Wired Intelligent Edge


AOS-CX Local User Role (LUR) simple steps to Configure!

  • 1.  AOS-CX Local User Role (LUR) simple steps to Configure!

    EMPLOYEE
    Posted Jul 18, 2020 09:04 AM

    Good day!

    Prior condition or prerequisite:

    Let's Start

     

    Step 1: Validate that the RADIUS server is configured properly and is trackable as expected.

     

    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net tracking enable vrf mgmt

    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net clearpass-username HELLOUSERNAME clearpass-password plaintext HELLOPASSWD vrf mgmt

    BLDG02-F1(config)# radius-server host aoss-cppm.tmelab.net key plaintext KEYENTER vrf mgmt

    BLDG02-F1(config)# radius-server tracking interval 60

     

    BLDG02-F1# sh radius-server detail
    ******* Global RADIUS Configuration *******

    Shared-Secret: None
    Timeout: 5
    Auth-Type: pap
    Retries: 1
    TLS Timeout: 5
    Tracking Time Interval (seconds): 60
    Tracking Retries: 5
    Tracking User-name: radius-tracking-user
    Tracking Password: None
    Number of Servers: 1

    ****** RADIUS Server Information ******
    Server-Name : aoss-cppm.tmelab.net
    Auth-Port : 1812
    Accounting-Port : 1813
    VRF : mgmt
    TLS Enabled : No
    Shared-Secret : AQBapdAz4irjSK61Zg/CFArsNYWKbn1LObqDD/v9SH1eMQ6ABQAAADY26liu
    Timeout (default) : 5
    Retries (default) : 1
    Auth-Type (default) : pap
    Server-Group (default) : radius
    Default-Priority : 1
    Tracking : enabled
    Tracking-Mode : any
    Reachability-Status : reachable
    ClearPass-Username : admin
    ClearPass-Password : AQBapYv/u3/YfG9vYRpFxmOTtsFLIWxuAX442RdG9j11jsZ6CQAAACZ5Y2/BK9FmhQ==

    BLDG02-F1#

    BLDG02-F1# sh running-config interface mgmt
    interface mgmt
    no shutdown
    ip static 10.6.8.13/24
    default-gateway 10.6.8.1
    BLDG02-F1#

     

    Note: I am using Aruba ClearPass as the RADIUS server; please find the radius-tracking snapshot below.

    radius-tracking_lur.png

     

    Step 2: Let's configure LUR on the CX switch.

     

    BLDG02-F1# sh running-config port-access

    port-access role phone_role
    description lur_mac_auth
    auth-mode client-mode
    client-inactivity timeout 400
    poe-priority critical
    reauth-period 3000
    BLDG02-F1#

     

    Step 3: Let's enable authentication (mac-auth is enough for this case); let's enable both dot1x and mac-auth.

     

    BLDG02-F1(config)# aaa authentication port-access mac-auth enable

    BLDG02-F1(config)# aaa authentication port-access dot1x authenticator enable

    Step 4: Let's enable mac-auth on the client-connected interface.

     

    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1
    exit
    BLDG02-F1# sh mac-address-table
    MAC age-time : 300 seconds
    Number of MAC addresses : 6

    MAC Address          VLAN     Type       Port
    --------------------------------------------------------------
    2c:41:38:7f:27:05    1        dynamic    1/1/5
    90:20:c2:dc:85:00    195      dynamic    1/1/52
    90:20:c2:dc:85:00    197      dynamic    1/1/52
    90:20:c2:dc:85:00    198      dynamic    1/1/52
    90:20:c2:dc:85:00    199      dynamic    1/1/52
    90:20:c2:dc:85:00    200      dynamic    1/1/52
    BLDG02-F1#

    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1
    exit
    BLDG02-F1#

    BLDG02-F1# conf t

    BLDG02-F1(config)# interface 1/1/5

    BLDG02-F1(config-if)# aaa authentication port-access mac-auth enable

    BLDG02-F1(config-if)# end

    BLDG02-F1# sh running-config interface 1/1/5
    interface 1/1/5
    no shutdown
    vlan access 1
    aaa authentication port-access mac-auth
    enable
    exit
    BLDG02-F1#

     

    Step 6: Let's add and configure the CX switch, client profiles, policies and services on the RADIUS server (ClearPass).

    Please note that the same name as configured on the CX switch is configured on the RADIUS server. Screen snapshots are below:

     

    Add_CX_Switch.png

     

    Add_Profile_LUR.png

    Add_LUR_Policies.png

    add_service_cpmm.png

     

    Step 6: Time to validate; we are ready to authenticate the mac-auth client and assign the LUR.

     

    CPMM_LUR_authenticated.png

     

    BLDG02-F1# sh port-access clients

    Port Access Clients
    --------------------------------------------------------------------------------
    Port     MAC Address         Onboarded    Status     Role
                                 Method
    --------------------------------------------------------------------------------
    1/1/5    2c:41:38:7f:27:05   mac-auth     Success    phone_role

    BLDG02-F1# sh port-access clients interface 1/1/5
    detail Show detailed Port Access Client information.
    <cr>
    BLDG02-F1# sh port-access clients interface 1/1/5 detail

    Port Access Client Status Details:

    Client 2c:41:38:7f:27:05, 2c41387f2705
    ============================
    Session Details
    ---------------
    Port : 1/1/5
    Session Time : 172s
    IPv4 Address :
    IPv6 Address :

    Authentication Details
    ----------------------
    Status : mac-auth Authenticated
    Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated

    Authorization Details
    ----------------------
    Role : phone_role
    Status : Applied


    Role Information:

    Name : phone_role
    Type : local
    ----------------------------------------------
    Reauthentication Period : 3000 secs
    Authentication Mode : client-mode
    Session Timeout :
    Client Inactivity Timeout : 400 secs
    Description : lur_mac_auth
    Gateway Zone :
    UBT Gateway Role :
    Access VLAN :
    Native VLAN :
    Allowed Trunk VLANs :
    Access VLAN Name :
    Native VLAN Name :
    Allowed Trunk VLAN Names :
    MTU :
    QOS Trust Mode :
    STP Administrative Edge Port :
    PoE Priority : critical
    Captive Portal Profile :
    Policy :

    BLDG02-F1#

     

    Thank you,

    Yash
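
Added example (not part of the original post, and not Aruba tooling): a short Python check that parses the `show radius-server detail` and `show port-access clients interface 1/1/5 detail` output from the post and lists the fields worth reviewing before rolling this configuration out. The function names and finding texts are assumptions of this example; the sample text is trimmed from the output above.

```python
# Output excerpts trimmed from the post above (Step 1 and the validation step).
RADIUS_DETAIL = """\
TLS Enabled : No
Auth-Type (default) : pap
Reachability-Status : reachable
"""
CLIENT_DETAIL = """\
Port : 1/1/5
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Role : phone_role
Status : Applied
Access VLAN :
PoE Priority : critical
Policy :
"""

def parse_fields(text):
    """Split 'Key : value' lines; a repeated key keeps every value in order."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            key = key.replace("(default)", "").strip()
            fields.setdefault(key, []).append(value.strip())
    return fields

def first(fields, key):
    return fields.get(key, [""])[0]

def audit_radius(fields):
    findings = []
    if first(fields, "TLS Enabled").lower() == "no":
        findings.append("RADIUS session to the server is not TLS-protected")
    if first(fields, "Auth-Type").lower() == "pap":
        findings.append("Auth-Type is pap")
    if first(fields, "Reachability-Status") != "reachable":
        findings.append("server not reachable; check tracking")
    return findings

def audit_client(fields):
    findings = []
    if "dot1x - Not attempted" in first(fields, "Auth Precedence"):
        findings.append("client onboarded by MAC address only")
    # An attribute that is present but empty is one the role does not set.
    for attr in ("Access VLAN", "Policy"):
        if attr in fields and not fields[attr][0]:
            findings.append(f"applied role sets no {attr}")
    return findings
```

Run against the post's output, `audit_client` reports that `phone_role` sets neither an access VLAN nor a policy, so the role as shown carries only the timers and PoE priority.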



  • 2.  RE: AOS-CX Local User Role (LUR) simple steps to Configure!
    Best Answer

    MVP GURU
    Posted Jul 20, 2020 07:33 AM

    Hi Yash

     

    Do you plan to publish somewhere? Like a GitHub page or other?