Wired Intelligent Edge


HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

  • 1.  HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

    Posted May 02, 2017 04:33 PM

    Quickly glanced at that ArubaOS & Cisco IOS CLI Reference Guide & I've read through both the Switch Management and Configuration Guide & the Switch Access Security Guide (KA_KB.16.03).  

     

    I have yet to come across anything that would re-create Cisco's Inaccessible Authentication Bypass config to put a port in a VLAN in the event that the RADIUS server is unresponsive.  

     

     The Access Security Guide does reference "No server(s) responding." messages, but it doesn't provide any more information regarding what alternative configurations are available.  

     

    The Access Security Guide does reference 802.1X Open VLAN mode & both an Authorized-Client VLAN & an Unauthorized-Client VLAN, but no explicit mention of what happens when the RADIUS server is unreachable.  

     

    As such, are we to assume that in the event that the RADIUS Authentication times out because the server is unresponsive, the authentication attempt will be treated as a REJECT & the client will land in the Unauthorized-Client VLAN, if configured?  

     

    It would be really nice to be able to use different VLANs for failed authentication attempts (due to client configuration errors - bad usernames or passwords) and those that fail because they can't be serviced (Authentication Service Unavailable).

      

    TIA,

     




  • 2.  RE: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

    EMPLOYEE
    Posted May 05, 2017 12:37 PM

    Greetings!

     

    Just to be clear: are you asking about a third VLAN option, in addition to the 'authorized' and 'unauthorized' VLANs, for the case in which a user or device cannot be authenticated because the server is unreachable?  Or do you want the fallback option to be "the server is unreachable, so assign the device to the 'authorized' VLAN"?

     



  • 3.  RE: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

    Posted May 05, 2017 04:25 PM

    Hi Matthew, 

     

    Thank you for your response.  

     

    I'm asking about a 3rd VLAN option, in addition to "Authorized-Client VLAN" & "Unauthorized-Client VLAN", for when the authentication server is unavailable.  Cisco calls it "Inaccessible Authentication Bypass".

     

    If an unresponsive RADIUS server equates to a failed authentication on an HPE ArubaOS-Switch, then according to the Access Security Guide, "When a client's authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port."  

     

    That's cool, I get that, but I'd like to be able to assign a different VLAN; something other than the "Unauthorized-Client VLAN" or the "Authorized-Client VLAN".  I'm sure if my RADIUS server could respond, it would be able to assign a different VLAN, but since it's unavailable...

     

    Thanks,

     

     



  • 4.  RE: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

    EMPLOYEE
    Posted May 10, 2017 12:06 PM

    You can achieve that using the "authorized" option in the aaa eap-radius configuration:

     

    Example:

    aaa authentication port-access eap-radius authorized
    aaa port-access authenticator 4
    aaa port-access authenticator 4 auth-vid 10
    aaa port-access authenticator 4 unauth-vid 20

     

    Normal behavior (RADIUS reachable):

    Users get authorized and are assigned to the VLAN returned by the RADIUS server, e.g. 50.

     

    RADIUS server is unavailable:
    802.1X users get assigned to VLAN 10

    Other users get assigned to VLAN 20
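    As an added illustration (not part of this thread and not HPE's code), here is a small Python model of the VLAN outcomes reply 4 describes for a port configured with auth-vid 10, unauth-vid 20 and the "authorized" keyword, so the three cases the original question cares about (RADIUS reachable, Access-Reject, RADIUS timeout) can be compared side by side. Three details are assumptions of the model rather than statements from the thread: an Access-Accept without a VLAN attribute lands in auth-vid; without the "authorized" keyword a timeout is treated like a reject; and with no unauth-vid configured the port simply stays unauthorized (modelled as None).

```python
"""Model of ArubaOS-Switch port-access VLAN assignment when RADIUS is reachable,
rejects, or times out. Added example; encodes the behaviour described in the
thread for `aaa authentication port-access eap-radius authorized` together with
the per-port auth-vid / unauth-vid. Assumptions are marked in comments."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RadiusResult(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "No server(s) responding"   # the log message the guide mentions


@dataclass
class PortAccessConfig:
    auth_vid: Optional[int]        # aaa port-access authenticator <port> auth-vid
    unauth_vid: Optional[int]      # aaa port-access authenticator <port> unauth-vid
    eap_radius_authorized: bool    # "authorized" keyword on aaa authentication port-access eap-radius


@dataclass
class AuthAttempt:
    uses_8021x: bool                   # True for an EAP supplicant, False for MAC/web or no supplicant
    radius: RadiusResult
    radius_vlan: Optional[int] = None  # VLAN returned by the server on Accept, e.g. 50


def assign_vlan(cfg: PortAccessConfig, attempt: AuthAttempt) -> Optional[int]:
    """Return the untagged VLAN the client ends up in, or None if the port stays unauthorized."""
    if attempt.radius is RadiusResult.ACCEPT:
        # Server-assigned VLAN wins; ASSUMPTION: an Accept without a VLAN attribute uses auth-vid.
        return attempt.radius_vlan if attempt.radius_vlan is not None else cfg.auth_vid
    if attempt.radius is RadiusResult.REJECT:
        # Bad credentials: Unauthorized-Client VLAN if configured, otherwise the port stays blocked.
        return cfg.unauth_vid
    # RADIUS timeout: reply 4 says 802.1X clients go to auth-vid when "authorized" is set,
    # other clients to unauth-vid. ASSUMPTION: without "authorized" a timeout behaves like a reject.
    if attempt.uses_8021x and cfg.eap_radius_authorized:
        return cfg.auth_vid
    return cfg.unauth_vid


def outcome_table(cfg: PortAccessConfig) -> dict:
    """Constructed scenarios, keyed by a short label, for a quick side-by-side comparison."""
    scenarios = {
        "8021x_accept_vlan50": AuthAttempt(True, RadiusResult.ACCEPT, 50),
        "8021x_reject": AuthAttempt(True, RadiusResult.REJECT),
        "8021x_timeout": AuthAttempt(True, RadiusResult.TIMEOUT),
        "other_timeout": AuthAttempt(False, RadiusResult.TIMEOUT),
    }
    return {label: assign_vlan(cfg, a) for label, a in scenarios.items()}


if __name__ == "__main__":
    cfg = PortAccessConfig(auth_vid=10, unauth_vid=20, eap_radius_authorized=True)
    for label, vlan in outcome_table(cfg).items():
        print(f"{label:22s} -> {'port unauthorized' if vlan is None else f'VLAN {vlan}'}")
```

    The point the model makes visible is the one the original poster raised: with this configuration a reject and a timeout for a non-802.1X client both end in VLAN 20, so the only way to tell "bad password" from "server down" on the switch itself is the "No server(s) responding" message, not the VLAN.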



  • 5.  RE: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

    Posted Aug 10, 2017 05:49 AM

    Dear Matthew,

     

    We have a request that, when a user or device cannot be authenticated because the CPPM server is unreachable, the switch should "disable" 802.1X authentication and ports should remain on the manually set VLAN. Is this possible?



  • 6.  RE: HPE ArubaOS 3810m - Inaccessible Authentication Bypass ???

    EMPLOYEE
    Posted Sep 07, 2017 07:22 PM

    Hi, it seems that you are talking about Guest VLAN feature at AOSS.

     

    Please review the ArubaOS-Switch Access Security Guide

     

    http://h20566.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=1008995294&docLocale=en_US&docId=emr_na-a00008378en_us

     

    Configuring Guest VLAN

     

    aaa port-ac local-mac unauth-vid 99

     

    Restriction

     

    Mixed port access mode allows 802.1X and Web/MAC authenticated and unauthenticated clients on the same port when the guest VLAN is the same as the port’s current untagged authenticated VLAN for authenticated clients, or when none of the authenticated clients are authorized on the untagged authenticated VLAN. Instead of having just one client per port, multiple clients can use the guest VLAN.

     

    RADIUS service tracking
    RADIUS service tracking locates the availability of the RADIUS service configured on the switch. It helps to minimize the waiting period for new clients in the unauth-vid (Guest VLAN) when authentication fails because the service is not available, as well as for previously authenticated clients in the unauth-vid (Guest VLAN) when re-authentication fails because the service is not available during the re-authentication period.
    Note that this feature is disabled by default.

     

    radius-server tracking <enable|disable>