Security

Occasional Contributor I
Posts: 7
Registered: ‎05-11-2012

802.1X authentication with username/password on Internal DB

Hi,

I would like to do an 802.1X authentication with username/password on the Internal DB.

Depending on the username, I would like to assign the right VLAN; I have 4 VLANs.

I have already added the names and passwords of the users to be authenticated to the Internal DB, and I assigned a different role to each username, each with a different VLAN.


I have already configured the AAA profile with a server group (Internal), and I enabled termination so that authentication finishes on the controller.

But I don't know how to configure the default role and the 802.1X Authentication Default Role.

 

Thanks for your help

cCIl

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: 802.1X authentication with username/password on Internal DB

The default 802.1x role is in the AAA profile.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 7
Registered: ‎05-11-2012

Re: 802.1X authentication with username/password on Internal DB

On the Internal DB side, I configured:

aaa server-group "interne"
   allow-fail-through
   auth-server Internal
   set role condition User-Name contains "ccil" set-value ccil-vlan4

(In fact, I will configure all users on the Internal DB with different VLANs.)

aaa profile "Entreprise_AAA"
   initial-role "Entreprise_role"
   authentication-dot1x "Entreprise_dot1x"
   dot1x-default-role "ccil-vlan4"
   dot1x-server-group "interne"

aaa authentication dot1x "Entreprise_dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "Entreprise_role"
   machine-authentication user-default-role "ccil-vlan4"
   termination enable
   termination eap-type eap-tls
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
   termination inner-eap-type eap-mschapv2

Can someone explain each role to me:

initial-role "Entreprise_role"
dot1x-default-role "ccil-vlan4"

machine-authentication machine-default-role "Entreprise_role"
machine-authentication user-default-role "ccil-vlan4"

 

With different VLANs, I don't understand where and how I have to configure the server derivation.

 

cCil

 

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: 802.1x authentication with username/password on Internal DB

[ Edited ]

Two words of advice:

 

1- Turn off (Enforce) Machine Authentication (machine authentication and Termination don't work together. You are also not going to put a machine's credentials into the internal database, so don't bother. Enforce Machine Authentication is an advanced topic.)

2- The commands that set the 802.1x role are below:

aaa profile "Entreprise_AAA"
   initial-role "Entreprise_role"
   authentication-dot1x "Entreprise_dot1x"
   dot1x-default-role "ccil-vlan4"
   dot1x-server-group "interne"

3 -

Can someone explain each role to me:

initial-role "Entreprise_role"   - Initial role for the AAA profile. Only valid for PSK or Open SSIDs. NOT used for 802.1x.
dot1x-default-role "ccil-vlan4"  - Basic role for when a client passes 802.1x.

 

(Enforce) Machine Authentication - Only in effect when Enforce Machine Authentication is activated. Does not work with Termination, and is not used when Termination is off.

machine-authentication machine-default-role "Entreprise_role"
machine-authentication user-default-role "ccil-vlan4"



Colin Joseph
Aruba Customer Engineering

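As an added worked example (not part of the thread and not Aruba's own reference config), here is one way to put the two answers above together for the "4 VLANs, role per user" case on an ArubaOS controller: one user-role per VLAN, a restrictive role as the dot1x default, Internal DB accounts, and server derivation rules in the server group. The usernames (alice, bob, carol, dave), the role names, VLAN IDs 10/20/30/40/99 and the use of "equals" instead of "contains" are assumptions for illustration; check the exact keywords against the CLI reference for your ArubaOS release before pasting.

```text
! Added example, not the thread's own config. Usernames, role names and
! VLAN IDs are assumptions. Lines starting with "!" are reader comments,
! not CLI input.

! 1. One user-role per VLAN. After 802.1x succeeds, the VLAN and the
!    session ACL both come from the role, so the roles are the real
!    access boundary, not the VLAN numbers on their own.
user-role users1-role
   vlan 10
   access-list session allowall
user-role users2-role
   vlan 20
   access-list session allowall
user-role users3-role
   vlan 30
   access-list session allowall
user-role users4-role
   vlan 40
   access-list session allowall

! 2. A deliberately restrictive role for a user who authenticates but
!    matches no derivation rule, so a typo in a rule fails closed
!    (VLAN 99 and the logon-control ACL are assumed here).
user-role quarantine-role
   vlan 99
   access-list session logon-control

! 3. Local accounts in the Internal DB (the remaining accounts follow the
!    same pattern). The role stored with the entry is only a label unless
!    a derivation rule consumes it, see option B in step 4.
local-userdb add username alice password <secret> role users1-role
local-userdb add username bob   password <secret> role users2-role
local-userdb add username carol password <secret> role users3-role
local-userdb add username dave  password <secret> role users4-role

! 4. Server group: authenticate against Internal, then derive the role.
!    Option A: explicit per-user rules. "equals" is used so that a rule for
!    "users1" cannot also match "users10" the way "contains" would.
aaa server-group "interne"
   auth-server Internal
   set role condition User-Name equals "alice" set-value users1-role
   set role condition User-Name equals "bob"   set-value users2-role
   set role condition User-Name equals "carol" set-value users3-role
   set role condition User-Name equals "dave"  set-value users4-role
!    Option B (assumed to be available on the release in use): take the
!    role straight from the Internal DB entry instead of one rule per user.
!    set role condition Role value-of

! 5. Termination on the controller, no machine authentication, and the
!    restrictive role as the 802.1x default.
aaa authentication dot1x "Entreprise_dot1x"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2

aaa profile "Entreprise_AAA"
   authentication-dot1x "Entreprise_dot1x"
   dot1x-server-group "interne"
   dot1x-default-role quarantine-role
```

Two checks worth running after applying something like this: "show user-table" after a test login should list the role you expect (and therefore the VLAN), and a login with an account that matches no rule should land in the quarantine role rather than in a working VLAN. The allow-fail-through option from the original post has no effect with a single server in the group; it only changes behaviour when the group has a second server to fall through to.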

Occasional Contributor I
Posts: 7
Registered: ‎05-11-2012

Re: 802.1x authentication with username/password on Internal DB

Thanks for your help.

 

I have a question about VLANs. Do you think I can assign specific VLANs depending on the username when I use the same SSID and the same authentication?

 

cCil

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: 802.1x authentication with username/password on Internal DB

ccil,

 

Do you want:

 

If X user authenticates, let them go to VLAN Y?

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎05-11-2012

Re: 802.1x authentication with username/password on Internal DB

Hi,

 

I have 80 users with 4 VLANs:

users1 => go to VLAN 10

users2 => go to VLAN 20

users3 => go to VLAN 30

...

with only 4 VLANs, not more.

 

cCil

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: 802.1x authentication with username/password on Internal DB

ccil,

 

Before I answer your question:

 

- Is this to replace an existing system?

- Are you using VLANs for security or access?  If so, what type?

 



Colin Joseph
Aruba Customer Engineering
