Security

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

anyone?

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

Hi Erik

I do not have any experiance with the specific dockingstations your users have.

But in general, if you do not see anything in Access Tracker I would say the two most common issues are, blocked Radius traffic between the switch and ClearPass or missconfigured or missing Network Device configuration under Network Devices.

I have seen situations where the MTU size is wrong and packets get corrupted on the way, also seen a bug in a AOS switch firmware about 5 years ago stacking upp over 200 copies of the same attribute in a Radius reques. In that case ClearPass dropped the request without a trace.

Can you do a pcap and check if you get the expexted traffic to ClearPass?

anyone?

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

Hi Jonas,

thanks for your reply. In the meanwhile I opened a support case, but is a nastly problem.

Debugging on the switches gives me this:

2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
2023-11-21T13:21:09.417494+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down - Administratively down
2023-11-21T13:21:09.607199+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:09.949640+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 82 on port 1/1/25
2023-11-21T13:21:19.032244+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:23.277544+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:21:24.033765+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:21:26.283550+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:26.692447+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:21:39.206120+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:22:05.878532+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:22:05.988913+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
2023-11-21T13:22:14.459156+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:22:14.911076+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access

2023-11-21T13:22:56.926873+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access

 vlan access 504
    rate-limit broadcast 100000 kbps
    spanning-tree port-type admin-edge
    port-access fallback-role Critical-Role
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role Critical-Role
    aaa authentication port-access auth-role client
    aaa authentication port-access dot1x authenticator
        eapol-timeout 5
        max-eapol-requests 1
        max-retries 1
        enable

port-access role Critical-Role
    vlan access 82

show port-a clients int 1/1/25 det

Port Access Client Status Details:

Client a8:b1:3b:ec:83:37
========================
  Session Details
  ---------------
    Port         : 1/1/25
    Session Time : 154s
    IPv4 Address :
    IPv6 Address :
    Device Type  :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  : 82
      Access          : 82
      Native Untagged :
      Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : Authentication Failed, Supplicant-Timeout
    Auth Precedence : dot1x - Unauthenticated, mac-auth - Not attempted
    Auth History    : dot1x - Unauthenticated, Supplicant-Timeout, 138s ago

  Authorization Details
  ----------------------
    Role   : Critical-Role, Fallback role
    Status : Applied

Role Information:

Name  : Critical-Role
Type  : local
----------------------------------------------
    Reauthentication Period             :
    Cached Reauthentication Period      :
    Authentication Mode                 :
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Access VLAN                         : 82
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :
    Device Type                         :

the supplicant timeout drives me crazy.

As I found: configuring the dot1x supplicant

aaa authentication port-access dot1x supplicant
    enable
    policy CX_dot1x_supplicant
        held-period 30
        eapol-timeout 3
        max-retries 3
        eap-identity identity CXTME
        eap-identity password ciphertext AQBape5Wu36KVGRugeNTbk8v2b9IK4ttoDVItApjU0eTS3UKBQAAAKDsy/Fx
        eapol-force-multicast
        canned-eap-success
        discovery-timeout 15
        start-mode start-closed
        fail-mode fail-closed

First I want to get the basic 802.1x EAP-TLS authentication right. Then I want ClearPass to sent the specific role(s) to the switch. Do I have to add a certificate to the switch?

Hi Erik

I do not have any experiance with the specific dockingstations your users have.

But in general, if you do not see anything in Access Tracker I would say the two most common issues are, blocked Radius traffic between the switch and ClearPass or missconfigured or missing Network Device configuration under Network Devices.

I have seen situations where the MTU size is wrong and packets get corrupted on the way, also seen a bug in a AOS switch firmware about 5 years ago stacking upp over 200 copies of the same attribute in a Radius reques. In that case ClearPass dropped the request without a trace.

Can you do a pcap and check if you get the expexted traffic to ClearPass?

anyone?

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

Hi Erik

Do you have the switch as a supplicant to authenticate the uplink port?

For basic 802.1x you do not need to install a trusted CA certificate on the switch, but if you would like to implement Downloadable User Roles you need to create a TA profile and install the root certificate of the chain for the HTTPS certificate on ClearPass.

The https certificate must include in the SAN field, or Common name, the FQDN's referenced as Radius servers. CX switches must use FQDN for the Radius server configuration, instead of IP addresses. The same is true also for the Dynamic Authorization settings.

Hi Jonas,

thanks for your reply. In the meanwhile I opened a support case, but is a nastly problem.

