How to: Configure Authentication on Mobility Access Switches

Community Administrator

The following steps are required to enable port authentication:

 

Configure the RADIUS server

Using the internal (local) user database:

(ArubaS3500) #local-userdb add username test password test123 role authenticated

For MAC authentication, add the device's MAC address to the local database as both the username and the password, written in the delimiter and case format selected in the MAC authentication profile (see below), because that is the exact string the switch sends.

Using an external RADIUS server:

(ArubaS3500) (config) #aaa authentication-server radius acs

(ArubaS3500) (RADIUS Server "acs") #host ?

<host>                  IP address/Hostname of radius server

(ArubaS3500) (RADIUS Server "acs") #host 10.4.135.132

(ArubaS3500) (RADIUS Server "acs") #key test

(ArubaS3500) (config) #

On the external RADIUS server, the MAS must be added as a RADIUS client with its IP address and the same shared key; the usernames/passwords (or device MAC addresses for MAC authentication) must exist in the external RADIUS database. The key "test" above is only a placeholder: use a long, randomly generated shared secret, since the RADIUS exchange between switch and server is protected by nothing else.

Configure authentication server group

These are the configurable parameters:

(ArubaS3500) (Server Group "test") #?

allow-fail-through      Allow authentication fail through

auth-server             Assign authentication server

clone                   Copy data from another Server Group

no                      Delete Command

set                     Configure rules to derive Role/VLAN

The following are two examples:

Internal server is used:

There is a predefined server group "internal" that uses the local user database; it needs no configuration and can be referenced directly from the aaa profile.

External server is used:

(ArubaS3500) (config) #aaa server-group acs

(ArubaS3500) (Server Group "acs") #auth-server acs

(ArubaS3500) (config) #

Configure user role

In the aaa profile, the initial role and the authentication default role need to be specified. In the user role, the user VLAN, the access-list, voip-profile, qos-profile, policer-profile and reauthentication-interval can be customized:

(ArubaS3500) (config) #user-role test


(ArubaS3500) (config-role) #?

access-list             Apply access-lists to the role

no                      Delete Command

policer-profile         Apply Policer Profile to this role

qos-profile             Apply QoS Profile to this role

reauthentication-inte.. Configure reauthentication interval time

vlan                    Assign VLAN

voip-profile            Apply VoIP Profile to this role

For example:

(ArubaS3500) (config) #user-role test

(ArubaS3500) (config-role) #vlan 100

(ArubaS3500) (config-role) #access-list stateless allowall-stateless

(ArubaS3500) (config) #

Configure the authentication profile

The port can be configured to perform MAC authentication only, DOT1x authentication only, or both MAC and DOT1x authentication. To enable MAC authentication, a MAC authentication profile needs to be specified in the aaa profile; to enable DOT1x authentication, a DOT1x authentication profile needs to be specified there.

For MAC authentication

The following parameters can be customized for MAC authentication:

(ArubaS3500) (config) #aaa authentication mac test-mac


(ArubaS3500) (MAC Authentication Profile "test-mac") #?

case                    Case of MAC string for authentication

clone                   Copy data from another MAC Authentication Profile

delimiter               Delimiter in MAC string for authentication

max-authentication-fa.. Maximum auth failures before user is blacklisted. Range: 0-1. Default: 0.

no                      Delete Command


For example:

(ArubaS3500) (config) #aaa authentication mac test-mac

(ArubaS3500) (MAC Authentication Profile "test-mac") #delimiter colon

(ArubaS3500) (config) #

 

For DOT1x authentication

The following parameters can be customized for DOT1x authentication:

(ArubaS3500) (config) #aaa authentication dot1x test-dot1x


(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #?

ca-cert                 CA Certificate for Client Certificate Verification

cert-cn-lookup          Check certificate common name against AAA server. Default is disabled.

clone                   Copy data from another 802.1X Authentication Profile

eapol-logoff            Handle EAPOL-Logoff.Default is disabled

framed-mtu              Set the Framed-MTU attribute sent to the authentication server

heldstate-bypass-coun.. Set the maximum number of times station can send bad user credentials and avoid going to held state by sending an EAPOL-Start

ignore-eap-id-match     Ignore EAP ID during negotiation.Default is disabled

ignore-eapolstart-aft.. Ignore EAPOl-START after authentication.Default is disabled

machine-authentication  Configure Machine Authentication Parameters

max-authentication-fa.. Maximum Number of Authentication Failures after which station is blacklisted. Range: 0-5. Default: 0.

max-requests            Set maximum number of times Id-Requests is sent to the station

no                      Delete Command

reauth-max              Set maximum number of times Id-Requests is sent to the station

reauthentication        Enable or Disable Reauthentication.Default is disabled

server                  Set authentication server parameters

server-cert             Server Certificate for EAP termination

termination             Configure Dot1x Termination Parameters

timer                   Configure state machine timers

tls-guest-access        Enable guest access for users with valid certificate.Default is disabled

tls-guest-role          Assign TLS Guest role

For example, terminating EAP on the switch itself:

(ArubaS3500) (config) #aaa authentication dot1x test-dot1x

(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #termination enable

(ArubaS3500) (config) #

With termination enabled, the switch terminates the EAP/TLS exchange and presents the certificate configured with server-cert to the clients; only the inner credentials are then checked against the authentication server. Leave termination disabled (the default) when the RADIUS server should handle the full EAP exchange, which is the usual deployment.

Configure aaa profile to use MAC authentication or DOT1x authentication

The following parameters can be customized or configured in the aaa profile:

(ArubaS3500) (config) #aaa profile port-auth


(ArubaS3500) (AAA Profile "port-auth") #?

auth-failure-blacklis.. Amount of time to blacklist a STA if it fails repeated authentications. In seconds. 0 blocks indefinitely.

authentication-dot1x    Configure 802.1X authentication profile

authentication-mac      Configure MAC authentication profile

clone                   Copy data from another AAA Profile

dot1x-default-role      Assign default role

dot1x-server-group      802.1X authentication server group

enforce-dhcp            Require IP address to be obtained using DHCP

initial-role            Role that is assigned to a user before authentication takes place

mac-default-role        Assign MAC Auth default role

mac-server-group        MAC authentication server group

no                      Delete Command

radius-accounting       Configure server group for radius accounting

radius-interim-accoun.. Send RADIUS interim accounting records

user-derivation-rules   Apply profile to derive VLAN/Role from user atributes

xml-api-server          Configure XML API server


The port can be configured to perform MAC authentication only, DOT1x authentication only, or both MAC and DOT1x authentication. Referencing a MAC authentication profile in the aaa profile enables MAC authentication, and referencing a DOT1x authentication profile enables DOT1x authentication; each needs a server group and a default role alongside it.

The following are three examples:

Only enable MAC authentication

(ArubaS3500) (config) #aaa profile port-auth

(ArubaS3500) (AAA Profile "port-auth") #initial-role logon

(ArubaS3500) (AAA Profile "port-auth") #authentication-mac test-mac

(ArubaS3500) (AAA Profile "port-auth") #mac-server-group acs

(ArubaS3500) (AAA Profile "port-auth") #mac-default-role authenticated

(ArubaS3500) (config) #

 

Only enable DOT1x authentication

(ArubaS3500) (config) #aaa profile port-auth

(ArubaS3500) (AAA Profile "port-auth") #initial-role logon

(ArubaS3500) (AAA Profile "port-auth") #authentication-dot1x test-dot1x

(ArubaS3500) (AAA Profile "port-auth") #dot1x-default-role authenticated

(ArubaS3500) (AAA Profile "port-auth") #dot1x-server-group acs

(ArubaS3500) (AAA Profile "port-auth") #exit

(ArubaS3500) (config) #

Enable both MAC and DOT1x authentication

(ArubaS3500) (config) #aaa profile port-auth

(ArubaS3500) (AAA Profile "port-auth") #initial-role logon

(ArubaS3500) (AAA Profile "port-auth") #authentication-mac test-mac

(ArubaS3500) (AAA Profile "port-auth") #mac-default-role test

(ArubaS3500) (AAA Profile "port-auth") #mac-server-group default

(ArubaS3500) (AAA Profile "port-auth") #authentication-dot1x test-dot1x

(ArubaS3500) (AAA Profile "port-auth") #dot1x-default-role authenticated

(ArubaS3500) (AAA Profile "port-auth") #dot1x-server-group acs

(ArubaS3500) (AAA Profile "port-auth") #exit

(ArubaS3500) (config) #

Bind the aaa profile to the port or port group

Ports on the MAS are trusted by default, and a trusted port does not enforce authentication or roles, so the port must be made untrusted for the aaa profile to take effect. Apply the aaa profile on a port:

(ArubaS3500) (config) #interface gigabitethernet 0/0/1

(ArubaS3500) (gigabitethernet "0/0/1") #no trusted port

(ArubaS3500) (gigabitethernet "0/0/1") #aaa-profile port-auth

(ArubaS3500) (gigabitethernet "0/0/1") #exit

(ArubaS3500) (config) #

 

Apply the aaa profile in a port group:

(ArubaS3500) (config) #interface-group gigabitethernet port-auth

(ArubaS3500) (gigabitethernet "port-auth") #apply-to 0/0/45-0/0/47

(ArubaS3500) (gigabitethernet "port-auth") #no trusted port

(ArubaS3500) (gigabitethernet "port-auth") #aaa-profile port-auth

(ArubaS3500) (config) #
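The whole procedure collected into one configuration session, added here as an example; it is not part of the original article and not an Aruba-supplied configuration. It reuses the names from the steps above (server `acs` at 10.4.135.132, role `test`, profiles `test-mac`, `test-dot1x` and `port-auth`) and assumes a port range of 0/0/1-0/0/23, a constructed sample MAC 00:11:22:33:44:55, a placeholder `<strong-secret>` that you replace with a generated shared secret, and that the user test/test123 also exists on `acs`. Unlike the profile example above it leaves EAP termination disabled so the RADIUS server handles the full EAP exchange. Lines starting with `!` are annotations, not commands, and the `show`/`aaa test-server` lines at the end are standard ArubaOS verification commands assumed to exist on the MAS release in use.

```text
! Added example (not from the article): MAC auth + 802.1X on a block of access ports.
! Names follow the article; <strong-secret>, the port range and the MAC are placeholders.

! 1. RADIUS server. timeout/retransmit decide how long the switch waits on this
!    server before giving up on it (and moving to the next one in the server group).
(ArubaS3500) (config) #aaa authentication-server radius acs
(ArubaS3500) (RADIUS Server "acs") #host 10.4.135.132
(ArubaS3500) (RADIUS Server "acs") #key <strong-secret>
(ArubaS3500) (RADIUS Server "acs") #timeout 3
(ArubaS3500) (RADIUS Server "acs") #retransmit 2
(ArubaS3500) (RADIUS Server "acs") #exit

! 2. Server group that both MAC and 802.1X authentication will use.
(ArubaS3500) (config) #aaa server-group acs
(ArubaS3500) (Server Group "acs") #auth-server acs
(ArubaS3500) (Server Group "acs") #exit

! 3. Role applied to MAC-authenticated devices: VLAN 100, permit-all ACL.
(ArubaS3500) (config) #user-role test
(ArubaS3500) (config-role) #vlan 100
(ArubaS3500) (config-role) #access-list stateless allowall-stateless
(ArubaS3500) (config-role) #exit

! 4. MAC authentication profile. case/delimiter fix the exact string sent as
!    username and password, e.g. 00:11:22:33:44:55 (constructed sample MAC), so the
!    entry on the RADIUS server (or in local-userdb) must use the same format.
(ArubaS3500) (config) #aaa authentication mac test-mac
(ArubaS3500) (MAC Authentication Profile "test-mac") #delimiter colon
(ArubaS3500) (MAC Authentication Profile "test-mac") #case lower
(ArubaS3500) (MAC Authentication Profile "test-mac") #exit

! 5. 802.1X profile: periodic reauthentication on, blacklist after 3 failures,
!    termination left disabled so the RADIUS server terminates EAP.
(ArubaS3500) (config) #aaa authentication dot1x test-dot1x
(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #reauthentication
(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #max-authentication-failures 3
(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #exit

! 6. AAA profile tying it together; blacklisted clients are blocked for 300 s.
(ArubaS3500) (config) #aaa profile port-auth
(ArubaS3500) (AAA Profile "port-auth") #initial-role logon
(ArubaS3500) (AAA Profile "port-auth") #authentication-mac test-mac
(ArubaS3500) (AAA Profile "port-auth") #mac-server-group acs
(ArubaS3500) (AAA Profile "port-auth") #mac-default-role test
(ArubaS3500) (AAA Profile "port-auth") #authentication-dot1x test-dot1x
(ArubaS3500) (AAA Profile "port-auth") #dot1x-server-group acs
(ArubaS3500) (AAA Profile "port-auth") #dot1x-default-role authenticated
(ArubaS3500) (AAA Profile "port-auth") #auth-failure-blacklist-time 300
(ArubaS3500) (AAA Profile "port-auth") #exit

! 7. Bind to the access ports. Ports are trusted by default and a trusted port
!    skips authentication entirely, so "no trusted port" is what enforces it.
(ArubaS3500) (config) #interface-group gigabitethernet port-auth
(ArubaS3500) (gigabitethernet "port-auth") #apply-to 0/0/1-0/0/23
(ArubaS3500) (gigabitethernet "port-auth") #no trusted port
(ArubaS3500) (gigabitethernet "port-auth") #aaa-profile port-auth
(ArubaS3500) (gigabitethernet "port-auth") #exit
(ArubaS3500) (config) #exit
(ArubaS3500) #write memory

! 8. Verify: check the shared secret and a user against the server first, then
!    watch real clients authenticate and which role/VLAN they receive.
(ArubaS3500) #aaa test-server pap acs test test123
(ArubaS3500) #show aaa authentication-server radius acs
(ArubaS3500) #show aaa profile port-auth
(ArubaS3500) #show auth-tracebuf
(ArubaS3500) #show user-table
```

Run the `aaa test-server` check before untrusting any port: a wrong shared key or an unreachable server shows up there immediately, whereas on a live port it only shows up as clients stuck in the logon role.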

 

Fail-Open on MAS:

"Fail-open" behavior when the authentication server is not available (opening the port when no server answers) is currently not supported. There are, however, some workarounds that can be implemented depending on the authentication requirement(s):

1. Put more than one authentication server in the server group for better availability: if the first server does not respond, the switch tries the next one, and so on.
2. Modify the logon role so that unauthenticated clients are placed into a specific VLAN in this case, though this has obvious potential drawbacks (every client that has not authenticated yet lands in that VLAN as well).
3. Add MAC authentication in addition to 802.1X so the client can still be authenticated in this case (using a different or local server).

In terms of modifying the logon role, an additional role can be used for the "auth-FAIL" scenario:

If the RADIUS server is active:
    if authentication passes, RADIUS replies with role-A
    if authentication fails, RADIUS replies with role-B
If the RADIUS server is inactive:
    role-C (in practice the logon role is used here)

For this to work, the authentication server must reply with role-B even when the authentication fails.
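The three workarounds as one added configuration fragment, not part of the original article. Assumed names: a second server `acs2` at 10.4.135.133, a stateless ACL `quarantine-stateless`, VLAN 999 and a role `quarantine` used as the initial role (a dedicated role rather than editing the predefined logon role, which is what the article suggests; either achieves the same VLAN placement), and a constructed device MAC 00:11:22:33:44:55 written as the MAC profile sends it (colon delimiter, lower case). The stateless ACL rule lines and the sub-mode prompt shown for them follow the ArubaOS ACL form and should be confirmed with `?` on the switch. Lines starting with `!` are annotations, not commands.

```text
! Added example (not from the article): the three workarounds for a RADIUS outage.

! Workaround 1: a second server in the group. The switch moves on to acs2 only
!    after acs stops answering (timeout/retransmit on the server). allow-fail-through
!    is a different thing: it retries the next server after an Access-Reject, so
!    leave it off unless a reject on acs should genuinely be re-tried on acs2.
(ArubaS3500) (config) #aaa authentication-server radius acs2
(ArubaS3500) (RADIUS Server "acs2") #host 10.4.135.133
(ArubaS3500) (RADIUS Server "acs2") #key <strong-secret>
(ArubaS3500) (RADIUS Server "acs2") #exit
(ArubaS3500) (config) #aaa server-group acs
(ArubaS3500) (Server Group "acs") #auth-server acs
(ArubaS3500) (Server Group "acs") #auth-server acs2
(ArubaS3500) (Server Group "acs") #exit

! Workaround 2: a restricted initial role instead of the open logon role. Every
!    client that has not (yet) authenticated, including all clients while no
!    server answers, lands in VLAN 999 with DHCP and DNS only.
(ArubaS3500) (config) #ip access-list stateless quarantine-stateless
(ArubaS3500) (config-stateless-quarantine-stateless) #any any svc-dhcp permit
(ArubaS3500) (config-stateless-quarantine-stateless) #any any svc-dns permit
(ArubaS3500) (config-stateless-quarantine-stateless) #any any any deny
(ArubaS3500) (config-stateless-quarantine-stateless) #exit
(ArubaS3500) (config) #user-role quarantine
(ArubaS3500) (config-role) #vlan 999
(ArubaS3500) (config-role) #access-list stateless quarantine-stateless
(ArubaS3500) (config-role) #exit

! Workaround 3: MAC authentication against the local database as the fallback,
!    so devices the switch can validate locally still receive the MAC-auth role
!    while the external group is down. 802.1X keeps using the external group.
(ArubaS3500) (config) #exit
(ArubaS3500) #local-userdb add username 00:11:22:33:44:55 password 00:11:22:33:44:55 role test
(ArubaS3500) #configure terminal
(ArubaS3500) (config) #aaa profile port-auth
(ArubaS3500) (AAA Profile "port-auth") #initial-role quarantine
(ArubaS3500) (AAA Profile "port-auth") #mac-server-group internal
(ArubaS3500) (AAA Profile "port-auth") #exit
(ArubaS3500) (config) #
```

Workaround 2 is a trade-off, not a fix: the quarantine role is what every new client sees until it authenticates, so it has to be tight enough that an attacker gains nothing from it and open enough (DHCP, DNS) that a legitimate client can still start 802.1X.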
Version history
Last update: 09-25-2014 12:15 PM

Comments

You can fail-open when AAA servers are unavailable by using the unreachable-role.

 

(AAA Profile "zTest") #unreachable-role allowall

 
