Wired Intelligent Edge


switch fails to save local user policy

  • 1.  switch fails to save local user policy

    Posted May 05, 2023 08:53 AM

    I have a couple of 2930 switches running 16.10.24 and 16.11.10 firmware. On both I have the following defined:

    class ipv4 "DNS"
         10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
         20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
         30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
       exit
    class ipv4 "DHCP"
         10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
       exit
    class ipv4 "ICMP"
         10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    class ipv4 "allowall"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    class ipv4 "Permit-All"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    policy user "AllowAll"
         10 class ipv4 "DNS" action permit
         20 class ipv4 "DHCP" action permit
         30 class ipv4 "ICMP" action permit
         40 class ipv4 "Permit-All" action permit
       exit

    which gives me a basic setup to start from when creating local user roles to use with DURs.

    The above works ... until you reboot the switch; then, when it comes back, the policy statement is empty and you have to re-enter them manually. I would rather not do this when a site has tens of switches.


    Anyone seen this behaviour before?

    Have typed the class statements within the policy with a quoted class name or an unquoted name; it doesn't make a difference, it still doesn't work when you reboot the switch.
    :-(
    A
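    The symptom above (policy body present before a reboot, gone afterwards, on tens of switches) is easiest to catch by diffing saved copies of `show running-config` rather than by eye. The script below is an added example, not part of the original post and not an Aruba tool: it parses the `class ipv4` / `policy user` blocks of an AOS-S config, flags wildcard masks that are not a contiguous run (a typo such as `255.255.25.255` slips past a visual check), flags policies that reference undefined classes or have no entries at all, and reports which entries vanished between a "before" and an "after" capture. The two config excerpts are constructed samples modelled on the post's config; the `DHCP` class is deliberately omitted from them to show the dangling-reference check.

```python
import re
from typing import Dict, List, Tuple

Block = Tuple[str, str]  # (kind, name), e.g. ("policy user", "AllowAll")

# Constructed sample: running-config excerpt captured before the reboot.
# The "DHCP" class is intentionally missing and "Permit-All" carries a
# mis-typed wildcard mask, to exercise the checks below.
BEFORE = """\
class ipv4 "DNS"
     10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
   exit
class ipv4 "Permit-All"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.25.255
   exit
policy user "AllowAll"
     10 class ipv4 "DNS" action permit
     20 class ipv4 "DHCP" action permit
     40 class ipv4 "Permit-All" action permit
   exit
"""

# Constructed sample: the same switch after the reboot; the policy is empty.
AFTER = """\
class ipv4 "DNS"
     10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
   exit
class ipv4 "Permit-All"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.25.255
   exit
policy user "AllowAll"
   exit
"""

BLOCK_RE = re.compile(r'^(class ipv4|policy user)\s+"?([^"\s]+)"?\s*$')
ENTRY_CLASS_RE = re.compile(r'^\d+\s+class ipv4\s+"?([^"\s]+)"?\s+action\s+\w+')
# seq, protocol, src, src-wildcard, dst, dst-wildcard (remaining tokens ignored)
MATCH_RE = re.compile(r'^\d+\s+match\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)')


def parse_blocks(config: str) -> Dict[Block, List[str]]:
    """Return {(kind, name): [entry lines]} for every class/policy block."""
    blocks: Dict[Block, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def is_contiguous_wildcard(mask: str) -> bool:
    """True when the wildcard's set bits form one run from the low end
    (0.0.0.0, 0.0.0.255, 255.255.255.255 ...); 255.255.25.255 fails."""
    octets = [int(o) for o in mask.split(".")] if mask.count(".") == 3 else []
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        return False
    value = 0
    for o in octets:
        value = (value << 8) | o
    return ((value + 1) & value) == 0


def odd_wildcards(blocks: Dict[Block, List[str]]) -> List[str]:
    """Match lines whose source or destination wildcard is not contiguous."""
    findings = []
    for (kind, name), entries in blocks.items():
        if kind != "class ipv4":
            continue
        for line in entries:
            m = MATCH_RE.match(line)
            if m and not all(is_contiguous_wildcard(w) for w in (m.group(2), m.group(4))):
                findings.append(f"{name}: {line}")
    return findings


def dangling_classes(blocks: Dict[Block, List[str]]) -> List[str]:
    """Policy entries that reference a class the config does not define."""
    defined = {name for (kind, name) in blocks if kind == "class ipv4"}
    findings = []
    for (kind, name), entries in blocks.items():
        if kind != "policy user":
            continue
        for line in entries:
            m = ENTRY_CLASS_RE.match(line)
            if m and m.group(1) not in defined:
                findings.append(f"{name} -> {m.group(1)}")
    return sorted(findings)


def empty_policies(blocks: Dict[Block, List[str]]) -> List[str]:
    """Policies that exist by name but carry no class entries."""
    return sorted(name for (kind, name), entries in blocks.items()
                  if kind == "policy user" and not entries)


def lost_entries(before: str, after: str) -> List[str]:
    """Blocks whose entries are present in `before` but missing in `after`."""
    b, a = parse_blocks(before), parse_blocks(after)
    lost = []
    for key, entries in b.items():
        missing = [e for e in entries if e not in a.get(key, [])]
        if missing:
            lost.append(f'{key[0]} "{key[1]}": {len(missing)} entries missing')
    return lost


if __name__ == "__main__":
    for finding in odd_wildcards(parse_blocks(BEFORE)) + dangling_classes(parse_blocks(BEFORE)):
        print("config check:", finding)
    for finding in lost_entries(BEFORE, AFTER):
        print("after reboot:", finding)
```

    In practice you would capture `show running-config` over SSH before issuing `write memory` and again after `boot`, then feed the two captures to `lost_entries`; a non-empty result on any switch is the case to open with TAC, together with the firmware version and the exact blocks that went missing.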



  • 2.  RE: switch fails to save local user policy

    Posted May 05, 2023 09:28 AM

    Apologies if this is a stupid question, but did you save (write mem) the configuration before the switch reboot?
    Have you enabled role-based in the switch configuration? I think you can't even configure if you have not, but just to be sure.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: switch fails to save local user policy

    Posted May 05, 2023 10:38 AM
    Yup,
    Numerous write mems.
    Yes, role-based enabled, downloadable user roles set up.
    Can see DURs appearing on the switch; change one on CPPM and the one on the switch gets updated.

    This is my dev stuff at home .




  • 4.  RE: switch fails to save local user policy

    Posted May 09, 2023 12:47 AM

    Did the client onboard successfully after reboot? Since it's DUR, asking this question.



    ------------------------------
    Shobana
    Aruba
    ------------------------------



  • 5.  RE: switch fails to save local user policy

    Posted May 09, 2023 03:37 AM
    Hi,
    So after trying a few firmware releases between WC.16.10.21 and WC.16.11.10, all of which exhibited the same issue, I upgraded my 2 2930s to WC.16.11.11 and when they rebooted, … the policy was there after the “boot sys fl xx”.


    Thought that had fixed it, so I rebooted again, no changes, and next time … they weren’t there again.

    Just did a copy fl. fl pro to get both flashes to 16.11.11 and rebooted into the new primary … and it came back with the policy present, so no idea why it's doing what it does.

    Also, re the DUR not being installed,

    A sh port-access clients shows
    Aruba-2930F# sh port-access clients

    Downloaded user roles are preceded by *

    Port Access Client Status

    Port  Client Name    MAC Address    IP Address     User Role          Type   VLAN
    ----- -------------- -------------- -------------- ------------------ ------ ----
    3     ND-SpareRo...  204c03-5ad8be  192.168.4.8    mydevices-role     8021X  4
    4     ND-TV-Room...  204c03-3aa640  192.168.4.10   mydevices-role     8021X  4
    5     Barn@aruba.ap  204c03-183124  192.168.4.11   mydevices-role     8021X  4
    6     20-4C-03-3...  204c03-3bf72c  192.168.5.2    *GreenlnkWifi_...  MAC    5
    7     68-27-19-A...  682719-a562b6  192.168.2.4    servers            MAC    2
    8     ND-Kitchen...  204c03-1792c8  192.168.4.13   mydevices-role     8021X  4



    While a sh user-role down gives

    Aruba-2930F# sh user-role down

    Downloaded user roles are preceded by *

    Downloaded User Roles

    Enabled : Yes
    Type Name
    ---------- ------------------------------------------------------
    downloaded *APs-3264-3
    downloaded *GreenlnkWifi_DUR-3232-3
    downloaded *mydevices_DUR_Switch-3221-14



    Adding detail shows that the contents are correct.

    Change the DUR on CPPM and the version number on the switch increases.

    Force a reauth on a client and you get:


    W 05/09/23 08:11:12 05204 dca: Failed to apply user role APs-3264-3_7Z4q to
    8021X client 204C03183124 on port 5: user role is invalid.


    The key bit here is the fact that there's a _7Z4q at the end of the user-role that's failing … and of course that doesn't exist.


    So the good news is that at least they are using the local user-roles and that 1 downloadable one is being used …
    The bad news is that I have no idea why the other user-roles aren’t being used, or why the erroneous role has that bit at the end.

    Really stumped with this

    A
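    The warning quoted above is the one line in the thread that actually names the role the switch tried to apply, so it is worth parsing mechanically rather than reading it off a console. The script below is an added example, not part of the original post and not an Aruba tool: it unwraps `show logging` output (the post shows the event wrapped across two lines), pulls the role, client MAC and port out of each `dca: Failed to apply user role` event, splits the role into the `<name>-<processid>-<version>` form the thread describes plus any trailing suffix, checks the base name against `show user-role downloaded`, and reports the bare name length, since a later reply asks about name lengths. The `show user-role downloaded` text is taken from the post; the second log line is a constructed sample for a role that was never downloaded. The script only shows that the applied name differs from every installed role by a trailing suffix; it does not explain where the suffix comes from, which the thread leaves unresolved.

```python
import re
from typing import Dict, List, Optional, Set

# `show user-role downloaded` output, as listed in the post above.
SHOW_USER_ROLE_DOWNLOADED = """\
Downloaded User Roles

Enabled : Yes
Type       Name
---------- ------------------------------------------------------
downloaded *APs-3264-3
downloaded *GreenlnkWifi_DUR-3232-3
downloaded *mydevices_DUR_Switch-3221-14
"""

# Event-log sample. The first event is the warning quoted in the post
# (wrapped across two lines as shown there); the second is a constructed
# line for a role that was never downloaded.
EVENT_LOG = """\
W 05/09/23 08:11:12 05204 dca: Failed to apply user role APs-3264-3_7Z4q to
8021X client 204C03183124 on port 5: user role is invalid.
W 05/09/23 08:12:40 05204 dca: Failed to apply user role Guest-9999-1 to
MAC client 682719A562B6 on port 7: user role is invalid.
"""

# Severity letter, MM/DD/YY, HH:MM:SS, event id: the start of a new event.
LOG_START_RE = re.compile(r'^[IWMED]\s+\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+\d+\s+')
FAIL_RE = re.compile(
    r'dca: Failed to apply user role (?P<role>\S+) to (?P<auth>\S+) client '
    r'(?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>\S+): (?P<reason>.+?)\.?$'
)
# Installed DUR names are <name>-<processid>-<version> per the thread;
# anything after the version is treated as an unexpected suffix.
ROLE_RE = re.compile(r'^(?P<base>(?P<name>.+?)-\d+-\d+)(?P<suffix>_\w+)?$')


def unwrap_log(text: str) -> List[str]:
    """Join continuation lines onto the event that precedes them."""
    events: List[str] = []
    for line in text.splitlines():
        if LOG_START_RE.match(line):
            events.append(line.strip())
        elif events and line.strip():
            events[-1] += " " + line.strip()
    return events


def parse_downloaded_roles(text: str) -> Set[str]:
    """Role names from `show user-role downloaded`, leading '*' removed."""
    roles: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "downloaded":
            roles.add(parts[1].lstrip("*"))
    return roles


def parse_failures(text: str) -> List[Dict[str, str]]:
    """Every 'Failed to apply user role' event as a dict of its fields."""
    out = []
    for event in unwrap_log(text):
        m = FAIL_RE.search(event)
        if m:
            out.append(m.groupdict())
    return out


def diagnose(role: str, downloaded: Set[str]) -> Dict[str, object]:
    """Classify a rejected role name against the installed DUR list."""
    m = ROLE_RE.match(role)
    base = m.group("base") if m else role
    name = m.group("name") if m else role
    suffix: Optional[str] = m.group("suffix") if m else None
    installed = base in downloaded
    if installed and suffix:
        verdict = "suffixed copy of an installed role"
    elif not installed:
        verdict = "not downloaded"
    else:
        verdict = "installed but rejected"
    return {"role": role, "base": base, "suffix": suffix,
            "name_length": len(name), "base_installed": installed,
            "verdict": verdict}


def triage(log: str, show_output: str) -> List[Dict[str, object]]:
    downloaded = parse_downloaded_roles(show_output)
    results = []
    for f in parse_failures(log):
        d = diagnose(f["role"], downloaded)
        d.update(client=f["mac"], port=f["port"], auth=f["auth"])
        results.append(d)
    return results


if __name__ == "__main__":
    for r in triage(EVENT_LOG, SHOW_USER_ROLE_DOWNLOADED):
        print(f"port {r['port']} {r['auth']} {r['client']}: {r['role']} -> {r['verdict']}"
              f" (base={r['base']}, suffix={r['suffix']}, name length={r['name_length']})")
```

    Run it over a `show logging -r` capture and the current `show user-role downloaded` listing from the same switch; a "suffixed copy of an installed role" verdict reproduces the case in this thread, while "not downloaded" points at ClearPass enforcement or RADIUS delivery rather than the switch.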




  • 6.  RE: switch fails to save local user policy

    Posted Dec 08, 2025 12:41 PM

    Hello,

    I have exactly the same issue, did you ever resolve this?

    I have about 5 DURs working as expected on the same switch, but the last one added does not work; I can see the role gets downloaded by ClearPass, but afterwards the role cannot be applied due to the _7Z4q at the end added to the role. When I check with a Wireshark capture, I can see that ClearPass is sending the correct role without the _7Z4q at the end, but for some reason the switch adds the _7Z4q to the user-role.

    Thanks  in advance! 

    Thomas



    ------------------------------
    Thomas
    ------------------------------



  • 7.  RE: switch fails to save local user policy

    Posted Dec 09, 2025 03:21 AM
    Hi,
    Only thought is: are you sure the DUR is valid? When creating it, did you use the “Standard” or “Advanced” setting? Did you specify the correct type of DUR for your switch?
    A




  • 8.  RE: switch fails to save local user policy

    Posted Dec 09, 2025 03:37 AM

    hey,

    Yes, I am sure it is correct; it is a copy of other working DURs on the same switch, only the VLAN was changed. I also see the role being downloaded and installed on the switch with the correct settings.

    But clients are not assigned. On our CX switches we don't have the issue, only on the AOS-S switches and only with the last created DURs; the others are working fine.

    I have now even created a simple test, with the most simple configuration assigning a client to a named VLAN, but it still fails to assign the user to the role.

    This is the log:
    Now I've read the release notes of the switch and I can see this; maybe it is related?
    I proposed to my end customer to upgrade the switch to the latest version; let's see what will happen :-)
    kr,

    Thomas



    ------------------------------
    Thomas
    ------------------------------



  • 9.  RE: switch fails to save local user policy

    Posted Dec 09, 2025 03:41 AM
    Following on from my previous message … I suspect the extra chars you see are part of the name when it’s downloaded to the switch. It’s then renamed without the extra chars into the <durname-processid-version> format.
    A




  • 10.  RE: switch fails to save local user policy

    Posted Dec 09, 2025 04:45 AM

    Out of interest, how many chars are in the DUR that fails as compared to the others that work?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 11.  RE: switch fails to save local user policy

    Posted Dec 09, 2025 04:52 AM

    I know what you mean, but I already checked that part. 🙂
    The maximum is around 52 characters, if I remember correctly.

    • The ones that are working are between 21 and 32 characters.
    • The one that doesn't work is 25 characters.


    ------------------------------
    Thomas
    ------------------------------