Debugging on the switches gives me this:

2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
2023-11-21T13:21:09.417494+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down - Administratively down
2023-11-21T13:21:09.607199+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:09.949640+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 82 on port 1/1/25
2023-11-21T13:21:19.032244+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:23.277544+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:21:24.033765+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:21:26.283550+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:26.692447+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:21:39.206120+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:22:05.878532+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:22:05.988913+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
2023-11-21T13:22:14.459156+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:22:14.911076+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access

2023-11-21T13:22:56.926873+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access

 vlan access 504
    rate-limit broadcast 100000 kbps
    spanning-tree port-type admin-edge
    port-access fallback-role Critical-Role
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role Critical-Role
    aaa authentication port-access auth-role client
    aaa authentication port-access dot1x authenticator
        eapol-timeout 5
        max-eapol-requests 1
        max-retries 1
        enable

port-access role Critical-Role
    vlan access 82

show port-a clients int 1/1/25 det

Port Access Client Status Details:

Client a8:b1:3b:ec:83:37
========================
  Session Details
  ---------------
    Port         : 1/1/25
    Session Time : 154s
    IPv4 Address :
    IPv6 Address :
    Device Type  :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  : 82
      Access          : 82
      Native Untagged :
      Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : Authentication Failed, Supplicant-Timeout
    Auth Precedence : dot1x - Unauthenticated, mac-auth - Not attempted
    Auth History    : dot1x - Unauthenticated, Supplicant-Timeout, 138s ago

  Authorization Details
  ----------------------
    Role   : Critical-Role, Fallback role
    Status : Applied

Role Information:

Name  : Critical-Role
Type  : local
----------------------------------------------
    Reauthentication Period             :
    Cached Reauthentication Period      :
    Authentication Mode                 :
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Access VLAN                         : 82
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :
    Device Type                         :

the supplicant timeout drives me crazy.

As I found: configuring the dot1x supplicant

aaa authentication port-access dot1x supplicant
    enable
    policy CX_dot1x_supplicant
        held-period 30
        eapol-timeout 3
        max-retries 3
        eap-identity identity CXTME
        eap-identity password ciphertext AQBape5Wu36KVGRugeNTbk8v2b9IK4ttoDVItApjU0eTS3UKBQAAAKDsy/Fx
        eapol-force-multicast
        canned-eap-success
        discovery-timeout 15
        start-mode start-closed
        fail-mode fail-closed

First I want to get the basic 802.1x EAP-TLS authentication right. Then I want ClearPass to sent the specific role(s) to the switch. Do I have to add a certificate to the switch?

Hi Erik

I do not have any experiance with the specific dockingstations your users have.

But in general, if you do not see anything in Access Tracker I would say the two most common issues are, blocked Radius traffic between the switch and ClearPass or missconfigured or missing Network Device configuration under Network Devices.

I have seen situations where the MTU size is wrong and packets get corrupted on the way, also seen a bug in a AOS switch firmware about 5 years ago stacking upp over 200 copies of the same attribute in a Radius reques. In that case ClearPass dropped the request without a trace.

Can you do a pcap and check if you get the expexted traffic to ClearPass?

anyone?

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

Do you have the switch as a supplicant to authenticate the uplink port?

No, just basic 802.1x is needed in this case.

CX switches must use FQDN for the Radius server configuration, instead of IP addresses.

I'm using IP-addresses. Going to change this first. 

Strangely enough radius tracking works fine.

Hi Erik

Do you have the switch as a supplicant to authenticate the uplink port?

For basic 802.1x you do not need to install a trusted CA certificate on the switch, but if you would like to implement Downloadable User Roles you need to create a TA profile and install the root certificate of the chain for the HTTPS certificate on ClearPass.

The https certificate must include in the SAN field, or Common name, the FQDN's referenced as Radius servers. CX switches must use FQDN for the Radius server configuration, instead of IP addresses. The same is true also for the Dynamic Authorization settings.

Hi Jonas,

thanks for your reply. In the meanwhile I opened a support case, but is a nastly problem.

