Wired

last person joined: an hour ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

802.1x Switch Configuration

Jump to Best Answer
  • 1.  802.1x Switch Configuration

    Posted Oct 08, 2013 10:09 AM

    Hi All,

     

    I've configured 802.1x auth on some switch ports in my lab and I'm using Clearpass as the RADIUS server using AD as the source. I've got clearpass configured to pass a role back to the switch if authentication is sucessful and that works great.


    Next step is to allow guest to plug in and for them to be assigned a different role, lets say the guest role.


    I don't want to do tunneled node as I don't want the potential extra overhead on my controller. I know in my lab this wont be an issue but for customers there's potential that it could be depending on certain factors.

     

    If this possible to do?

     

    At the moment when my "guest laptop" plugs in they fail authentication, enforment policies are ignored and they stay in the logon role on the switch.


    Cheers

    James



  • 2.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 10:12 AM

    Do you want them to go through a registration process or just allow them on with a limited role?



  • 3.  RE: 802.1x Switch Configuration
    Best Answer

    Posted Oct 08, 2013 10:12 AM

    James,

    You'll want to create a MAC-Auth service that is configured to allow all MAC and in the enforcement policy, if it is an unknown MAC, pass back a role of Guest (or whatever name you chose). I'll post some screenshots of what I mean a little later today.

     

    Best regards,

     

    Madani



  • 4.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 10:17 AM

    Hi,

     

    I don't want them to register, just but placed into a particular role.

     

    Screenshots would be perfect. :)



  • 5.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 10:36 AM

    Just make the initial role "guest".  Upon a failed auth, they will be assigned guest.



  • 6.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 10:55 AM

    @SethFiermonti wrote:

    Just make the initial role "guest".  Upon a failed auth, they will be assigned guest.


    Seth, great answer.

     

    I've gone for configurring an allow all MAC authentication source and an enforcement policy which matches any MAC auth requests, then assign a clearpass downloadable role. It's in a lab after all...



  • 7.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 10:56 AM

    You'll have more flexibility in the future using ClearPass instead of the initial role.



  • 8.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 11:11 AM
    Agreed. Didn't catch ClearPass was involved here


  • 9.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 04:00 PM

    I know I like to keep my initial role as something that doesn't actually provide any IP connectivity at all, because some clients will not deal well with getting a DHCP lease, and then getting shuttled to another role assigned by a Clearpass RADIUS VSA with a different VLAN associated.  If you keep clients in the same VLAN the whole time and just your various user roles for ACL assignment, this wouldn't be a problem.

     

    I don't know if it's the best way to do it but my initial role has an "allow-all" ACL associated, but no VLAN, which means it should derive its VLAN from the switching profile in the interface or interface-group configuration.  If no switching profile is configured it would fall back to the default switching profile with VLAN 1, which in my case is not something that will provide any IP connectivity to clients.

     

    If the Aruba experts here think this isn't optimal please let me know.