Community Feedback

Hi all.


I am changing my old Cisco switches infrastructure by an Aruba 2930F switches one.
During the migration, I would like to connect my old Cisco infrastructure to the new Aruba one, in order to make a more quiet migration :-).

It's OK for computers connected to Vlan access ports on the old Cisco switches, but it's NOK for equipments needing 802.1x authentication.

The 802.1x authentication queries aren't transmitted to the Clearpass by the Aruba switch from the Cisco one.

Does somebody have encountered this issue and know how fix it ?

I hope  my explications are enough clear. Let me know if not.


Kind regards.



Xavier

------------------------------
Xavier SIMON
------------------------------

I don't fully understand the scenario.

Do you have Cisco switches configured for 802.1X, and you connect a 2930F to such an 802.1X enabled port and you want the EAPOL packets run through the 2930F transparently to keep authentication on the Cisco switch?

What you probably want to do in such a case is to setup the 2930F on a 'trunk' port (non-authenticated) and do the 802.1X on your 2930F to get the equivalent functionality, and you can then move over your clients until the original switch is empty, at which point you can take it out and connect the 2930F directly to the uplink. Alternatively, put the 2930F on the uplink and connect your Cisco uplink to another port of the 2930F where you have the same VLANs.

Maybe you can post a drawing/diagram of what you want to do and where 802.1X is configured.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 14, 2022 08:09 AM
From: Xavier SIMON
Subject: Configuring an Aruba 2930F port to accept 802.1x queries from a Cisco switch

Hi all.


I am changing my old Cisco switches infrastructure by an Aruba 2930F switches one.
During the migration, I would like to connect my old Cisco infrastructure to the new Aruba one, in order to make a more quiet migration :-).

It's OK for computers connected to Vlan access ports on the old Cisco switches, but it's NOK for equipments needing 802.1x authentication.

The 802.1x authentication queries aren't transmitted to the Clearpass by the Aruba switch from the Cisco one.

Does somebody have encountered this issue and know how fix it ?

I hope  my explications are enough clear. Let me know if not.


Kind regards.



Xavier

------------------------------
Xavier SIMON
------------------------------

Hi Herman.

A diagram of what I want to do :

The issue is during the transition phase : 802.1x authentication is NOK. On the Clearpass, we don't have any Cisco IP phone authentication request.

During the previous phase and the final one, 802.1x authentication is OK. Cisco IP phone requests join the Clearpass.

I hope it's more clear.

I don't know why 802.1x authentication requests are not relayed by the Aruba 2930F and, for the moment, the solution for me is to pass very quickly to the final phase.

Kind regards.


Xavier

------------------------------
Xavier SIMON
------------------------------

Original Message:
Sent: Jan 18, 2022 04:34 AM
From: Herman Robers
Subject: Configuring an Aruba 2930F port to accept 802.1x queries from a Cisco switch

I don't fully understand the scenario.

Do you have Cisco switches configured for 802.1X, and you connect a 2930F to such an 802.1X enabled port and you want the EAPOL packets run through the 2930F transparently to keep authentication on the Cisco switch?

What you probably want to do in such a case is to setup the 2930F on a 'trunk' port (non-authenticated) and do the 802.1X on your 2930F to get the equivalent functionality, and you can then move over your clients until the original switch is empty, at which point you can take it out and connect the 2930F directly to the uplink. Alternatively, put the 2930F on the uplink and connect your Cisco uplink to another port of the 2930F where you have the same VLANs.

Maybe you can post a drawing/diagram of what you want to do and where 802.1X is configured.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 14, 2022 08:09 AM
From: Xavier SIMON
Subject: Configuring an Aruba 2930F port to accept 802.1x queries from a Cisco switch

Hi all.


I am changing my old Cisco switches infrastructure by an Aruba 2930F switches one.
During the migration, I would like to connect my old Cisco infrastructure to the new Aruba one, in order to make a more quiet migration :-).

It's OK for computers connected to Vlan access ports on the old Cisco switches, but it's NOK for equipments needing 802.1x authentication.

The 802.1x authentication queries aren't transmitted to the Clearpass by the Aruba switch from the Cisco one.

Does somebody have encountered this issue and know how fix it ?

I hope  my explications are enough clear. Let me know if not.


Kind regards.



Xavier

------------------------------
Xavier SIMON
------------------------------

That diagram makes it more clear, and sounds like a proper migration scenario.

In the transition mode, the 2930F that is sitting between the ClearPass and the 2960G should not do anything with the 802.1X, similar the 2960G should not do anything with 802.1X; just the 2960 PoE and the 2930F PoE. For the intermediate switches, that is just RADIUS traffic, and if you don't see the request coming in, make sure that on all hops (2960 PoE, 2960G, 2930F) all the relevant VLANs are passed through on the trunks. I expect the VLAN carrying the RADIUS traffic being missed, or an issue with the L3 if there is VLAN routing, or an ACL on one of the switches may be the issue.

I would hop by hop do some port mirroring to see where the RADIUS packets go lost. Shouldn't be too hard to find.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 18, 2022 09:39 AM
From: Xavier SIMON
Subject: Configuring an Aruba 2930F port to accept 802.1x queries from a Cisco switch

Hi Herman.

A diagram of what I want to do :

The issue is during the transition phase : 802.1x authentication is NOK. On the Clearpass, we don't have any Cisco IP phone authentication request.

During the previous phase and the final one, 802.1x authentication is OK. Cisco IP phone requests join the Clearpass.

I hope it's more clear.

I don't know why 802.1x authentication requests are not relayed by the Aruba 2930F and, for the moment, the solution for me is to pass very quickly to the final phase.

Kind regards.


Xavier

------------------------------
Xavier SIMON

Original Message:
Sent: Jan 18, 2022 04:34 AM
From: Herman Robers
Subject: Configuring an Aruba 2930F port to accept 802.1x queries from a Cisco switch

I don't fully understand the scenario.

Do you have Cisco switches configured for 802.1X, and you connect a 2930F to such an 802.1X enabled port and you want the EAPOL packets run through the 2930F transparently to keep authentication on the Cisco switch?

What you probably want to do in such a case is to setup the 2930F on a 'trunk' port (non-authenticated) and do the 802.1X on your 2930F to get the equivalent functionality, and you can then move over your clients until the original switch is empty, at which point you can take it out and connect the 2930F directly to the uplink. Alternatively, put the 2930F on the uplink and connect your Cisco uplink to another port of the 2930F where you have the same VLANs.

Maybe you can post a drawing/diagram of what you want to do and where 802.1X is configured.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 14, 2022 08:09 AM
From: Xavier SIMON
Subject: Configuring an Aruba 2930F port to accept 802.1x queries from a Cisco switch

Hi all.


I am changing my old Cisco switches infrastructure by an Aruba 2930F switches one.
During the migration, I would like to connect my old Cisco infrastructure to the new Aruba one, in order to make a more quiet migration :-).

It's OK for computers connected to Vlan access ports on the old Cisco switches, but it's NOK for equipments needing 802.1x authentication.

The 802.1x authentication queries aren't transmitted to the Clearpass by the Aruba switch from the Cisco one.

Does somebody have encountered this issue and know how fix it ?

I hope  my explications are enough clear. Let me know if not.


Kind regards.



Xavier

------------------------------
Xavier SIMON
------------------------------