Debugging on the switches gives me this:

2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
2023-11-21T13:21:09.417494+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down - Administratively down
2023-11-21T13:21:09.607199+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:09.949640+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 82 on port 1/1/25
2023-11-21T13:21:19.032244+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:23.277544+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:21:24.033765+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:21:26.283550+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:26.692447+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:21:39.206120+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:22:05.878532+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:22:05.988913+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
2023-11-21T13:22:14.459156+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:22:14.911076+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access

2023-11-21T13:22:56.926873+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access

 vlan access 504
    rate-limit broadcast 100000 kbps
    spanning-tree port-type admin-edge
    port-access fallback-role Critical-Role
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role Critical-Role
    aaa authentication port-access auth-role client
    aaa authentication port-access dot1x authenticator
        eapol-timeout 5
        max-eapol-requests 1
        max-retries 1
        enable

port-access role Critical-Role
    vlan access 82

show port-a clients int 1/1/25 det

Port Access Client Status Details:

Client a8:b1:3b:ec:83:37
========================
  Session Details
  ---------------
    Port         : 1/1/25
    Session Time : 154s
    IPv4 Address :
    IPv6 Address :
    Device Type  :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  : 82
      Access          : 82
      Native Untagged :
      Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : Authentication Failed, Supplicant-Timeout
    Auth Precedence : dot1x - Unauthenticated, mac-auth - Not attempted
    Auth History    : dot1x - Unauthenticated, Supplicant-Timeout, 138s ago

  Authorization Details
  ----------------------
    Role   : Critical-Role, Fallback role
    Status : Applied

Role Information:

Name  : Critical-Role
Type  : local
----------------------------------------------
    Reauthentication Period             :
    Cached Reauthentication Period      :
    Authentication Mode                 :
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Access VLAN                         : 82
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :
    Device Type                         :

the supplicant timeout drives me crazy.

As I found: configuring the dot1x supplicant

aaa authentication port-access dot1x supplicant
    enable
    policy CX_dot1x_supplicant
        held-period 30
        eapol-timeout 3
        max-retries 3
        eap-identity identity CXTME
        eap-identity password ciphertext AQBape5Wu36KVGRugeNTbk8v2b9IK4ttoDVItApjU0eTS3UKBQAAAKDsy/Fx
        eapol-force-multicast
        canned-eap-success
        discovery-timeout 15
        start-mode start-closed
        fail-mode fail-closed

First I want to get the basic 802.1x EAP-TLS authentication right. Then I want ClearPass to sent the specific role(s) to the switch. Do I have to add a certificate to the switch?

Hi Erik

I do not have any experiance with the specific dockingstations your users have.

But in general, if you do not see anything in Access Tracker I would say the two most common issues are, blocked Radius traffic between the switch and ClearPass or missconfigured or missing Network Device configuration under Network Devices.

I have seen situations where the MTU size is wrong and packets get corrupted on the way, also seen a bug in a AOS switch firmware about 5 years ago stacking upp over 200 copies of the same attribute in a Radius reques. In that case ClearPass dropped the request without a trace.

Can you do a pcap and check if you get the expexted traffic to ClearPass?

anyone?

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

Changing it did not make any sense.

I'll wait my colleague will configure the wired intune SCEP profile.

I've another question. I have 7 client vlans at this customer and I want the users to be put in a vlan randomly instead of by building.

I think VLAN pooling is the best option. I found the configuration in ASE. How can I test this authz source the  best way?

Best regards,

Erik

Do you have the switch as a supplicant to authenticate the uplink port?

No, just basic 802.1x is needed in this case.

CX switches must use FQDN for the Radius server configuration, instead of IP addresses.

I'm using IP-addresses. Going to change this first. 

Strangely enough radius tracking works fine.

Hi Erik

Do you have the switch as a supplicant to authenticate the uplink port?

For basic 802.1x you do not need to install a trusted CA certificate on the switch, but if you would like to implement Downloadable User Roles you need to create a TA profile and install the root certificate of the chain for the HTTPS certificate on ClearPass.

The https certificate must include in the SAN field, or Common name, the FQDN's referenced as Radius servers. CX switches must use FQDN for the Radius server configuration, instead of IP addresses. The same is true also for the Dynamic Authorization settings.

Hi Jonas,

thanks for your reply. In the meanwhile I opened a support case, but is a nastly problem.

