Security

 View Only
last person joined: 3 days ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

802.1x wired OS-CX switch, no authentication in access tracker

This thread has been viewed 29 times
  • 1.  802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 15, 2023 05:50 AM

    Hi guys,

    In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

    I used the CX wired enforcement PDF to configure the switch with the role and so on.

    While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

    PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

    Has anyone experience with it?

    I also configured radius tracking, that works perfectly.



  • 2.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 15, 2023 06:07 AM

    Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.




  • 3.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 07:05 AM

    anyone?




  • 4.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 07:30 AM

    Hi Erik

    I do not have any experiance with the specific dockingstations your users have.

    But in general, if you do not see anything in Access Tracker I would say the two most common issues are, blocked Radius traffic between the switch and ClearPass or missconfigured or missing Network Device configuration under Network Devices.

    I have seen situations where the MTU size is wrong and packets get corrupted on the way, also seen a bug in a AOS switch firmware about 5 years ago stacking upp over 200 copies of the same attribute in a Radius reques. In that case ClearPass dropped the request without a trace.

    Can you do a pcap and check if you get the expexted traffic to ClearPass?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 08:00 AM

    Hi Jonas,

    thanks for your reply. In the meanwhile I opened a support case, but is a nastly problem.

    Debugging on the switches gives me this:

    2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
    2023-11-21T13:21:09.417494+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down - Administratively down
    2023-11-21T13:21:09.607199+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
    2023-11-21T13:21:09.949640+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 82 on port 1/1/25
    2023-11-21T13:21:19.032244+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
    2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
    2023-11-21T13:21:23.277544+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
    2023-11-21T13:21:24.033765+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
    2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
    2023-11-21T13:21:26.283550+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
    2023-11-21T13:21:26.692447+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
    2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
    2023-11-21T13:21:39.206120+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
    2023-11-21T13:22:05.878532+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
    2023-11-21T13:22:05.988913+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
    2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
    2023-11-21T13:22:14.459156+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
    2023-11-21T13:22:14.911076+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access

    2023-11-21T13:22:56.926873+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
    2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access

     vlan access 504
        rate-limit broadcast 100000 kbps
        spanning-tree port-type admin-edge
        port-access fallback-role Critical-Role
        aaa authentication port-access allow-cdp-bpdu
        aaa authentication port-access allow-lldp-bpdu
        aaa authentication port-access client-limit 2
        aaa authentication port-access critical-role Critical-Role
        aaa authentication port-access auth-role client
        aaa authentication port-access dot1x authenticator
            eapol-timeout 5
            max-eapol-requests 1
            max-retries 1
            enable

    port-access role Critical-Role
        vlan access 82

    show port-a clients int 1/1/25 det

    Port Access Client Status Details:

    Client a8:b1:3b:ec:83:37
    ========================
      Session Details
      ---------------
        Port         : 1/1/25
        Session Time : 154s
        IPv4 Address :
        IPv6 Address :
        Device Type  :

      VLAN Details
      ------------
        VLAN Group Name :
        VLANs Assigned  : 82
          Access          : 82
          Native Untagged :
          Allowed Trunk   :

      Authentication Details
      ----------------------
        Status          : Authentication Failed, Supplicant-Timeout
        Auth Precedence : dot1x - Unauthenticated, mac-auth - Not attempted
        Auth History    : dot1x - Unauthenticated, Supplicant-Timeout, 138s ago

      Authorization Details
      ----------------------
        Role   : Critical-Role, Fallback role
        Status : Applied


    Role Information:

    Name  : Critical-Role
    Type  : local
    ----------------------------------------------
        Reauthentication Period             :
        Cached Reauthentication Period      :
        Authentication Mode                 :
        Session Timeout                     :
        Client Inactivity Timeout           :
        Description                         :
        Access VLAN                         : 82
        Native VLAN                         :
        Allowed Trunk VLANs                 :
        Access VLAN Name                    :
        Native VLAN Name                    :
        Allowed Trunk VLAN Names            :
        VLAN Group Name                     :
        MTU                                 :
        QOS Trust Mode                      :
        STP Administrative Edge Port        :
        PoE Priority                        :
        Captive Portal Profile              :
        Policy                              :
        Device Type                         :

    the supplicant timeout drives me crazy.

    As I found: configuring the dot1x supplicant

    aaa authentication port-access dot1x supplicant
        enable
        policy CX_dot1x_supplicant
            held-period 30
            eapol-timeout 3
            max-retries 3
            eap-identity identity CXTME
            eap-identity password ciphertext AQBape5Wu36KVGRugeNTbk8v2b9IK4ttoDVItApjU0eTS3UKBQAAAKDsy/Fx
            eapol-force-multicast
            canned-eap-success
            discovery-timeout 15
            start-mode start-closed
            fail-mode fail-closed

    First I want to get the basic 802.1x EAP-TLS authentication right. Then I want ClearPass to sent the specific role(s) to the switch. Do I have to add a certificate to the switch?




  • 6.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 08:18 AM

    Hi Erik

    Do you have the switch as a supplicant to authenticate the uplink port?

    For basic 802.1x you do not need to install a trusted CA certificate on the switch, but if you would like to implement Downloadable User Roles you need to create a TA profile and install the root certificate of the chain for the HTTPS certificate on ClearPass.

    The https certificate must include in the SAN field, or Common name, the FQDN's referenced as Radius servers. CX switches must use FQDN for the Radius server configuration, instead of IP addresses. The same is true also for the Dynamic Authorization settings.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 08:29 AM

    Do you have the switch as a supplicant to authenticate the uplink port?

    No, just basic 802.1x is needed in this case.

    CX switches must use FQDN for the Radius server configuration, instead of IP addresses.

    I'm using IP-addresses. Going to change this first. 

    Strangely enough radius tracking works fine.




  • 8.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 09:16 AM

    Changing it did not make any sense.

    I'll wait my colleague will configure the wired intune SCEP profile.

    I've another question. I have 7 client vlans at this customer and I want the users to be put in a vlan randomly instead of by building.

    I think VLAN pooling is the best option. I found the configuration in ASE. How can I test this authz source the  best way?

    Best regards,

    Erik




  • 9.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 09:20 AM

    I have never tried VLAN pooling on wired, maybe someone else has an idea.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 10.  RE: 802.1x wired OS-CX switch, no authentication in access tracker

    Posted Nov 21, 2023 09:25 AM

    It's a pity, I hoped you ever did :)

    I'll ask TAC. Thank you.