client-inactivity timeout none (so when printers go to sleep they don't lose auth on the switch)
stp-admin-edge-port
vlan access 150
port-access role bbVoIP_role
description bb_IP_Phones
auth-mode client-mode
poe-priority high
trust-mode dscp
stp-admin-edge-port
device-traffic-class voice
vlan trunk allowed 119
Original Message:
Sent: Apr 17, 2024 01:54 PM
From: Pascal RIGNANESE
Subject: 8021X - ARUBA 6000 OSCX - IP Phone and Computer
You're welcome @steadymind :)
Just for my information, can you share your switch configuration for the 802.1X setting, especially mac-auth?
I don't use mac-auth at this time, but maybe I can soon :)
Have a good day
Original Message:
Sent: Apr 17, 2024 01:36 PM
From: steadymind
Subject: 8021X - ARUBA 6000 OSCX - IP Phone and Computer
@Pascal RIGNANESE thank you very much for sharing; your post definitely set me on the right path. The only difference in my config was that I set mac-auth on the switch port as opposed to using the auth-role as you did in your config above. But it works!
Here is what my interface config looks like:
interface 1/1/12
    no shutdown
    energy-efficient-ethernet
    vlan access 1000
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    port-access onboarding-method concurrent enable
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 3
    aaa authentication port-access reject-role Guest
    port-access security violation action shutdown
    port-access security violation action shutdown recovery-timer 300
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    loop-protect
    loop-protect action tx-rx-disable
    exit
Original Message:
Sent: Mar 14, 2024 10:26 AM
From: Pascal RIGNANESE
Subject: 8021X - ARUBA 6000 OSCX - IP Phone and Computer
Many thanks for your help.
With your help I've found a solution to always allow my VoIP phone on the voice VLAN but force the computer (alone OR behind the PHONE) to authenticate with 802.1X.
Explanation
VLAN 1 - DATA
VLAN 3 - VOIP (Voice VLAN)
SWITCH ARUBA 6000 - all ports have a phone connected directly and a computer connected behind the phone
Configuration:
# Create and configure the voice VLAN
vlan 3
    voice
# Create the RADIUS server entry with its shared secret (the RADIUS server has the Microsoft NPS feature enabled and configured)
radius-server host XXX.XXX.XXX.XXX key plaintext abcdefghijklmnopqrstuvwxyz
# Create a mac-group with the first 6 digits (OUI) of all my company's PHONE vendor MAC addresses
mac-group PHONE
    seq 10 match mac-oui xx:xx:xx
    seq 20 match mac-oui xx:xx:xx
    seq 30 match mac-oui xx:xx:xx
    ...
    ...
# Create a port-access role that tags VLAN 3 (voice)
port-access role PHONE
    vlan trunk allowed 3
# Create a port-access device-profile to apply and combine role PHONE + mac-group PHONE
port-access device-profile PHONE
    enable
    associate role PHONE
    associate mac-group PHONE
# Enable the dot1x authenticator feature on the switch
aaa authentication port-access dot1x authenticator
    enable
# Enable and format MAC authentication (MAC address text sent to RADIUS NPS in the format XX-XX-XX-XX-XX-XX)
aaa authentication port-access mac-auth
    addr-format multi-dash-uppercase
    enable
All xCo ports (to other switches or the core switch) have a classic configuration (TRUNK NATIVE and ALLOWED VLAN).
If you want to authorize a specific port without 802.1X authentication, simply configure the port like an xCo port (TRUNK NATIVE and ALLOWED VLAN).
If you want to force 802.1X authentication on a specific port (computer only, or computer behind phone):
Example:
interface 1/1/1
    description PC+PHONE-OK
    no shutdown
    vlan trunk native 1
    vlan trunk allowed 1,3
    aaa authentication port-access client-limit 3
    aaa authentication port-access auth-role PHONE
    aaa authentication port-access dot1x authenticator
        reauth
        enable
# Above, the client-limit option is the number of MAC addresses authorized on this port (PHONE included); this count is reset 15 minutes after the computer is unplugged
I hope my sharing helps people :)
Have a good day
Pascal R.
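The following is an added example, not code from this thread and not Aruba's implementation: a small Python model of the port-access decision that both configurations posted above (steadymind's port-level mac-auth and Pascal's device-profile + auth-role PHONE) rely on. A client whose MAC OUI is in the PHONE mac-group is matched by the device profile and gets the PHONE role without 802.1X; every other client must pass 802.1X (EAP-TLS) or lands in the reject role; client-limit caps how many MACs a port admits. It also produces the multi-dash-uppercase form of the MAC that mac-auth sends to NPS. The OUIs, MACs, role names and the dot1x_accepted flag (standing in for a RADIUS Access-Accept/Reject) are constructed assumptions, and counting reject-role clients against client-limit is a simplification of this model, not a statement about the switch.

```python
"""
Added example (not from the thread, not Aruba's code): model of the
port-access decision behind the PHONE device-profile + 802.1X configs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample OUIs, standing in for the "seq N match mac-oui xx:xx:xx"
# lines of the PHONE mac-group. Assumption for illustration only.
PHONE_OUIS = {"00:11:22", "aa:bb:cc"}


def normalize_mac(mac: str) -> str:
    """Return the MAC in lowercase colon form (accepts :, - or . separators)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def multi_dash_uppercase(mac: str) -> str:
    """The 'addr-format multi-dash-uppercase' shape sent to NPS: XX-XX-XX-XX-XX-XX."""
    return normalize_mac(mac).upper().replace(":", "-")


def oui(mac: str) -> str:
    """First three octets, the part the mac-group compares."""
    return normalize_mac(mac)[:8]


@dataclass
class PortState:
    """One access port: client-limit N and the reject-role from the configs."""
    client_limit: int = 3
    reject_role: str = "Guest"
    clients: dict = field(default_factory=dict)  # mac -> role currently held


def authorize(port: PortState, mac: str, dot1x_accepted: bool):
    """
    Role assigned to a client seen on the port, or None if the port refuses it
    because client-limit is reached. Evaluation order mirrors the thread's
    configs: device-profile (OUI) match first, then 802.1X, then reject role.
    """
    mac = normalize_mac(mac)
    if mac in port.clients:                 # already authorized: keep its role
        return port.clients[mac]
    if len(port.clients) >= port.client_limit:
        return None                         # over client-limit: not admitted
    if oui(mac) in PHONE_OUIS:
        role = "PHONE"                      # voice VLAN tagged; trusts the MAC as presented
    elif dot1x_accepted:
        role = "DATA"                       # EAP-TLS succeeded: data VLAN
    else:
        role = port.reject_role             # 802.1X failed or absent
    port.clients[mac] = role
    return role


def unlink(port: PortState, mac: str) -> None:
    """Client removed (cable pulled, inactivity timeout): frees a client-limit slot."""
    port.clients.pop(normalize_mac(mac), None)


if __name__ == "__main__":
    port = PortState()
    # Constructed sequence: phone, PC behind the phone, a second PC that fails
    # EAP-TLS, then a third device that hits client-limit.
    for mac, ok in [("00:11:22:33:44:55", False), ("de:ad:be:ef:00:01", True),
                    ("de:ad:be:ef:00:02", False), ("de:ad:be:ef:00:03", True)]:
        print(multi_dash_uppercase(mac), "->", authorize(port, mac, ok))
```

The point worth tracing is the first branch of authorize(): the device-profile match is keyed on the source MAC alone, so any device that presents a PHONE-vendor OUI receives the PHONE role with no credentials, which is why it pays to keep that role limited to the voice VLAN (as Pascal's "vlan trunk allowed 3" does) rather than granting it data-VLAN access, and why client-limit matters for catching extra MACs behind the phone.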
Original Message:
Sent: Mar 11, 2024 04:46 PM
From: 802.zak
Subject: 8021X - ARUBA 6000 OSCX - IP Phone and Computer
Based on this scenario the best place to start is the below TechDoc, which includes "multi-domain"
Port Access Security
------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
Original Message:
Sent: Mar 09, 2024 08:41 AM
From: Pascal RIGNANESE
Subject: 8021X - ARUBA 6000 OSCX - IP Phone and Computer
Hello everyone,
I need your help because I couldn't find my answer on the forum
I have ARUBA 6000 OS CX switches and I have configured RADIUS EAP-TLS authentication with computer certificates.
I have computers in VLAN 1 and IP phones in VLAN 3.
Everything works if I only have one computer on the port.
If I have an IP phone on the port with a computer behind it, it doesn't work.
According to the rules that I made on my NPS server (Microsoft) and on the ports of my switch,
either the phone is not authorized and the port remains blocked, or the phone is authorized but so is the computer, while the PC should be blocked by default and be authorized if the 802.1X configuration is good.
What I want is that the phones in VLAN 3 are always authorized and tagged in the VLAN, and that the equipment behind the phone is required to authenticate against RADIUS to get network access.
Is it possible? Do you have a method or advice to help me?
Thank you very much for your time and have a nice day