Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Aruba Central MSP NaaS with IAP + ClearPass

  • 1.  Aruba Central MSP NaaS with IAP + ClearPass

    Posted Jun 17, 2021 05:34 AM
    Hi,

    Quick about the setup:

    * Aruba Central managed with switches and access points.
    * Aruba 3810M core switch connected to the ISP router connected to our company's data centre. (everything on the WAN side is working)
    * Aruba 2530 access switches
    * Aruba AP505
    * AP is added and is using the Virtual Controller.
    * ClearPass is installed and working, but I have not applied 802.1X and MAC auth for all switches. This is because we have not migrated everything over and are doing things in steps to keep the old and new setup in parallel.
    * This is a Network-as-a-Service solution and is supposed to be simple and scalable, easy to add and remove devices.


    The issue I have at the moment:
    1. Activated MAC-auth and 802.1X on 1 switch for all ports except uplinks.
    2. Connected an Aruba 505 AP to a switchport
    3. the Switch (NAD) sends a RADIUS request to ClearPass. NAD is added as network device so that is ok. 
    4. ClearPass classifies it as a role I named Aruba_AP and returns untagged VLAN and several Tagged VLANs (HPE-Egress-VLAN-ID) and looks like this:
    5. The switch sets VLAN1 untagged and tags the other VLANs correctly for the switch port.
    6. The SSID is set up with WPA/PSK (their old setup) and is set to Static VLAN 30.
    7. The device that connects with the correct password gets VLAN30 but no IP address.
    8. ClearPass also picks up every device that is trying to connect with MAC auth and is allowing the connection and returning VLAN30 as the value.

    Q: How can I prevent every user from trying to MAC Auth to ClearPass after successfully authenticating with the password?
    Q: Why is it not receiving an IP from the DHCP server after successfully connecting to an SSID with a static VLAN when the switchport is tagged correctly?
    NB! This works with an SSID that has ClearPass as authentication when connecting with a valid certificate with EAP-TLS as auth method and is returned VLAN10, VLAN30 also works and Dynamic VLAN assignment is added. Not for PSK and static. I also tried PSK and dynamic.

    ------
    However it works without MAC Auth and 802.1X and the setup is like this:
    1. Aruba AP is connected to the switch.
    2. The switch has activated "Device Profile" and sets the untagged and tagged VLAN values to the switchport when it know it is an AP connected.
    3. Users connect to the same SSID with the same PW.
    4. Static VLAN 30 is returned to the user
    5. The user receives an IP address and voila.

    Q: Why is this working and not the other solution involving ClearPass when it returns the same VLANs?

    ---
    Another issue that has been noticed is that Aruba switches have had problems receiving IP addresses on a port to the ISP.
    DHCP relay is added on the ISP router, but it was not working on a trunk port until moved to another L3 port.

    Does DHCP relay need to be added on a per-switch basis even if directly connected to the router?

    ---

    Anyone have any similar setups and experienced these issues?

    ------------------------------
    Rikard Berg
    ------------------------------


  • 2.  RE: Aruba Central MSP NaaS with IAP + ClearPass

    EMPLOYEE
    Posted Aug 23, 2021 08:10 AM
    Hi Rikard,

    The problem you describe is very common and known. The port is authenticating the IAP and also every other device coming through that port. This is the default behaviour but not desired for a port with an AP connected. The client is authenticated at the AP and there is no need to authenticate at the port as well. 

    To get this solved, the switch port can run in user mode (every MAC is authenticated) or in port mode. The latter will only authenticate the first MAC, and every other MAC does not trigger any authentication. The latter mode is the one you will use. 

    There are some VSAs you use in order to change this. 

    HPE-Port-Dot1x-Port-Mode (for dot1x authentication)
    HPE-Port-MA-Port-Mode (for mac auth)

    You can also configure this statically on the port, but I would prefer the VSA method. 

    I have created a blog post on this topic some time ago:

    https://www.flomain.de/2020/03/aruba-ap-authentication/

    BR
    Florian

    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------
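As an added illustration (not code from the original poster, from Florian, or from any switch or ClearPass implementation), a small Python model of the difference between MAC-auth user mode and port mode on an AP-facing port, with the HPE-Egress-VLAN-ID values decoded in the RFC 4675 Egress-VLANID layout that attribute shares (0x31 = tagged, 0x32 = untagged, low 12 bits = VLAN ID). The ClearPass policy, the MAC addresses and the boolean port-mode flag are assumptions for the sake of the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

TAGGED, UNTAGGED = 0x31, 0x32          # RFC 4675 tag indicators (upper byte)

def decode_egress_vlan(value: int) -> tuple[int, bool]:
    """Split a 32-bit Egress-VLANID into (vlan_id, tagged)."""
    tag = (value >> 24) & 0xFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indicator 0x{tag:02x}")
    return value & 0xFFF, tag == TAGGED

def vlan_config(egress_vlans: list[int]) -> tuple[int | None, set[int]]:
    """Return (untagged_vlan, {tagged vlans}) from a list of Egress-VLANIDs."""
    untagged, tagged = None, set()
    for v in egress_vlans:
        vid, is_tagged = decode_egress_vlan(v)
        if is_tagged:
            tagged.add(vid)
        else:
            untagged = vid
    return untagged, tagged

@dataclass
class MacAuthPort:
    port_mode: bool                                  # True: first MAC opens the port
    radius_requests: list[str] = field(default_factory=list)
    assignments: dict = field(default_factory=dict)  # mac -> (untagged, tagged)

    def see_mac(self, mac: str, radius) -> bool:
        """A frame with this source MAC arrives on the port; return whether it is allowed."""
        if mac in self.assignments:
            return True
        if self.port_mode and self.assignments:
            return True          # port already opened by the first MAC: no RADIUS round-trip
        self.radius_requests.append(mac)
        accept = radius(mac)
        if accept is None:
            return False
        self.assignments[mac] = vlan_config(accept)
        return True

# Constructed ClearPass policy (assumption): the Aruba_AP role gets VLAN 1 untagged plus
# VLANs 10 and 30 tagged; any other MAC is caught by the MAC-auth service and gets VLAN 30.
AP_MAC = "aa:bb:cc:00:00:01"
AP_ACCEPT = [UNTAGGED << 24 | 1, TAGGED << 24 | 10, TAGGED << 24 | 30]
def clearpass(mac: str) -> list[int]:
    return AP_ACCEPT if mac == AP_MAC else [UNTAGGED << 24 | 30]

def run(port_mode: bool) -> MacAuthPort:
    """Replay the AP, two wireless clients and a repeat client on one port."""
    port = MacAuthPort(port_mode)
    for mac in (AP_MAC, "11:22:33:44:55:01", "11:22:33:44:55:02", "11:22:33:44:55:01"):
        port.see_mac(mac, clearpass)
    return port
```

In user mode every client behind the AP produces its own RADIUS request and VLAN 30 assignment, which is the behaviour seen in point 8 of the question; in port mode only the AP itself is authenticated.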