I'll ask TAC. Thank you.
Original Message:
Sent: Nov 21, 2023 09:19 AM
From: jonas.hammarback
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
I have never tried VLAN pooling on wired, maybe someone else has an idea.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Nov 21, 2023 09:15 AM
From: erik.boss
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
Changing it did not make any sense.
I'll wait until my colleague configures the wired Intune SCEP profile.
I've another question. I have 7 client VLANs at this customer and I want the users to be put in a VLAN randomly instead of by building.
I think VLAN pooling is the best option. I found the configuration in ASE. How can I best test this authz source?
Best regards,
Erik
Original Message:
Sent: Nov 21, 2023 08:28 AM
From: erik.boss
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
Do you have the switch as a supplicant to authenticate the uplink port?
No, just basic 802.1x is needed in this case.
CX switches must use FQDN for the Radius server configuration, instead of IP addresses.
I'm using IP addresses. Going to change this first.
Strangely enough radius tracking works fine.
Original Message:
Sent: Nov 21, 2023 08:17 AM
From: jonas.hammarback
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
Hi Erik
Do you have the switch as a supplicant to authenticate the uplink port?
For basic 802.1x you do not need to install a trusted CA certificate on the switch, but if you would like to implement Downloadable User Roles, you need to create a TA profile and install the root certificate of the chain for the HTTPS certificate on ClearPass.
The HTTPS certificate must include, in the SAN field or Common Name, the FQDNs referenced as RADIUS servers. CX switches must use FQDNs for the RADIUS server configuration, instead of IP addresses. The same is true for the Dynamic Authorization settings.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
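As an added example (not from Jonas, the thread, or ClearPass itself), a Python check for the requirement above: given the server certificate in the dict shape that ssl.getpeercert() returns, it reports every configured RADIUS server name that is an IP address or that the SAN/CN does not cover, with single-label wildcard handling. The SAMPLE_CERT dict and all hostnames are constructed placeholders; fetch_cert shows how to obtain a live certificate instead.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.getpeercert() returns; the hostnames are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "cppm.example.net"),),),
    "subjectAltName": (("DNS", "cppm.example.net"), ("DNS", "*.radius.example.net")),
}

def _matches(pattern, host):
    """Case-insensitive exact match, or a single-label wildcard such as '*.radius.example.net'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_names(cert):
    """DNS SANs first, then the subject CN, from an ssl.getpeercert()-style dict."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names

def check_radius_servers(cert, radius_servers):
    """Map each configured RADIUS server name the certificate does not cover to the reason."""
    problems, names = {}, cert_names(cert)
    for srv in radius_servers:
        try:
            ipaddress.ip_address(srv)
            problems[srv] = "configured as an IP address; AOS-CX needs an FQDN matching the certificate"
            continue
        except ValueError:
            pass  # not an IP literal, so compare it against the certificate names
        if not any(_matches(n, srv) for n in names):
            problems[srv] = f"not covered by SAN/CN {names}"
    return problems

def fetch_cert(host, port=443):
    """Live variant: fetch the HTTPS certificate with chain validation on (fails if the CA is untrusted)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run check_radius_servers(fetch_cert("<clearpass-fqdn>"), [names from the switch's radius-server config]) and fix every entry it returns before expecting Downloadable User Roles to work.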
Original Message:
Sent: Nov 21, 2023 07:59 AM
From: erik.boss
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
Hi Jonas,
Thanks for your reply. In the meantime I opened a support case, but it is a nasty problem.
Debugging on the switches gives me this:
2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
2023-11-21T13:21:09.417494+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down - Administratively down
2023-11-21T13:21:09.607199+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:09.949640+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 82 on port 1/1/25
2023-11-21T13:21:19.032244+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:23.277544+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:21:24.033765+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:21:26.283550+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:26.692447+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:21:39.206120+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:22:05.878532+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:22:05.988913+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
2023-11-21T13:22:14.459156+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:22:14.911076+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:22:56.926873+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
vlan access 504
rate-limit broadcast 100000 kbps
spanning-tree port-type admin-edge
port-access fallback-role Critical-Role
aaa authentication port-access allow-cdp-bpdu
aaa authentication port-access allow-lldp-bpdu
aaa authentication port-access client-limit 2
aaa authentication port-access critical-role Critical-Role
aaa authentication port-access auth-role client
aaa authentication port-access dot1x authenticator
    eapol-timeout 5
    max-eapol-requests 1
    max-retries 1
    enable
port-access role Critical-Role
    vlan access 82
show port-a clients int 1/1/25 det
Port Access Client Status Details:
Client a8:b1:3b:ec:83:37
========================
Session Details
---------------
Port : 1/1/25
Session Time : 154s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 82
Access : 82
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : Authentication Failed, Supplicant-Timeout
Auth Precedence : dot1x - Unauthenticated, mac-auth - Not attempted
Auth History : dot1x - Unauthenticated, Supplicant-Timeout, 138s ago
Authorization Details
----------------------
Role : Critical-Role, Fallback role
Status : Applied
Role Information:
Name : Critical-Role
Type : local
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Access VLAN : 82
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names :
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
Captive Portal Profile :
Policy :
Device Type :
The supplicant timeout drives me crazy.
As I found: configuring the dot1x supplicant
aaa authentication port-access dot1x supplicant
    enable
    policy CX_dot1x_supplicant
        held-period 30
        eapol-timeout 3
        max-retries 3
        eap-identity identity CXTME
        eap-identity password ciphertext AQBape5Wu36KVGRugeNTbk8v2b9IK4ttoDVItApjU0eTS3UKBQAAAKDsy/Fx
        eapol-force-multicast
        canned-eap-success
        discovery-timeout 15
        start-mode start-closed
        fail-mode fail-closed
First I want to get the basic 802.1x EAP-TLS authentication right. Then I want ClearPass to send the specific role(s) to the switch. Do I have to add a certificate to the switch?
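As an added example that is not part of this thread, here is a small Python parser for the AOS-CX event lines quoted above. Per port it tallies the switch-supplicant block events (dot1x-suppd 12301), the completed port-access block/unblock cycles (port-accessd 10503) and the VLANs each client MAC has been mapped to (ops-switchd 2108/2110), then turns them into findings to check next. SAMPLE_LOG is a constructed subset of the lines from the post; the event-code meanings are taken from the message texts themselves.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the AOS-CX event lines posted in this thread.
SAMPLE_LOG = """\
2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
"""
LINE_RE = re.compile(r"^\S+ (\S+)\[\d+\] <\w+> Event\|(\d+)\|(?:[^|]*\|){3}(.*)$")
IFACE_RE = re.compile(r"\b(\d+/\d+/\d+)\b")
VLAN_RE = re.compile(r"\bVLAN (\d+)\b")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")

def parse_events(text):
    """Return (daemon, event_code, interface, message) for each interface-scoped Event| record."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        daemon, code, msg = m.groups()
        iface = IFACE_RE.search(msg)
        if iface:  # records without a port carry nothing for a per-port timeline
            events.append((daemon, int(code), iface.group(1), msg))
    return events

def analyze(events):
    """Per interface: supplicant blocks (12301), block/unblock cycles (10503), client VLAN mappings (2108/2110)."""
    per_if = defaultdict(lambda: {"supplicant_blocks": 0, "cycles": 0, "client_vlans": defaultdict(set)})
    for _daemon, code, iface, msg in events:
        r = per_if[iface]
        if code == 12301:
            r["supplicant_blocks"] += 1
        elif code == 10503:  # every unblock closes one blocked -> unblocked cycle
            r["cycles"] += 1
        elif code in (2108, 2110):
            mac, vlan = MAC_RE.search(msg), VLAN_RE.search(msg)
            if mac and vlan:
                r["client_vlans"][mac.group(1)].add(int(vlan.group(1)))
    findings = []
    for iface, r in sorted(per_if.items()):
        if r["supplicant_blocks"]:
            findings.append(f"{iface}: the switch's own 802.1X supplicant blocked the port {r['supplicant_blocks']}x; confirm supplicant mode is intended there")
        if r["cycles"] >= 2:
            findings.append(f"{iface}: {r['cycles']} port-access block/unblock cycles; clients keep failing authentication (check Access Tracker and a RADIUS pcap)")
        for mac, vlans in r["client_vlans"].items():
            if len(vlans) > 1:
                findings.append(f"{iface}: client {mac} mapped to VLANs {sorted(vlans)}; compare the port's access VLAN with the fallback-role VLAN")
    return per_if, findings
```

Feed it the output of `show events` (or the syslog export) instead of SAMPLE_LOG to get the same per-port summary across a whole switch.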
Original Message:
Sent: Nov 21, 2023 07:30 AM
From: jonas.hammarback
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
Hi Erik
I do not have any experience with the specific docking stations your users have.
But in general, if you do not see anything in Access Tracker, I would say the two most common issues are blocked RADIUS traffic between the switch and ClearPass, or a misconfigured or missing Network Device configuration under Network Devices.
I have seen situations where the MTU size is wrong and packets get corrupted on the way; I also saw a bug in an AOS switch firmware about 5 years ago stacking up over 200 copies of the same attribute in a RADIUS request. In that case ClearPass dropped the request without a trace.
Can you do a pcap and check if you get the expected traffic to ClearPass?
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Nov 21, 2023 07:04 AM
From: erik.boss
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
anyone?
Original Message:
Sent: Nov 15, 2023 06:07 AM
From: erik.boss
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
Now tested on an Aruba OS switch with both docks: connecting a device behind both types of docks works.
Original Message:
Sent: Nov 15, 2023 05:49 AM
From: erik.boss
Subject: 802.1x wired OS-CX switch, no authentication in access tracker
Hi guys,
In my current project, I'm having issues getting RADIUS working on an Aruba CX 6100 switch.
I used the CX wired enforcement PDF to configure the switch with the role and so on.
While testing I don't see anything in Access Tracker. When configuring RADIUS on an old Aruba 2540 switch, it works.
PS: users are working with HP USB-C G4 and G5 docking stations. It seems to work behind a G5 dock but not behind a G4 dock.
Has anyone experience with it?
I also configured RADIUS tracking; that works perfectly.