Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Un-trusted ports and user authentication

A while back I set up an un-trusted port to authenticate users on non-Aruba access points through the captive portal on my M3 Controller. Works like a charm.

I was recently asked if 802.1x could be used instead of the Captive Portal login page to authenticate wired users on an un-trusted port. My recollection is that all traffic on such a port is automatically directed to the Captive Portal, so the web login is the only choice for wired users, but I am hoping to be proven wrong.

Is there a way to configure an un-trusted port to authenticate users using 802.1x PEAP/MS-CHAPv2?
Guru Elite
Posts: 20,011
Registered: ‎03-29-2007

Re: Un-trusted ports and user authentication

The issue with wired 802.1x is that it is "link local". That means that the first switch that encounters an EAPOL or 802.1x frame either needs to process it or discard it. So, the switch between the Aruba controller and your clients will typically discard an EAPOL frame. There are a few switches, few and far between, that have EAP passthrough, and just regular hubs that will pass an EAPOL frame on to the Aruba.

With that being said, what you have to do to do wired 802.1x:

aaa authentication wired
   profile <profile>

Profile can be the AAA profile that you want to use for wired 802.1x.
Colin Joseph
Aruba Customer Engineering

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

So it's back to the drawing board.

Thanks Colin,

I had previously tried the aaa authentication wired line in my config without success. The point you make about 802.1x being link local makes perfect sense though and is likely the reason for my lack of success. Oh well, back to the drawing board as they say, but at least I learned something new about 802.1x.
