View Only
last person joined: yesterday 

Expand all | Collapse all

AOS-CX Port Authentication Fail open

This thread has been viewed 12 times
  • 1.  AOS-CX Port Authentication Fail open

    Posted Nov 03, 2021 12:36 PM


    Does anyone know the command or feature within aos-cx that matches this procurve command:

    aaa authentication port-access eap-radius authorized

    I want to fail the ports open if the radius server is seen as unavailable. i have checked the manuals and i cant see any features that protect you from a radius server going offline.

    thanks in advance

    Benjamin Milton

  • 2.  RE: AOS-CX Port Authentication Fail open

    Posted Nov 04, 2021 11:16 AM

    You can use the critical-role to allow limited or full access to users when the RADIUS server is not reachable and the authentication cannot be completed.
    Here is the description from the Security Guide, page 320

    Critical role
    The critical role is applied to devices when the RADIUS server is unreachable during the first authentication
    process or during reauthentication. This role helps ensure that the devices have limited access to the
    network even though the authentication is not completed. Once the RADIUS server is available for
    authentication, the devices are authenticated and the ultimate role is applied.

    Another approach would be to enable cached reauthentication for 802.1x or mac-ath (this is actually already available in ProCurve or AOS-S)

    Enables cached reauthentication on a port. Cached reauthentication allows 802.1X reauthentications to
    succeed when the RADIUS server is unavailable. Users already authenticated retain their currently assigned
    RADIUS attributes.

    Emil Gogushev

  • 3.  RE: AOS-CX Port Authentication Fail open

    Posted Nov 04, 2021 11:29 AM

    Thanks. Yes i have tested that today. Its an option, i was hoping for a global command per switch rather than individual port configurations and having to create local roles per switch. Its a lot of extra configuration compared to the other vendors. This same configuration scenario on aruba OS (procurve) works well with one global command.

    Benjamin Milton