Wired Intelligent Edge

Is it Possible

  • 1.  Is it Possible

    Posted Nov 09, 2020 03:31 PM

    Hi, we are in the transition of switching from Cisco to Aruba (2930M Edges, 8230 Core) systems. We are having issues with configuring the ports for a dynamic setup, and so far the current configuration is not functioning as we would like it, so before I ask the real question I want to make sure that what we are asking for is possible.

    On any single PoE port, we need to be able to have 5 different configurations depending on what we plug in:

    Requirements:
    1: Cisco IP Phone, using LLDP-MED
    2: PC, Using NPS and Workstation Security Group membership to set VLAN
    3: Aruba AP
    4: Both Cisco Phone and PC connected to the Phone's passthrough port.
    5: If any of the above fail to authenticate, then fail the connecting device to VLAN 51

    Apart from Option 3, all can be done on a Cisco switch.

    Separately, I can get options 1 & 2 working, but if I try to merge them to get option 4 functionality the phone works but the PC doesn't; it just fails to authenticate.

    The Phone is using a Device Profile that uses the OUI 0012BB (I think).
    The PC is using AAA Port-Access Authenticator to query Radius (Windows Server 2012 NPS) for VLAN membership.

    Thanks.

    ########################### Update  ######################################

    This issue is resolved. We ended up having a senior Aruba engineer investigate the issues; the main fault was that the workstation was using LLDP. If you disabled it, it would start to work as designed. However, as you may have guessed, we were not going to disable it on 500+ devices manually.

    In the end, we upgraded the Switch OS to the most current release (WS16.and were able to take advantage of a code that allows us to use the device name as an identifier.  We changed the line

    device-identity name "Cisco-Phone" lldp oui 0012bb sub-type 1
    to 

    device-identity name "Cisco-Phone" lldp sys-desc "Cisco IP Phone"

    Luckily, after a quick check with Wireshark, all our phones started with "Cisco IP Phone".

    ------------------------------
    Simon Harbinson
    Senior Support Engineer

    ------------------------------
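    Added example (not from the thread or from HPE Aruba): a small Python model of the two device-identity rules Simon compared, run over two constructed LLDPDUs, a phone and a workstation whose NIC driver also speaks LLDP. Assumptions: "lldp oui 0012bb sub-type 1" matches any organizationally specific TLV (type 127) carrying that OUI and subtype, 00-12-BB/subtype 1 is the LLDP-MED Capabilities TLV that LLDP-MED-capable workstations emit as well, and "lldp sys-desc" matches the System Description TLV (type 6) by prefix.

```python
import struct

# TLV header is 16 bits: 7-bit type, 9-bit length (IEEE 802.1AB).
def tlv(tlv_type, payload):
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload

# Organizationally specific TLV (type 127): 3-byte OUI, 1-byte subtype, then info.
def org_tlv(oui_hex, subtype, info):
    return tlv(127, bytes.fromhex(oui_hex) + bytes([subtype]) + info)

def parse_lldpdu(data):
    """Yield (type, payload) pairs up to the End-of-LLDPDU TLV (type 0)."""
    off = 0
    while off + 2 <= len(data):
        hdr = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        payload = data[off + 2:off + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated TLV at offset %d" % off)
        off += 2 + length
        if tlv_type == 0:
            return
        yield tlv_type, payload

# Assumed semantics of 'device-identity ... lldp oui 0012bb sub-type 1'.
def match_oui_subtype(data, oui_hex, subtype):
    oui = bytes.fromhex(oui_hex)
    return any(t == 127 and len(p) >= 4 and p[:3] == oui and p[3] == subtype
               for t, p in parse_lldpdu(data))

# Assumed semantics of 'device-identity ... lldp sys-desc "Cisco IP Phone"'.
def match_sys_desc(data, prefix):
    return any(t == 6 and p.decode("utf-8", "replace").startswith(prefix)
               for t, p in parse_lldpdu(data))

def common_tlvs(mac_hex, sys_desc):
    # Mandatory Chassis ID (subtype 4 = MAC), Port ID (subtype 7 = local), TTL, then System Description.
    return (tlv(1, b"\x04" + bytes.fromhex(mac_hex)) + tlv(2, b"\x07eth0")
            + tlv(3, b"\x00\x78") + tlv(6, sys_desc.encode()))

# Constructed LLDPDUs: both carry an LLDP-MED Capabilities TLV (OUI 00-12-BB, subtype 1);
# only the MED device class byte differs (3 = communication device, 1 = generic endpoint).
PHONE_LLDPDU = common_tlvs("001122334455", "Cisco IP Phone 8845") + org_tlv("0012bb", 1, b"\x00\x31\x03") + tlv(0, b"")
PC_LLDPDU = common_tlvs("aabbccddeeff", "Windows 10 workstation") + org_tlv("0012bb", 1, b"\x00\x01\x01") + tlv(0, b"")

def bypass_decisions(rule):
    """Which of the two sample devices a device-identity rule would grant the bypass to."""
    return {"phone": rule(PHONE_LLDPDU), "pc": rule(PC_LLDPDU)}

if __name__ == "__main__":
    print("oui rule:     ", bypass_decisions(lambda d: match_oui_subtype(d, "0012bb", 1)))
    print("sys-desc rule:", bypass_decisions(lambda d: match_sys_desc(d, "Cisco IP Phone")))
```

    The OUI rule grants the phone bypass to both devices, which is why the PC never reached 802.1X; the sys-desc rule matches only the phone.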


  • 2.  RE: Is it Possible

    MVP GURU
    Posted Nov 09, 2020 03:35 PM
    Did you increase the client limit on the port authentication to 2?


    ------------------------------
    Dustin Burns
    ------------------------------



  • 3.  RE: Is it Possible

    MVP GURU
    Posted Nov 09, 2020 03:37 PM
    aaa authentication port-access client-limit <1-256>


    ------------------------------
    Dustin Burns
    ------------------------------



  • 4.  RE: Is it Possible

    Posted Nov 09, 2020 04:40 PM
    Hi Dustin, I am aware of the command; however, thinking about it, I may have either not done it or set it to 5. I will confirm and update the call, but I'm guessing we are not trying the impossible.

    Also, stupid question: is the client limit for the number of devices in total or concurrently? So if I was to add an option for the APs, would I increase it to 3 or leave it at 2, because only 2 devices will ever be connected at once?

    ------------------------------
    Simon Harbinson
    ------------------------------



  • 5.  RE: Is it Possible

    Posted Nov 10, 2020 11:49 AM
    Hi Dustin, it was in place but I had set it to 5; adjusted to 2.

    ------------------------------
    Simon Harbinson
    ------------------------------



  • 6.  RE: Is it Possible

    Posted Nov 10, 2020 09:22 AM
    What type of authentication are you using?

    ------------------------------
    Victor Fabian
    ------------------------------



  • 7.  RE: Is it Possible

    Posted Nov 10, 2020 12:04 PM
    Hi Victor, it's a mixture:
    AAA Port-Access Authenticator and a Device-Profile, but we had to change the config today and removed the LOCAL-MAC Auth, as when attempting to set the Unauth-VID we got the message:

    # aaa port-access authenticator 2/3 unauth-vid 51
    Configuration change denied for port 2/3. Only Web or Local MAC or MAC-authenticator can
    have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the
    same port. Please use unauthenticated VLAN for Web or Local MAC or MAC authentication
    instead.

    We can now get both PC and Phone to sit in the required VLANs, but the new issue is that, now we are using these together, the aaa port-access authenticator 2/3 unauth-vid 51 is not working.

    If the unauthorized device is plugged in, it gets a 169.254.x.x address, not the required 10.51.x.x. As fun as it is, if the device is getting its connection via the phone's passthrough port then it gets the required 10.51.x.x address.

    The config is now: 

    interface 2/3
       untagged vlan 1
       aaa port-access authenticator
       aaa port-access authenticator unauth-vid 51
       aaa port-access authenticator client-limit 2
       aaa port-access device-identity "Cisco-Phone" bypass
       spanning-tree bpdu-protection
       exit

    Simon



    ------------------------------
    Simon Harbinson
    ------------------------------