[PacketFence-users] Issue with Radius User Role attribut name (ARUBA CX 10.X): HP-User-Role vs Aruba-User-Role

Maxime KIEFFER via PacketFence-users Tue, 07 May 2024 07:46:30 -0700

Hello Community,

I’m working with ARUBA 6000 Switch with firmware 10.13.1010 and Role mapping by 
Switch Role.
It seems that Switch type  “Aruba::ArubaOS_CX_10_x” send Radius attribute 
HP-User-Role, instead of Aruba-User-Role while “Aruba Instant” type send the 
good one.
However, Aruba::ArubaOS_CX_10_x “Disconnect” work while it doesn’t with Aruba 
Instant type ☹.


Any idea where to change this attribute name in the model of 
Aruba::ArubaOS_CX_10_x ?


With Aruba::ArubaOS_CX_10_x, no mapping occurs, but Disconnect work (if role 
previously forced):

Request Time
RADIUS Request
CHAP-Challenge = "**",
CHAP-Password = "**",
Called-Station-Id = "**",
Calling-Station-Id = "**",
Event-Timestamp = "May  7 2024 15:00:48 CEST",
FreeRADIUS-Client-IP-Address = "10.130.10.203",
Message-Authenticator = "**",
NAS-IP-Address = "**",
NAS-Identifier = "**",
NAS-Port = "3",
NAS-Port-Id = "1\/1\/3",
NAS-Port-Type = "Ethernet",
PacketFence-KeyBalanced = "**",
PacketFence-Radius-Ip = "**",
Realm = "null",
Service-Type = "Call-Check",
Stripped-User-Name = "**",
User-Name = "**",
User-Password = "******"

RADIUS Reply
HP-User-Role = "UEZ-VOICE",
REST-HTTP-Status-Code = "200"


# show port-access client

Port Access Clients

RADIUS overridden user roles are suffixed with '*'

Flags: Onboarding-Method|Mode|Device-Type|Status

Onboarding-Method: 1x 802.1X, ma MAC-Auth, ps Port-Security, dp Device-Profile
Mode: c Client-Mode, d Device-Mode, m Multi-Domain
Device-Type: d Data, v Voice
Status: s Success, f Failed, p In-Progress, d Role-Download-Failed

--------------------------------------------------------------------------------------------------------------
Port     Client-Name             IPv4-Address    User-Role                      
     VLAN            Flags
--------------------------------------------------------------------------------------------------------------
1/1/3    80:5e:0c:d9:b4:64                                                      
     (u)1            ma|c|-|s


Disconnect (works):

Request Time
RADIUS Request
NAS-IP-Address = ** "
User-Name = ** "
NAS-Port =  "
Calling-Station-Id = **-**-**-**-**-**",

RADIUS Reply
Code = Disconnect-ACK "
Acct-Terminate-Cause = Admin-Reset



Using switch type “Aruba Instant” User-role is correctly mapped, but Disconnect 
and CoA doesn’t work :

Request Time
RADIUS Request
CHAP-Challenge = "**",
CHAP-Password = "**",
Called-Station-Id = "**",
Calling-Station-Id = "**",
Event-Timestamp = "May  7 2024 15:25:34 CEST",
FreeRADIUS-Client-IP-Address = "**",
Message-Authenticator = "**",
NAS-IP-Address = "**",
NAS-Identifier = "**",
NAS-Port = "3",
NAS-Port-Id = "1\/1\/3",
NAS-Port-Type = "Ethernet",
PacketFence-KeyBalanced = "**",
PacketFence-Radius-Ip = "**",
Realm = "null",
Service-Type = "Call-Check",
Stripped-User-Name = "**",
User-Name = "**",
User-Password = "******"

RADIUS Reply
Aruba-User-Role = "UEZ-VOICE",
REST-HTTP-Status-Code = "200"


# show port-access client

Port Access Clients

RADIUS overridden user roles are suffixed with '*'

Flags: Onboarding-Method|Mode|Device-Type|Status

Onboarding-Method: 1x 802.1X, ma MAC-Auth, ps Port-Security, dp Device-Profile
Mode: c Client-Mode, d Device-Mode, m Multi-Domain
Device-Type: d Data, v Voice
Status: s Success, f Failed, p In-Progress, d Role-Download-Failed

--------------------------------------------------------------------------------------------------------------
Port     Client-Name             IPv4-Address    User-Role                      
     VLAN            Flags
--------------------------------------------------------------------------------------------------------------
1/1/3    80:5e:0c:d9:b4:64                       UEZ-VOICE                      
     (t)25           ma|c|-|s



Disconnect (doesn’t work):
Request Time
RADIUS Request
Calling-Station-Id = ** "
NAS-IP-Address = ** "
User-Name = **",

RADIUS Reply
Code = Disconnect-NAK "
Error-Cause = Invalid-Request


For any references:

# show version
-----------------------------------------------------------------------------
ArubaOS-CX
(c) Copyright 2017-2024 Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version      : PL.10.13.1010
Build Date   : 2024-04-09 00:21:30 UTC
Build ID     : ArubaOS-CX:PL.10.13.1010:ef2109377880:202404090010
Build SHA    : ef21093778805e954ec130b0939d34927bb7ba19
Hot Patches  :
Active Image : primary

Service OS Version : PL.01.14.0002
BIOS Version       : PL.02.0002

# show system inventory

Type                 Location Product          Description                      
                  Serial           Hardware
                              Number                                            
                  Number           Version
-------------------- -------- ---------------- 
-------------------------------------------------- ---------------- -----------
Chassis              1        R8N87A           6000 24G Class4 PoE 4SFP 370W 
Switch               **********       3

Thank you !
Maxime Kieffer

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Issue with Radius User Role attribut name (ARUBA CX 10.X): HP-User-Role vs Aruba-User-Role

Reply via email to