Aruba Solution Exchange

Mobility Access Switch MAC/802.1X Authentication

Summary

This solution configures port authentication on an Aruba Mobility Access Switch. Various combinations of authentication methods can be configured, including but not limited to MAC authentication only, MAC authentication + 802.1X authentication (with or without fail-through enabled), and 802.1X authentication + Machine authentication. User, MAC and Machine authentication can be checked against the switch's internal database, or a RADIUS server such as ClearPass Policy Manager (CPPM) can be specified. The solution asks the user which interfaces to build the configuration for.

Minimum Software Version(s) Required

ArubaOS version 7.2 or greater is required to configure the RFC 3576 Dynamic Authorization feature. This feature allows the RADIUS server to dynamically send user disconnect and change-of-authorization (CoA) messages to the NAS device (switch/controller).

Configuration Notes

Warning: This solution creates multiple user roles for authenticated users, including individual roles for the various authentication methods (MAC, 802.1X, and Machine Auth). All roles created by this solution give the user full access. It is strongly recommended to place additional restrictions on each user role created by this solution to match your security policy. See the user guide for more information on creating user roles and ACLs.

When enabling both MAC authentication and 802.1X authentication on a port, ArubaOS offers a feature called "L2 Authentication Fail Through", which allows mixed authentication modes. If L2 auth fail-through is not enabled, both the MAC authentication and the 802.1X authentication must succeed before the user is given access. Enabling L2 auth fail-through allows a user who fails MAC authentication to still proceed to 802.1X authentication. See the Mixed Authentication Modes table below for the possible role assignments based on the MAC/802.1X authentication results.

Mixed Authentication Modes when L2 Authentication Fail Through is Enabled

Authentication         | 1       | 2-3     | 4       | 5-6
MAC authentication     | Success | Success | Fail    | Fail
802.1X authentication  | Success | Fail    | Success | Fail
Role Assignment        | 802.1x  | MAC     | 802.1x  | logon


Machine Authentication provides a second authentication factor for 802.1X on Windows PCs. Successful machine authentication requests are cached by the switch/controller for 24 hours by default; this cache timeout can be changed. A user is placed in one of four different roles depending on the combined result of Machine Auth and User Auth. The role mappings are described in the table below.

Role Derivation when Machine Authentication is Enabled

                | Machine Auth Fail              | Machine Auth Pass
User Auth Fail  | Initial Role                   | Machine-Auth Machine-Default-Role
User Auth Pass  | Machine-Auth User-Default-Role | Dot1x Default Role
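To make the two role tables above and the 24-hour machine-auth cache concrete, here is a small policy model written for this page (an added example, not Aruba code and not the solution's generated configuration). Role names are taken from the tables; it assumes that when fail-through is disabled a port whose MAC or 802.1X check fails stays in the "logon" role, and that the cache is keyed by client MAC with timestamps in seconds.

```python
from dataclasses import dataclass, field
from enum import Enum


class Auth(Enum):
    SUCCESS = "success"
    FAIL = "fail"


def l2_role(mac: Auth, dot1x: Auth, fail_through: bool) -> str:
    """Role after MAC + 802.1X on one port (Mixed Authentication Modes table)."""
    if not fail_through:
        # Without L2 fail-through both methods must succeed; otherwise the
        # client stays in the initial "logon" role (assumption for this model).
        both_ok = mac is Auth.SUCCESS and dot1x is Auth.SUCCESS
        return "802.1x" if both_ok else "logon"
    if dot1x is Auth.SUCCESS:
        return "802.1x"            # columns 1 and 4: 802.1X wins when it passes
    return "MAC" if mac is Auth.SUCCESS else "logon"   # columns 2-3 / 5-6


@dataclass
class MachineAuthCache:
    """Switch-side cache of successful machine authentications (24 h default)."""
    ttl_seconds: int = 24 * 3600
    _expires: dict = field(default_factory=dict)   # client MAC -> expiry time

    def record_success(self, client_mac: str, now: float) -> None:
        self._expires[client_mac] = now + self.ttl_seconds

    def is_valid(self, client_mac: str, now: float) -> bool:
        return self._expires.get(client_mac, 0.0) > now


def machine_auth_role(machine_passed: bool, user_passed: bool) -> str:
    """Role Derivation when Machine Authentication is Enabled (2x2 table)."""
    if machine_passed and user_passed:
        return "Dot1x Default Role"
    if machine_passed:
        return "Machine-Auth Machine-Default-Role"
    if user_passed:
        return "Machine-Auth User-Default-Role"
    return "Initial Role"


def user_login_role(cache: MachineAuthCache, client_mac: str,
                    user_passed: bool, now: float) -> str:
    """Role at user logon: machine auth counts only while its cache entry lives."""
    return machine_auth_role(cache.is_valid(client_mac, now), user_passed)
```

A user whose machine authenticated 25 hours earlier lands in the User-Default role, not the Dot1x Default role, which is the usual cause of "machine auth worked yesterday" tickets.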

Platform(s) Tested

Aruba Mobility Access Switch S2500 running AOS 7.2.2.1.

Licensing

No special licenses are required.

References

User Guide: Aruba OS 7.2.0 (Mobility Switch)

Version History
Revision #: 1 of 1
Last update: 09-17-2014 02:19 PM