Hi!

We have recently started using AOS-CX switches at work and I'm trying to configure RADIUS for the same functionality as we had on our old 2530 switches.

Config on 2530 was as below.

radius-server host 10.x.x.x key "******"
aaa authentication port-access eap-radius
aaa authentication mac-based peap-mschapv2
aaa port-access authenticator active
aaa authentication mac-based chap-radius
And then on the ports I configured as below.

aaa port-access authenticator 1-24
aaa port-access authenticator 1-24 client-limit 1
aaa port-access mac-based 1-24 unauth-vid 881
aaa port-access mac-based 1-24
aaa port-access mac-based 1-24 addr-limit 1
All of the above has been working fine, and devices we knew were connected were allowed access to internal infrastructure if verified.

Now I have been trying to read up and configure our AOS-CX switches (6000, 6100 and 6200 models) for the same feature, but I'm unsure of the end result. I think the first part here is correct.

radius-server host 10.x.x.x key plaintext "******"
aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access mac-auth auth-method chap
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable

It's the port config that I'm unsure about.

aaa authentication port-access dot1x authenticator
aaa authentication port-access client-limit 1
aaa authentication port-access mac-auth
aaa authentication port-access reject-role noauth   <- The guide said to add reject-role noauth, but this isn't possible; there is no such command.

port-access role noauth
    description authentication failed
Would much appreciate some assistance to get this working correctly.

/Lee
interface 1/1/1-1/1/48
    description client-port
    no shutdown
    no routing
    vlan access 1
    port-access onboarding-method concurrent enable
    aaa authentication port-access client-limit 1
    aaa authentication port-access reject-role noauth
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    exit

vlan access 881

If I started with creating the port-access role and after that configured the ports, it all worked out as it should.

Thank you for your time and help!

/Lee
Hi Lee, it looks like there are some differences in the product lines with respect to port access role definitions. Would you try creating a local user role that specifies the role to be used for the reject-role condition:

port-access role Reject_Role
    vlan access 881
interface 1/1/1
    no shutdown
    vlan access 1
    aaa authentication port-access reject-role Reject_Role

If that isn't successful, we'll work with the security teams in the background to investigate why the behavior isn't consistent.
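As an added, consolidated example (not configuration from the original posts or from Aruba), this is the working order the thread arrives at on a single port: the reject role is created before any interface references it, so the reject-role command can resolve it. Assumptions: VLAN 881 is an isolated VLAN for devices that fail authentication (the same role the 2530's unauth-vid played), 10.x.x.x and the key are placeholders, the `vlan 881` definition with a `name` is added here for completeness, and the two show commands at the end are the usual AOS-CX verification commands rather than anything quoted from the thread.

```text
! AOS-CX, constructed example: restricted VLAN and role first, ports last
! Assumption: VLAN 881 has no path to internal infrastructure
vlan 881
    name auth-failed
radius-server host 10.x.x.x key plaintext "******"
aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access mac-auth auth-method chap
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable
! role that clients land in when RADIUS rejects them; must exist
! before an interface references it with reject-role
port-access role Reject_Role
    vlan access 881
interface 1/1/1
    no shutdown
    no routing
    vlan access 1
    port-access onboarding-method concurrent enable
    aaa authentication port-access client-limit 1
    aaa authentication port-access reject-role Reject_Role
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
! verification (assumed command names): confirm the role exists and
! that a rejected client shows up on the port with Reject_Role
show port-access role Reject_Role
show port-access clients
```

The point to check after applying it is that a client which fails both 802.1X and MAC auth is listed with Reject_Role and VLAN 881, and that VLAN 881 really is isolated; if the role does not exist when the reject-role line is entered, the switch treats it as an unknown command, which is the symptom in the opening post.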