Hi guys, I think I stared too long at this to get the behaviour of a MAC Auth port right. Is it normal that a port on an AOS-S (former ProVision) 2530 switch configured with MAC Authentication authenticates every MAC it learns? Isn't there a config option for MAC auth like port-based / user-based mode on an "authenticator" port?

Scenario: I have a Meraki cloud-managed AP which does not support 802.1X wired authentication. I chose to configure the switch port to authenticate the device (AP) via its MAC and dynamically set the needed VLANs on it (works fine). As there are bridged SSIDs on the AP, the wireless clients are bridged locally into a VLAN on the same switch port. The switch wants to authenticate every newly learned / seen MAC address on the wired side.

Again the question: is this behaviour normal or did I miss some configuration? Does anyone have a hint to achieve a partly acceptable authentication for Meraki APs?
If you want to do MAC authentication on an AP that carries tagged VLANs, you will need to return the following attributes to switch to port mode (don't authenticate the clients that reach the switch in the VLANs from the AP):
This example uses VLAN names, and the number in front of the VLAN name means 2 for untagged or 1 for tagged. So the VLAN 'Management VLAN' is applied untagged, while 'Corporate VLAN', 'Voice VLAN', etc. are applied tagged.
You will need to run 16.02.0012 or newer on your switch for these attributes to be recognized.
In case you authenticate your AP with 802.1X instead of MAC Authentication, the attributes are slightly different:
Note that both lines 6 and 7 are different for MAC Auth vs 802.1X, but in the end they do similar things: authenticate the AP (or other devices), return native and tagged VLANs, and change to port mode to prevent clients behind the AP from being authenticated on the switch.
I can't find the version where the HPE-Port-Dot1x-Port-Mode attribute was introduced, but if you run 16.06 or newer it should be present. If the attributes are not accepted, check the documentation for the version of firmware that you run to see if it is supported, or just upgrade to the latest version.
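To make the tagged/untagged prefix from the answer concrete, here is an added example (not from the thread or from HPE) that builds and sanity-checks the VLAN attribute values a RADIUS server would return for the AP port. The "1"/"2" prefix is the RFC 4675 tag indication used by the standard Egress-VLAN-Name and Egress-VLANID attributes (0x31 = tagged, 0x32 = untagged); the VLAN names are the ones used in this thread, while the VLAN IDs are constructed samples.

```python
# Added example, not from the thread. Encodes/decodes RFC 4675 Egress-VLAN
# values for an AP port: one untagged (native) VLAN plus tagged SSID VLANs.
TAGGED, UNTAGGED = "1", "2"  # RFC 4675 tag indication characters

SAMPLE_VLAN_IDS = {  # constructed sample IDs, not from the thread
    "Management VLAN": 10, "Corporate VLAN": 20, "Guest VLAN": 30,
    "Untrusted VLAN": 40, "Voice VLAN": 50,
}


def egress_vlan_name(name, tagged):
    """Encode Egress-VLAN-Name: tag-indication character + VLAN name."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    return (TAGGED if tagged else UNTAGGED) + name


def egress_vlanid(vlan_id, tagged):
    """Encode Egress-VLANID: tag indication in the top byte, 12-bit VLAN ID
    in the low bits, reserved bits zero."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((0x31 if tagged else 0x32) << 24) | vlan_id


def decode_egress_vlan_name(value):
    """Return (name, tagged) from an encoded value; reject malformed input."""
    if len(value) < 2 or value[0] not in (TAGGED, UNTAGGED):
        raise ValueError(f"malformed Egress-VLAN-Name: {value!r}")
    return value[1:], value[0] == TAGGED


def ap_port_reply(native, tagged_vlans):
    """Attribute values for an AP port: untagged native VLAN, then tagged."""
    return [egress_vlan_name(native, False)] + [
        egress_vlan_name(n, True) for n in tagged_vlans]


def check_reply(values):
    """Check a reply before sending it: exactly one untagged VLAN (a port
    has one native VLAN) and no VLAN listed twice. Returns (native, tagged)."""
    decoded = [decode_egress_vlan_name(v) for v in values]
    names = [n for n, _ in decoded]
    untagged = [n for n, t in decoded if not t]
    if len(untagged) != 1:
        raise ValueError(f"need exactly one untagged VLAN, got {untagged}")
    if len(set(names)) != len(names):
        raise ValueError("a VLAN appears more than once")
    return untagged[0], [n for n, t in decoded if t]
```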
That's done the trick! Thanks a lot for the quick help! As I read it, I thought I had read it before in some guide?!
Thanks again and have a nice and sunny weekend!
port-access role instant-ap
    auth-mode device-mode
    vlan trunk native name Management VLAN
    vlan trunk allowed name Corporate VLAN
    vlan trunk allowed name Guest VLAN
    vlan trunk allowed name Untrusted VLAN
    vlan trunk allowed name Voice VLAN