3 weeks ago
Quickly glanced at that ArubaOS & Cisco IOS CLI Referenced Guide & I've read through both of the Switch Management and Configuration Guide & Switch Access Security Guide (KA_KB.16.03).
I have yet to come across anything that would re-create Cisco's Inaccessible Authentication Bypass config to put a port in a VLAN in the event that the RADIUS server is unresponsive.
Access Security Guide does reference "No server(s) responding." messages, but it doesn't provide any more information regarding what alternative configurations are available.
The Access Security Guide does reference 802.1X Open VLAN mode & both an Authorized-Client VLAN & an Unauthorized-Client VLAN, but no explicit mention of what happens when the RADIUS server is unrechable.
As such, are we to assume that in the event that the RADIUS Authentication times out because the server is unresponsive, the authentication attempt will be treated as a REJECT & the client will land in the Unauthorized-Client VLAN, if configured?
It would be really nice to be able to use a different VLANs for failed Authentication attempts (due to client configuration errors - bad username or passwords) and those that fail because they can't be serviced (Authentication Service Unavailable).
3 weeks ago
Just to be clear: are you asking about a third VLAN option, in addition to the 'authorized' and 'unauthorized' VLANs, for the case in which a user or device cannot be authenticated because the server is unreachable? Or do you want the fallback option to be "the server is unreachable, so assign the device to the 'authorized' VLAN"?
Matthew Fern | Technical Marketing Engineer, Campus Networking
Aruba, a Hewlett Packard Enterprise Company
3 weeks ago
Thank you for your response.
I'm asking about a 3rd VLAN option, an addition to "Authorized-Client VLAN" & "Unauthorized-Client VLAN", for when the authentication server is unavailable. Cisco calls it "Inaccessible Authentication Bypass".
If an unresponsive RADIUS server equates to a failed authentication in an HPE ArubaOS-Switch according to the Access Security Guide, "When a client’s authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port."
That's cool, I get that but I'd like to be able to assign a different VLAN; something other than the "Unauthorized-Client VLAN" nor the "Authorized-Client VLAN". I'm sure if my RADIUS server could respond, it would be able to associate a different VLAN, but since it's unavailable...
2 weeks ago
You can archieve that using the "authorized" option in the aaa eap-radius configuration:
aaa authentication port-access eap-radius authorized
aaa port-access authenticator 4
aaa port-access authenticator 4 auth-vid 10
aaa port-access authenticator 4 unauth-vid 20
Normal behavior (RADIUS reachable):
Users getting authorized and are assigned to the VLAN coming from the RADIUS Server, e.g. 50.
Radius Server is unavailable:
802.1X users getting assigned to VLAN 10
Other users getting assigned to VLAN 20