Wired

hi there,

i have a accesspoint, it has 3 tagged vlans and one untagged and its working great.
the switch is a aruba 2530 and the portconfiguration is just a simple config:

interface 2
tagged vlan 17,20,23
untagged vlan 1

so now im testing 802.1x and mac-authentication with microsoft NPS , and that is also working great !

the config on a port is:
interface 1
untagged vlan 666
aaa port-access authenticator
aaa port-access authenticator auth-vid 1
aaa port-access authenticator client-limit 1
aaa port-access mac-based
aaa port-access mac-based unauth-period 60
aaa port-access mac-based auth-vid 1
aaa port-access mac-based unauth-vid 31
aaa port-access auth-order authenticator mac-based
aaa port-access auth-priority authenticator mac-based
exit


the fun begins now, when im trying to mac-authenticate a accesspoint on a 802.1x switchport.

i have successfully enabled the "Egress-vlanid" as i read about in this article:
Returning multiple tagged VLANS and untagged VLAN from ClearPass on HPE Switches (arubanetworks.com)
but keep in mind, i dont use clearpass, only microsoft nps.

so now my accesspoint is mac-authenticated on the port and untagged vlan 1 , and tagged vlan 17,20,23 is present.

(eth-13)# show port-access clients detailed
Client Base Details :
Port : 13 Authentication Type : mac-based
Client Status : authenticated Session Time : 2300 seconds
Client Name : 001977816f80 Session Timeout : 0 seconds
MAC Address : 001977-816f80
IP : n/a


but now when i try to connect with my wifi-clients, they are authorized in the nps, and the  rules are hitting just fine ...but something is wrong with my switchportconfig and the devices seem to be stuck on 802.1x ...not getting correct vlans ... 


anyone done this and could point me in the right direction ?

/Peter




------------------------------
peter persson
------------------------------

Dear Peter,

From your port vlan config below, it seems you the wireless traffic is not tunneled, and it is breaking out directly into the switch onto the vlans 17,20,23
interface 2
tagged vlan 17,20,23
untagged vlan 1

this means that from the switch point of view, all wireless client mac addresses will be visible and will have to be authenticated as well, however this won't be possible in your current setup especially that the client limit is 1 on the port and it is being used up by the AP, No further clients can be authenticated and the port is blocked for them.

To sort out this issue you have 3 possibilities, either
1- remove "aaa port-access authenticator client-limit 1" which will switch the authentication to port-based rather than client based and this implies that once the AP authenticates, the port will be opened and no wireless clients will be requested to authenticate.
2- tunnel the traffic to the controller, only the AP mac-address will be visible for the switch and no wireless clients will need to authenticate
3- use point 1 along with configuring authentication for the wireless clients on the AP (assuming no controller, and that you want to authenticate wireless clients)

hope that helps

------------------------------
ibrahim massad
------------------------------

Original Message:
Sent: Apr 26, 2022 11:56 AM
From: peter persson
Subject: using an accesspoint on a 802.1x port ?

hi there,

i have a accesspoint, it has 3 tagged vlans and one untagged and its working great.
the switch is a aruba 2530 and the portconfiguration is just a simple config:

interface 2
tagged vlan 17,20,23
untagged vlan 1

so now im testing 802.1x and mac-authentication with microsoft NPS , and that is also working great !

the config on a port is:
interface 1
untagged vlan 666
aaa port-access authenticator
aaa port-access authenticator auth-vid 1
aaa port-access authenticator client-limit 1
aaa port-access mac-based
aaa port-access mac-based unauth-period 60
aaa port-access mac-based auth-vid 1
aaa port-access mac-based unauth-vid 31
aaa port-access auth-order authenticator mac-based
aaa port-access auth-priority authenticator mac-based
exit


the fun begins now, when im trying to mac-authenticate a accesspoint on a 802.1x switchport.

i have successfully enabled the "Egress-vlanid" as i read about in this article:
Returning multiple tagged VLANS and untagged VLAN from ClearPass on HPE Switches (arubanetworks.com)
but keep in mind, i dont use clearpass, only microsoft nps.

so now my accesspoint is mac-authenticated on the port and untagged vlan 1 , and tagged vlan 17,20,23 is present.

(eth-13)# show port-access clients detailed
Client Base Details :
Port : 13 Authentication Type : mac-based
Client Status : authenticated Session Time : 2300 seconds
Client Name : 001977816f80 Session Timeout : 0 seconds
MAC Address : 001977-816f80
IP : n/a


but now when i try to connect with my wifi-clients, they are authorized in the nps, and the  rules are hitting just fine ...but something is wrong with my switchportconfig and the devices seem to be stuck on 802.1x ...not getting correct vlans ... 


anyone done this and could point me in the right direction ?

/Peter




------------------------------
peter persson
------------------------------

thank you for the answer , i will read up on your three pointers !

/P

------------------------------
peter
------------------------------

Original Message:
Sent: Apr 28, 2022 04:49 AM
From: ibrahim massad
Subject: using an accesspoint on a 802.1x port ?

Dear Peter,

From your port vlan config below, it seems you the wireless traffic is not tunneled, and it is breaking out directly into the switch onto the vlans 17,20,23
interface 2
tagged vlan 17,20,23
untagged vlan 1

this means that from the switch point of view, all wireless client mac addresses will be visible and will have to be authenticated as well, however this won't be possible in your current setup especially that the client limit is 1 on the port and it is being used up by the AP, No further clients can be authenticated and the port is blocked for them.

