  • 1.  AAA - Removing access from a Port

    Posted Sep 25, 2023 11:03 AM

    Hi all,

    I am testing out 802.1X and have the following config on 1 of the ports on my Aruba 2920 switch:

    aaa port-access authenticator 1/39
    aaa port-access authenticator 1/39 tx-period 10
    aaa port-access authenticator 1/39 server-timeout 10
    aaa port-access authenticator 1/39 max-requests 5
    aaa port-access authenticator 1/39 reauth-period 3600
    aaa port-access authenticator 1/39 unauth-period 10
    aaa port-access authenticator 1/39 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 1/39
    aaa port-access mac-based 1/39 addr-limit 2
    aaa port-access mac-based 1/39 max-requests 5
    aaa port-access mac-based 1/39 reauth-period 3600
    aaa port-access mac-based 1/39 unauth-period 10
    aaa port-access mac-based 1/39 unauth-vid 200
    aaa port-access 1/39 controlled-direction in
    

    When trying to remove all AAA config from this port I have run:

    No aaa port-access authenticator 1/39
    No aaa port-access mac-based 1/39
    

    I have since read that by running these commands, not everything gets removed. Some commands need to be reverted to their default value first.

    What I am struggling with is to remove the 2 following commands:

    aaa port-access authenticator 1/39 server-timeout 10
    aaa port-access mac-based 1/39 max-requests 5
    

    I have since set these back to their default values. Server-timeout = 30 and max-requests = 1

    But these following commands do not exist:

    No aaa port-access mac-based 1/39 max-requests
    No aaa port-access authenticator 1/39 server-timeout 
    

    How do I clear this out from the port?

    Thanks,

    James



  • 2.  RE: AAA - Removing access from a Port

    Posted Sep 25, 2023 11:15 AM

    Did you check: Wired Intelligent Edge (Campus Switching and Routing)

    or this Thread: Airhead Discussion Thread

    Maybe it helps :)



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------



  • 3.  RE: AAA - Removing access from a Port

    Posted Nov 02, 2023 12:07 PM

    Hello,

    I have read those posts and am still confused as to how to achieve this.

    I don't wish to use the following method:

    https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=ac82ded4-b73b-4e36-a7d2-fbb6e70655f4&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
    
    Reset to default config with a single command: 
    (ArubaS1500-24P) (config) #no interface gigabitethernet 0/0/10  

    Doing so will remove other commands related to the port; I am only interested in wiping all AAA commands.

    Following the other post, it recommends setting commands back to their default value if there are no 'no' commands to enter. This is what I am doing, but I am having trouble removing the max-requests and server-timeout values as per my original post.

    I'd appreciate some help on how to remove these specific ones.

    Thank you,

    James




  • 4.  RE: AAA - Removing access from a Port

    Posted Nov 03, 2023 11:19 AM

    James,

    This topic is on different switches than your S1500. The S1500 works with interface profiles for AAA/authentication and if you remove the profile on an interface, it will fall back to a default for which I don't know if that performs authentication or not.

    Please open a separate topic if you need more information



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: AAA - Removing access from a Port

    Posted Nov 03, 2023 11:32 AM
    Edited by JamesITK Nov 03, 2023 11:32 AM

    Hi Herman,

    I was simply replying to the previous post. I am not in the slightest bit interested in the S1500 switch that was linked. I have the Aruba 2920.

    My original post was asking for info on how to remove these 2 commands on this switch.

    Please may I have some guidance, as clearly setting those 2 commands to their default values as per the documentation does not remove them from the config, at least for me so it seems? Am I doing something wrong?

    Thanks,

    James




  • 6.  RE: AAA - Removing access from a Port

    Posted Nov 03, 2023 12:17 PM

    Ok, misinterpreted that. And the link shared earlier was on the S1500 Mobility Access switch and does not apply to the 2920 ArubaOS-S switches.

    You can 'remove' those commands from the config by setting them to the default value. In fact they are not really removed, but commands at their default setting are not displayed. Check this post with some example on the same question (if I now correctly interpreted).



    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: AAA - Removing access from a Port

    Posted Nov 03, 2023 12:52 PM

    Hi Herman,

    I had read that post, and while it is useful it doesn't address my specific query despite the fact it should follow the same logic.

    For the life of me I cannot get these below commands removed (not displayed) from the running config, despite reverting them to default values of 30 and 2 stated here:

    https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html

    aaa port-access authenticator 1/39 server-timeout 30
    aaa port-access mac-based 1/39 max-requests 2

    Can you please test and let me know what is going on here?

    Thanks,

    James




  • 8.  RE: AAA - Removing access from a Port

    Posted Nov 06, 2023 04:04 AM

    Hi James,

    Could you try the below CLI.

    Just curious to know if this removes the command from the running configuration.

    "no aaa port-access authenticator 1/39 server-timeout 30"

    "no aaa port-access mac-based 1/39 max-requests 2"

    I do agree with Herman that "commands at their default setting are not displayed in running configuration"

    Thank you

    Anil




  • 9.  RE: AAA - Removing access from a Port
    Best Answer

    Posted Nov 06, 2023 04:18 AM
    Edited by JamesITK Nov 17, 2023 11:47 AM

    Ok, the values may have changed between firmware versions. For me, on a 2930F running version 16.11, the max-requests is 'removed' by setting it to 2, and the server-timeout needs to be set to 300:

    sw01-12p(config)# aaa port-access authenticator 4 server-timeout 30
    sw01-12p(config)# aaa port-access authenticator 4 max-requests 4
    sw01-12p(config)# show running-config | inc "authenticator 4"
    aaa port-access authenticator 4 server-timeout 30
    aaa port-access authenticator 4 max-requests 4
    aaa port-access authenticator 4 client-limit 1
    sw01-12p(config)# aaa port-access authenticator 4 max-requests 2
    sw01-12p(config)# show running-config | inc "authenticator 4"
    aaa port-access authenticator 4 server-timeout 30
    aaa port-access authenticator 4 client-limit 1
    sw01-12p(config)# no aaa port-access authenticator 4 server-timeout 30
    Invalid input: server-timeout
    sw01-12p(config)# aaa port-access authenticator 4 server-timeout 300
    sw01-12p(config)# show running-config | inc "authenticator 4"
    aaa port-access authenticator 4 client-limit 1
    


    And for the sake of completeness, the 'no' commands typically don't work for aaa port-access, you really need to set parameters back to their defaults.
    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: AAA - Removing access from a Port

    Posted Nov 17, 2023 11:47 AM

    Thank you Herman.  The server-timeout being set to 300 removed this.

    I guess I need to update the firmware as max-requests 2 is still displayed in my config. Appreciate your help.

    James