Debugging on the switches gives me this:

2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
2023-11-21T13:21:09.417494+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down - Administratively down
2023-11-21T13:21:09.607199+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:09.949640+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 82 on port 1/1/25
2023-11-21T13:21:19.032244+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:23.277544+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:21:24.033765+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:21:26.283550+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:26.692447+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:21:39.206120+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:22:05.878532+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:22:05.988913+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
2023-11-21T13:22:14.459156+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:22:14.911076+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access

2023-11-21T13:22:56.926873+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access

 vlan access 504
    rate-limit broadcast 100000 kbps
    spanning-tree port-type admin-edge
    port-access fallback-role Critical-Role
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role Critical-Role
    aaa authentication port-access auth-role client
    aaa authentication port-access dot1x authenticator
        eapol-timeout 5
        max-eapol-requests 1
        max-retries 1
        enable

port-access role Critical-Role
    vlan access 82

show port-a clients int 1/1/25 det

Port Access Client Status Details:

Client a8:b1:3b:ec:83:37
========================
  Session Details
  ---------------
    Port         : 1/1/25
    Session Time : 154s
    IPv4 Address :
    IPv6 Address :
    Device Type  :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  : 82
      Access          : 82
      Native Untagged :
      Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : Authentication Failed, Supplicant-Timeout
    Auth Precedence : dot1x - Unauthenticated, mac-auth - Not attempted
    Auth History    : dot1x - Unauthenticated, Supplicant-Timeout, 138s ago

  Authorization Details
  ----------------------
    Role   : Critical-Role, Fallback role
    Status : Applied

Role Information:

Name  : Critical-Role
Type  : local
----------------------------------------------
    Reauthentication Period             :
    Cached Reauthentication Period      :
    Authentication Mode                 :
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Access VLAN                         : 82
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :
    Device Type                         :

the supplicant timeout drives me crazy.

As I found: configuring the dot1x supplicant

aaa authentication port-access dot1x supplicant
    enable
    policy CX_dot1x_supplicant
        held-period 30
        eapol-timeout 3
        max-retries 3
        eap-identity identity CXTME
        eap-identity password ciphertext AQBape5Wu36KVGRugeNTbk8v2b9IK4ttoDVItApjU0eTS3UKBQAAAKDsy/Fx
        eapol-force-multicast
        canned-eap-success
        discovery-timeout 15
        start-mode start-closed
        fail-mode fail-closed

First I want to get the basic 802.1x EAP-TLS authentication right. Then I want ClearPass to sent the specific role(s) to the switch. Do I have to add a certificate to the switch?

Hi Erik

I do not have any experiance with the specific dockingstations your users have.

But in general, if you do not see anything in Access Tracker I would say the two most common issues are, blocked Radius traffic between the switch and ClearPass or missconfigured or missing Network Device configuration under Network Devices.

I have seen situations where the MTU size is wrong and packets get corrupted on the way, also seen a bug in a AOS switch firmware about 5 years ago stacking upp over 200 copies of the same attribute in a Radius reques. In that case ClearPass dropped the request without a trace.

Can you do a pcap and check if you get the expexted traffic to ClearPass?

anyone?

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.

I have never tried VLAN pooling on wired, maybe someone else has an idea.

Changing it did not make any sense.

I'll wait my colleague will configure the wired intune SCEP profile.

I've another question. I have 7 client vlans at this customer and I want the users to be put in a vlan randomly instead of by building.

I think VLAN pooling is the best option. I found the configuration in ASE. How can I test this authz source the  best way?

Best regards,

Erik

Do you have the switch as a supplicant to authenticate the uplink port?

No, just basic 802.1x is needed in this case.

CX switches must use FQDN for the Radius server configuration, instead of IP addresses.

I'm using IP-addresses. Going to change this first. 

Strangely enough radius tracking works fine.

Hi Erik

Do you have the switch as a supplicant to authenticate the uplink port?

For basic 802.1x you do not need to install a trusted CA certificate on the switch, but if you would like to implement Downloadable User Roles you need to create a TA profile and install the root certificate of the chain for the HTTPS certificate on ClearPass.

The https certificate must include in the SAN field, or Common name, the FQDN's referenced as Radius servers. CX switches must use FQDN for the Radius server configuration, instead of IP addresses. The same is true also for the Dynamic Authorization settings.

Hi Jonas,

thanks for your reply. In the meanwhile I opened a support case, but is a nastly problem.

