Wired Intelligent Edge

  • 1.  802.1x Supplicant - Aruba 2930F and 2530

    Posted May 17, 2023 01:45 PM

    Hello community,

    We are in the process of securing our wired networks with 802.1x and Windows NPS.
    Unfortunately, sometimes there are not enough outlets. We have some 2530-8G switches for these cases.

    These are then connected to 2930F switches in our network closets.

    Here is the relevant config from our 2930F:

    radius-server host 192.168.2.184
    radius-server host 192.168.2.185
    aaa authentication port-access eap-radius
    aaa authentication mac-based peap-mschapv2
    aaa port-access gvrp-vlans
    aaa port-access authenticator active
     
    interface 1/1
       unknown-vlans disable
       qos trust dscp
       untagged vlan 2222
       aaa port-access authenticator
       aaa port-access authenticator reauth-period 3600
       aaa port-access authenticator client-limit 8
       aaa port-access mac-based
       aaa port-access mac-based addr-limit 8
       aaa port-access mac-based reauth-period 3600
       aaa port-access auth-order authenticator mac-based
       aaa port-access auth-priority authenticator mac-based
       exit
    And the 2530:

    interface 9
       qos trust dscp
       tagged vlan 10,103
       aaa port-access supplicant
       aaa port-access supplicant identity "edge-swi-09" encrypted-secret xxx
       exit

    When activated, the 2930F tries to authenticate the clients on port 1/1 but sees only MAC addresses, which fails.

    If I remove the client limit from port 1/1 and make it port-based authentication, everything works and the 2530 gets authenticated.

    If I connect a CX-6000 12G switch with a similar configuration, authentication in user mode works.


    Is this expected behavior? Is there something I'm missing?


    Regards,
    Tobias





  • 2.  RE: 802.1x Supplicant - Aruba 2930F and 2530

    Posted May 18, 2023 04:05 PM
    Edited by Holger Hasenaug May 18, 2023 04:06 PM
    Hello Tobias,
    If the 2530 switch authenticates itself via EAP-MD5 on the 2930F switch, the port on the 2930F switch must be switched from "client-based" to "port-based" mode via the correct RADIUS attributes which are in your case:
    HP-Port-Auth-Mode-Dot1x = 1
    HP-Port-Client-Limit-MA = 0

    See also 
    Aruba 2930F / 2930M Access Security Guide for ArubaOS-Switch 16.10
    https://asp.arubanetworks.com/downloads/documents/RmlsZTo1MDk5ODgzYS0xOTk4LTExZWItODlmNS05YmMwYzMwODM4ZDU%3D 
    See Page 310 where it is explained for an AP with MAC Auth instead.
    Page 814 shows the RADIUS attributes.
    With this the 2530 switch opens the port on the 2930F for all other MAC addresses. So the 2530 switch will need to authenticate all clients itself. In addition, of course, all possible VLANs must be included as RADIUS attributes. Below is an example of how you configure it on Aruba ClearPass, first using VLAN IDs and second using VLAN names.
    Regards, Holger
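    As an added example (not from either poster), the code below encodes the Access-Accept attributes Holger describes as RFC 2865 Vendor-Specific attributes and decodes them back, so the bytes seen in a RADIUS debug can be checked against what the port needs. It assumes HP's enterprise number 11 and the vendor-type numbers 13 (HP-Port-Auth-Mode-Dot1x), 11 (HP-Port-Client-Limit-MA) and 64 (HP-Egress-VLANID) as listed in the FreeRADIUS dictionary.hp, plus the RFC 4675 tag-indication encoding (0x31 tagged, 0x32 untagged) for HP-Egress-VLANID; verify these against the attribute table in the guide cited above. The VLAN IDs 2222, 10 and 103 are the ones from Tobias's configs.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
HP_VENDOR_ID = 11             # IANA enterprise number for Hewlett-Packard

# Vendor-type numbers as found in FreeRADIUS dictionary.hp (assumed; verify against the guide).
HP_PORT_CLIENT_LIMIT_MA = 11
HP_PORT_AUTH_MODE_DOT1X = 13
HP_EGRESS_VLANID = 64


def egress_vlanid(vlan, tagged):
    """RFC 4675 style value: high byte 0x31 = tagged, 0x32 = untagged, low 12 bits = VLAN ID."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    return ((0x31 if tagged else 0x32) << 24) | vlan


def vsa(vendor_type, value):
    """Encode one integer-valued HP Vendor-Specific attribute (type 26, vendor-id, sub-TLV)."""
    sub_tlv = struct.pack("!BBI", vendor_type, 6, value)          # vendor-type, vendor-length, value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub_tlv), HP_VENDOR_ID) + sub_tlv


def port_based_override(untagged_vlan, tagged_vlans=()):
    """Attribute blob that switches the 2930F port to port-based mode and lists the egress VLANs."""
    attrs = vsa(HP_PORT_AUTH_MODE_DOT1X, 1) + vsa(HP_PORT_CLIENT_LIMIT_MA, 0)
    attrs += vsa(HP_EGRESS_VLANID, egress_vlanid(untagged_vlan, tagged=False))
    for v in tagged_vlans:
        attrs += vsa(HP_EGRESS_VLANID, egress_vlanid(v, tagged=True))
    return attrs


def decode_hp_vsas(data):
    """Walk a RADIUS attribute blob and return [(vendor_type, value)] for integer HP VSAs."""
    out, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", data[pos + 2:pos + 6])[0]
            vtype, vlen = data[pos + 6], data[pos + 7]
            if vendor_id == HP_VENDOR_ID and vlen == 6 and 8 + 4 <= alen:
                out.append((vtype, struct.unpack("!I", data[pos + 8:pos + 12])[0]))
        pos += alen
    return out


if __name__ == "__main__":
    blob = port_based_override(2222, tagged_vlans=(10, 103))   # constructed from the thread's VLANs
    for vtype, value in decode_hp_vsas(blob):
        print(f"HP vendor-type {vtype:3d} = 0x{value:08x}")
```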


  • 3.  RE: 802.1x Supplicant - Aruba 2930F and 2530

    Posted May 19, 2023 06:48 AM

    Hello Holger,

    I already set it up like this.

    Here is a working sample with Aruba IAP connected:

    Port Access Status Summary
    
    Port-access authenticator activated [No] : Yes
    Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes
    Use LLDP data to authenticate [No] : No
    Dot1X EAP Identifier Compliance [Disabled] : Disabled
    Allow incremental EAP identifier only [Disabled] : Disabled
    
    Note: * indicates values dynamically overridden by RADIUS.
    
          |   Authenticator    |   Web Auth   |      MAC Auth      |  Local MAC
    Port  | Enable Mode  Limit | Enable Limit | Enable Mode  Limit | Enable Limit
    ----- - ------ ----- ----- - ------ ----- - ------ ----- ----- - ------ -----
    2/46  | Yes    Port* 8     | No     1     | No*    User  8     | No     1
    2/47  | Yes    Port* 8     | No     1     | No*    User  8     | No     1
    2/48  | Yes    Port* 8     | No     1     | No*    User  8     | No     1
    


    The problem is that when in user mode, I don't receive the configured account but only MAC addresses.

    When I configure port mode on the 2930F, authentication works and the RADIUS server sends the VLANs and the HP VSAs.


    Regards,
    Tobias