MVP
Posts: 992
Registered: ‎04-13-2009

802.1x Switch Configuration

Hi All,

 

I've configured 802.1x auth on some switch ports in my lab and I'm using ClearPass as the RADIUS server using AD as the source. I've got ClearPass configured to pass a role back to the switch if authentication is successful and that works great.


Next step is to allow guests to plug in and for them to be assigned a different role, let's say the guest role.


I don't want to do tunneled node as I don't want the potential extra overhead on my controller. I know in my lab this won't be an issue but for customers there's potential that it could be depending on certain factors.

 

Is this possible to do?

 

At the moment when my "guest laptop" plugs in they fail authentication, enforcement policies are ignored and they stay in the logon role on the switch.


Cheers

James


-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: 802.1x Switch Configuration

Do you want them to go through a registration process or just allow them on with a limited role?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 429
Registered: ‎05-30-2012

Re: 802.1x Switch Configuration

James,

You'll want to create a MAC-Auth service that is configured to allow all MAC and in the enforcement policy, if it is an unknown MAC, pass back a role of Guest (or whatever name you chose). I'll post some screenshots of what I mean a little later today.

 

Best regards,

 

Madani

MVP
Posts: 992
Registered: ‎04-13-2009

Re: 802.1x Switch Configuration

Hi,

 

I don't want them to register, just be placed into a particular role.

 

Screenshots would be perfect. :)

Cheers
James

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: 802.1x Switch Configuration

Just make the initial role "guest".  Upon a failed auth, they will be assigned guest.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 992
Registered: ‎04-13-2009

Re: 802.1x Switch Configuration


SethFiermonti wrote:

Just make the initial role "guest".  Upon a failed auth, they will be assigned guest.


Seth, great answer.

 

I've gone for configuring an allow all MAC authentication source and an enforcement policy which matches any MAC auth requests, then assign a ClearPass downloadable role. It's in a lab after all...

Cheers
James

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: 802.1x Switch Configuration

You'll have more flexibility in the future using ClearPass instead of the initial role.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: 802.1x Switch Configuration

Agreed. Didn't catch ClearPass was involved here.
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Occasional Contributor II
Posts: 12
Registered: ‎03-12-2013

Re: 802.1x Switch Configuration

I know I like to keep my initial role as something that doesn't actually provide any IP connectivity at all, because some clients will not deal well with getting a DHCP lease, and then getting shuttled to another role assigned by a ClearPass RADIUS VSA with a different VLAN associated.  If you keep clients in the same VLAN the whole time and just use your various user roles for ACL assignment, this wouldn't be a problem.

 

I don't know if it's the best way to do it but my initial role has an "allow-all" ACL associated, but no VLAN, which means it should derive its VLAN from the switching profile in the interface or interface-group configuration.  If no switching profile is configured it would fall back to the default switching profile with VLAN 1, which in my case is not something that will provide any IP connectivity to clients.

 

If the Aruba experts here think this isn't optimal please let me know.
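
The VLAN derivation and the DHCP concern described in the post above, as an added example that is not part of the original thread and is not Aruba code: a small Python model that resolves a role's effective VLAN (role VLAN, then the port's switching profile, then VLAN 1) and flags ports where the initial role already reaches a routed VLAN or where an assigned role would move a leased client to another VLAN. The function names, the "employee" role and every VLAN number other than 1 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_SWITCHING_VLAN = 1  # default switching profile VLAN named in the post


@dataclass(frozen=True)
class Role:
    name: str
    vlan: Optional[int] = None  # None: role carries only an ACL, no VLAN


def effective_vlan(role, port_profile_vlan=None):
    """Role VLAN first, then the port's switching profile, then VLAN 1."""
    if role.vlan is not None:
        return role.vlan
    if port_profile_vlan is not None:
        return port_profile_vlan
    return DEFAULT_SWITCHING_VLAN


def audit_port(initial, assignable, routed_vlans, port_profile_vlan=None):
    """List what can go wrong on one port before and after authentication.

    routed_vlans: VLANs where a client can get a DHCP lease (assumed input).
    """
    start = effective_vlan(initial, port_profile_vlan)
    if start not in routed_vlans:
        return []  # no lease before authentication, so nothing to strand
    findings = [f"initial role '{initial.name}' reaches routed VLAN {start} "
                "before authentication"]
    for role in assignable:
        end = effective_vlan(role, port_profile_vlan)
        if end != start:
            findings.append(f"role '{role.name}' moves a leased client "
                            f"from VLAN {start} to VLAN {end}")
    return findings


# Constructed sample data: VLAN 10/20/30 and the "employee" role are made up.
ROUTED = {10, 20, 30}
LOGON = Role("logon")  # allow-all ACL, no VLAN, as in the post
VLAN_ROLES = [Role("guest", 30), Role("employee", 20)]
ACL_ONLY_ROLES = [Role("guest"), Role("employee")]

if __name__ == "__main__":
    for profile in (None, 10):
        print(profile, audit_port(LOGON, VLAN_ROLES, ROUTED, profile))
    print(10, audit_port(LOGON, ACL_ONLY_ROLES, ROUTED, 10))
```

With no switching profile the logon role lands in unrouted VLAN 1 and the audit is clean; with a routed switching profile, the allow-all initial role itself is the first finding, and per-role VLANs add one finding each.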