Debugging on the switches gives me this:

2023-11-21T13:21:05.960782+0100 dot1x-suppd[552] <INFO> Event|12301|LOG_INFO|AMM|1/1|802.1X supplicant has blocked the interface 1/1/25.
2023-11-21T13:21:09.417494+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down - Administratively down
2023-11-21T13:21:09.607199+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:09.949640+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 82 on port 1/1/25
2023-11-21T13:21:19.032244+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:19.473994+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:23.277544+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:21:24.033765+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:21:24.266222+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:21:26.283550+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:21:26.692447+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access
2023-11-21T13:21:38.959497+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:21:39.206120+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access
2023-11-21T13:22:05.878532+0100 intfd[596] <INFO> Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is down
2023-11-21T13:22:05.988913+0100 dot1x-suppd[552] <INFO> Event|12302|LOG_INFO|AMM|1/1|802.1X supplicant has unblocked the interface 1/1/25.
2023-11-21T13:22:06.841729+0100 ops-switchd[568] <INFO> Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for a8:b1:3b:ec:83:37 with VLAN 504 on port 1/1/25
2023-11-21T13:22:14.459156+0100 intfd[596] <INFO> Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/25 is up
2023-11-21T13:22:14.911076+0100 port-accessd[2290] <INFO> Event|10502|LOG_INFO|AMM|1/1|Port 1/1/25 is blocked by port-access

2023-11-21T13:22:56.926873+0100 ops-switchd[568] <INFO> Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 82 is mapped to client a8:b1:3b:ec:83:37 on port 1/1/25
2023-11-21T13:22:57.171522+0100 port-accessd[2290] <INFO> Event|10503|LOG_INFO|AMM|1/1|Port 1/1/25 is unblocked by port-access

 vlan access 504
    rate-limit broadcast 100000 kbps
    spanning-tree port-type admin-edge
    port-access fallback-role Critical-Role
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role Critical-Role
    aaa authentication port-access auth-role client
    aaa authentication port-access dot1x authenticator
        eapol-timeout 5
        max-eapol-requests 1
        max-retries 1
        enable

port-access role Critical-Role
    vlan access 82

show port-a clients int 1/1/25 det

Port Access Client Status Details:

Client a8:b1:3b:ec:83:37
========================
  Session Details
  ---------------
    Port         : 1/1/25
    Session Time : 154s
    IPv4 Address :
    IPv6 Address :
    Device Type  :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  : 82
      Access          : 82
      Native Untagged :
      Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : Authentication Failed, Supplicant-Timeout
    Auth Precedence : dot1x - Unauthenticated, mac-auth - Not attempted
    Auth History    : dot1x - Unauthenticated, Supplicant-Timeout, 138s ago

  Authorization Details
  ----------------------
    Role   : Critical-Role, Fallback role
    Status : Applied

Role Information:

Name  : Critical-Role
Type  : local
----------------------------------------------
    Reauthentication Period             :
    Cached Reauthentication Period      :
    Authentication Mode                 :
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Access VLAN                         : 82
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    VLAN Group Name                     :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :
    Device Type                         :

the supplicant timeout drives me crazy.

As I found: configuring the dot1x supplicant

aaa authentication port-access dot1x supplicant
    enable
    policy CX_dot1x_supplicant
        held-period 30
        eapol-timeout 3
        max-retries 3
        eap-identity identity CXTME
        eap-identity password ciphertext AQBape5Wu36KVGRugeNTbk8v2b9IK4ttoDVItApjU0eTS3UKBQAAAKDsy/Fx
        eapol-force-multicast
        canned-eap-success
        discovery-timeout 15
        start-mode start-closed
        fail-mode fail-closed

First I want to get the basic 802.1x EAP-TLS authentication right. Then I want ClearPass to sent the specific role(s) to the switch. Do I have to add a certificate to the switch?

Hi Erik

I do not have any experiance with the specific dockingstations your users have.

But in general, if you do not see anything in Access Tracker I would say the two most common issues are, blocked Radius traffic between the switch and ClearPass or missconfigured or missing Network Device configuration under Network Devices.

I have seen situations where the MTU size is wrong and packets get corrupted on the way, also seen a bug in a AOS switch firmware about 5 years ago stacking upp over 200 copies of the same attribute in a Radius reques. In that case ClearPass dropped the request without a trace.

Can you do a pcap and check if you get the expexted traffic to ClearPass?

anyone?

Now tested on a Aruba OS switch both docks connecting a device behind both types of docks works.

Hi guys,

In my current project, I'm having issues getting radius working on Aruba CX6100 switch.

I used the CX wired enforcement PDF to configure the switch with the role and so on.

While testing I don't see anything in acces tracker. When configuring radius on a old Aruba 2540 switch, it works.

PS: users are working with HP docking stations USB-C G4 and G5. It seems to work behind a G5 docking not behind a G4 dock.

Has anyone experience with it?

I also configured radius tracking, that works perfectly.