Wired Intelligent Edge

 View Only
last person joined: 15 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

802.1x Supplicant - Aruba 2930F and 2530

This thread has been viewed 21 times

  • 1.  802.1x Supplicant - Aruba 2930F and 2530

    Posted May 17, 2023 01:45 PM

    Hello community,

    we are in the process of securing our wired networks with 802.1x and Windows NPS.
    Unfortunately sometimes there are not enough outlets. We have some 2530-8G switches for these cases.

    These are then connected to 2930F switches in our network closets.

    Here is the relevant config from our 2930F:

    radius-server host 192.168.2.184
radius-server host 192.168.2.185
aaa authentication port-access eap-radius
aaa authentication mac-based peap-mschapv2
aaa port-access gvrp-vlans
aaa port-access authenticator active
 
interface 1/1
   unknown-vlans disable
   qos trust dscp
   untagged vlan 2222
   aaa port-access authenticator
   aaa port-access authenticator reauth-period 3600
   aaa port-access authenticator client-limit 8
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 8
   aaa port-access mac-based reauth-period 3600
   aaa port-access auth-order authenticator mac-based
   aaa port-access auth-priority authenticator mac-based
   exit


    And the 2530:

    interface 9
   qos trust dscp
   tagged vlan 10,103
   aaa port-access supplicant
   aaa port-access supplicant identity "edge-swi-09" encrypted-secret xxx
 exit


    When activated the 2930F tries to authenticate the clients on port 1/1 but sees only MAC addresses, which fails.

    If I remove the client limit from port 1/1 and make it port-based authentication everything works and the 2530 gets authenticated.

    If I connect a CX-6000 12G switch with a similar configuration authentication in user mode works.


    Is this expected behavior? Is there something I'm missing?


    Regards,
    Tobias





  • 2.  RE: 802.1x Supplicant - Aruba 2930F and 2530

    EMPLOYEE
    Posted May 18, 2023 04:05 PM
      |   view attached
    Hello Tobias
    If the 2530 switch authenticates itself via EAP-MD5 on the 2930F switch, the port on the 2930F switch must be switched from "client-based" to "port-based" mode via the correct RADIUS attributes which are in your case:
    HP-Port-Auth-Mode-Dot1x = 1
    HP-Port-Client-Limit-MA = 0

    See also 
    Aruba 2930F / 2930M Access Security Guide for ArubaOS-Switch 16.10
    https://asp.arubanetworks.com/downloads/documents/RmlsZTo1MDk5ODgzYS0xOTk4LTExZWItODlmNS05YmMwYzMwODM4ZDU%3D 
    See Page 310 where it is explained for an AP with MAC Auth instead.
    Page 814 shows the RADIUS attributes.
    With this the 2530 switch opens the port on the 2930F for all other MAC addresses. So the 2530 switch will need to authenticate all clients itself. In addition, of course, all possible VLANs must be included as RADIUS attributes. Below is an example how you configure it on Aruba ClearPass first using VLAN IDs and second using VLAN names.
    Regards Holger


  • 3.  RE: 802.1x Supplicant - Aruba 2930F and 2530

    Posted May 19, 2023 06:48 AM

    Hello Holger,

    I already set it up like this.

    Here is a working sample with Aruba IAP connected:

    Port Access Status Summary

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes
Use LLDP data to authenticate [No] : No
Dot1X EAP Identifier Compliance [Disabled] : Disabled
Allow incremental EAP identifier only [Disabled] : Disabled

Note: * indicates values dynamically overridden by RADIUS.

      |   Authenticator    |   Web Auth   |      MAC Auth      |  Local MAC
Port  | Enable Mode  Limit | Enable Limit | Enable Mode  Limit | Enable Limit
----- - ------ ----- ----- - ------ ----- - ------ ----- ----- - ------ -----
2/46  | Yes    Port* 8     | No     1     | No*    User  8     | No     1
2/47  | Yes    Port* 8     | No     1     | No*    User  8     | No     1
2/48  | Yes    Port* 8     | No     1     | No*    User  8     | No     1


    The problem is that when in user-mode I don't receive the configured account but only MAC addresses.

    When I configure port mode on the 2930F authentication is working and the radius server sends VLANs and the HP VSAs.


    Regards,
    Tobias


    Original Message