MVP

double dot1x lan clients when dot1x config wired and IAP?

So, topic says all.. sort of :P

I was happily configuring wired and wireless 802.1X, but instead of a controller-based setup I now had InstantAPs to work with.

No problem, you can configure the IAPs to do wired auth also.

But then the end result is of course that the IAP does 802.1X just fine, but then any client that connects through that IAP hits the Aruba LAN switch, which also demands authentication.

How do you guys usually handle this situation?  Disable 802.1X for the wired ports with IAPs connected to them?  Use port-based authentication instead of session based auth?


Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Re: double dot1x lan clients when dot1x config wired and IAP?

You can’t use user roles with bridged devices like APs or downstream switches. You need to instead return the port auth mode and other enforcement actions via RADIUS VSA.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: double dot1x lan clients when dot1x config wired and IAP?

Hi Tim,

Could you clarify that a bit more please?

If I understand correctly, on the IAP authenticating, I return a HP-Port-Auth-Mode-Dot1x VSA which overrides the default session-based auth for the port.

Can I still send along HPE-Egress-VLAN-Name VSAs to open an untagged and several tagged VLANs on this port then?

With port-based access, will clients landing in those different VLANs not trigger a new authentication for this port?

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: double dot1x lan clients when dot1x config wired and IAP?

Yes, you’d return both the port auth mode and Egress VLAN VSAs. Subsequent MAC addresses presented on the port will not be forced to authenticate.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480