Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco Wired Auth - Enforcement - Trunk Port - Port Mode

  • 1.  Cisco Wired Auth - Enforcement - Trunk Port - Port Mode

    Posted Aug 09, 2021 09:05 AM

    Looking for a way to connect Aruba IAPs to a Cisco switch configured with Wired Auth. To date, I instruct customers to completely remove Auth on the port. This is less than desirable as we no longer have colorless ports and now the administrative burden is back on the engineer to one-off each of the IAP ports. I understand this is a limitation with what VSAs the Cisco switch supports.

    With Aruba AOS and CX, we can send enforcement to push Untagged and Tagged VLANs to a switchport. In addition, we can also enforce Port-Mode so the switchport only authenticates the AP but not subsequent client connections.

    I have heard rumor this is possible but have never found a way to do it! 

    Thanks!

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------
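The post above describes pushing an untagged VLAN plus tagged VLANs to a switchport through RADIUS enforcement. The following is an added example, not code from the thread or from HPE Aruba; it assumes that this enforcement is carried in the standard RFC 4675 attributes Egress-VLANID (type 56) and Egress-VLAN-Name (type 58), which the post itself does not name. It encodes and decodes those attribute values so that an engineer can check, for instance in a packet capture of the Access-Accept, that the tag indication and VLAN ID a policy sends are exactly what was intended before the port configuration is trusted.

```python
"""Encode/decode RFC 4675 Egress-VLANID and Egress-VLAN-Name values.

Added example (not part of the original forum post). Assumes the
tagged/untagged VLAN enforcement discussed in the thread uses the
RFC 4675 attributes; attribute numbers below come from that RFC.
"""
import struct

EGRESS_VLANID = 56        # RFC 4675 attribute type
EGRESS_VLAN_NAME = 58     # RFC 4675 attribute type

# Tag indication octet / leading character defined by RFC 4675.
TAGGED = 0x31             # ASCII '1'
UNTAGGED = 0x32           # ASCII '2'


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> bytes:
    """Return the 4-octet Egress-VLANID value: tag(8) | pad(12) | vlan(12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    tag = TAGGED if tagged else UNTAGGED
    return struct.pack(">I", (tag << 24) | vlan_id)


def decode_egress_vlanid(value: bytes) -> tuple[int, bool]:
    """Parse a 4-octet value and return (vlan_id, tagged).

    Rejects malformed values (bad tag octet, non-zero pad, bad VLAN)
    rather than silently accepting them.
    """
    if len(value) != 4:
        raise ValueError("Egress-VLANID value must be 4 octets")
    word = struct.unpack(">I", value)[0]
    tag = word >> 24
    pad = (word >> 12) & 0xFFF
    vlan_id = word & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indication 0x{tag:02x}")
    if pad != 0:
        raise ValueError("pad bits must be zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, tag == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> bytes:
    """Return the Egress-VLAN-Name value: '1'/'2' prefix plus the name."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    return (("1" if tagged else "2") + name).encode("utf-8")


def decode_egress_vlan_name(value: bytes) -> tuple[str, bool]:
    """Parse an Egress-VLAN-Name value into (name, tagged)."""
    text = value.decode("utf-8")
    if len(text) < 2 or text[0] not in ("1", "2"):
        raise ValueError("malformed Egress-VLAN-Name value")
    return text[1:], text[0] == "1"


def ap_port_attributes(untagged_vlan: int, tagged_vlans: list[int]) -> list[tuple[int, bytes]]:
    """Build the (type, value) attribute list for an AP uplink port:
    one untagged (native) VLAN plus one Egress-VLANID per tagged VLAN."""
    if untagged_vlan in tagged_vlans:
        raise ValueError("a VLAN cannot be both untagged and tagged")
    attrs = [(EGRESS_VLANID, encode_egress_vlanid(untagged_vlan, False))]
    attrs += [(EGRESS_VLANID, encode_egress_vlanid(v, True)) for v in tagged_vlans]
    return attrs


if __name__ == "__main__":
    # Constructed sample: management VLAN 100 untagged, SSID VLANs tagged.
    for attr_type, raw in ap_port_attributes(100, [200, 300]):
        vlan, tagged = decode_egress_vlanid(raw)
        print(f"attr {attr_type}: {raw.hex()} -> vlan {vlan} {'tagged' if tagged else 'untagged'}")
```

The decoder deliberately refuses values whose pad bits are non-zero or whose tag octet is neither 0x31 nor 0x32; a switch that tolerates such values may land a port in an unintended VLAN, so rejecting them in a test harness is the safer default.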


  • 2.  RE: Cisco Wired Auth - Enforcement - Trunk Port - Port Mode

    MVP
    Posted Nov 07, 2021 11:04 AM
    Are you using ClearPass as the RADIUS server for the wired authentications? We have a few thousand Aruba APs and most are on NAC'd ports. We leverage DHCP profiling and Aruba Activate Sync to have our APs identified as APs and MAC auth them successfully. 

    On router for the VLAN, add ClearPass as IP helper.
    In Aruba Activate, create user account for ClearPass
    On ClearPass add Activate as an Endpoint Context Server

    If you're using Activate, your purchases should be populated in the cloud at the Distribution center, so before you even receive the gear, it can be added to your endpoints database. Through the Role mapping policy, you can reference the device-type or source of Activate and MAC auth it successfully. If the Distributor does not add your devices to Activate, you can open a TAC case to have this completed upon receipt of the hardware. If you want to add your existing APs, just pull the AP database (use the long command, it includes the SN) and offer that to Aruba to work on.

    Hopefully some of that helps, good luck!


    ------------------------------
    Michael Haring

    AirHeads MVP 2017, 2019-2021
    ------------------------------



  • 3.  RE: Cisco Wired Auth - Enforcement - Trunk Port - Port Mode

    Posted Nov 08, 2021 09:31 AM
    Thanks for your tips MHaring. These are not Campus APs. These are Instant APs. While your suggestion is perfect for identifying devices, it does not help with Enforcement to put a Cisco switchport into a trunk configuration to support the Tagged and Untagged VLANs required for an Instant AP.

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------



  • 4.  RE: Cisco Wired Auth - Enforcement - Trunk Port - Port Mode

    Posted Nov 08, 2021 05:24 AM
    It should be possible with Macros on Cisco switches, but I found that Macros as defined in the post below did not work on all Cisco series and a f/w update was needed on some. This customer had mostly 3950, on which some needed an update. They also had 4500 series that didn't support the macros, so I never put this in production. This specific customer used controller based APs with split-tunnel, so we removed the need for the split tunnel instead.

    See this thread:
    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=15574#bm3503483a-917c-4ecf-b14b-157404812613

    rgds Erik

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------