Wired


Is it Possible

  • 1.  Is it Possible

    Posted 19 days ago

    Hi, we are in the transition of switching from Cisco to Aruba (2930M edges, 8230 core) systems. We are having issues with configuring the ports for a dynamic set-up, and so far the current configuration is not functioning as we would like it to, so before I ask the real question I want to make sure that what we are asking for is possible.

    On any single PoE port, we need to be able to have 5 different configurations depending on what we plug in:

    Requirements:
    1: Cisco IP Phone, using LLDP-MED
    2: PC, using NPS and Workstation Security Group membership to set the VLAN
    3: Aruba AP
    4: Both Cisco Phone and PC, with the PC connected to the phone's passthrough port
    5: If any of the above fail to authenticate, then fail the connecting device to VLAN 51

    Apart from Option 3, all can be done on a Cisco switch.

    Separately I can get options 1 & 2 working, but if I try to merge them to get option 4 functionality, the phone works but the PC doesn't; it just fails to authenticate.

    The Phone is using a Device Profile that uses the OUI 0012BB (I think).
    The PC is using AAA Port-Access Authenticator to query Radius (Windows Server 2012 NPS) for VLAN membership.

    Thanks.



    ------------------------------
    Simon Harbinson
    Senior Support Engineer

    ------------------------------


  • 2.  RE: Is it Possible

    Posted 19 days ago
    Did you increase the client limit on the port authentication to 2?


    ------------------------------
    Dustin Burns
    ------------------------------



  • 3.  RE: Is it Possible

    Posted 19 days ago
    aaa authentication port-access client-limit <1-256>


    ------------------------------
    Dustin Burns
    ------------------------------



  • 4.  RE: Is it Possible

    Posted 19 days ago
    Hi Dustin, I am aware of the command; however, thinking about it, I may have either not done it or set it to 5. I will confirm and update the call, but I'm guessing we are not trying the impossible.

    Also, stupid question: is the client limit for the number of devices in total or concurrently? So if I were to add an option for the APs, would I increase it to 3 or leave it at 2, because only 2 devices will ever be connected at once?

    ------------------------------
    Simon Harbinson
    ------------------------------



  • 5.  RE: Is it Possible

    Posted 18 days ago
    Hi Dustin, it was in place but I had set it to 5; adjusted to 2.

    ------------------------------
    Simon Harbinson
    ------------------------------



  • 6.  RE: Is it Possible

    Posted 18 days ago
    What type of authentication are you using?

    ------------------------------
    Victor Fabian
    ------------------------------



  • 7.  RE: Is it Possible

    Posted 18 days ago
    Hi Victor, it's a mixture: AAA Port-Access Authenticator and a Device-Profile, but we had to change the config today and removed the Local MAC auth, as when attempting to set the unauth-VID we got the message:

    # aaa port-access authenticator 2/3 unauth-vid 51
    Configuration change denied for port 2/3. Only Web or Local MAC or MAC-authenticator can
    have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the
    same port. Please use unauthenticated VLAN for Web or Local MAC or MAC authentication
    instead.

    We can now get both the PC and the phone to sit in the required VLANs, but the new issue is that, now we are using these together, "aaa port-access authenticator 2/3 unauth-vid 51" is not working.

    If the unauthorized device is plugged in, it gets a 169.254.x.x address, not the required 10.51.x.x; as fun as it is, if the device is getting its connection via the phone's passthrough port then it gets the required 10.51.x.x address.

    The config is now: 

    interface 2/3

       untagged vlan 1
       aaa port-access authenticator
       aaa port-access authenticator unauth-vid 51
       aaa port-access authenticator client-limit 2
       aaa port-access device-identity "Cisco-Phone" bypass
       spanning-tree bpdu-protection
       exit

    Simon



    ------------------------------
    Simon Harbinson
    ------------------------------
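
An added configuration example, not the thread's resolution and not Aruba documentation: it lays out the combination the switch's own error message in post 7 points at, where the 802.1X authenticator keeps handling the PC, the device profile keeps handling the phone, and the unauthenticated VLAN is carried by MAC authentication on the same port rather than by the 802.1X authenticator, which refuses it. Port 2/3, VLAN 51 and the client limit of 2 come from the thread; the RADIUS server address and shared secret are placeholders, and the command syntax is from memory of ArubaOS-Switch 16.x and should be checked against the access security guide for the release on the 2930M. The interface-context lines are the poster's own from post 7.

```text
; Global: one RADIUS server (NPS) serves both 802.1X (EAP) and MAC authentication.
; 10.0.0.5 and the key are placeholders, not values from the thread.
radius-server host 10.0.0.5 key "PLACEHOLDER_SHARED_SECRET"
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

; Per port: 802.1X authenticator WITHOUT unauth-vid (the switch denies it when
; 802.1X shares the port), MAC authentication WITH unauth-vid 51 so a device that
; fails both methods lands in VLAN 51 instead of staying unauthenticated.
aaa port-access authenticator 2/3
aaa port-access authenticator 2/3 client-limit 2
aaa port-access mac-based 2/3
aaa port-access mac-based 2/3 addr-limit 2
aaa port-access mac-based 2/3 unauth-vid 51
aaa port-access authenticator active

; Interface context as the poster has it; the device profile handles the phone.
interface 2/3
   untagged vlan 1
   aaa port-access device-identity "Cisco-Phone" bypass
   spanning-tree bpdu-protection
   exit

; Verification: shows each MAC on the port, which method authenticated it
; (or that it is unauthenticated) and the VLAN it was placed in.
show port-access clients 2/3
```

The check that matters is the last line: a PC that shows up under MAC authentication as unauthenticated but in VLAN 51 confirms the fallback is doing its job, whereas a PC that is on the port with no VLAN assigned is the same state that produces the 169.254.x.x address described in post 7. Both limits are set to 2 because the thread's scenario never has more than a phone and one PC on the port at once.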