Controllerless Networks

Super Contributor II

IAP-205H and wired port security

Hi,

I ran into some weird behavior with the IAP-205H and configuring the wired port security.

I want to be able to perform dot1x and MACAUTH on the switch ports available on the IAP-205H.

Devices that do dot1x seem to work great all the time. But with MACAUTH devices, I get some strange behavior.


Port configured with both dot1x and MACAUTH

  • Device gets an IP address
  • Unable to communicate with anything
  • I see the auth request hitting the ClearPass.

Port configured with just MACAUTH

  • Device gets an IP address
  • Able to communicate normally.
  • I see the auth request hitting the ClearPass.

Any ideas as to why when I combine the two authentication methods on the port the device performing MACAUTH is not able to communicate correctly?

Re: IAP-205H and wired port security

Did you enable Authentication fail-thru?

(Screenshot: mac-failthrough.png)

With authentication fail-thru, access can be provided if any of the selected methods (MAC, 802.1X) succeeds; when disabled (default) both methods must succeed.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Super Contributor II

Re: IAP-205H and wired port security

I did test with "MAC Authentication fail-thru".

With this option turned on, the device will not even receive an IP address.

I will test again though just to confirm.

Super Contributor II

Re: IAP-205H and wired port security

I just tested with MAC Auth fail-thru.

With it turned on, the device doesn't receive an IP address.

Is what I am trying to do not possible?

Guru Elite

Re: IAP-205H and wired port security

What is the initial role in the AAA profile attached to the "Ethernet Interface X" port configuration? The initial role must have a firewall policy that allows DHCP. The initial role decides what firewall policies are applied when the user has not authenticated yet and is essential for devices that do not authenticate via 802.1X.



Colin Joseph
Aruba Customer Engineering


Super Contributor II

Re: IAP-205H and wired port security

Hi cjoseph,

I do not believe I have set an initial role. I didn't know that it would be required. I actually haven't seen a setting to configure an initial role in the IAP configuration.

Below are some screen shots of what I am working with:

(Screenshots: ports on the IAP-205H I am trying to configure; access type set to Unrestricted)

I am using unrestricted so that the CPPM can pass back the role to the IAP. Should I be using Role-Based access?

Sorry, I may have misunderstood your question in the context of an IAP environment. I am still pretty new to using the IAPs without a controller.

Super Contributor II

Re: IAP-205H and wired port security

Just a quick update on this.

I discovered that the MAC fail-thru is actually working, but the clients that auth via MAC do not take the role passed back from the ClearPass.

iap-325# show client wired

Wired Client List
-----------------
Name          IP Address      MAC Address        OS  Network  Access Point     Role      IPv6 Address  Speed (mbps)
----          ----------      -----------        --  -------  ------------     ----      ------------  ------------
408d5cxxxxxx  192.168.xxx.xxx  40:8d:5c:xx:xx:xx      eth2     iap-205h-xxxxxx  Deny All  --            -

The client keeps taking the "Deny All" role, which is definitely not what I am passing back from the CPPM.

I think I have run into this already and you guys already explained to me why this happens, I just can't for the life of me remember why.

Re: IAP-205H and wired port security

Are you sending back an Access-Accept with the role from ClearPass? I can imagine that on an Access-Reject the role is either not sent by ClearPass or not evaluated by the IAP.

It may help if someone has a look with you at what is happening. I would open a TAC case to get this investigated. Probably works better than posting snippets on this forum.

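The two rules discussed in this thread, the "MAC authentication fail-thru" semantics from Herman's first reply (access if any enabled method succeeds, otherwise all must succeed) and the point that a ClearPass role is only meaningful on an Access-Accept, can be put together in a small model. This is an added example, not Aruba firmware or ClearPass code. It assumes Aruba's public RADIUS dictionary values (vendor ID 14823, Aruba-User-Role as vendor sub-attribute 1), zeroes the authenticator field because no shared secret is involved, and the role names ("employee", "deny-all", "authenticated") are constructed for illustration.

```python
"""Model of the role a wired client ends up in on an IAP port.

Added example, not Aruba's or ClearPass's code. It builds and parses
minimal RADIUS replies carrying Aruba-User-Role and applies the
fail-thru rule described in the thread. Assumed values: Aruba vendor
ID 14823 and Aruba-User-Role sub-attribute 1 (public dictionary);
role names are constructed.
"""
import struct
from typing import Dict, Optional, Tuple

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute
ARUBA_VENDOR_ID = 14823       # assumed: Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1           # assumed: Aruba-User-Role sub-attribute type


def build_reply(code: int, role: Optional[str] = None, identifier: int = 1) -> bytes:
    """Build a minimal RADIUS reply, optionally carrying Aruba-User-Role (constructed)."""
    attrs = b""
    if role is not None:
        value = role.encode("ascii")
        sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
        vsa = struct.pack("!I", ARUBA_VENDOR_ID) + sub
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    authenticator = bytes(16)  # constructed; a real reply carries an MD5 response authenticator
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_reply(pkt: bytes) -> Tuple[int, Optional[str]]:
    """Return (code, Aruba-User-Role or None); rejects inconsistent length fields."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    role = None
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            while len(sub) >= 2:
                stype, slen = sub[0], sub[1]
                if slen < 2 or slen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                if vendor == ARUBA_VENDOR_ID and stype == ARUBA_USER_ROLE:
                    role = sub[2:slen].decode("ascii", errors="replace")
                sub = sub[slen:]
        pos += alen
    return code, role


def port_role(replies: Dict[str, Optional[bytes]], fail_through: bool,
              initial_role: str = "deny-all", default_role: str = "authenticated") -> str:
    """Decide the role for a wired client.

    replies maps each ENABLED method ("dot1x", "macauth") to the RADIUS reply it
    produced, or None when it never completed (e.g. the device has no 802.1X
    supplicant). A role is honoured only from an Access-Accept. An
    unauthenticated client stays in initial_role, which is why that role must
    permit DHCP if the device is ever to get an address.
    """
    accepted = []
    for _method, pkt in replies.items():
        if pkt is None:
            continue
        code, role = parse_reply(pkt)
        if code == ACCESS_ACCEPT:
            accepted.append(role)
    # fail-thru: any success is enough; otherwise every enabled method must succeed
    authenticated = bool(accepted) if fail_through else len(accepted) == len(replies)
    if not authenticated:
        return initial_role
    for role in accepted:
        if role:
            return role
    return default_role


if __name__ == "__main__":
    accept = build_reply(ACCESS_ACCEPT, "employee")
    # MAC-auth-only device on a port with both methods enabled
    print("both methods, no fail-thru:", port_role({"dot1x": None, "macauth": accept}, False))
    print("both methods, fail-thru:   ", port_role({"dot1x": None, "macauth": accept}, True))
    print("reject with role:          ", port_role({"macauth": build_reply(ACCESS_REJECT, "employee")}, True))
```

With both methods enabled and no fail-thru, a device that never completes 802.1X is left in the initial role even though its MAC authentication was accepted, which matches the symptom of getting an address but not being able to talk to anything when the initial role permits DHCP only. A role carried on an Access-Reject is parsed but never applied.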
Super Contributor II

Re: IAP-205H and wired port security

Thanks Herman,

I will do that.

Super Contributor II

Re: IAP-205H and wired port security

I have opened a ticket with Aruba support. I spent 5 hours on the phone on Saturday trying to get things working, and nothing.

I am just curious, is anyone actually using any of the 3 switch ports available on any version of IAP models that have these ports available?

Specifically in a controllerless environment.

After a lot of trial and error I was successful at getting them to work in a controller environment. But so far I have had zero luck in using these ports when it is just an IAP cluster environment.

The weird behavior I am seeing now is that the device will get an IP address and the correct user role, but there is no communication possible with the device. If I run a tracert to the device, the tracert never completes.

If anyone has any actual experience working with the IAP switch ports I would really appreciate any advice you can offer.
