The following steps are required to enable port authentication:
Configure the RADIUS server
Using the internal RADIUS server
(ArubaS3500) #local-userdb add username test password test123 role authenticated
For MAC authentication, add the client's MAC address to the local database as both the username and the password.
Using an external RADIUS server
(ArubaS3500) (config) #aaa authentication-server radius acs
(ArubaS3500-24P-US) (RADIUS Server "acs") #host ?
<host> IP address/Hostname of radius server
(ArubaS3500) (RADIUS Server "acs") #host 10.4.135.132
(ArubaS3500) (RADIUS Server "acs") #key test
(ArubaS3500) (config) #
On the external RADIUS server, both the MAS IP address and the shared key need to be added. The usernames/passwords need to be added in the external RADIUS database.
Configure the authentication server group
These are the configurable parameters:
(ArubaS3500) (Server Group "test") #?
allow-fail-through Allow authentication fail through
auth-server Assign authentication server
clone Copy data from another Server Group
no Delete Command
set Configure rules to derive Role/VLAN
The following are two examples:
Internal server used: there is a predefined server group "internal".
External server used:
(ArubaS3500) (config) #aaa server-group acs
(ArubaS3500) (Server Group "acs") #auth-server acs
(ArubaS3500) (config) #
Configure the user role
In the aaa profile, the initial role and the authentication default role need to be specified. In the user role, the user VLAN, access-list, voip-profile, qos-profile, policer-profile and reauthentication-interval can be customized:
(ArubaS3500) (config) #user-role test
(ArubaS3500) (config-role) #?
access-list Apply access-lists to the role
no Delete Command
policer-profile Apply Policer Profile to this role
qos-profile Apply QoS Profile to this role
reauthentication-inte.. Configure reauthentication interval time
vlan Assign VLAN
voip-profile Apply VoIP Profile to this role
For example:
(ArubaS3500) (config) #user-role test
(ArubaS3500) (config-role) #vlan 100
(ArubaS3500) (config-role) #access-list stateless allowall-stateless
(ArubaS3500) (config) #
Configure the authentication profile
The port can be configured to perform MAC authentication only, DOT1x authentication only, or both MAC and DOT1x authentication. To enable MAC authentication, a MAC authentication profile needs to be specified in the aaa profile; to enable DOT1x authentication, a DOT1x authentication profile needs to be specified there.
For MAC authentication
The following parameters can be customized for MAC authentication:
(ArubaS3500) (config) #aaa authentication MAC test-mac
(ArubaS3500) (MAC Authentication Profile "test-mac") #?
case Case of MAC string for authentication
clone Copy data from another MAC Authentication Profile
delimiter Delimiter in MAC string for authentication
max-authentication-fa.. Maximum auth failures before user is blacklisted. Range: 0-1. Default: 0.
no Delete Command
For example:
(ArubaS3500) (config) #aaa authentication mac test-mac
(ArubaS3500) (MAC Authentication Profile "test-mac") #delimiter colon
(ArubaS3500) (config) #
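The MAC authentication profile's delimiter and case settings decide the exact username string the switch presents for a client, so the entry stored with local-userdb add (or on the external RADIUS server) has to use the same format. The following Python helper is an added example, not code from the page or from Aruba; it formats a MAC address to match the profile settings and emits the local-userdb line in the form shown above. Only "colon" appears on the page; the other delimiter values ("none", "dash") and the case values ("lower", "upper") are assumed here to match the switch's options, with no delimiter and lower case assumed as the profile defaults.

```python
import re

# Added example (not from the page). Settings other than "colon", which the
# page shows, are assumptions: delimiter "none"/"dash", case "lower"/"upper".
_DELIMITERS = {"none": "", "colon": ":", "dash": "-"}

def normalize_mac(mac, delimiter="none", case="lower"):
    """Return `mac` formatted the way the MAC auth profile would send it.

    Accepts the common input spellings (aa:bb:cc:dd:ee:ff, aa-bb-...,
    aabb.ccdd.eeff, aabbccddeeff) and rejects anything that is not twelve
    hex digits so a typo is never stored as a credential.
    """
    if re.search(r"[^0-9a-fA-F:\-. ]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if delimiter not in _DELIMITERS or case not in ("lower", "upper"):
        raise ValueError("unknown delimiter/case setting")
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    out = _DELIMITERS[delimiter].join(pairs)
    return out.upper() if case == "upper" else out.lower()

def is_valid_mac(mac):
    """True when `mac` can be normalized, False otherwise."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False

def local_userdb_command(mac, role, delimiter="none", case="lower"):
    """Build the internal-database line in the form the page shows
    (username and password both set to the formatted MAC)."""
    name = normalize_mac(mac, delimiter, case)
    return f"local-userdb add username {name} password {name} role {role}"

if __name__ == "__main__":
    # profile configured with "delimiter colon", as in the example above
    print(local_userdb_command("00-1A-2B-3C-4D-5E", "authenticated", "colon"))
```

Generate the line with the same delimiter and case values the MAC authentication profile uses; if the profile is later changed, every stored MAC entry has to be regenerated to match.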
For DOT1x authentication
The following parameters can be customized for DOT1x authentication:
(ArubaS3500) (config) #aaa authentication dot1x test-dot1x
(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #?
ca-cert CA Certificate for Client Certificate Verification
cert-cn-lookup Check certificate common name against AAA server. Default is disabled.
clone Copy data from another 802.1X Authentication Profile
eapol-logoff Handle EAPOL-Logoff.Default is disabled
framed-mtu Set the Framed-MTU attribute sent to the authentication server
heldstate-bypass-coun.. Set the maximum number of times station can send bad user credentials and avoid going to held state by sending an EAPOL-Start
ignore-eap-id-match Ignore EAP ID during negotiation.Default is disabled
ignore-eapolstart-aft.. Ignore EAPOl-START after authentication.Default is disabled
machine-authentication Configure Machine Authentication Parameters
max-authentication-fa.. Maximum Number of Authentication Failures after which station is blacklisted. Range: 0-5. Default: 0.
max-requests Set maximum number of times Id-Requests is sent to the station
no Delete Command
reauth-max Set maximum number of times Id-Requests is sent to the station
reauthentication Enable or Disable Reauthentication.Default is disabled
server Set authentication server parameters
server-cert Server Certificate for EAP termination
termination Configure Dot1x Termination Parameters
timer Configure state machine timers
tls-guest-access Enable guest access for users with valid certificate.Default is disabled
tls-guest-role Assign TLS Guest role
For example:
(ArubaS3500) (config) #aaa authentication dot1x test-dot1x
(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #
(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #termination enable
(ArubaS3500) (config) #
Configure the aaa profile to use MAC authentication or DOT1x authentication
The following parameters can be customized or configured in the aaa profile:
(ArubaS3500) (config) #aaa profile port-auth
(ArubaS3500) (AAA Profile "port-auth") #?
auth-failure-blacklis.. Amount of time to blacklist a STA if it fails repeated authentications. In seconds. 0 blocks indefinitely.
authentication-dot1x Configure 802.1X authentication profile
authentication-mac Configure MAC authentication profile
clone Copy data from another AAA Profile
dot1x-default-role Assign default role
dot1x-server-group 802.1X authentication server group
enforce-dhcp Require IP address to be obtained using DHCP
initial-role Role that is assigned to a user before authentication takes place
mac-default-role Assign MAC Auth default role
mac-server-group MAC authentication server group
no Delete Command
radius-accounting Configure server group for radius accounting
radius-interim-accoun.. Send RADIUS interim accounting records
user-derivation-rules Apply profile to derive VLAN/Role from user attributes
xml-api-server Configure XML API server
The port can be configured to perform MAC authentication only, DOT1x authentication only, or both MAC and DOT1x authentication.
To enable MAC authentication, a MAC authentication profile needs to be specified in the aaa profile;
to enable DOT1x authentication, a DOT1x authentication profile needs to be specified there.
The following are three examples:
Only enable MAC authentication
(ArubaS3500) (config) #aaa profile port-auth
(ArubaS3500) (AAA Profile "port-auth") #initial-role logon
(ArubaS3500) (AAA Profile "port-auth") #authentication-mac test-mac
(ArubaS3500) (AAA Profile "port-auth") #mac-server-group acs
(ArubaS3500) (AAA Profile "port-auth") #mac-default-role authenticated
(ArubaS3500) (config) #
Only enable DOT1x authentication
(ArubaS3500) (config) #aaa profile port-auth
(ArubaS3500) (AAA Profile "port-auth") #initial-role logon
(ArubaS3500) (AAA Profile "port-auth") #authentication-dot1x test-dot1x
(ArubaS3500) (AAA Profile "port-auth") #dot1x-default-role authenticated
(ArubaS3500) (AAA Profile "port-auth") #dot1x-server-group acs
(ArubaS3500) (AAA Profile "port-auth") #exit
(ArubaS3500) (config) #
Enable both MAC and DOT1x authentication
(ArubaS3500) (config) #aaa profile port-auth
(ArubaS3500) (AAA Profile "port-auth") #initial-role logon
(ArubaS3500) (AAA Profile "port-auth") #authentication-mac test-mac
(ArubaS3500) (AAA Profile "port-auth") #mac-default-role test
(ArubaS3500) (AAA Profile "port-auth") #mac-server-group default
(ArubaS3500) (AAA Profile "port-auth") #authentication-dot1x test-dot1x
(ArubaS3500) (AAA Profile "port-auth") #dot1x-default-role authenticated
(ArubaS3500) (AAA Profile "port-auth") #dot1x-server-group acs
(ArubaS3500) (AAA Profile "port-auth") #exit
(ArubaS3500) (config) #
Bind the aaa profile to the port or port group
Apply the aaa profile in a port:
(ArubaS3500) (config) #interface gigabitethernet 0/0/1
(ArubaS3500) (gigabitethernet "0/0/1") #no trusted port
(ArubaS3500) (gigabitethernet "0/0/1") #aaa-profile port-auth
(ArubaS3500) (gigabitethernet "0/0/1") #exit
(ArubaS3500) (config) #
Apply the aaa profile in a port group:
(ArubaS3500) (config) #interface-group gigabitethernet port-auth
(ArubaS3500) (gigabitethernet "port-auth") #apply-to 0/0/45-0/0/47
(ArubaS3500) (gigabitethernet "port-auth") #no trusted port
(ArubaS3500) (gigabitethernet "port-auth") #aaa-profile port-auth
(ArubaS3500) (config) #
Fail-Open on MAS:
"Fail-open" behavior when the authentication server is not available is currently not supported. There are, however, some workarounds that can be implemented depending on the authentication requirement(s):
1. You can have more than one auth server in the server group for better availability, so if the first server fails, the next one is tried, and so on.
2. You can modify the logon role so the client is placed into a specific VLAN in that case, though this has obvious potential drawbacks.
3. You can add MAC auth in addition to 802.1X so the client can still be authenticated in that case (using a different/local server).
When modifying the logon role, an additional role can be defined for the "auth-fail" scenario:
If the RADIUS server is active:
  If auth passes, RADIUS replies with role-A
  If auth fails, RADIUS replies with role-B
If the RADIUS server is inactive:
  Role-C (actually the logon role is used here)
The auth server needs to reply with role-B even when auth fails.
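The steps above create several objects that only work when they reference each other correctly (aaa profile to authentication profiles, server groups and roles; port to aaa profile, with the port untrusted), and the first fail-open workaround depends on a server group holding more than one server. The following Python audit is an added example, not code from the page or from Aruba: it parses a block-indented configuration listing and reports the inconsistencies and the single-server groups. The listing is a constructed approximation of a "show running-config" output built from the commands on the page, with one deliberately broken profile and port added; the predefined objects assumed to exist on the switch are server group "internal" and roles "logon" and "authenticated".

```python
# Added example, not the page's own code. SAMPLE_CONFIG is a constructed
# running-config style listing built from the page's commands, plus a
# deliberately broken profile/port to exercise the checks. Predefined
# switch objects are assumed: server group "internal", roles "logon" and
# "authenticated".
SAMPLE_CONFIG = """\
aaa server-group acs
  auth-server acs
aaa authentication mac test-mac
  delimiter colon
aaa authentication dot1x test-dot1x
  termination enable
aaa profile port-auth
  initial-role logon
  authentication-mac test-mac
  mac-server-group acs
  mac-default-role authenticated
  authentication-dot1x test-dot1x
  dot1x-default-role authenticated
  dot1x-server-group acs
aaa profile port-auth-broken
  initial-role logon
  authentication-dot1x test-dot1x
  dot1x-default-role test
  dot1x-server-group acs-backup
interface gigabitethernet 0/0/1
  no trusted port
  aaa-profile port-auth
interface gigabitethernet 0/0/2
  aaa-profile port-auth-broken
interface-group gigabitethernet port-auth
  apply-to 0/0/45-0/0/47
  no trusted port
  aaa-profile port-auth
"""
PREDEFINED_GROUPS = {"internal"}
PREDEFINED_ROLES = {"logon", "authenticated"}

def parse_blocks(text):
    """Pair each unindented command with its indented sub-commands."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def _settings(body):
    """'key value' lines of a block as a dict (first word is the key)."""
    return dict(l.split(None, 1) for l in body if " " in l)

def build_model(text):
    """Collect server groups, roles, auth profiles, aaa profiles and ports."""
    m = {"groups": {g: ["<built-in>"] for g in PREDEFINED_GROUPS},
         "roles": set(PREDEFINED_ROLES), "mac": set(), "dot1x": set(),
         "profiles": {}, "ports": {}}
    for header, body in parse_blocks(text):
        w = header.split()
        if w[:2] == ["aaa", "server-group"]:
            m["groups"][w[2]] = [l.split()[1] for l in body if l.startswith("auth-server ")]
        elif w[0] == "user-role":
            m["roles"].add(w[1])
        elif w[:2] == ["aaa", "authentication"] and w[2].lower() in ("mac", "dot1x"):
            m[w[2].lower()].add(w[3])
        elif w[:2] == ["aaa", "profile"]:
            m["profiles"][w[2]] = _settings(body)
        elif w[0] in ("interface", "interface-group"):
            m["ports"][w[2]] = {"trusted": "no trusted port" not in body,
                                "profile": _settings(body).get("aaa-profile")}
    return m

def audit(text):
    """Return a list of findings; an empty list means the config is consistent."""
    m, findings = build_model(text), []
    for name, p in m["profiles"].items():
        for key, kind in (("authentication-mac", "mac"), ("authentication-dot1x", "dot1x")):
            if p.get(key) and p[key] not in m[kind]:
                findings.append(f"profile {name}: {key} {p[key]} does not exist")
        for key in ("mac-server-group", "dot1x-server-group"):
            grp = p.get(key)
            if grp is None:
                continue
            if grp not in m["groups"]:
                findings.append(f"profile {name}: {key} {grp} does not exist")
            elif grp not in PREDEFINED_GROUPS and len(m["groups"][grp]) < 2:
                findings.append(f"profile {name}: {key} {grp} has a single server, no fail-over")
        for key in ("initial-role", "mac-default-role", "dot1x-default-role"):
            if p.get(key) and p[key] not in m["roles"]:
                findings.append(f"profile {name}: {key} {p[key]} does not exist")
    for port, info in m["ports"].items():
        if info["profile"] and info["trusted"]:
            findings.append(f"port {port}: aaa-profile bound but 'no trusted port' is missing")
        if info["profile"] and info["profile"] not in m["profiles"]:
            findings.append(f"port {port}: aaa-profile {info['profile']} does not exist")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the single-server group "acs" for both the MAC and the 802.1X side of "port-auth", the missing server group and role in "port-auth-broken", and port 0/0/2 carrying a profile while still trusted; the interface-group binding copied from the page passes cleanly.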