Security

  • 1.  2530 Switch MAC Authentication

    Posted Aug 02, 2023 03:27 PM

    Hi,

    I'm trying to configure RADIUS authentication with Clearpass on Aruba 2530 Switch. I'm trying to use 802.1x and fallback to MAC authentication.

    aaa server-group radius "clearpass" host 10.0.80.200
    aaa accounting update periodic 3
    aaa accounting network start-stop radius server-group "clearpass"
    aaa authentication port-access eap-radius server-group "clearpass"
    aaa authentication mac-based chap-radius server-group "clearpass"
    aaa port-access authenticator 1-22
    aaa port-access authenticator 1 client-limit 1

    aaa port-access authenticator active
    aaa port-access mac-based 1-22

    aaa port-access 1 auth-order authenticator mac-based
    aaa port-access 1 auth-priority authenticator mac-based

    I've created auth-order and auth-priority, but I have a problem with 2 things:

    1. How can I change the time after which the authentication switches from 802.1x to MAC? Now, it takes a long time to switch over and authorize the device.
    2. After MAC authorization, there are 2 clients on that port, one type is MAC, and the second is 802.1x. What can I do to delete the unused 802.1x? I tried switching the client limit to 0 on 802.1x auth but I can't do it while MAC auth is turned on. Client status hangs on connecting.

    Thanks in advance.


  • 2.  RE: 2530 Switch MAC Authentication

    Posted Aug 03, 2023 02:34 AM

    Take out the commands:

    aaa port-access 1 auth-order authenticator mac-based
    aaa port-access 1 auth-priority authenticator mac-based

    That will bring the behavior back to the default of 'concurrent onboarding'. The switch will try MAC and 802.1X at the same time; 802.1X will take precedence if it succeeds.

    The MAC entry should disappear after some time for 802.1X authenticated clients.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: 2530 Switch MAC Authentication

    Posted Aug 03, 2023 03:21 AM

    Thanks Herman, but when the device is authenticating through MAC, there are 2 unnecessary entries using 802.1x, one is with a different MAC, and they are not disappearing. Is there a way to leave only the client with MAC auth?




  • 4.  RE: 2530 Switch MAC Authentication

    Posted Aug 03, 2023 03:47 AM

    If you see a different MAC, the device sends out traffic with that different MAC. What type of device is this?

    The 802.1X entry should go away after some time (maybe a few minutes) if the client does not respond to 802.1X.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: 2530 Switch MAC Authentication

    Posted Aug 03, 2023 04:25 AM

    Both devices are Aruba Access Points, one is an IAP205, and the second is an AP515. One entry is always with the same MAC 0180c2000003 for all devices. I was waiting more than an hour and the 802.1x entries are still present.
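
Added example, not part of the thread and not Aruba code: the address 0180c2000003 from the last post is 01-80-C2-00-00-03, the IEEE 802.1X PAE group address that EAPOL frames are sent to, so it is a group address and not a device's own MAC. The Python sketch below classifies MAC addresses in a constructed client list and picks out entries that cannot be a station's source address; the function names, the (port, MAC, method) row layout and the second MAC are assumptions.

```python
import re

# IEEE 802.1 reserved group block 01-80-C2-00-00-00..0F (not forwarded by bridges).
RESERVED = {
    0x00: "STP bridge group address",
    0x02: "Slow Protocols (LACP)",
    0x03: "802.1X PAE group address (EAPOL destination)",
    0x0E: "LLDP nearest-bridge address",
}

def normalize(mac):
    """Parse 0180c2000003, 0180c2-000003, 01:80:c2:00:00:03 or 0180.c200.0003."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)

def classify(mac):
    """Return (kind, description) for one MAC address."""
    b = normalize(mac)
    if b[:5] == bytes.fromhex("0180c20000") and b[5] <= 0x0F:
        return "reserved-group", RESERVED.get(b[5], "IEEE 802.1 reserved group address")
    if b[0] & 0x01:  # I/G bit set: multicast or broadcast
        return "group", "group address, not valid as a source MAC"
    if b[0] & 0x02:  # U/L bit set
        return "local", "locally administered unicast address"
    return "unicast", "globally administered unicast address"

def non_station_entries(rows):
    """Keep the rows whose MAC cannot be a station's own address."""
    out = []
    for port, mac, method in rows:
        kind, desc = classify(mac)
        if kind in ("reserved-group", "group"):
            out.append((port, mac, method, desc))
    return out

# Constructed client list; the (port, MAC, method) layout is an assumption,
# not the switch's output format. 00005e-0053xx is the RFC 7042 documentation range.
SAMPLE = [
    (1, "00005e-005310", "mac-based"),
    (1, "0180c2-000003", "802.1x"),
]

if __name__ == "__main__":
    for port, mac, method, desc in non_station_entries(SAMPLE):
        print(f"port {port}: {method} entry {mac} is the {desc}")
```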