I'm looking to protect the ports on Aruba switches with dot1x / mac-auth via ClearPass. There are Instant access points which have untagged and tagged VLANs (of course) to bridge the user traffic onto the network. This means that when enabling dot1x/mac-auth on the port, all client traffic is also tagged via the wired policies (instead of the wireless). Is there a way to handle this so the client traffic is allowed following the wireless policies, but the physical port is protected and only allows the physical connection as defined in the wired policies?
If I understand correctly, you may need to change the port auth mode to port-based so only the AP becomes authenticated and authorized and no other clients connected to the AP.
You may want to check: http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch06s10.html
Meanwhile I figured out that the 'aaa port-access lldp-bypass %intf%' command does exactly what I want. It opens the port completely when an Aruba access point is attached to it. With the 'show port-access lldp-bypass' command we can see all the MAC addresses of the wireless clients on the Instant AP.
This also re-enables the device profile for the APs on those ports, which is also a benefit.
I also have the same problem.
Is this the only way to solve it?
What if we connect a switch? I believe all the clients "behind" the switch will have the same issue...
We can work with device-identity and device-profile and lldp-bypass to 'open' a port to which a specific device type (based on LLDP or CDP) is connected. That enables easy config of, e.g., Instant APs. At the moment there is one limitation: when applying downloadable user roles with 'Device Configuration' (PoE settings, admin edge port or port mode) enabled, the DUR fails with lldp-bypass enabled. I would suggest using DUR even for APs when deploying a 'colorless port' setup.
For the switch issue: it depends. I would say that this is exactly the behaviour that we want: authenticate all clients, even those behind another (unmanaged) switch. But if we want we can also put this link in port mode via DUR when the first client on the second switch authenticates, set client limits, ...
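As an added example (not configuration posted in this thread and not Aruba's own reference config), here is how the pieces discussed above (lldp-bypass for AP-facing ports, a device-profile that sets the AP VLANs, and normal dot1x/mac-auth with client limits on user and uplink ports) could fit together in ArubaOS-Switch CLI. Port numbers, VLAN IDs, the profile name and the ClearPass address are assumptions; the command syntax is ArubaOS-Switch 16.x as I know it and should be checked against the release documentation for your platform before use.

```text
; Added example, not from the thread. Assumed layout:
;   ports 1-20  user-facing ports
;   ports 21-22 Instant AP ports
;   port 24     uplink to an unmanaged switch
;   VLAN 10     AP management (untagged), VLANs 20,30 SSID VLANs (tagged)
;   10.0.0.5    ClearPass (assumed address; shared secret is a placeholder)

radius-server host 10.0.0.5 key "<clearpass-shared-secret>"
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius

; User ports: 802.1X with MAC-auth fallback, limited to one client per port.
aaa port-access authenticator 1-20
aaa port-access mac-based 1-20
aaa port-access authenticator 1-20 client-limit 1

; AP ports: when an Aruba AP is recognised via LLDP/CDP the port is opened
; (as described earlier in the thread) so wireless clients follow the
; wireless policies instead of being re-authenticated on the wire.
; Note: per the thread, DUR with 'Device Configuration' enabled fails on a
; port that has lldp-bypass, so do not combine the two on these ports.
aaa port-access authenticator 21-22
aaa port-access mac-based 21-22
aaa port-access lldp-bypass 21-22

; Device profile applied to a port once an Aruba AP is identified on it.
; Profile name and VLAN list are assumptions.
device-profile name "instant-ap"
   untagged-vlan 10
   tagged-vlan 20,30
   exit
device-profile type "aruba-ap" associate "instant-ap"
device-profile device-type "aruba-ap" enable

; Uplink to an unmanaged switch: keep MAC-auth so clients behind that switch
; are still authenticated here, with a cap on how many may authenticate.
aaa port-access mac-based 24
aaa port-access mac-based 24 addr-limit 8

; Turn 802.1X authentication on globally.
aaa port-access authenticator active

; Verification after an AP and some wireless clients come up:
show port-access lldp-bypass
show port-access clients
```

The point of the split is that the wired policy only has to admit the AP itself (LLDP/CDP identification plus the device profile), while the user ports and the inter-switch uplink keep per-client authentication. Whether the uplink should authenticate at all is the trade-off the rest of the thread discusses; with an unmanaged switch downstream the addr-limit at least bounds how many MAC addresses can be learnt through that single port.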
Many thanks for your message.
I have cases where I have a mac-authentication enabled switch connected behind another mac-authentication switch. This means that the same client will be authorized by the first switch, and then, by the other one?
If I have 5 switches interconnected, will the same clients on the first switch be authorized 5 times?
If you configure the uplink ports with dot1x/mac-auth, that could be the case indeed. It all depends on how you configure the ports. There are a lot of possibilities, especially in combination with ClearPass.
But maybe you don't need dot1x auth on the inter-switch links? If the switches are secured in a closed rack you could do without authentication on those links?
Physical protection is not so good...
But yeah, I'll have to go with that option (disable mac-auth on uplink ports).
Thanks for your help!
I enabled "aaa port-access lldp-bypass" on all ports, but this disabled 802.1x. Is it supported to disable 802.1x on the ports where Instant AP is connected?
Sure. You can do that. Or you can use dot1x to recognize the APs and set the port config dynamically without lldp-bypass.