Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
MAC Authentication AOS-S

  • 1.  MAC Authentication AOS-S

    Posted Jul 28, 2020 02:23 PM

    Hi guys,

    I think I stared too long at this to get the behaviour of a MAC Auth port right. Is it normal that a port on an AOS-S (formerly ProVision) 2530 switch configured with MAC Authentication authenticates every MAC it learns? Isn't there a config option for MAC auth like port-based / user-based mode on an "authenticator" port?

    Scenario:
    I have a Meraki cloud managed AP which does not support 802.1X wired authentication. I chose to configure the switchport to authenticate the device (AP) via its MAC and dynamically set the needed VLANs on it (works fine). As there are bridged SSIDs on the AP, the wireless clients are bridged locally into a VLAN on the same switchport. The switch wants to authenticate every newly learned / seen MAC address on the wired side.

    Again the question. Is this behaviour normal or did I miss some configuration?
    Does anyone have a hint to achieve a partly acceptable authentication for Meraki APs?




  • 2.  RE: MAC Authentication AOS-S
    Best Answer

    EMPLOYEE
    Posted Jul 30, 2020 04:08 AM

    If you want to do MAC authentication on an AP that carries tagged VLANs, you will need to return the following attributes to switch to port-mode (don't authenticate the clients that reach the switch in the VLANs from the AP):

    [screenshot: enforcement profile attributes for MAC Authentication]

    This example uses VLAN names, and the number in front of the VLAN name means 2 for untagged or 1 for tagged. So the VLAN 'Management VLAN' is applied untagged, whereas 'Corporate VLAN', 'Voice VLAN', etc. are applied tagged.


    You will need to run on your switch 16.02.0012 or newer for these attributes to be recognized.


    In case you authenticate your AP with 802.1X instead of MAC Authentication, the attributes are slightly different:

    [screenshot: enforcement profile attributes for 802.1X]

    Note that both lines 6 and 7 are different for MAC Auth vs 802.1X, but in the end, they do similar things: authenticate the AP (or other devices), return native and tagged VLANs, and change to port mode to prevent clients behind the AP from being authenticated on the switch.


    I can't find the version where the HPE-Port-Dot1x-Port-Mode attribute was introduced, but if you run 16.06 or newer it should be present. If the attributes are not accepted, check the documentation for the version of firmware that you run to see if it is supported, or just upgrade to the latest version.



  • 3.  RE: MAC Authentication AOS-S

    Posted Jul 31, 2020 02:36 PM

    Hey Herman,

    that's done the trick! Thanks a lot for the quick help!
    As I read it I thought I had read it before in some guide?!


    Thanks again and have a nice and sunny weekend!



  • 4.  RE: MAC Authentication AOS-S

    Posted Nov 28, 2021 11:07 AM
    Another way to do it would be sending the HPE user role from ClearPass and configuring the role in the switch, or even downloading the role from ClearPass.

    The role would look like this

    *** role config in switch ***
    class ipv4 "class-allowall-acl"
    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    policy user "pol-allowall"
    10 class ipv4 "class-allowall-acl" action permit
    exit

    aaa authorization user-role name "Wired_AP"
    policy "pol-allowall"
    vlan-id 100
    vlan-id-tagged 101-102
    device
    port-mode
    exit
    exit

    *** Enforcement profile in Clearpass ***


    Regards

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 5.  RE: MAC Authentication AOS-S

    Posted Sep 15, 2022 05:00 AM
    Apologies for resurrecting an old post but the question is relevant.

    How do we perform the above on Comware and CX switches?


  • 6.  RE: MAC Authentication AOS-S

    EMPLOYEE
    Posted Sep 15, 2022 08:30 AM
    If your question is how to assign native + tagged VLANs on a port through authentication, for example for Access Points, this is how the role would look for AOS-CX:
    port-access role instant-ap
        auth-mode device-mode
        vlan trunk native name Management VLAN
        vlan trunk allowed name Corporate VLAN
        vlan trunk allowed name Guest VLAN
        vlan trunk allowed name Untrusted VLAN
        vlan trunk allowed name Voice VLAN
    Unfortunately I can't help you with Comware.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
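An added example, not code from the thread, from ClearPass or from Aruba: a small checker for the Access-Accept pattern described in posts 2 and 6 (one untagged VLAN name, tagged VLAN names, and port-mode), which also renders the matching AOS-CX role. It assumes the VLAN-name attribute is RFC 4675 Egress-VLAN-Name (whose 1 = tagged / 2 = untagged prefix is the convention described above) and that HPE-Port-Dot1x-Port-Mode takes the value 1 for port mode; the sample reply is constructed.

```python
# Added example (not from the thread): summarize the VLAN / port-mode content of a
# RADIUS Access-Accept for an AP port and render the equivalent AOS-CX role.
# Assumptions: Egress-VLAN-Name (RFC 4675) "1"+name = tagged, "2"+name = untagged;
# HPE-Port-Dot1x-Port-Mode value "1" means port mode (assumed encoding).
from typing import Dict, List, Tuple
TAG_PREFIX = {"1": "tagged", "2": "untagged"}

def parse_egress_vlan_name(value: str) -> Tuple[str, str]:
    """Split an Egress-VLAN-Name value into (mode, vlan_name)."""
    if len(value) < 2 or value[0] not in TAG_PREFIX:
        raise ValueError(f"bad Egress-VLAN-Name: {value!r}")
    return TAG_PREFIX[value[0]], value[1:]

def summarize_reply(attrs: List[Tuple[str, str]]) -> Dict[str, object]:
    native, tagged, port_mode = None, [], False
    for name, value in attrs:
        if name == "Egress-VLAN-Name":
            mode, vlan = parse_egress_vlan_name(value)
            if mode == "tagged":
                tagged.append(vlan)
            elif native is not None:
                raise ValueError("more than one untagged VLAN returned")
            else:
                native = vlan
        elif name == "HPE-Port-Dot1x-Port-Mode":
            port_mode = value == "1"  # assumed encoding, see lead-in
    return {"native": native, "tagged": tagged, "port_mode": port_mode}

def reply_problems(summary: Dict[str, object]) -> List[str]:
    """Why an AP port would not behave as described in the thread."""
    problems = []
    if summary["native"] is None:
        problems.append("no untagged (native) VLAN returned")
    if not summary["port_mode"]:
        problems.append("port-mode missing: wireless clients bridged by the AP "
                        "will be MAC-authenticated on the switch one by one")
    return problems

def aos_cx_role(role: str, summary: Dict[str, object]) -> str:
    """Equivalent AOS-CX port-access role (auth-mode device-mode)."""
    lines = [f"port-access role {role}", "    auth-mode device-mode",
             f"    vlan trunk native name {summary['native']}"]
    lines += [f"    vlan trunk allowed name {v}" for v in summary["tagged"]]
    return "\n".join(lines)

# Constructed sample reply modelled on the attribute list described above.
SAMPLE_REPLY = [("Egress-VLAN-Name", "2Management VLAN"),
                ("Egress-VLAN-Name", "1Corporate VLAN"),
                ("Egress-VLAN-Name", "1Voice VLAN"),
                ("HPE-Port-Dot1x-Port-Mode", "1")]
```

Run `reply_problems(summarize_reply(SAMPLE_REPLY))` against a profile exported from ClearPass to confirm port-mode is actually returned before assuming clients behind the AP are exempt from switch-side authentication.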



  • 7.  RE: MAC Authentication AOS-S

    Posted Sep 16, 2022 03:43 AM
    Thanks Herman!