This solution configures port authentication on an Aruba Mobility Access Switch. Several combinations of authentication methods can be configured, including (but not limited to) MAC authentication only, MAC authentication plus 802.1X authentication (with or without L2 authentication fail through enabled), and 802.1X authentication plus Machine authentication. User, MAC and Machine credentials can be checked against the switch's internal database, or a RADIUS server such as ClearPass Policy Manager (CPPM) can be specified. The solution asks which interfaces the configuration should be built for.
ArubaOS version 7.2 or greater is required to configure the RFC 3576 Dynamic Authorization feature. This feature allows the RADIUS server to send Disconnect and Change-of-Authorization (CoA) messages to the NAS device (switch/controller) on its own initiative, so that a session can be terminated or re-authorized after the initial authentication. The RADIUS server must also be configured on the switch as an RFC 3576 server (with a shared secret) and referenced from the AAA profile for these messages to be accepted.
Warning: This solution creates multiple user roles for authenticated users, including individual roles for the different authentication methods (MAC, 802.1X, and Machine Auth). All roles created by this solution give the user full access. It is strongly recommended to place additional restrictions (ACLs) on each user role created by this solution to match your security policy. See the user guide for more information on creating user roles and ACLs.
When both MAC authentication and 802.1X authentication are enabled on a port, ArubaOS offers a feature called "L2 Authentication Fail Through", which allows mixed authentication modes. If L2 auth fail through is not enabled, both the MAC authentication and the 802.1X authentication must succeed before the client is given access. Enabling L2 auth fail through allows a client that fails MAC authentication to proceed to 802.1X authentication and be placed in a role based on that result. See the Mixed Authentication Modes table below for the possible role assignments based on the MAC/802.1X authentication results.
Machine Authentication adds a second 802.1X authentication step for Windows PCs: the machine account is authenticated in addition to the user account. Successful machine authentication results are cached by the switch/controller for 24 hours by default; this cache timeout can be changed. A client is placed in one of four different roles depending on the combined result of Machine Auth and User Auth. The role mappings are described in the table below.
Machine Authentication role matrix (rows: Machine Auth Fail, Machine Auth Pass; columns: User Auth Fail, User Auth Pass)
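The following ArubaOS CLI fragment is an added example, not configuration produced by this solution, showing how the pieces described above (RFC 3576 server, MAC plus 802.1X with L2 auth fail through, and Machine Authentication with its default roles and cache timeout) fit together in one AAA profile applied to a port. The server address 10.1.1.5, the shared secret placeholder, the profile, server-group and role names, and port gigabitethernet 0/0/1 are assumptions chosen for illustration; the `!` lines are separators as printed by `show running-config`, not commands.

```text
aaa authentication-server radius "cppm"
  host 10.1.1.5
  key <shared-secret>
!
aaa server-group "cppm-grp"
  auth-server "cppm"
!
aaa rfc-3576-server 10.1.1.5
  key <shared-secret>
!
aaa authentication mac "mac-auth-prof"
!
aaa authentication dot1x "dot1x-auth-prof"
  machine-authentication enable
  machine-authentication machine-default-role "machine-auth-role"
  machine-authentication user-default-role "user-auth-role"
  machine-authentication cache-timeout 24
!
aaa profile "port-auth-prof"
  initial-role "logon"
  authentication-mac "mac-auth-prof"
  mac-default-role "mac-auth-role"
  mac-server-group "cppm-grp"
  authentication-dot1x "dot1x-auth-prof"
  dot1x-default-role "dot1x-auth-role"
  dot1x-server-group "cppm-grp"
  l2-auth-fail-through
  rfc-3576-server 10.1.1.5
!
interface gigabitethernet 0/0/1
  aaa-profile "port-auth-prof"
!
```

With `l2-auth-fail-through` present, a client that fails MAC authentication is still offered 802.1X; remove that line and both methods must succeed before the client leaves the initial role. `machine-default-role` is the role applied when the machine account authenticates but the user does not, `user-default-role` the role when only the user authenticates, and `dot1x-default-role` (or a role returned by the RADIUS server) applies when both succeed; the cache timeout is in hours. The same `<shared-secret>` must be configured on the RFC 3576 server entry as on the RADIUS server for CoA and Disconnect messages to be accepted. After a client connects, `show user-table` (assumed to be available on this release) shows the role that was actually assigned, which is the quickest way to confirm the matrix above behaves as intended before the permissive roles are tightened with ACLs.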
Aruba Mobility Access Switch S2500 running AOS 22.214.171.124.
No special licenses are required.
User Guide: Aruba OS 7.2.0 (Mobility Switch)
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.