Wired Intelligent Edge

last person joined: 5 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

AOS-CX Mac Auth and 802.1x

This thread has been viewed 78 times
  • 1.  AOS-CX Mac Auth and 802.1x

    Posted Aug 25, 2020 01:53 PM

    Hello,

     

    I'm trying to get to a good config for 802.1x and mac authentication on a AOS-CX switch running 10.05.0001 (6200F).

     

    On the same port I would like to use Mac Authentication and dot1x.

     

    I've setup the port as follows:

     

    interface 1/1/2
        no shutdown
        vlan access 1
        aaa authentication port-access dot1x authenticator
            max-eapol-requests 1
            max-retries 1
            enable
        aaa authentication port-access mac-auth
            enable

     

    This works fine if a client doesn't have an 802.1x supplicant enabled or if 802.1x are pre programmed.

     

    If no pre programmed credentials are present windows 10 shows a popup but before one can enter credentials mac auth kicks in.

     

    On procurve this wasn't an issue. 802.1x simply replaced the mac auth but AOS-CX seems to be a lot different in this case.

     

    I can offcourse put the max-eapol-requests and max-retries back to their defaults but then when a non 802.1x clients connects it takes more then 160 seconds to get network access.

     

    If you enable aaa authentication port-access auth-precedence mac-auth dot1x on the port dot1x also never gets triggered if mac-auth already assigned a role to the device.

     

    Any one any suggestions on whats the best approach?

     

    Regards,

     

    Rens 

     



  • 2.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 25, 2020 02:38 PM

    I don't think the problem is with your switch configuration (the port config look good,) but at the NAC. Assuming you are using ClearPass.

    Check for the MAC wired service is higher position then the Dot1x.

    Make sure the switch vendor is Aruba.

    Did you see the host hit ClearPass in Access tracker? 

    If the supplicant configures as Dot1x authentication it will not hit the MAC authentication.

     

     



  • 3.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 09:13 AM

    I don't think the problem is with your switch configuration (the port config look good,) but at the NAC. Assuming you are using ClearPass.

    Check for the MAC wired service is higher position then the Dot1x.

    Make sure the switch vendor is Aruba.

    Did you see the host hit ClearPass in Access tracker? 

    If the supplicant configures as Dot1x authentication it will not hit the MAC authentication.

     

    Hello Trinh,

     

    unfortunately the switches don't even seem to send out a radius request.

    So it doesn;t seem to be a ClearPass Issue.

     

    Regards,

     

    Rens



  • 4.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 11:45 AM

    Rens,

    I have deployed Aruba 2900 and now 6300-CX colorless port successfully. The deployments are for MAC, dot1x, and pass-thru port from phone. The procedures are:
    1. If a device not dot1x like AP, phone, camera… it hits ClearPass (CPPM) MAC service.
    2. If device is a windows machine and dot1x enable for wire, it hits CPPM dot1x service.
    3. If a device is a windows box, but not dot1x enable, it hits CPPM MAC service.
    Suggestions: check your switch configuration or if possible post it here.
    I found this post for Local User Role you might want to take a look: https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/AOS-CX-Local-User-Role-LUR-simple-steps-to-Configure/m-p/663150

     



  • 5.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 27, 2020 02:26 AM

     

    Rens,

    I have deployed Aruba 2900 and now 6300-CX colorless port successfully. The deployments are for MAC, dot1x, and pass-thru port from phone. The procedures are:
    1. If a device not dot1x like AP, phone, camera… it hits ClearPass (CPPM) MAC service.
    2. If device is a windows machine and dot1x enable for wire, it hits CPPM dot1x service.
    3. If a device is a windows box, but not dot1x enable, it hits CPPM MAC service.
    Suggestions: check your switch configuration or if possible post it here.
    I found this post for Local User Role you might want to take a look: https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/AOS-CX-Local-User-Role-LUR-simple-steps-to-Configure/m-p/663150

     

    ~Trinh Nguyen~
    Boys Town
     
    Hello Trinh,
    For me it doesn't seem to be an issue between switch and clearpass or clearpass not handeling the radius requests in the correct sequence.
     
    It seems to be a sequence thing in the switch.
    If dot1q first fails, after this mac auth succeeds. If I then use the "windows logon prompts" to enter my 802.1x credentials. Those credentials seem to never get processed by the switch and in consequence the cleaspass.
    Hopefully you have a different experience,
    Hereby my config.
     
