role. Therefore the MD should do an HTTPS call to CPPM and download the role information. If this is correct, I should see traffic between the MD and CPPM, which I don't.
Side Note: I tested this setup with a different code (8.10.0.16) as well. Same behaviour.
Original Message:
Sent: Apr 03, 2025 09:08 AM
From: willembargeman
Subject: DUR on 8.10.x
I did some searching on whether there is any error that should be logged. Here is an example output that I found internally:
(Aruba7010) *#show log user all
May 1 04:05:19 profmgr[3441]: <334200> <ERROR> |profmgr| Node /mm already has elements in it
May 1 05:28:24 authmgr[3467]: <522280> <3467> <ERRS> |authmgr| MAC=8a:32:54:2d:e6:2b Dldb Role:1c_ctrl_DUR1-3053-11 Cannot be assigned downloadable role, role is in error state
(Aruba7010) *#
(Aruba7010) *#show log security all
May 1 05:22:47 authmgr[3467]: <124830> <3467> <ERRS> |authmgr| Dldb Role 1c_ctrl_DUR1-3053-11: Users dequeued, role in incomplete state
Please also check the show tunneled-node-mgr trace-buf logs
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Apr 03, 2025 08:49 AM
From: FreddyG
Subject: DUR on 8.10.x
10.100.80.10 34:48:ed:2d:ae:61 3448ed2dae61 guest 00:00:22 Tunneled-User-MAC 10.13.128.136 Tunneled tunnel 582/14:ab:ec:c6:f6:c0/1/1/48 default-tunneled-user tunnel TUNNELED USER
Apr 3 14:24:08.356 Role assigned * 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.357 Vlan assigned * 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.360 user-gsm-publish * 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.360 mac-user-gsm-priv-section-update 34:48:ed:2d:ae:61 14:ab:ec:c6:f6:c0 - - 34:48:ed:2d:ae:61
Apr 3 14:24:08.360 cluster-user-gsm-stby-info-update 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.634 User IP Add * 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.636 user-gsm-publish * 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.637 gsm-ip-user-publish 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.637 ip-user-gsm-notify 34:48:ed:2d:ae:61 00:00:00:00:00:00 - - 10.100.80.10
Apr 3 14:24:08.638 mac-user-gsm-priv-section-update 34:48:ed:2d:ae:61 14:ab:ec:c6:f6:c0 - - 34:48:ed:2d:ae:61
Apr 3 14:24:08.638 cluster-user-gsm-stby-info-update 34:48:ed:2d:ae:61 00:00:00:00:00:00 - -
Apr 3 14:24:08.638 ip-user-gsm-priv-section-update 34:48:ed:2d:ae:61 14:ab:ec:c6:f6:c0 - - 34:48:ed:2d:ae:61
------------------------------
Frederik
Original Message:
Sent: Apr 03, 2025 08:40 AM
From: willembargeman
Subject: DUR on 8.10.x
Can you also share the output of the commands
#show user-table ip <user-ip>
#show auth-tracebuf mac <client-mac>
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Apr 03, 2025 08:32 AM
From: FreddyG
Subject: DUR on 8.10.x
Thanks again for your help.
This is the output of the user-debug:
Apr 3 14:21:14 2025 :522303: <10343> <DBUG> |authmgr| Auth GSM : USER delete for mac 34:48:ed:2d:ae:61 uuid 204c03028800000000129267
Apr 3 14:21:14 2025 :522262: <10343> <DBUG> |authmgr| "User MAC:34:48:ed:2d:ae:61: Total users purged = 1.
Apr 3 14:24:08 2025 :522035: <10343> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61 Station UP: BSSID=14:ab:ec:c6:f6:c0 ESSID=TUNNELED_NODE_ESSID VLAN=180 AP-name=(null) u-encr-alg=0x1 m-encr-alg=0x1 at 14:24:08.354575
Apr 3 14:24:08 2025 :522164: <10343> <DBUG> |authmgr| 14:24:08.354575 Handling station up - down : mac: 33:34:3a:34:38:3a User type: Tunneled User cluster enabled: 1
Apr 3 14:24:08 2025 :522077: <10343> <DBUG> |authmgr| MAC=34:48:ed:2d:ae:61 ingress 0x10246 (tunnel 582), u_encr 0x1, m_encr 0x1, slotport 0x246 wired, type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
Apr 3 14:24:08 2025 :522264: <10343> <DBUG> |authmgr| "MAC:34:48:ed:2d:ae:61: Allocating UUID: 204c0302880000000012926f
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| ac_active_add_mac_to_bucket: station 34:48:ed:2d:ae:61 in essid TUNNELED_NODE_ESSID (mac_user 0x36bf954) being added to bucket-map
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| auth_cluster_add_active_mac: essid TUNNELED_NODE_ESSID b_num 226 mu_mac 34:48:ed:2d:ae:61 macuser 0x36bf954
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| handle_sta_up_dn: mac 34:48:ed:2d:ae:61 macuser 00x36bf954 essid TUNNELED_NODE_ESSID user->essid TUNNELED_NODE_ESSID repready 0 repkey -1
Apr 3 14:24:08 2025 :522258: <10343> <DBUG> |authmgr| "VDR - Add to history of user user 34:48:ed:2d:ae:61 vlan 0 derivation_type Reset VLANs for Station up index 0.
Apr 3 14:24:08 2025 :522255: <10343> <DBUG> |authmgr| "VDR - set vlan in user for 34:48:ed:2d:ae:61 vlan 180 fwdmode 0 derivation_type Default VLAN.
Apr 3 14:24:08 2025 :522258: <10343> <DBUG> |authmgr| "VDR - Add to history of user user 34:48:ed:2d:ae:61 vlan 180 derivation_type Default VLAN index 1.
Apr 3 14:24:08 2025 :522255: <10343> <DBUG> |authmgr| "VDR - set vlan in user for 34:48:ed:2d:ae:61 vlan 180 fwdmode 0 derivation_type Current VLAN updated.
Apr 3 14:24:08 2025 :522258: <10343> <DBUG> |authmgr| "VDR - Add to history of user user 34:48:ed:2d:ae:61 vlan 180 derivation_type Current VLAN updated index 2.
Apr 3 14:24:08 2025 :522158: <10343> <DBUG> |authmgr| Role Derivation for user N/A-34:48:ed:2d:ae:61-3448ed2dae61 N/A Set AAA profile defaults.
Apr 3 14:24:08 2025 :522142: <10343> <DBUG> |authmgr| Setting default role to guest for user 34:48:ed:2d:ae:61".
Apr 3 14:24:08 2025 :522127: <10343> <DBUG> |authmgr| {L2} Update role from logon to guest for IP=N/A, MAC=34:48:ed:2d:ae:61.
Apr 3 14:24:08 2025 :522049: <10343> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61,IP=N/A User role updated, existing Role=logon/none, new Role=guest/none, reason=Set AAA profile defaults
Apr 3 14:24:08 2025 :522341: <10343> <DBUG> |authmgr| Client 34:48:ed:2d:ae:61 idle timeout 300 profile global
Apr 3 14:24:08 2025 :522254: <10343> <DBUG> |authmgr| VDR - mac 34:48:ed:2d:ae:61 rolename guest fwdmode 0 derivation_type Initial Role Contained vp not present.
Apr 3 14:24:08 2025 :522258: <10343> <DBUG> |authmgr| "VDR - Add to history of user user 34:48:ed:2d:ae:61 vlan 0 derivation_type Reset Role Based VLANs index 3.
Apr 3 14:24:08 2025 :522083: <10343> <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest,pDefRole:0x0x2719ed4
Apr 3 14:24:08 2025 :522255: <10343> <DBUG> |authmgr| "VDR - set vlan in user for 34:48:ed:2d:ae:61 vlan 180 fwdmode 0 derivation_type Current VLAN updated.
Apr 3 14:24:08 2025 :522258: <10343> <DBUG> |authmgr| "VDR - Add to history of user user 34:48:ed:2d:ae:61 vlan 180 derivation_type Current VLAN updated index 4.
Apr 3 14:24:08 2025 :522260: <10343> <DBUG> |authmgr| "VDR - Cur VLAN updated 34:48:ed:2d:ae:61 mob 0 inform 1 remote 0 wired 1 defvlan 180 exportedvlan 0 curvlan 180.
Apr 3 14:24:08 2025 :522308: <10343> <DBUG> |authmgr| Device Type index derivation for 34:48:ed:2d:ae:61 : dhcp (0,0,0) oui (0,0) ua (0,0,0) derived (0):
Apr 3 14:24:08 2025 :522128: <10343> <DBUG> |authmgr| download-L2: acl=7/0 role=guest, tunl=0x10246, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Apr 3 14:24:08 2025 :522050: <10343> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61,IP=N/A User data downloaded to datapath, new Role=guest/7, bw Contract=0/0, reason=layer 2 event driven download, Downloaded value for idle-timeout=10
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| auth_gsm_publish_channels: mac 34:48:ed:2d:ae:61 publish_list 3 user VALID macuser VALID ipuser NULL
Apr 3 14:24:08 2025 :522301: <10343> <DBUG> |authmgr| Auth GSM : USER publish for uuid 204c0302880000000012926f mac 34:48:ed:2d:ae:61 name 3448ed2dae61 role guest devtype wired 1 authtype 30 subtype 0 encrypt-type 0 conn-port 582 fwd-mode 0 roam 0 repkey -1
Apr 3 14:24:08 2025 :522287: <10343> <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac 34:48:ed:2d:ae:61 bssid 14:ab:ec:c6:f6:c0 vlan 180 type 5 data-ready 0 HA-IP n.a
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| auth_gsm_update_sections: publish_list 3 user VALID macuser VALID ipuser NULL rep-ready 0
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| auth_gsm_set_section_user_priv: In gsm_section_update for uuid 204c0302880000000012926f mac 34:48:ed:2d:ae:61 user_vp = FALSE
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| auth_gsm_publish_user_section: gsm_section_update success for uuid 204c0302880000000012926f mac 34:48:ed:2d:ae:61
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| auth_gsm_publish_mac_user_section: gsm_section_update success for mac 34:48:ed:2d:ae:61
Apr 3 14:24:08 2025 :522004: <10343> <DBUG> |authmgr| auth_gsm_publish_cluster_sta_section: csta_section_update success for mac 34:48:ed:2d:ae:61 stby_ip = 10.126.124.67
Apr 3 14:24:08 2025 :522026: <8753> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61 IP=10.100.80.10 User miss: ingress=0x10246, VLAN=180 flags=0x40000040
Apr 3 14:24:08 2025 :522122: <8753> <DBUG> |authmgr| Reset BWM contract: MAC=34:48:ed:2d:ae:61 userrole=guest, contract= (0/0), type=Per role, newrole=guest, bwmname=NA.
Apr 3 14:24:08 2025 :522006: <8753> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61 IP=10.100.80.10 User entry added: reason=Sibtye
Apr 3 14:24:08 2025 :522270: <8753> <DBUG> |authmgr| During User miss marking the user 34:48:ed:2d:ae:61 with ingress 0x10246, connection-type 6 as wired, muxtunnel = no
Apr 3 14:24:08 2025 :522169: <8753> <DBUG> |authmgr| Station inherit: IP=10.100.80.10 start bssid:14:ab:ec:c6:f6:c0 essid: TUNNELED_NODE_ESSID port:0x10246 (0x10246).
Apr 3 14:24:08 2025 :522341: <8753> <DBUG> |authmgr| Client 34:48:ed:2d:ae:61 idle timeout 300 profile global
Apr 3 14:24:08 2025 :522171: <8753> <DBUG> |authmgr| station inherit IP=10.100.80.10 bssid:14:ab:ec:c6:f6:c0 essid: TUNNELED_NODE_ESSID auth:1 type:Tunneled-User-MAC role:guest port:0x10246.
Apr 3 14:24:08 2025 :522341: <8753> <DBUG> |authmgr| Client 34:48:ed:2d:ae:61 idle timeout 300 profile global
Apr 3 14:24:08 2025 :522128: <8753> <DBUG> |authmgr| download-L2: acl=7/0 role=guest, tunl=0x10246, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Apr 3 14:24:08 2025 :522050: <8753> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61,IP=10.100.80.10 User data downloaded to datapath, new Role=guest/7, bw Contract=0/0, reason=New user IP processing, Downloaded value for idle-timeout=10
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_publish_channels: mac 34:48:ed:2d:ae:61 publish_list 5 user VALID macuser VALID ipuser VALID
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_cluster_get_repkey_for_user: station 34:48:ed:2d:ae:61 standby_uac_index 1 setting repkey to -1 match essid TUNNELED_NODE_ESSID b_num 226 repkey 8
Apr 3 14:24:08 2025 :522301: <8753> <DBUG> |authmgr| Auth GSM : USER publish for uuid 204c0302880000000012926f mac 34:48:ed:2d:ae:61 name 3448ed2dae61 role guest devtype wired 1 authtype 30 subtype 0 encrypt-type 0 conn-port 582 fwd-mode 0 roam 0 repkey 8
Apr 3 14:24:08 2025 :522287: <8753> <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac 34:48:ed:2d:ae:61 bssid 14:ab:ec:c6:f6:c0 vlan 180 type 5 data-ready 0 HA-IP n.a
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_change_tunneled_user_repkey: Tunneled User repkey change success for mac 34:48:ed:2d:ae:61 repkey 8
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_update_sections: publish_list 7 user VALID macuser VALID ipuser VALID rep-ready 1
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_set_section_user_priv: In gsm_section_update for uuid 204c0302880000000012926f mac 34:48:ed:2d:ae:61 user_vp = FALSE
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_publish_user_section: gsm_section_update success for uuid 204c0302880000000012926f mac 34:48:ed:2d:ae:61
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_publish_mac_user_section: gsm_section_update success for mac 34:48:ed:2d:ae:61
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_publish_cluster_sta_section: csta_section_update success for mac 34:48:ed:2d:ae:61 stby_ip = 10.126.124.67
Apr 3 14:24:08 2025 :522004: <8753> <DBUG> |authmgr| auth_gsm_publish_ip_user_section: gsm_section_update success for ip 10.100.80.10 mac 34:48:ed:2d:ae:61
Apr 3 14:24:19 2025 :522137: <8753> <DBUG> |authmgr| Sibyte-34:48:ed:2d:ae:61/10.100.80.10 : No match for User-Agent: FSpace HTTP.
Apr 3 14:24:19 2025 :522299: <8753> <DBUG> |authmgr| Auth GSM : DEV_ID_CACHE publish for mac 34:48:ed:2d:ae:61 dev-id:(0) os-version:(0) cassified-by: Auth(0)
I also checked the error log, but there is nothing in it regarding a failed download attempt.
------------------------------
Frederik
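Added example, not code from the thread or from HPE Aruba: a small Python triage script that runs over authmgr lines in the two formats quoted in this thread, the "show log" errors in Willem's reply (Dldb Role ... error / incomplete state) and the user-debug output in Frederik's reply (User role updated ... reason=Set AAA profile defaults), and reports per client MAC whether a downloadable role failed or whether the client simply kept the AAA-profile default role with no download entry logged at all. The sample lines are constructed from those two posts, and the classification rules (which message indicates what) are this example's own assumptions rather than documented AOS behaviour.

```python
"""Triage ArubaOS authmgr log lines for a downloadable user role (DUR) outcome.

Added example, not from the forum thread or from HPE Aruba. The sample lines
are constructed from the message formats quoted in the thread; the
classification rules are this example's own assumptions, not documented
AOS behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One regex for both styles seen in the thread:
#   user-debug : "Apr 3 14:24:08 2025 :522049: <10343> <INFO> |authmgr| ..."
#   show log   : "May 1 05:28:24 authmgr[3467]: <522280> <3467> <ERRS> |authmgr| ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\s+\d{4})?)\s+.*?"
    r"(?::(?P<id_a>\d{6}):|<(?P<id_b>\d{6})>)\s+<\d+>\s+<(?P<sev>\w+)>\s+"
    r"\|authmgr\|\s+(?P<msg>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
# "User role updated, existing Role=logon/none, new Role=guest/none, reason=..."
ROLE_UPDATE_RE = re.compile(
    r"User role updated, existing Role=(?P<old>[^/,]+)\S*, "
    r"new Role=(?P<new>[^/,]+)\S*, reason=(?P<reason>.*)$"
)
# "Dldb Role:NAME ... role is in error state" / "Dldb Role NAME: ... role in incomplete state"
DLDB_ERR_RE = re.compile(
    r"Dldb Role:?\s*(?P<role>[^\s:]+):?\s.*?role (?:is )?in (?P<state>\w+) state"
)


@dataclass
class ClientVerdict:
    mac: str
    final_role: str | None = None
    final_reason: str | None = None
    dldb_roles: set[str] = field(default_factory=set)  # downloadable roles this MAC was tied to

    def diagnosis(self, role_errors: dict[str, list[str]]) -> str:
        failed = [(r, s) for r in sorted(self.dldb_roles) for s in role_errors.get(r, [])]
        if failed:
            role, state = failed[-1]
            return (f"downloadable role {role} could not be applied (role in {state} state); "
                    "verify the gateway can reach ClearPass and trusts its certificate")
        if self.final_reason and self.final_reason.startswith("Set AAA profile defaults"):
            return (f"client holds the AAA-profile default role '{self.final_role}' and no "
                    "downloadable-role (Dldb) entry was logged for it")
        return f"client role '{self.final_role}' (reason: {self.final_reason})"


def triage(lines) -> tuple[dict[str, ClientVerdict], dict[str, list[str]]]:
    """Return ({mac: ClientVerdict}, {role_name: [error states]}) for the given log lines."""
    clients: dict[str, ClientVerdict] = {}
    role_errors: dict[str, list[str]] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an authmgr line, or a format this parser does not understand
        msg = m.group("msg")
        mac_m = MAC_RE.search(msg)
        mac = mac_m.group(1).lower() if mac_m else None
        client = clients.setdefault(mac, ClientVerdict(mac)) if mac else None

        err = DLDB_ERR_RE.search(msg)
        if err:
            # Some Dldb errors carry no MAC; key them by role name and link
            # the role back to any MAC that another Dldb line names.
            role_errors.setdefault(err["role"], []).append(err["state"])
            if client:
                client.dldb_roles.add(err["role"])
            continue

        upd = ROLE_UPDATE_RE.search(msg)
        if upd and client:
            # Later lines win: the last role update is the one in effect.
            client.final_role = upd["new"]
            client.final_reason = upd["reason"]
    return clients, role_errors


def report(log_text: str) -> list[str]:
    clients, role_errors = triage(log_text.splitlines())
    return [f"{mac}: {v.diagnosis(role_errors)}" for mac, v in sorted(clients.items())]


# Constructed sample (assumption): one client that fell back to the default
# role, modelled on the user-debug output in the thread, and one whose
# downloadable role failed, modelled on the show-log errors quoted in the thread.
SAMPLE_LOG = """\
Apr 3 14:24:08 2025 :522035: <10343> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61 Station UP: BSSID=14:ab:ec:c6:f6:c0 ESSID=TUNNELED_NODE_ESSID VLAN=180 AP-name=(null) u-encr-alg=0x1 m-encr-alg=0x1 at 14:24:08.354575
Apr 3 14:24:08 2025 :522049: <10343> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61,IP=N/A User role updated, existing Role=logon/none, new Role=guest/none, reason=Set AAA profile defaults
Apr 3 14:24:08 2025 :522050: <10343> <INFO> |authmgr| MAC=34:48:ed:2d:ae:61,IP=N/A User data downloaded to datapath, new Role=guest/7, bw Contract=0/0, reason=layer 2 event driven download, Downloaded value for idle-timeout=10
May 1 05:22:47 authmgr[3467]: <124830> <3467> <ERRS> |authmgr| Dldb Role 1c_ctrl_DUR1-3053-11: Users dequeued, role in incomplete state
May 1 05:28:24 authmgr[3467]: <522280> <3467> <ERRS> |authmgr| MAC=8a:32:54:2d:e6:2b Dldb Role:1c_ctrl_DUR1-3053-11 Cannot be assigned downloadable role, role is in error state
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it the concatenated output of "show log user-debug", "show log user all" and "show log security all" for the client; a MAC that ends with the profile default role and no Dldb entry points at the gateway never having started a download (configuration or PAPI hand-off), while a Dldb entry in error or incomplete state points at the download itself (ClearPass reachability or certificate trust).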
Original Message:
Sent: Apr 03, 2025 04:27 AM
From: willembargeman
Subject: DUR on 8.10.x
Please enable user-debug logging for the client MAC address. Then check the user debug logs and auth trace buf logs. Please also check the tunneled node mgr logs and enable security debugging.
I would expect to see something in the user-debug logs.
#enable debug user-debug log
logging user-debug <client-mac> level debugging
#show user-debug logs and auth-trace-buf
show log user-debug 500
show auth-tracebuf mac <client-mac>
#tunneled-node mgr log
show tunneled-node-mgr trace-buf
#security debug log
logging security level debugging
show log security 500
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Apr 02, 2025 04:36 PM
From: FreddyG
Subject: DUR on 8.10.x
Do you have any hint as to which log an error could be visible in? Or do I have to enable deeper debugging?
------------------------------
Frederik
Original Message:
Sent: Apr 02, 2025 10:46 AM
From: willembargeman
Subject: DUR on 8.10.x
Ok. ClearPass username/password is also configured on the Gateways I guess and IP traffic between gateway and ClearPass is allowed? Do you see any error in the gateway log files?
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Apr 02, 2025 10:43 AM
From: FreddyG
Subject: DUR on 8.10.x
Thanks for the quick answer.
Yes, I also use DUR on the gateways, and the root CA cert is also imported into the config.
The "Download Role from CPPM" checkbox is also set.
Currently the running version is 8.10.0.15.
BTW: with a static secondary role, everything works as expected.
------------------------------
Frederik
Original Message:
Sent: Apr 02, 2025 10:33 AM
From: willembargeman
Subject: DUR on 8.10.x
You don't need to configure any AAA profile for this, a default profile is used for this. The secondary role (name) is shared with the Gateway / Controller via PAPI.
On the gateways you're also using Downloadable User Roles? If yes, is the Gateway able to fetch the Role from ClearPass? For this the root certificate should be installed on the gateway.
Besides the certificate, you also have to enable "Download Role from CPPM" in the AAA profile "default-tunneled-user" (if I remember correctly).
What is the AOS version on the Gateway?
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Apr 02, 2025 10:20 AM
From: FreddyG
Subject: DUR on 8.10.x
Hi all,
Currently, I have a lab setup that is supposed to map UBT with DURs. For this, I authenticate a client on a switch port and assign the required role via ClearPass. The role downloaded to the switch includes a secondary role for the mobility gateway.
After successful authentication on the switch, the switch also downloads the role, and the client is tunneled. However, at the gateway, the client receives the user role "guest" instead of the one that the gateway is supposed to download.
I assume there is an error in my configuration on the gateway, preventing the download from working or being initiated correctly.
Which AAA profile is used on the controller for UBT, and what settings do I need to configure to ensure it works correctly?
------------------------------
Frederik
------------------------------