To sort out this issue you have 3 possibilities, either
1- remove "aaa port-access authenticator client-limit 1" which will switch the authentication to port-based rather than client based and this implies that once the AP authenticates, the port will be opened and no wireless clients will be requested to authenticate.
2- tunnel the traffic to the controller, only the AP mac-address will be visible for the switch and no wireless clients will need to authenticate
3- use point 1 along with configuring authentication for the wireless clients on the AP (assuming no controller, and that you want to authenticate wireless clients)

hope that helps

------------------------------
ibrahim massad

Original Message:
Sent: Apr 26, 2022 11:56 AM
From: peter persson
Subject: using an accesspoint on a 802.1x port ?

hi there,

i have a accesspoint, it has 3 tagged vlans and one untagged and its working great.
the switch is a aruba 2530 and the portconfiguration is just a simple config:

interface 2
tagged vlan 17,20,23
untagged vlan 1

so now im testing 802.1x and mac-authentication with microsoft NPS , and that is also working great !

the config on a port is:
interface 1
untagged vlan 666
aaa port-access authenticator
aaa port-access authenticator auth-vid 1
aaa port-access authenticator client-limit 1
aaa port-access mac-based
aaa port-access mac-based unauth-period 60
aaa port-access mac-based auth-vid 1
aaa port-access mac-based unauth-vid 31
aaa port-access auth-order authenticator mac-based
aaa port-access auth-priority authenticator mac-based
exit


the fun begins now, when im trying to mac-authenticate a accesspoint on a 802.1x switchport.

i have successfully enabled the "Egress-vlanid" as i read about in this article:
Returning multiple tagged VLANS and untagged VLAN from ClearPass on HPE Switches (arubanetworks.com)
but keep in mind, i dont use clearpass, only microsoft nps.

so now my accesspoint is mac-authenticated on the port and untagged vlan 1 , and tagged vlan 17,20,23 is present.

(eth-13)# show port-access clients detailed
Client Base Details :
Port : 13 Authentication Type : mac-based
Client Status : authenticated Session Time : 2300 seconds
Client Name : 001977816f80 Session Timeout : 0 seconds
MAC Address : 001977-816f80
IP : n/a


but now when i try to connect with my wifi-clients, they are authorized in the nps, and the  rules are hitting just fine ...but something is wrong with my switchportconfig and the devices seem to be stuck on 802.1x ...not getting correct vlans ... 


anyone done this and could point me in the right direction ?

/Peter




------------------------------
peter persson
------------------------------

adding to my comment above, you can also try the quick workaround of increasing the number of "aaa port-access authenticator client-limit 1" to be 10 for example and check the outcome.

------------------------------
ibrahim massad
------------------------------

Original Message:
Sent: Apr 28, 2022 05:27 AM
From: peter persson
Subject: using an accesspoint on a 802.1x port ?

thank you for the answer , i will read up on your three pointers !

/P

------------------------------
peter

Original Message:
Sent: Apr 28, 2022 04:49 AM
From: ibrahim massad
Subject: using an accesspoint on a 802.1x port ?

Dear Peter,

From your port vlan config below, it seems you the wireless traffic is not tunneled, and it is breaking out directly into the switch onto the vlans 17,20,23
interface 2
tagged vlan 17,20,23
untagged vlan 1

this means that from the switch point of view, all wireless client mac addresses will be visible and will have to be authenticated as well, however this won't be possible in your current setup especially that the client limit is 1 on the port and it is being used up by the AP, No further clients can be authenticated and the port is blocked for them.

To sort out this issue you have 3 possibilities, either
1- remove "aaa port-access authenticator client-limit 1" which will switch the authentication to port-based rather than client based and this implies that once the AP authenticates, the port will be opened and no wireless clients will be requested to authenticate.
2- tunnel the traffic to the controller, only the AP mac-address will be visible for the switch and no wireless clients will need to authenticate
3- use point 1 along with configuring authentication for the wireless clients on the AP (assuming no controller, and that you want to authenticate wireless clients)

hope that helps

------------------------------
ibrahim massad

Original Message:
Sent: Apr 26, 2022 11:56 AM
From: peter persson
Subject: using an accesspoint on a 802.1x port ?

hi there,

i have a accesspoint, it has 3 tagged vlans and one untagged and its working great.
the switch is a aruba 2530 and the portconfiguration is just a simple config:

interface 2
tagged vlan 17,20,23
untagged vlan 1

so now im testing 802.1x and mac-authentication with microsoft NPS , and that is also working great !

the config on a port is:
interface 1
untagged vlan 666
aaa port-access authenticator
aaa port-access authenticator auth-vid 1
aaa port-access authenticator client-limit 1
aaa port-access mac-based
aaa port-access mac-based unauth-period 60
aaa port-access mac-based auth-vid 1
aaa port-access mac-based unauth-vid 31
aaa port-access auth-order authenticator mac-based
aaa port-access auth-priority authenticator mac-based
exit


the fun begins now, when im trying to mac-authenticate a accesspoint on a 802.1x switchport.

i have successfully enabled the "Egress-vlanid" as i read about in this article:
Returning multiple tagged VLANS and untagged VLAN from ClearPass on HPE Switches (arubanetworks.com)
but keep in mind, i dont use clearpass, only microsoft nps.

so now my accesspoint is mac-authenticated on the port and untagged vlan 1 , and tagged vlan 17,20,23 is present.

(eth-13)# show port-access clients detailed
Client Base Details :
Port : 13 Authentication Type : mac-based
Client Status : authenticated Session Time : 2300 seconds
Client Name : 001977816f80 Session Timeout : 0 seconds
MAC Address : 001977-816f80
IP : n/a


but now when i try to connect with my wifi-clients, they are authorized in the nps, and the  rules are hitting just fine ...but something is wrong with my switchportconfig and the devices seem to be stuck on 802.1x ...not getting correct vlans ... 


anyone done this and could point me in the right direction ?

/Peter




------------------------------
peter persson
------------------------------