Thank you Herman. The server-timeout being set to 300 removed this.
I guess I need to update the firmware as max-requests 2 is still displayed in my config. Appreciate your help.
Original Message:
Sent: Nov 06, 2023 04:18 AM
From: Herman Robers
Subject: AAA - Removing access from a Port
Ok, the values may have changed between firmware versions. For me, on a 2930F running version 16.11, the max-requests is 'removed' by setting it to 2, and the server-timeout needs to be set to 300:
sw01-12p(config)# aaa port-access authenticator 4 server-timeout 30
sw01-12p(config)# aaa port-access authenticator 4 max-requests 4
sw01-12p(config)# show running-config | inc "authenticator 4"
aaa port-access authenticator 4 server-timeout 30
aaa port-access authenticator 4 max-requests 4
aaa port-access authenticator 4 client-limit 1
sw01-12p(config)# aaa port-access authenticator 4 max-requests 2
sw01-12p(config)# show running-config | inc "authenticator 4"
aaa port-access authenticator 4 server-timeout 30
aaa port-access authenticator 4 client-limit 1
sw01-12p(config)# no aaa port-access authenticator 4 server-timeout 30
Invalid input: server-timeout
sw01-12p(config)# aaa port-access authenticator 4 server-timeout 300
sw01-12p(config)# show running-config | inc "authenticator 4"
aaa port-access authenticator 4 client-limit 1
And for the sake of completeness, the 'no' commands typically don't work for aaa port-access; you really need to set parameters back to their defaults.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
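The reply above shows that per-port parameter lines stay in the running config until each one is back at the value the firmware treats as default. The following is an added example, not code from the thread or from Aruba: it scans a saved running-config for `aaa port-access` parameter lines whose port no longer has the matching enabling line. The function name and sample config are hypothetical, and the script does not know any firmware's defaults; it only reports what is still displayed.

```python
import re
from collections import defaultdict

# Constructed sample in the syntax shown in the thread (values illustrative).
# Port 1/39: enabling lines removed, two parameters left behind.
# Port 1/40: still fully enabled.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1/39 server-timeout 30
aaa port-access mac-based 1/39 max-requests 2
aaa port-access authenticator 1/40
aaa port-access authenticator 1/40 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 1/40
aaa port-access 1/40 controlled-direction in
"""

# aaa port-access [authenticator|mac-based] <port> [parameter value...]
# Assumption: one port per line, written as "4" or "1/39".
LINE_RE = re.compile(
    r"^aaa port-access(?: (authenticator|mac-based))? (\d+(?:/\d+)?)(?: (.+))?$"
)

def audit_port_access(config_text):
    """Return {port: {"enabled": set of methods, "residual": [lines]}}.

    "enabled" holds methods whose bare enabling line is present on the port;
    "residual" holds parameter lines left on a port where that method (or,
    for method-less lines, any method) is no longer enabled.
    """
    enabled = defaultdict(set)
    params = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # global lines such as "authenticator active"
        method, port, rest = m.groups()
        if rest is None:
            enabled[port].add(method)
        else:
            params[port].append((method, line))
    report = {}
    for port in sorted(set(enabled) | set(params)):
        on = enabled[port]
        residual = [line for method, line in params[port]
                    if (method not in on if method else not on)]
        report[port] = {"enabled": on, "residual": residual}
    return report

if __name__ == "__main__":
    for port, info in audit_port_access(SAMPLE_CONFIG).items():
        print(port, sorted(info["enabled"]), info["residual"])
```
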
Original Message:
Sent: Nov 03, 2023 12:52 PM
From: JamesITK
Subject: AAA - Removing access from a Port
Hi Herman,
I had read that post, and while it is useful it doesn't address my specific query despite the fact it should follow the same logic.
For the life of me I cannot get these below commands removed (not displayed) from the running config, despite reverting them to default values of 30 and 2 stated here:
https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html
aaa port-access authenticator 1/39 server-timeout 30
aaa port-access mac-based 1/39 max-requests 2
Can you please test and let me know what is going on here?
Thanks,
James
Original Message:
Sent: Nov 03, 2023 12:16 PM
From: Herman Robers
Subject: AAA - Removing access from a Port
Ok, misinterpreted that. And the link shared earlier was on the S1500 Mobility Access switch and does not apply to the 2920 ArubaOS-S switches.
You can 'remove' those commands from the config by setting them to the default value. In fact they are not really removed, but commands at their default setting are not displayed. Check this post with some example on the same question (if I now correctly interpreted).
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Nov 03, 2023 11:31 AM
From: JamesITK
Subject: AAA - Removing access from a Port
Hi Herman,
I was simply replying to the previous post. I am not in the slightest bit interested in the S1500 switch that was linked. I have the Aruba 2920.
My original post was asking for info on how to remove these 2 commands on this switch.
Please may I have some guidance, as clearly setting those 2 commands to their default values as per the documentation does not remove them from the config, at least for me so it seems? Am I doing something wrong?
Thanks,
James
Original Message:
Sent: Nov 03, 2023 11:19 AM
From: Herman Robers
Subject: AAA - Removing access from a Port
James,
This topic is on different switches than your S1500. The S1500 works with interface profiles for AAA/authentication and if you remove the profile on an interface, it will fallback to a default for which I don't know if that performs authentication or not.
Please open a separate topic if you need more information
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Nov 02, 2023 12:06 PM
From: JamesITK
Subject: AAA - Removing access from a Port
Hello,
I have read those posts and am still confused as to how to achieve this.
I don't wish to use the following method:
https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=ac82ded4-b73b-4e36-a7d2-fbb6e70655f4&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
Reset to default config with a single command:
(ArubaS1500-24P) (config) #no interface gigabitethernet 0/0/10
Doing so will remove other commands related to the port; I am only interested in wiping all AAA commands.
Following the other post, it recommends setting commands back to their default value if there are no 'no' commands to enter. This is what I am doing, but I am having trouble removing max-requests and server-timeout values as per my original post.
I'd appreciate some help on how to remove these specific ones.
Thank you,
James
Original Message:
Sent: Sep 25, 2023 11:15 AM
From: shpat
Subject: AAA - Removing access from a Port
Did you check: Wired Intelligent Edge (Campus Switching and Routing)
or this Thread: Airhead Discussion Thread
Maybe it helps :)
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP |
-Just an Aruba enthusiast and contributor by cases
Original Message:
Sent: Sep 25, 2023 10:56 AM
From: JamesITK
Subject: AAA - Removing access from a Port
Hi all,
I am testing out 802.1X and have the following config on 1 of the ports on my Aruba 2920 switch:
aaa port-access authenticator 1/39
aaa port-access authenticator 1/39 tx-period 10
aaa port-access authenticator 1/39 server-timeout 10
aaa port-access authenticator 1/39 max-requests 5
aaa port-access authenticator 1/39 reauth-period 3600
aaa port-access authenticator 1/39 unauth-period 10
aaa port-access authenticator 1/39 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 1/39
aaa port-access mac-based 1/39 addr-limit 2
aaa port-access mac-based 1/39 max-requests 5
aaa port-access mac-based 1/39 reauth-period 3600
aaa port-access mac-based 1/39 unauth-period 10
aaa port-access mac-based 1/39 unauth-vid 200
aaa port-access 1/39 controlled-direction in
When trying to remove all AAA config from this port I have run:
No aaa port-access authenticator 1/39
No aaa port-access mac-based 1/39
I have since read that by running these commands, not everything gets removed. Some commands need to be reverted to their default value first.
What I am struggling with is to remove the 2 following commands:
aaa port-access authenticator 1/39 server-timeout 10
aaa port-access mac-based 1/39 max-requests 5
I have since set these back to their default values. Server-timeout = 30 and max-requests = 1
But these following commands do not exist:
No aaa port-access mac-based 1/39 max-requests
No aaa port-access authenticator 1/39 server-timeout
How do I clear this out from the port?
Thanks,
James