Wired Intelligent Edge

  • 1.  Aruba 2930F RADIUS auth with Windows NPS

    Posted Aug 30, 2024 04:59 AM

    Hello,

    We currently have four Aruba 2930F switches and a Windows NPS server handling authentication. We want to configure all ports for port-access.

    I have configured almost every port with port-access, and authentication is working well with the NPS server (I'm using dynamic VLAN assignment).

    One problem we are facing is that we have multiple APs. The MAC addresses of the APs are stored in a group in Active Directory (AD), and we check for a security group in a network policy on the NPS server. So far, this works great: the APs receive the correct VLAN ID after MAC authentication on the NPS server. However, the clients behind the APs can't connect because the VLANs are not allowed on the port.

    One solution is to use user roles on the switch where the untagged/tagged VLANs can be added. Does the Windows NPS server support sending back a specific user role name to the switch after authentication? If so, how should I configure this, and how should the user role for the access points be configured on the switch? (Something with device port mode?)


    And then I have one more question. Currently, all ports are configured with the following commands:

    interface (x)
    untagged vlan 1

    aaa port-access authenticator (x)
    aaa port-access authenticator (x) tx-period 10
    aaa port-access authenticator (x) client-limit 2
    aaa port-access mac-based (x)
    aaa port-access mac-based (x) addr-limit 2
    aaa port-access (x) auth-order authenticator mac-based
    aaa port-access (x) auth-priority authenticator mac-based


    From my understanding, the ports are currently configured for 'client-based' authentication. What is the difference between client-based and port-based authentication? Since all ports only have one client behind them, would port-based authentication be better?


  • 2.  RE: Aruba 2930F RADIUS auth with Windows NPS

    Posted Aug 30, 2024 12:49 PM

    Just use this for your Aruba APs:

    device-profile name "default-ap-profile"
       untagged-vlan 3249
       tagged-vlan 3216,3224
       allow-jumbo-frames
       exit

    device-profile type "aruba-ap"
       enable
       exit



    Mr. Scott McCambley

    Manager of Network, Server & Cloud Infrastructure







  • 3.  RE: Aruba 2930F RADIUS auth with Windows NPS

    Posted Sep 02, 2024 06:56 AM

    Hi, the difference between client-based and port-based authentication is that if you use client-based, each individual MAC address entering the port will be authenticated. If you use port-based authentication, only the first MAC address learned on the port is authenticated, and the MAC addresses that follow are allowed. So if you want to authenticate only the AP and not the clients connecting to the AP, you can use port-based authentication.




  • 4.  RE: Aruba 2930F RADIUS auth with Windows NPS

    Posted Sep 11, 2024 09:10 AM

    I have configured the port on port-based mode. But what happens now is a bit weird.

    The access point authenticates just fine and gets connectivity after successful authentication.

    After that, the clients that were connected to the AP before (and had already obtained an IP address) can communicate just fine. But when a new client tries to connect, it doesn't get an IP address via the DHCP server (running on the firewall (FortiGate)). It's like traffic from a new client to obtain an IP address doesn't work.

    I think I need to use user roles in order to let traffic from the other VLANs through the switchport. But I can't configure them on the switches with the current firmware version, which is YA.16.09.0014. I think this version doesn't support multiple untagged VLANs inside a local user role?




  • 5.  RE: Aruba 2930F RADIUS auth with Windows NPS

    Posted Sep 11, 2024 10:45 AM

    Hi, to my knowledge the AOS-S 2530 switches don't support Aruba user roles with the attribute port-mode. You need AOS-S 2540 or upwards for that feature.

    Have you configured the NPS according to Herman's recommendation?




  • 6.  RE: Aruba 2930F RADIUS auth with Windows NPS

    Posted Sep 11, 2024 10:50 AM

    Two things meet at this point: your WLAN and your LAN.
    Do you also use different VLANs in the WLAN environment? If so, the AP tags these packets when they are transferred to the wired network; from the end device's point of view, the traffic remains untagged. You must also tag these VLANs at the switch port where the AP is connected. You can write this statically into the startup config.

    It is better if you send the VLAN tags dynamically during AP authentication at the switch port.

    After AP authentication you can check port mode in the switch CLI, use show port-access summary radius-overridden.

    You can check dynamic VLAN tagging with show port-access clients [port-nr] detailed.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Aruba 2930F RADIUS auth with Windows NPS

    Posted Sep 02, 2024 06:59 AM

    You should (by RADIUS attributes) switch the port to port-mode after your MAC or 802.1X authentication. From ClearPass (you should be able to enter the same VSAs in NPS), it would look like:

    For 802.1X Authentication (of your AP) on a 2930F switch:

    For MAC Authentication:

    Here, 2<VLAN-name> means the VLAN is untagged/native; 1<VLAN-name> means the VLAN is tagged. The port-mode and client limit disable further authentication of additional clients, but they differ depending on whether the AP is MAC or 802.1X authenticated.

    And here is the attribute ID/type mapping for HPE VSA (Vendor id 11):



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Aruba 2930F RADIUS auth with Windows NPS

    Posted Sep 04, 2024 07:39 AM

    NPS can also send VSA, it's a bit tricky, but it works.
    You need the Radius Vendor ID and the Radius Attribute ID.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
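    The 1<VLAN-name>/2<VLAN-name> encoding Herman describes, and the Vendor ID / Attribute ID pairing Waldemar says NPS needs, as an added Python example (not code from either poster or from HPE): it packs an RFC 2865 Vendor-Specific attribute (type 26) for Vendor-Id 11 and decodes the tagged/untagged prefix so a captured Access-Accept can be checked against the intended port membership. The vendor-type number is a placeholder argument, because the thread's ID mapping is not reproduced here, and the VLAN names are constructed sample values.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for VSAs
HPE_VENDOR_ID = 11            # Vendor id quoted in the thread


def build_vsa(vendor_type: int, value: bytes, vendor_id: int = HPE_VENDOR_ID) -> bytes:
    """Pack one RFC 2865 Vendor-Specific attribute.

    Layout: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value.
    vendor_type is the per-attribute ID from the vendor's mapping (placeholder here).
    """
    if not 1 <= len(value) <= 247:          # 255 max length minus 8 bytes of headers
        raise ValueError("VSA value must be 1..247 bytes")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return (struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 6 + len(inner))
            + struct.pack("!I", vendor_id) + inner)


def parse_vsa(raw: bytes) -> tuple[int, int, bytes]:
    """Unpack a type-26 attribute; returns (vendor_id, vendor_type, value)."""
    if len(raw) < 9 or raw[0] != RADIUS_VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    vendor_type, vendor_len = raw[6], raw[7]
    if vendor_len != len(raw) - 6:          # vendor-length covers vendor-type..value
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, raw[8:]


def parse_egress_vlan_name(value: str) -> tuple[str, str]:
    """Decode the prefix convention from the thread: '1' = tagged, '2' = untagged."""
    mode = {"1": "tagged", "2": "untagged"}.get(value[:1])
    if mode is None or len(value) < 2:
        raise ValueError(f"bad Egress-VLAN-Name value: {value!r}")
    return mode, value[1:]


def port_membership(values: list[str]) -> dict[str, list[str]]:
    """Summarise the VLANs a port would carry after the RADIUS override."""
    result: dict[str, list[str]] = {"untagged": [], "tagged": []}
    for v in values:
        mode, name = parse_egress_vlan_name(v)
        result[mode].append(name)
    if len(result["untagged"]) > 1:         # a port has one native VLAN
        raise ValueError("more than one untagged VLAN returned")
    return result


if __name__ == "__main__":
    # Constructed sample: AP management untagged, two client VLANs tagged.
    raw = build_vsa(vendor_type=99, value=b"2AP-MGMT")   # 99 is a placeholder ID
    print(raw.hex(), parse_vsa(raw))
    print(port_membership(["2AP-MGMT", "1Staff", "1Guest"]))
```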