Here is an example of the issue I have. When dot1x is enabled on a port with a printer connected to it, HTTPS management access to the printer is blocked. Printing and everything else works for users, and even port 443 seems to be open. When you disable dot1x authentication and set a static VLAN that is the same as the RADIUS-assigned VLAN, the HTTPS access works.
Users also report random errors accessing external resources and internal work; they get proxy errors etc. These issues are also resolved when bypassing 802.1X authentication. This is very strange because the same setup was working with the old switch.
I am running Aruba CX 6200F and tested with firmware 10.13.0001 and 10.13.1050, and will test the latest 10.13.1080 next.
Original Message:
Sent: Mar 21, 2025 04:05 AM
From: Herman Robers
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Unsure what problem you have, it's unlikely to be the same and there is no generic solution.
If you don't see a role applied, add that role to your switch and make sure it allows all traffic.
If you see a role applied, but there is no internet access (but LAN access), check the role contents.
This is really standard switch configuration and troubleshooting, your HPE Aruba Networking partner should be able to configure this correctly, or TAC may be able to assist if you configured it correct but it doesn't work.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 20, 2025 10:25 AM
From: fairhead
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Do you have any update on this? I am facing similar issue. The madness is real.
Original Message:
Sent: Mar 21, 2024 01:33 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
I don't see any assigned role in the configuration on the RADIUS server, nor on the switch port after the authentication.
Original Message:
Sent: Mar 19, 2024 10:22 AM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
What user role has been created and thus assigned upon a successful auth on your 2530?
The .1x process does not have a direct relation to network access. But as part of the RADIUS response a role will be assigned. That role can contain traffic/class rules for network access.
------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
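What the RADIUS server actually hands the switch on a successful authentication, as an added example that is not part of this thread and not HPE Aruba code: a small Python encoder/decoder for the Access-Accept attributes involved. It uses the RFC 2865 Vendor-Specific attribute layout with the Aruba vendor ID 14823 and the Aruba-User-Role vendor attribute (vendor type 1) to name a switch-local role, and the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple that NPS uses to return a VLAN. The role name EMPLOYEE and VLAN 303 are constructed inputs; the script does not talk to a RADIUS server.

```python
"""Encode and decode the RADIUS authorization attributes an 802.1X authenticator acts on.

Added example, not code from the thread or from HPE Aruba. Layouts follow RFC 2865
section 5.26 (Vendor-Specific) and RFC 2868/3580 (Tunnel-* attributes). The Aruba
vendor ID (14823) and the Aruba-User-Role vendor type (1) are from Aruba's RADIUS
dictionary. Role name and VLAN used below are constructed values.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1          # vendor type of Aruba-User-Role
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(attr_type, value):
    """One RADIUS attribute TLV; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_aruba_user_role(role):
    """Vendor-Specific attribute carrying Aruba-User-Role = <role>."""
    name = role.encode("ascii")
    vendor_tlv = struct.pack("!BB", ARUBA_USER_ROLE, len(name) + 2) + name
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + vendor_tlv)


def encode_tunnel_vlan(vlan_id, tag=0):
    """RFC 3580 VLAN assignment. Integer tunnel attributes carry a 1-byte tag and a
    3-byte value; the Tunnel-Private-Group-ID tag byte is omitted when it is 0."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")

    def tagged_int(v):
        return struct.pack("!B", tag) + struct.pack("!I", v)[1:]

    group_id = str(vlan_id).encode("ascii")
    if tag:
        group_id = bytes([tag]) + group_id
    return (_attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, group_id))


def decode_attributes(data):
    """Walk the attribute stream; Vendor-Specific attributes are split into their
    inner vendor TLVs. Raises ValueError on truncated or malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 3 or i + ln > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + ln]
        i += ln
        if t != ATTR_VENDOR_SPECIFIC:
            out.append({"type": t, "vendor": None, "vendor_type": None, "value": value})
            continue
        if len(value) < 6:
            raise ValueError("short Vendor-Specific attribute")
        vendor = struct.unpack("!I", value[:4])[0]
        j = 4
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated vendor attribute header")
            vt, vl = value[j], value[j + 1]
            if vl < 2 or j + vl > len(value):
                raise ValueError("bad vendor attribute length")
            out.append({"type": t, "vendor": vendor, "vendor_type": vt,
                        "value": value[j + 2:j + vl]})
            j += vl
    return out


def authorization_from_attributes(data):
    """What an authenticator would take from the response: a named role, a VLAN, or both."""
    role, vlan = None, None
    for a in decode_attributes(data):
        if a["vendor"] == ARUBA_VENDOR_ID and a["vendor_type"] == ARUBA_USER_ROLE:
            role = a["value"].decode("ascii")
        elif a["type"] == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            v = a["value"]
            if v and v[0] <= 0x1F:      # leading tag byte, not part of the string
                v = v[1:]
            vlan = int(v) if v.isdigit() else None
    return {"role": role, "vlan": vlan}


if __name__ == "__main__":
    accept = encode_aruba_user_role("EMPLOYEE") + encode_tunnel_vlan(303)
    print(accept.hex())
    print(authorization_from_attributes(accept))
```

A response carrying only the Tunnel-* triple assigns the VLAN but names no role; a response carrying Aruba-User-Role requires a role of that name to exist on the switch. When the switch shows no role, or a role whose contents you did not write, compare what the server is configured to send with what the switch has configured locally.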
Original Message:
Sent: Mar 19, 2024 08:27 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
I am using Windows Radius Server NPS.
The Logs on the event viewer, confirm successful authentication of the device connected on the switch port.
If I disable AAA on the switch port, internet traffic is permitted. When enabling it, internet traffic is not passing.
I don't understand the relation of 802.1X authentication with traffic to the internet. Isn't it wired?
On the older HP switches, as I pointed out earlier in the post, when devices were authenticated, internal and external traffic was permitted without any additional configuration.
Original Message:
Sent: Mar 14, 2024 10:57 AM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
What are you using as your RADIUS sever? Clearpass? What sort of enforcement response RADIUS/VSA is it sending upon successful auth?
Original Message:
Sent: Mar 14, 2024 03:28 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
switch(config-if)# show port-access clients interface 1/1/2 detail
No port-access clients found.
Original Message:
Sent: Mar 13, 2024 07:21 PM
From: Usaia Tawakevou
Subject: ArubaOS-CX issue with dot1.x traffic to internet
What does the output of "show port-access clients interface 1/1/2 detail" when you remove 802.1x configuration on that port ?
Original Message:
Sent: Mar 13, 2024 06:14 PM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Yes it does. If I deactivate port-access on port 1/1/2, traffic to the internet passes.
Original Message:
Sent: 3/13/2024 5:12:00 PM
From: 802.zak
Subject: RE: ArubaOS-CX issue with dot1.x traffic to internet
Does external network access work with that VLAN (and the particular switch) on a port without port-access configured?
Original Message:
Sent: Mar 13, 2024 01:42 PM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Below is a snippet of the configuration (only regarding RADIUS and dot1.x); the rest is out of scope. Names and other data have been changed for privacy.
As you can see from the output of the commands, pc on 1/1/2 has been authenticated. Traffic to internal lan is fine, but to internet is not passing.
Currently I just want to focus on dot1.x authentication not mac authentication.
Snippet from running config
!
radius-server host xxx.xxx.xxx.xxx key ciphertext xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
radius-server host xxx.xxx.xxx.xxx key ciphertext xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
!
!
aaa authentication login https-server group radius local
aaa authentication login ssh group radius local
!
aruba-central
disable
!
aaa authentication port-access dot1x authenticator
enable
!
interface 1/1/2
description xxxxxxx
no shutdown
vlan access 303
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
aaa authentication port-access dot1x authenticator
enable
Output of #show aaa authentication port-access dot1x authenticator interface all client-status
Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com, 1/1/2
=========================================
Authentication Details
----------------------
Status : Authenticated
Type : Pass-Through
EAP-Method : TLS
Auth Failure reason :
Time Since Last State Change : 104s
Authentication Statistics
-------------------------
Authentication : 1
Authentication Timeout : 0
EAP-Start While Authenticating : 0
EAP-Logoff While Authenticating : 0
Successful Authentication : 1
Failed Authentication : 0
Re-Authentication : 0
Successful Re-Authentication : 0
Failed Re-Authentication : 0
EAP-Start When Authenticated : 0
EAP-Logoff When Authenticated : 0
Re-Auths When Authenticated : 0
Cached Re-Authentication : 0
Second output:
switch# show port-access clients interface 1/1/2 detail
Port Access Client Status Details:
RADIUS overridden user roles are suffixed with '*'
Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com
==============================================
Session Details
---------------
Port : 1/1/2
Session Time : 5153s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 303
Access : 303
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 5153s ago
Authorization Details
----------------------
Status : Applied
RADIUS Attributes
------------------
Framed-MTU : 1200 bytes
RADIUS Role Name : RADIUS_3226739997
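The two outputs above, run through an added Python parser that is not part of the thread and not HPE Aruba tooling. It reads the "show port-access clients ... detail" format (section titles underlined with dashes, "key : value" lines) and reports what the switch recorded for the session: authentication and authorization state, assigned VLAN, the role name (a trailing "*" marks a RADIUS-overridden role, as the output's own header line says; a RADIUS_ prefix is the form seen in the post rather than a locally named role), Framed-MTU, and whether an IP address was recorded. SAMPLE is reconstructed from the posted output, with the masking kept.

```python
"""Parse AOS-CX 'show port-access clients <port> detail' output and summarise each session.

Added example, not code from the thread or from HPE Aruba. SAMPLE is reconstructed from
the output posted above (MAC address and hostname masked as in the post).
"""
import re

CLIENT_RE = re.compile(r"^Client (\S+), (.+)$")
RULE_RE = re.compile(r"[-=]+")   # underline drawn beneath a section title

SAMPLE = """\
Port Access Client Status Details:
RADIUS overridden user roles are suffixed with '*'

Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com
==============================================
Session Details
---------------
Port : 1/1/2
Session Time : 5153s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 303
Access : 303
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 5153s ago
Authorization Details
----------------------
Status : Applied
RADIUS Attributes
------------------
Framed-MTU : 1200 bytes
RADIUS Role Name : RADIUS_3226739997
"""


def parse_clients(text):
    """Return one dict per client: mac, identity and a {section: {key: value}} map."""
    lines = text.splitlines()
    clients, current, section = [], None, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        m = CLIENT_RE.match(line)
        if m:
            current = {"mac": m.group(1), "identity": m.group(2), "sections": {}}
            clients.append(current)
            section = None
            continue
        body = line.strip()
        if current is None or not body or RULE_RE.fullmatch(body):
            continue
        if nxt and RULE_RE.fullmatch(nxt):      # a title is the line above an underline
            section = body
            current["sections"].setdefault(section, {})
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        current["sections"].setdefault(section or "General", {})[key.strip()] = value.strip()
    return clients


def summarize(client):
    """Flatten the fields a troubleshooter looks at first and attach finding codes."""
    s = client["sections"]

    def get(section, key):
        return s.get(section, {}).get(key, "")

    role = get("RADIUS Attributes", "RADIUS Role Name")
    mtu = re.match(r"(\d+)", get("RADIUS Attributes", "Framed-MTU"))
    info = {
        "mac": client["mac"],
        "port": get("Session Details", "Port"),
        "ipv4": get("Session Details", "IPv4 Address") or None,
        "vlan": get("VLAN Details", "VLANs Assigned") or None,
        "auth_status": get("Authentication Details", "Status"),
        "authz_status": get("Authorization Details", "Status"),
        "role": role.rstrip("*") or None,
        "role_overridden": role.endswith("*"),     # convention stated in the output header
        "role_dynamic": role.startswith("RADIUS_"),  # form seen in the post, not a named role
        "framed_mtu": int(mtu.group(1)) if mtu else None,
    }
    findings = []
    if "Authenticated" not in info["auth_status"]:
        findings.append("not-authenticated")
    if info["authz_status"] != "Applied":
        findings.append("authorization-not-applied")
    if info["role"] is None:
        findings.append("no-role")
    elif info["role_dynamic"]:
        findings.append("dynamic-radius-role")
    if info["ipv4"] is None:
        findings.append("no-ipv4")
    info["findings"] = findings
    return info


def analyze(text):
    """Summaries for every client in one 'show port-access clients' output."""
    return [summarize(c) for c in parse_clients(text)]


if __name__ == "__main__":
    for entry in analyze(SAMPLE):
        print(entry)
```

The finding codes are only pointers to what to check next: "dynamic-radius-role" means the role's contents live on the switch and should be inspected there, and "no-ipv4" means the switch recorded no address for the session, which matters if any role rule is written in terms of the client's IP.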
Original Message:
Sent: Mar 13, 2024 10:47 AM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Can you share a snippet of your configuration? Access to internal vs. external is not role/ACL dependent, but that is an important part of understanding the design.
Here is a detailed guide for this process, starting at page 258: Security Guide
What do the outputs of the below look like for those clients?
#show aaa authentication port-access dot1x authenticator interface all client-status
#show port-access clients interface 1/1/X detail
Original Message:
Sent: Mar 13, 2024 03:56 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Hi Zak and thanks for the reply,
I can ping my default gateway from the switch.
I haven't assigned any particular ACLs on the ports, nor roles; I only configured access ports with the respective VLAN assignment.
I haven't used roles and ACLs before on a layer 2 device such as an Aruba 6000.
So in order to grant access to the external network, do I have to configure roles on the switch?
Can you elaborate more and give an example please?
Thank you
Original Message:
Sent: Mar 12, 2024 02:52 PM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Well this is highly dependent on the Role and ACL that is assigned as a part of the port-access process.
Are you assigning any particular ACLs or VLANs? Can you ping the default gateway of that user VLAN?
Original Message:
Sent: Mar 12, 2024 10:46 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Hi to all,
I have a couple of Aruba 6000 switches and set them up so clients can authenticate via dot1.x and access the network.
Previously I used some HP 2530 switches with dot1.x enabled as well, and they were working fine.
The madness with the new Aruba 6000 is that although the clients are authenticated via dot1.x and gain access to the LAN, external traffic to the internet is not passing.
Can anyone explain this or point me something to check?
Thank you in advance!