Security

Hello!

We have a problem with one of our switches that I do not know how to resolve.

We are getting a Parse error of the DUR role. Se logs below from debugging

The role works on other AOS switches in our enviroment. Currently, I have only seen this on one switch.

The 2540 switch are running YC.16.11.0013 but ran YC.16.10.0020 before. Same error on both.

The config is the same a a working AOS switch as I have done a config compare and also re-configured the CPPM details in the switch.

Anyone who has any ideas?

0251:17:36:55.01 AUOR  m8021xCtrl:Auth Order: Port 15: Client status updated for client: 04d9f5-7beccc, auth-method: 2 , auth-state: 1 .
0251:17:36:55.06 SSL  mcppmTask: (CLIENT)
0251:17:36:55.06 SSL  mcppmTask: Finished
0251:17:36:55.06 SSL  mcppmTask:

0251:17:36:55.09 SSL  mcppmTask:SSL_closeConnection() from AppType:
0251:17:36:55.09 SSL  mcppmTask:4
0251:17:36:55.09 UMIB mcppmTask:Download of userRole AAM_BBB_CC_STD-3036-7 is
   success
0251:17:36:55.09 UMIB mcppmTask:Parsing of downloaded userRole
   AA_BBB_CC_STD-3036-7 is Failed with reason PARSE_ERROR_NO_ENFORCEMENT
0251:17:36:55.09 UMIB mdcaCtrl: Sending message to authentication task for
   client with request-id 63
0251:17:36:55.09 1X   m8021xCtrl:Port 15: Received Auth Success for client
   04d9f5-7beccc, User xxx.xxxx@xxxx.com.
0251:17:36:55.09 UMIB mdcaCtrl:Removing DUR Client with request-id 63 for
   downloadable user role AA_BBB_CC_STD-3036-7 from waiting queue as role
   parsing failed
0251:17:36:55.09 UMIB m8021xCtrl:8021X Deauthenticating client 04D9F57BECCC on
   port 15, downloaded user role AA_BBB_CC_STD-3036-7 is not valid as
   enforcement profile not present.
0251:17:36:55.09 UMIB m8021xCtrl:Mac: 04d9f5-7beccc Port: 15 Adding auth client
   to DCA failed because of DUR parse error.

Hi Mikael

Sounds strange. Do I understand you correct that the same DUR with the same version number works fine on another switch running the same firmware version?

In some situations when I have had issues with downloadable user roles it have been when the DUR have been created in advanced mode and a new version have a syntax error. But clients already authenticated have an old working version.

In your exemple DUR name the last digit is the version number AA_BBB_CC_STD-3036-7.

Have the DUR been working on these switches or has it never been working on them?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Hello Jonas! 

Thank you for having a look at my issue and taking the time to respond.

The same version is working on other switches. Just confirmed it and re-checked.

I also downloaded configured it on a "new" switch that never had any aaa ports enabled. Worked as intended. Also a 2540, same version and config.

This is an ongoing Clearpass rollout and we are currently testing wired 1.x on a number of random clients. This switch has not hade any prior clients attached to it using EAP or Mac auth. The other switches that have a selected client on them works fine and I also ran a couple of tests today just adding a port and using my laptop (with cable) just to confirm it working on others but not on this one.

I also tried with our Mac based Access Point authentication as well as my role - same issue. Nothing worked and it complains on parsing.

And yes, it sounds like it's time to let the Tac have a look :)

Original Message:
Sent: Sep 07, 2023 09:48 AM
From: Jonas Hammarback
Subject: Parse error of downloaded userRole

Hi Mikael

Sounds strange. Do I understand you correct that the same DUR with the same version number works fine on another switch running the same firmware version?

In some situations when I have had issues with downloadable user roles it have been when the DUR have been created in advanced mode and a new version have a syntax error. But clients already authenticated have an old working version.

In your exemple DUR name the last digit is the version number AA_BBB_CC_STD-3036-7.

Have the DUR been working on these switches or has it never been working on them?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

i would also completely factory default that switch and start from scratch, to see if that makes a difference.

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Sep 07, 2023 12:30 PM
From: mikael.svensson
Subject: Parse error of downloaded userRole

Hello Jonas! 

Thank you for having a look at my issue and taking the time to respond.

The same version is working on other switches. Just confirmed it and re-checked.

I also downloaded configured it on a "new" switch that never had any aaa ports enabled. Worked as intended. Also a 2540, same version and config.

This is an ongoing Clearpass rollout and we are currently testing wired 1.x on a number of random clients. This switch has not hade any prior clients attached to it using EAP or Mac auth. The other switches that have a selected client on them works fine and I also ran a couple of tests today just adding a port and using my laptop (with cable) just to confirm it working on others but not on this one.

I also tried with our Mac based Access Point authentication as well as my role - same issue. Nothing worked and it complains on parsing.

And yes, it sounds like it's time to let the Tac have a look :)

Original Message:
Sent: Sep 07, 2023 09:48 AM
From: Jonas Hammarback
Subject: Parse error of downloaded userRole

Hi Mikael

Sounds strange. Do I understand you correct that the same DUR with the same version number works fine on another switch running the same firmware version?

In some situations when I have had issues with downloadable user roles it have been when the DUR have been created in advanced mode and a new version have a syntax error. But clients already authenticated have an old working version.

In your exemple DUR name the last digit is the version number AA_BBB_CC_STD-3036-7.

Have the DUR been working on these switches or has it never been working on them?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Hey, 

i got the exact same error message and noticed this: 

We configure our switches with airwave templates. A new switch installed via template got this error (this never worked before, we are quite new in this topic).

I think it has something to do with this command: "radius-server cppm identity "<Role-Name>" key <Key>" (I stripped away to confidential information)

The template pushes this command to the switch. Then we get the error. When I execute this command manually on the ClI, everything works as desired and the error disappears.

Could anyone confirm this behavior? 

Original Message:
Sent: Sep 07, 2023 07:19 PM
From: ariyap
Subject: Parse error of downloaded userRole

i would also completely factory default that switch and start from scratch, to see if that makes a difference.

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------


Original Message:
Sent: Sep 07, 2023 12:30 PM
From: mikael.svensson
Subject: Parse error of downloaded userRole

Hello Jonas! 

Thank you for having a look at my issue and taking the time to respond.

The same version is working on other switches. Just confirmed it and re-checked.

I also downloaded configured it on a "new" switch that never had any aaa ports enabled. Worked as intended. Also a 2540, same version and config.

This is an ongoing Clearpass rollout and we are currently testing wired 1.x on a number of random clients. This switch has not hade any prior clients attached to it using EAP or Mac auth. The other switches that have a selected client on them works fine and I also ran a couple of tests today just adding a port and using my laptop (with cable) just to confirm it working on others but not on this one.

I also tried with our Mac based Access Point authentication as well as my role - same issue. Nothing worked and it complains on parsing.

And yes, it sounds like it's time to let the Tac have a look :)

Original Message:
Sent: Sep 07, 2023 09:48 AM
From: Jonas Hammarback
Subject: Parse error of downloaded userRole

Hi Mikael

Sounds strange. Do I understand you correct that the same DUR with the same version number works fine on another switch running the same firmware version?

In some situations when I have had issues with downloadable user roles it have been when the DUR have been created in advanced mode and a new version have a syntax error. But clients already authenticated have an old working version.

In your exemple DUR name the last digit is the version number AA_BBB_CC_STD-3036-7.

Have the DUR been working on these switches or has it never been working on them?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution