You can authenticate each user on the 3rd party switch with ClearPass via the Aruba switch. Your port needs to be set up as a port for client authentication (default) so every MAC address will get authenticated.
But I need to agree with Carson, as this is very trivial to spoof. Just change the MAC address on the offending device and you are in. At least until the next reauth period arrives.
Original Message:
Sent: Apr 26, 2024 02:57 PM
From: chulcher
Subject: 802.1x with Colorless port connecting switch behind Aruba switch
There are a few guides and videos for setting up UBT, just do a search to find one that meets your needs.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Apr 26, 2024 02:23 PM
From: PD28
Subject: 802.1x with Colorless port connecting switch behind Aruba switch
Thanks.
Yes, reading more on that, I noticed that UBT is an option. In that case, what exactly is needed on the 3rd party switch, and what should the uplink port connecting to the Aruba switch have?
Is there any sample CX switch configuration or any such relevant document for this scenario?
Original Message:
Sent: Apr 26, 2024 01:50 PM
From: chulcher
Subject: 802.1x with Colorless port connecting switch behind Aruba switch
Would not recommend, you're essentially building in a security bypass.
If you want to investigate then you should research UBT and test that configuration.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Apr 26, 2024 01:38 PM
From: PD28
Subject: 802.1x with Colorless port connecting switch behind Aruba switch
Hi Carson,
Thanks for your reply.
Well, I only need to make sure devices connecting on the downstream switch can also authenticate via ClearPass (802.1x, MAB), without any configuration on the downstream switch. Just want to validate if this is a doable solution?
Thank you.
Original Message:
Sent: Apr 26, 2024 11:57 AM
From: chulcher
Subject: 802.1x with Colorless port connecting switch behind Aruba switch
Don't do this.
You aren't going to get the same experience when there is a switch downstream not applying 802.1X. The authenticating device will have no visibility into the port state of the downstream device, leading to a trivial ability to spoof an already authenticated device.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Apr 26, 2024 10:55 AM
From: PD28
Subject: 802.1x with Colorless port connecting switch behind Aruba switch
Hi,
I am looking for more information and configuration guidelines on the Aruba colorless port concept. Our requirement is to have the same 802.1x experience as users connecting to the Aruba switch for any users connecting to a 3rd party switch (does not support 802.1x) behind the Aruba switch, as per the attached picture.
Doing some research, it seems like this may be done with user-based tunneling (UBT); we do have Aruba Controllers (8.x) as well. However, currently it is working with the Aruba switch using local user roles and ClearPass alone.
I would like to know:
- how we use the 3rd party switch to authenticate them with CPPM
- what kind of configuration is needed for the port connecting the Aruba switch and the 3rd party switch uplink
- what kind of configuration is needed for the 3rd party switch regular ports
- what configuration is needed on the Gateway/Controller (if needed)
- any reference documents/configuration guides
Thanks in advance.