     

     

    Current configuration:
    !
    !Version ArubaOS-CX ML.10.05.0001
    !export-password: default
    user admin group administrators password ciphertext AQB...
    clock timezone europe/amsterdam
    aruba-central
        disable
    ntp server 5.200.6.34 iburst
    ntp server 80.100.15.186 iburst
    ntp enable
    cli-session
        timeout 0
    !
    !
    !
    !
    radius-server host clearpass.domain.nl key ciphertext AQB... clearpass-username duradmin clearpass-password ciphertext AQB...
    aaa authentication allow-fail-through
    !
    radius dyn-authorization enable
    !
    radius dyn-authorization client clearpass.domain.nl secret-key ciphertext AQB...
    ssh server vrf default
    ssh server vrf mgmt
    crypto pki ta-profile trust_anchor_profile
        ta-certificate
            -----BEGIN CERTIFICATE-----
    		....
            -----END CERTIFICATE-----
            END_OF_CERTIFICATE
    crypto pki ta-profile trust_anchor_profile_root
        ta-certificate
            -----BEGIN CERTIFICATE-----
    		....
            -----END CERTIFICATE-----
            END_OF_CERTIFICATE
    vsf member 1
        type jl728a
    vlan 1,1000
    spanning-tree
    spanning-tree priority 0
    interface mgmt
        no shutdown
        ip dhcp
    ubt-client-vlan 1000
    ubt zone default vrf default
        primary-controller ip 10.210.60.41
        backup-controller ip 10.210.60.42
        enable
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    interface 1/1/1
        no shutdown
        vlan access 1
        aaa authentication port-access client-limit 3
        aaa authentication port-access dot1x authenticator
            max-eapol-requests 1
            max-retries 1
            enable
        aaa authentication port-access mac-auth
            enable
    interface vlan 1
        ip address 10.210.60.30/24
        no ip dhcp
    ip route 0.0.0.0/0 10.210.60.1
    ip dns server-address 10.210.60.80
    !
    !
    !
    !
    !
    ip source-interface ubt 10.210.60.30
    ip source-interface all interface vlan1
    https-server vrf default
    https-server vrf mgmt

     

    Regards,

     

    Rens



  • 6.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 27, 2020 04:06 AM

    Can't you get away by using Windows "Single Sign On" and/or the "Automatically use my Windows logon name and password"?

    It will post your credentials regardless of the phase the switch is into, and do the dot1x auth.

     



  • 7.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 28, 2020 02:21 AM

    Can't you get away by using Windows "Single Sign On" and/or the "Automatically use my Windows logon name and password"?

    It will post your credentials regardless of the phase the switch is into, and do the dot1x auth.

     

    I believe I can and that is working but it's very annoying during testing. You expect certain behavior based on other product lines and or vendors. Then CX comes along and does certain things a little different.



  • 8.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 27, 2020 09:23 AM

    Rens,

    Try to add these lines in your switch config to see if it makes any difference:

    ...

    aaa authentication port-access dot1x authenticator
    radius server-group radius
    enable
    aaa authentication port-access mac-auth
    radius server-group radius
    enable
    interface 1/1/1
    no shutdown
    ....



  • 9.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 28, 2020 02:25 AM

    Rens,

    Try to add these lines in your switch config to see if it makes any difference:

    ...

    aaa authentication port-access dot1x authenticator
    radius server-group radius
    enable
    aaa authentication port-access mac-auth
    radius server-group radius
    enable
    interface 1/1/1
    no shutdown
    ....

    ~Trinh Nguyen~
    Boys Town
     
    Thanks for analyzing my config but I don't think this is the issue. The radius request is being send for dot1x as well as for mac auth. Until you first do a successfull mac auth, then dot1x isn't processed any more.
     
    Anyhow I'll test your commands and try to find any behavioral changes.
    I'll keep you updated.


  • 10.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 25, 2020 08:58 PM

    The best approach is to buy Cisco.

    IBNS C3PL allows you to configure whatever you like: simultaneous dot1x and mab; what to do when one fails; when to retry; keep trying dot1x for some time after mac auth succeeds; etc.

     

    Second best approach is to convince Aruba to do things properly.



  • 11.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 05:08 AM

    Good day!

     

    Hello,

    CX will support simultaneous dot1x and mab soon.

    Can you please check below eapol and max-retries configuration helps?

    I am using below configuration for pc behind phone use case and it works as expected.

    6300-1-VSF# sh port-access clients

    Port Access Clients
    --------------------------------------------------------------------------------
    Port MAC Address Onboarded Status Role
    Method
    --------------------------------------------------------------------------------
    2/1/3 2c:41:38:7f:db:42 mac-auth Success RADIUS_773420618
    2/1/3 00:50:56:8e:86:27 dot1x Success RADIUS_773420618

    6300-1-VSF# sh running-config interface 2/1/3
    interface 2/1/3
    no shutdown
    no routing
    vlan trunk native 10
    vlan trunk allowed 10,112
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    port-access security violation action shutdown
    aaa authentication port-access dot1x authenticator
    max-eapol-requests 1
    max-retries 1
    reauth
    enable
    aaa authentication port-access mac-auth
    cached-reauth
    cached-reauth-period 86400
    quiet-period 30
    enable
    exit
    6300-1-VSF#

     

    Thank you,

    Yash



  • 12.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 06:49 AM

    The "will be supported soon" is a cool statement for people that don't have to put the switches into real use today.



