802.1x configuration AOS-CX

  • 1.  802.1x configuration AOS-CX

    Posted Jul 12, 2022 05:11 AM

    Hi!
    We have recently started using AOS-CX switches at work and I'm trying to configure RADIUS for the same functionality we had on our old 2530 switches.
    The config on the 2530 was as below.

    radius-server host 10.x.x.x key "******"
    aaa authentication port-access eap-radius
    aaa authentication mac-based peap-mschapv2
    aaa port-access authenticator active
    aaa authentication mac-based chap-radius

    And then on the ports I configured as below.

    aaa port-access authenticator 1-24
    aaa port-access authenticator 1-24 client-limit 1
    aaa port-access mac-based 1-24 unauth-vid 881
    aaa port-access mac-based 1-24
    aaa port-access mac-based 1-24 addr-limit 1

    All of the above has been working fine: we knew which devices connected, and we allowed them access to the internal infrastructure if they were verified.
    Now I have been trying to read up and configure our AOS-CX switches (6000, 6001 and 6200 models) for the same feature, but I'm unsure of the end result.

    I think the first part here is correct.

    radius-server host 10.x.x.x key plaintext "******"
    aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access mac-auth auth-method chap
    aaa authentication port-access dot1x authenticator enable
    aaa authentication port-access mac-auth enable

    It's the port config that I'm unsure about.

    interface 1/1/1-1/1/48
        aaa authentication port-access dot1x authenticator
        aaa authentication port-access client-limit 1
        exit
        aaa authentication port-access mac-auth
        enable
        aaa authentication port-access reject-role noauth   <- The guide said to add "reject-role noauth", but this isn't possible; there is no such command.
        exit
    port-access role noauth
        description authentication failed
        vlan 881
        exit

    Would much appreciate some assistance to get this working correctly.
    /Lee



  • 2.  RE: 802.1x configuration AOS-CX
    Best Answer

    Posted Jul 13, 2022 01:11 AM
    Hi,

    Your configuration for reject-role is correct; it is used for applying the unauth VID. It is available in the interface context. For client limit, in 2530 switches it's per authentication method (802.1X / mac-auth). But in AOS-CX switches it's the overall authentication limit, not specific to an authentication method. In your configuration, client-limit=1 will allow only one client irrespective of authentication method.

    interface 1/1/1-1/1/48
        description client-port
        no shutdown
        no routing
        vlan access 1
        port-access onboarding-method concurrent enable
        aaa authentication port-access client-limit 1
        aaa authentication port-access reject-role noauth
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
        exit

    port-access role noauth
        description authentication failed
        vlan access 881
        exit



    ------------------------------
    Shobana
    Aruba
    ------------------------------



  • 3.  RE: 802.1x configuration AOS-CX

    Posted Jul 13, 2022 02:42 AM
    Hi Shobana!
    Thank you for replying to my question.

    I got it working with help from your post. What I had missed out on configuring was the actual port-access role "noauth":

    port-access role noauth
        description authentication failed
        vlan access 881

    If I started by creating the port-access role and after that configured the ports, it all worked out as it should.

    Thank you for your time and help!

    /Lee
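The mistake Lee describes above (an interface that references reject-role "noauth" before any "port-access role noauth" exists) and Shobana's point that the AOS-CX client-limit is shared across dot1x and mac-auth are both easy to check before a config is pushed. The following is an added example, not code from the thread or from Aruba: a small lint over an AOS-CX port-access snippet (the snippets and the rule messages are constructed here).

```python
import re

# Constructed snippet modelled on the thread: reject-role "noauth" is referenced,
# but the role itself is never defined, which is what Lee had missed.
BROKEN_CONFIG = """\
aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access mac-auth auth-method chap
interface 1/1/1-1/1/48
    aaa authentication port-access client-limit 1
    aaa authentication port-access reject-role noauth
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
"""

# Same snippet with the role defined, as in the accepted answer.
FIXED_CONFIG = BROKEN_CONFIG + """\
port-access role noauth
    description authentication failed
    vlan access 881
"""

# re.I so that "Port-access role noauth" (as typed in the thread) also matches.
ROLE_DEF = re.compile(r"^\s*port-access role (\S+)", re.I)
REJECT_REF = re.compile(r"^\s*aaa authentication port-access reject-role (\S+)", re.I)
CLIENT_LIMIT = re.compile(r"^\s*aaa authentication port-access client-limit (\d+)", re.I)
AUTH_METHOD = re.compile(r"^\s*aaa authentication port-access (dot1x|mac-auth)\b", re.I)


def lint_port_access(config: str) -> list[str]:
    """Return findings for an AOS-CX port-access snippet (hypothetical checker)."""
    defined, referenced, methods, limit = set(), [], set(), None
    for line in config.splitlines():
        if m := ROLE_DEF.match(line):
            defined.add(m.group(1))
        elif m := REJECT_REF.match(line):
            referenced.append(m.group(1))
        elif m := CLIENT_LIMIT.match(line):
            limit = int(m.group(1))
        elif m := AUTH_METHOD.match(line):
            methods.add(m.group(1).lower())
    findings = [f"reject-role '{r}' is referenced but 'port-access role {r}' is not defined"
                for r in referenced if r not in defined]
    # On AOS-CX the client-limit counts every client on the port, whatever the
    # method, unlike the per-method limits on the 2530 (Shobana's remark above).
    if limit is not None and len(methods) > 1:
        findings.append(f"client-limit {limit} is shared by {' and '.join(sorted(methods))}: "
                        f"at most {limit} client(s) per port in total")
    return findings
```

Running lint_port_access over the two snippets reports the missing role only for the first one; the client-limit note is emitted for both, since it is informational rather than an error.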




  • 4.  RE: 802.1x configuration AOS-CX

    EMPLOYEE
    Posted Jul 13, 2022 01:44 PM

    Hi Lee, it looks like there are some differences in the product lines with respect to port access role definitions. Would you try creating a local user role that specifies the role to be used for the reject-role condition:

    port-access role Reject_Role
        vlan access 881
    interface 1/1/1
        no shutdown
        vlan access 1
        aaa authentication port-access reject-role Reject_Role

    If that isn't successful, we'll work with the security teams in the background to investigate why the behavior isn't consistent.