I can imagine that the initial role cannot have reauth in it, because any authentication happening after it will override the initial role. The initial role is applied before authentication happens, and would allow you to send traffic to a port before it authenticates, or set a role if authentication is disabled. You might need to create a separate role without the reauth as the initial role. It may also be useful to work with TAC to find out if this is indeed expected, and possibly get this 'resolved', as it would be nice to have the same role as initial role and quarantine/profiling role, and the error messages are far from clear (good you found the solution).
If you have a 'failed to apply user role', no traffic is allowed at all (fail-close), so I can imagine that DHCP fingerprinting is not working either. TAC may have a good workaround.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 10, 2023 06:02 AM
From: alexs-nd
Subject: local user roles for initial role and critical role, what is allowed in them
Hi,
I've been tracing a switch log error about invalid user roles:
W 07/10/23 09:36:26 05204 dca: Failed to apply user role to macAuth client 02017CB3A025 on port 4: user role is invalid.
What I had was:
aaa authorization user-role name "servers"
policy "AllowAll"
reauth-period 3600
vlan-name "servers"
exit
Then I used them as follows:
aaa port-access 4 auth-order authenticator mac-based
aaa port-access 4 auth-priority authenticator mac-based
aaa port-access 4 critical-auth user-role "servers"
aaa port-access 4 initial-role "servers"
The above generated the error. Removing the reauth-period entry fixed the message. Replacing initial-role "servers" with another user role without the reauth also sorted it, allowing me to leave reauth-period in the "servers" user role and use it for the critical-auth role statements.
The documentation for initial-role is rather brief, something like "this is an initial role" and not much else.
So what's allowed in an initial role?
A side effect of the above error is that if you have DHCP fingerprinting set up, it doesn't work.
show device-fingerprinting client-... gives nothing
and no logs show any discovery relating to collector output. Fixing the user-role install and it all springs into life.
Rgds
Alex
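For reference, here is the split-role configuration described in the thread written out as one fragment. This is an added example, not configuration from either poster; the role name "servers-initial" is a constructed name, and the commands are only those already shown in the original post (the "servers" role keeps its reauth-period for critical-auth, while the initial role is a copy without it).

```text
! Role used for critical-auth: keeps reauth-period (constructed example, not the poster's config)
aaa authorization user-role name "servers"
policy "AllowAll"
reauth-period 3600
vlan-name "servers"
exit

! Separate role for initial-role: same policy and VLAN, but no reauth-period
! ("servers-initial" is a constructed name)
aaa authorization user-role name "servers-initial"
policy "AllowAll"
vlan-name "servers"
exit

aaa port-access 4 auth-order authenticator mac-based
aaa port-access 4 auth-priority authenticator mac-based
aaa port-access 4 critical-auth user-role "servers"
aaa port-access 4 initial-role "servers-initial"
```

After applying this, the "Failed to apply user role ... user role is invalid" log line should no longer appear for the port, and since the role now installs, the fail-close behaviour that also blocked DHCP fingerprinting is lifted. Whether reauth-period in an initial role is rejected by design is still a question for TAC, as the reply above notes.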