Hi Victor, it's a mixture of AAA Port-Access Authenticator and a Device-Profile, but we had to change the config today and removed the Local MAC Auth, as when attempting to set the Unauth-VID we got the message:
# aaa port-access authenticator 2/3 unauth-vid 51
Configuration change denied for port 2/3. Only Web or Local MAC or MAC-authenticator can
have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the
same port. Please use unauthenticated VLAN for Web or Local MAC or MAC authentication
instead.
We can now get both the PC and the phone to sit in the required VLANs, but the new issue is that, now that we are using these together, the "aaa port-access authenticator 2/3 unauth-vid 51" is not working.
If the unauthorized device is plugged in, it gets a 169.254.x.x address, not the required 10.51.x.x. As fun as it is, if the device is getting its connection via the phone's passthrough port, then it gets the required 10.51.x.x address.
The config is now:
interface 2/3
   untagged vlan 1
   aaa port-access authenticator
   aaa port-access authenticator unauth-vid 51
   aaa port-access authenticator client-limit 2
   aaa port-access device-identity "Cisco-Phone" bypass
   spanning-tree bpdu-protection
   exit
Simon
------------------------------
Simon Harbinson
------------------------------
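As an added illustration, not part of Simon's or Victor's posts: the denial message above states that when 802.1X is enabled on a port, the unauthenticated VLAN has to be configured on the Web, Local MAC or MAC-auth side rather than on the authenticator. So the other way to keep an unauth VLAN without dropping MAC auth is to leave both methods on the port and move `unauth-vid` from `authenticator` to `mac-based`. The commands below use the ArubaOS-Switch syntax that the 2930M runs; the RADIUS address and key are placeholders, and it is an assumption (not confirmed by the thread) that RADIUS-based MAC auth alongside the `device-identity ... bypass` line behaves the way this setup needs.

```text
; Denied form (from the thread): unauth-vid on the 802.1X authenticator
; while a MAC-based method is also enabled on the same port
aaa port-access authenticator 2/3 unauth-vid 51
; -> "Configuration change denied for port 2/3. Only Web or Local MAC or
;     MAC-authenticator can have unauthenticated VLAN enabled ..."

; Accepted form: keep 802.1X and MAC auth together, put the unauthenticated
; VLAN on the MAC-auth side. 192.0.2.10 / "secret" are placeholders for the
; NPS server already used for 802.1X (assumption: MAC auth points at the same server).
radius-server host 192.0.2.10 key "secret"
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

interface 2/3
   untagged vlan 1
   aaa port-access authenticator
   aaa port-access authenticator client-limit 2
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 2
   aaa port-access mac-based unauth-vid 51
   aaa port-access device-identity "Cisco-Phone" bypass
   spanning-tree bpdu-protection
   exit

; Verify which method each client was authenticated by and which VLAN it landed in
show port-access clients 2/3
```

The `client-limit` and `addr-limit` values are both 2 so that the phone plus one PC behind its passthrough port fit on the port; `show port-access clients` is the quickest way to see whether a device that got a 169.254.x.x address was ever placed in VLAN 51 or never reached an authenticated or unauthenticated state at all.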
Original Message:
Sent: Nov 10, 2020 09:21 AM
From: Victor Fabian
Subject: Is it Possible
What type of authentication are you using?
------------------------------
Victor Fabian
Original Message:
Sent: Nov 09, 2020 03:30 PM
From: Simon Harbinson
Subject: Is it Possible
Hi, we are in the middle of switching from Cisco to Aruba (2930M edges, 8230 core) systems. We are having issues with configuring the ports for a dynamic set-up, and so far the current configuration is not functioning as we would like, so before I ask the real question I want to make sure that what we are asking for is possible.
On any single PoE port, we need to be able to have 5 different configurations depending on what we plug in:
Requirements:
1: Cisco IP phone, using LLDP-MED
2: PC, using NPS and workstation security group membership to set the VLAN
3: Aruba AP
4: Both a Cisco phone and a PC connected to the phone's passthrough port.
5: If any of the above fail to authenticate, then fail the connecting device to VLAN 51
Apart from option 3, all can be done on a Cisco switch.
Separately I can get options 1 & 2 working, but if I try to merge them to get option 4 functionality, the phone works but the PC doesn't; it just fails to authenticate.
The phone is using a Device Profile that uses the OUI 0012BB (I think).
The PC is using AAA Port-Access Authenticator to query RADIUS (Windows Server 2012 NPS) for VLAN membership.
Thanks.
------------------------------
Simon Harbinson
Senior Support Engineer
------------------------------