  • 13.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 09:18 AM

    Hello Yash,

     

    Your config seems to be quite similar to mine.

     

    Does it work for you if a device first successfully has authenticated with mac and the enable for example 802.1x by starting the wired autoconfig service?

     

    For me it seems to chose one option being either mac or dot1q. Not first mac and then overwrite it with dot1q.

     

    Regards,

     

    Rens



  • 14.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 09:14 AM

    The best approach is to buy Cisco.

    IBNS C3PL allows you to configure whatever you like: simultaneous dot1x and mab; what to do when one fails; when to retry; keep trying dot1x for some time after mac auth succeeds; etc.

     

    Second best approach is to convince Aruba to do things properly.

     

    I guess I need to go for the second option. Not being cisco it might be easyer to get them to listen.

     

    Both the Comware and Procurve seem to handle this better.



  • 15.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 09:53 AM

    Good luck also if you use Computers connected to Phones and like to prevent IP or ARP spoof (enable ARP inspection or ipv4 source-lockdown). Or if you want to prevent IP spoof and also use UBT.

     

    Advice: don't enable them.



  • 16.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 10:36 AM

    ricardoduarte,

     

    If you are not being helpful, please do not post.

     



  • 17.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 11:18 AM

    I guess I'm being helpful.

    If he enabled what I told, for sure he will have problems.

    So, just trying to spare him from headaches.



  • 18.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 11:39 AM

    Helpful would be relating what needs to be done to achieve a goal.  If you cannot do that, please allow others to help.



  • 19.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 11:47 AM

    @cjoseph: There's nothing to be done other than wait for Aruba to implement it properly.

     

    Either he sets up the switch to wait more than a minute for dot1x, or he sets a short timeout to fallback to mac-auth, leading to the problem he complains.


    To enforce dot1x to work even with a short timeout, he has to manually enable it on the network interface and not rely on "windows logon prompts".



  • 20.  RE: AOS-CX Mac Auth and 802.1x

    Posted Aug 26, 2020 12:01 PM

    Others are answering.  Please continue allow others to answer to see if a solution can be found that satisfies the op.  You have already stated your opinion which is valuable.



  • 21.  RE: AOS-CX Mac Auth and 802.1x

    Posted 30 days ago
    Has there been any progress on this feature of doing MAC Auth and Dot1x on the same port?  It is critical that people are able to  plug in a phone to the wall and have a computer plug into the phone. 

    I just updated to the latest version 10.08.0001 and it still doesn't seem to work. Both my MAC auth and dot1x work fine individually.

    ------------------------------
    Scott Jamison
    ------------------------------



  • 22.  RE: AOS-CX Mac Auth and 802.1x

    Posted 29 days ago
    dot1x as primary and mac-authentication as secondary works fine in my deployments running 10.07.0004


  • 23.  RE: AOS-CX Mac Auth and 802.1x

    Posted 29 days ago
    With the following command, you can even define the order of authentication on a per-port basis:
    aaa authentication port-access auth-precedence 

    it is either
    dot1x-->mac auth

    or

    mac auth -->dot1x

    BR
    Florian



    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------



  • 24.  RE: AOS-CX Mac Auth and 802.1x

    Posted 29 days ago
    I have gotten this to work at a client site with 10.06.0130 using Clearpass, but they were not relying on prompts; they had machine auth set in group policy.  My first suggestion would be to lengthen the EAP timeout.  As you pointed out, this lengthens the time it takes for a bypass.  There is a new port-access command introduced in 10.06 that may be helpful:  "port-access onboarding-method concurrent enable".  It will need to be set on a per-port basis.  I recommend reading up on it in the AOS-CX security guide for your firmware.  I think it might get closer to the behavior you are wanting.  With that in place, you can lengthen the EAP timeouts/retries without worrying about holding up MAC bypass.

    If you do this, I also recommend also creating a critical-role on the switch with a fairly short reauth timer (props to Emil Gogushev for this suggestion).  One issue I ran into with fast MAC bypass was that we got auth failures on phones after a power failure at the aggregation switch going back to clearpass, due to the access switches coming online with the phones before the aggregation switch.  Setting the critical role should ensure the access switches would reattempt auth fairly soon if the failure reason was an unreachable Clearpass.

    ------------------------------
    Daniel Waites
    ------------------------------