Using an access point on an 802.1x port?

  • 1.  Using an access point on an 802.1x port?

    Posted Apr 26, 2022 11:56 AM
    Hi there,

    I have an access point; it has 3 tagged VLANs and one untagged, and it's working great.
    The switch is an Aruba 2530 and the port configuration is just a simple config:

    interface 2
    tagged vlan 17,20,23
    untagged vlan 1

    So now I'm testing 802.1x and MAC authentication with Microsoft NPS, and that is also working great!

    The config on a port is:
    interface 1
    untagged vlan 666
    aaa port-access authenticator
    aaa port-access authenticator auth-vid 1
    aaa port-access authenticator client-limit 1
    aaa port-access mac-based
    aaa port-access mac-based unauth-period 60
    aaa port-access mac-based auth-vid 1
    aaa port-access mac-based unauth-vid 31
    aaa port-access auth-order authenticator mac-based
    aaa port-access auth-priority authenticator mac-based
    exit


    The fun begins now, when I'm trying to MAC-authenticate an access point on an 802.1x switch port.

    I have successfully enabled the "Egress-VLANID", as I read about in this article:
    Returning multiple tagged VLANS and untagged VLAN from ClearPass on HPE Switches (arubanetworks.com)
    But keep in mind, I don't use ClearPass, only Microsoft NPS.

    So now my access point is MAC-authenticated on the port, and untagged VLAN 1 and tagged VLANs 17,20,23 are present.

    (eth-13)# show port-access clients detailed
    Client Base Details :
    Port : 13 Authentication Type : mac-based
    Client Status : authenticated Session Time : 2300 seconds
    Client Name : 001977816f80 Session Timeout : 0 seconds
    MAC Address : 001977-816f80
    IP : n/a


    But now when I try to connect with my Wi-Fi clients, they are authorized in NPS and the rules are hitting just fine... but something is wrong with my switch port config, and the devices seem to be stuck on 802.1x, not getting the correct VLANs...

    Has anyone done this and could point me in the right direction?

    /Peter




    ------------------------------
    peter persson
    ------------------------------


  • 2.  RE: Using an access point on an 802.1x port?

    Posted Apr 28, 2022 04:49 AM
    Dear Peter,

    From your port VLAN config below, it seems the wireless traffic is not tunneled, and it is breaking out directly into the switch onto VLANs 17,20,23:
    interface 2
    tagged vlan 17,20,23
    untagged vlan 1

    This means that from the switch's point of view, all wireless client MAC addresses will be visible and will have to be authenticated as well. However, this won't be possible in your current setup, especially since the client limit is 1 on the port and it is being used up by the AP: no further clients can be authenticated, and the port is blocked for them.

    To sort out this issue you have 3 possibilities:
    1- Remove "aaa port-access authenticator client-limit 1", which will switch the authentication to port-based rather than client-based; this implies that once the AP authenticates, the port will be opened and no wireless clients will be requested to authenticate.
    2- Tunnel the traffic to the controller; only the AP MAC address will be visible to the switch and no wireless clients will need to authenticate.
    3- Use point 1 along with configuring authentication for the wireless clients on the AP (assuming no controller, and that you want to authenticate wireless clients).

    Hope that helps.


    ------------------------------
    ibrahim massad
    ------------------------------
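Two parts of this thread lend themselves to a small worked example, added here by the editor and not code from any of the posts: the Egress-VLANID values NPS has to return for the AP's port profile (untagged 1, tagged 17,20,23, as in post 1), and the client-limit situation described in the reply above, checked against `show port-access clients detailed` output. The encoding follows RFC 4675 (a tag byte of 0x31 for tagged or 0x32 for untagged, 12 zero bits, then the 12-bit VLAN ID). The second client record in the sample output is constructed, the status strings the switch prints are assumed from the one record in the thread, and all function names are the editor's own.

```python
"""Added example (not from the thread): RFC 4675 Egress-VLANID encoding for the
AP's VLAN profile, and a check over `show port-access clients detailed` output
for ports whose authenticated client count already fills the client-limit."""
from __future__ import annotations
import re

# RFC 4675 Egress-VLANID layout: 8-bit tag indication, 12 zero bits, 12-bit VLAN ID.
TAGGED = 0x31     # ASCII '1': VLAN is tagged on the port
UNTAGGED = 0x32   # ASCII '2': VLAN is the port's untagged VLAN


def egress_vlanid(vid: int, tagged: bool) -> int:
    """Integer value of one Egress-VLANID attribute as NPS must return it."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vid


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Inverse of egress_vlanid(); rejects a bad tag byte, non-zero padding or VLAN 0."""
    tag, pad, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED) or pad != 0 or vid == 0:
        raise ValueError(f"not a valid Egress-VLANID: {value:#x}")
    return vid, tag == TAGGED


def radius_vlan_attributes(untagged: int, tagged: list[int]) -> list[int]:
    """All Egress-VLANID values for one port profile, untagged VLAN first."""
    return [egress_vlanid(untagged, False)] + [egress_vlanid(v, True) for v in tagged]


# One client record as the 2530 prints it; field order taken from the thread's output.
CLIENT_RE = re.compile(
    r"Port\s*:\s*(?P<port>\S+)\s+Authentication Type\s*:\s*(?P<auth>\S+).*?"
    r"Client Status\s*:\s*(?P<status>\S+).*?"
    r"MAC Address\s*:\s*(?P<mac>[0-9a-fA-F-]+)",
    re.DOTALL,
)


def parse_port_access_clients(text: str) -> list[dict[str, str]]:
    """Extract port, auth type, status and MAC for every client block in the output."""
    return [m.groupdict() for m in CLIENT_RE.finditer(text)]


def ports_at_client_limit(clients: list[dict[str, str]], client_limit: int) -> dict[str, int]:
    """Ports whose authenticated clients already fill the client-limit; any further
    MAC seen there (a wireless client bridged through the AP) cannot authenticate."""
    counts: dict[str, int] = {}
    for c in clients:
        if c["status"] == "authenticated":
            counts[c["port"]] = counts.get(c["port"], 0) + 1
    return {port: n for port, n in counts.items() if n >= client_limit}


# Constructed sample: the thread's AP on port 13 plus a made-up 802.1x client on port 5.
SAMPLE_SHOW_OUTPUT = """\
Client Base Details :
Port : 13 Authentication Type : mac-based
Client Status : authenticated Session Time : 2300 seconds
Client Name : 001977816f80 Session Timeout : 0 seconds
MAC Address : 001977-816f80
IP : n/a

Port : 5 Authentication Type : 802.1x
Client Status : authenticated Session Time : 120 seconds
Client Name : alice Session Timeout : 0 seconds
MAC Address : aabbcc-ddeef0
IP : n/a
"""

if __name__ == "__main__":
    for v in radius_vlan_attributes(1, [17, 20, 23]):
        vid, tagged = decode_egress_vlanid(v)
        print(f"Egress-VLANID {v} ({v:#010x}) -> VLAN {vid} {'tagged' if tagged else 'untagged'}")
    clients = parse_port_access_clients(SAMPLE_SHOW_OUTPUT)
    print("ports already at client-limit 1:", ports_at_client_limit(clients, 1))
    print("ports already at client-limit 10:", ports_at_client_limit(clients, 10))
```

With client-limit 1 the AP's own MAC fills the single slot on port 13, which is the reason further wireless MACs cannot authenticate there. Raising the limit (as suggested later in the thread) or dropping it (option 1) empties what ports_at_client_limit reports, but it also means the bridged wireless clients are admitted by the switch without switch-side authentication, so their authentication has to happen on the AP, as option 3 says.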



  • 3.  RE: Using an access point on an 802.1x port?

    Posted Apr 28, 2022 05:27 AM
    Thank you for the answer, I will read up on your three pointers!

    /P

    ------------------------------
    peter
    ------------------------------



  • 4.  RE: Using an access point on an 802.1x port?

    Posted Apr 28, 2022 08:25 AM
    Adding to my comment above, you can also try the quick workaround of increasing the number in "aaa port-access authenticator client-limit 1" to 10, for example, and check the outcome.

    ------------------------------
    ibrahim massad
    ------------------------------