Campus Switching and Routing

Frequent Contributor I

HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

Quickly glanced at that ArubaOS & Cisco IOS CLI Reference Guide & I've read through both the Switch Management and Configuration Guide & the Switch Access Security Guide (KA_KB.16.03).

 

I have yet to come across anything that would re-create Cisco's Inaccessible Authentication Bypass config to put a port in a VLAN in the event that the RADIUS server is unresponsive.  

 

The Access Security Guide does reference "No server(s) responding." messages, but it doesn't provide any more information regarding what alternative configurations are available.

 

The Access Security Guide does reference 802.1X Open VLAN mode & both an Authorized-Client VLAN & an Unauthorized-Client VLAN, but there is no explicit mention of what happens when the RADIUS server is unreachable.

 

As such, are we to assume that in the event that the RADIUS Authentication times out because the server is unresponsive, the authentication attempt will be treated as a REJECT & the client will land in the Unauthorized-Client VLAN, if configured?  

 

It would be really nice to be able to use different VLANs for failed authentication attempts (due to client configuration errors, i.e. bad usernames or passwords) and those that fail because they can't be serviced (Authentication Service Unavailable).

  

TIA,

 

--Raf
Aruba Employee

Re: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

Greetings!

 

Just to be clear: are you asking about a third VLAN option, in addition to the 'authorized' and 'unauthorized' VLANs, for the case in which a user or device cannot be authenticated because the server is unreachable?  Or do you want the fallback option to be "the server is unreachable, so assign the device to the 'authorized' VLAN"?

 



Matthew Fern | Technical Marketing Engineer, Campus Networking
Aruba, a Hewlett Packard Enterprise Company
Frequent Contributor I

Re: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

Hi Matthew, 

 

Thank you for your response.  

 

I'm asking about a 3rd VLAN option, in addition to "Authorized-Client VLAN" & "Unauthorized-Client VLAN", for when the authentication server is unavailable.  Cisco calls it "Inaccessible Authentication Bypass".

 

If an unresponsive RADIUS server equates to a failed authentication on an HPE ArubaOS-Switch, then according to the Access Security Guide, "When a client’s authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port."

 

That's cool, I get that, but I'd like to be able to assign a different VLAN; something other than the "Unauthorized-Client VLAN" or the "Authorized-Client VLAN".  I'm sure if my RADIUS server could respond, it would be able to associate a different VLAN, but since it's unavailable...

 

Thanks,

 

 

--Raf
Occasional Contributor I

Re: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

You can achieve that using the "authorized" option in the aaa eap-radius configuration:

 

Example:

aaa authentication port-access eap-radius authorized
aaa port-access authenticator 4
aaa port-access authenticator 4 auth-vid 10
aaa port-access authenticator 4 unauth-vid 20

 

Normal behavior (RADIUS reachable):

Users get authorized and are assigned to the VLAN coming from the RADIUS server, e.g. 50.

 

RADIUS server is unavailable:

802.1X users get assigned to VLAN 10

Other users get assigned to VLAN 20

New Contributor

Re: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

Dear Matthew,

 

We have a request where when a user or device cannot be authenticated because the CPPM server is unreachable, the switch should "disable" 802.1X authentication and ports should remain on the manually set VLAN. Is this possible?

Contributor I

Re: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

Hi, it seems that you are talking about the Guest VLAN feature on AOS-S.

 

Please review the ArubaOS-Switch Access Security Guide

 

http://h20566.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=1008995294&docLocale=en_US&docId=emr_na-a00008378en_us

 

Configuring Guest VLAN

 

aaa port-ac local-mac unauth-vid 99

 

Restriction

 

Mixed port access mode allows 802.1X and Web/MAC authenticated and unauthenticated clients on the same port when the guest VLAN is the same as the port’s current untagged authenticated VLAN for authenticated clients, or when none of the authenticated clients are authorized on the untagged authenticated VLAN. Instead of having just one client per port, multiple clients can use the guest VLAN.

 

RADIUS service tracking

RADIUS service tracking locates the availability of the RADIUS service configured on the switch. It helps to minimize the waiting period for new clients in the unauth-vid (Guest VLAN) when authentication fails because the service is not available, as well as for previously authenticated clients in the unauth-vid (Guest VLAN) when re-authentication fails because the service is not available during the re-authentication period.

Note that this feature is disabled by default.

 

radius-server tracking <enable|disable>

 

 

 

If it helps, please add Kudos
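Pulling the two answers above together (the "authorized" keyword from the eap-radius reply and "radius-server tracking" from the Guest VLAN reply), here is an added, complete port-access configuration for an ArubaOS-Switch such as the 3810M. It is not from the thread or from HPE's documentation; the RADIUS server addresses, the shared-secret placeholder, the standalone port numbering 1-24 and the VLAN IDs are assumptions, and the lines beginning with ";" are annotations for the reader, not switch commands, so drop them before pasting.

```text
; --- RADIUS servers (assumed addresses; replace the key placeholder) ---
radius-server host 192.0.2.10 key "<shared-secret-placeholder>"
radius-server host 192.0.2.11 key "<shared-secret-placeholder>"
; The delay before any fallback applies grows with the per-attempt timeout,
; the retransmit count and the number of servers tried, so keep these modest.
radius-server timeout 5
radius-server retransmit 3
; Track RADIUS availability so that once the service is already known to be
; down, new clients are not held for the full timeout cycle before landing in
; the fallback VLAN (disabled by default).
radius-server tracking enable

; --- 802.1X with the "authorized" fallback ---
; "authorized": if no RADIUS server responds, an 802.1X client is treated as
; authenticated and is placed in auth-vid (VLAN 10). Clients that never
; authenticate still go to unauth-vid (VLAN 20). This is fail-open for any
; device that speaks EAP; omit the keyword if an unreachable server should be
; treated as a failed attempt instead (the client then stays in unauth-vid).
aaa authentication port-access eap-radius authorized
aaa port-access authenticator 1-24
aaa port-access authenticator 1-24 auth-vid 10
aaa port-access authenticator 1-24 unauth-vid 20
aaa port-access authenticator active

; --- Verification ---
show radius
show port-access authenticator
show log
```

The trade-off the thread circles around is visible in the block: with "authorized", a RADIUS outage silently moves every supplicant into the authorized VLAN, so the switch log should be watched for the "No server(s) responding." message the Access Security Guide mentions, because that is the only signal that the fallback (rather than a real Access-Accept) produced the VLAN assignment. Without the keyword the outage is fail-closed into unauth-vid, which matches the "treated as a REJECT" behaviour the original poster asked about; neither mode gives the separate third VLAN that Cisco's Inaccessible Authentication Bypass provides.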