Original Message:
Sent: Mar 19, 2024 10:22 AM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
What user role has been created and thus assigned upon a successful auth on your 2530?
The .1x process does not have a direct relation to network access. But as part of the RADIUS response a role will be assigned. That role can contain traffic/class rules for network access.
------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
Original Message:
Sent: Mar 19, 2024 08:27 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
I am using Windows RADIUS Server (NPS).
The logs in the Event Viewer confirm successful authentication of the device connected to the switch port.
If I disable AAA on the switch port, internet traffic is permitted. When it is enabled, internet traffic is not passing.
I don't understand the relation of 802.1X authentication to traffic to the internet. Isn't it wired?
On the older HP switches, as I pointed out earlier in the post, when devices were authenticated, internal and external traffic was permitted without any additional configuration.
Original Message:
Sent: Mar 14, 2024 10:57 AM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
What are you using as your RADIUS server? ClearPass? What sort of enforcement response (RADIUS attributes/VSAs) is it sending upon successful auth?
Original Message:
Sent: Mar 14, 2024 03:28 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
switch(config-if)# show port-access clients interface 1/1/2 detail
No port-access clients found.
Original Message:
Sent: Mar 13, 2024 07:21 PM
From: Usaia Tawakevou
Subject: ArubaOS-CX issue with dot1.x traffic to internet
What does the output of "show port-access clients interface 1/1/2 detail" look like when you remove the 802.1X configuration on that port?
Original Message:
Sent: Mar 13, 2024 06:14 PM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Yes it does. If I deactivate port-access on port 1/1/2, traffic to the internet is passing.
Original Message:
Sent: Mar 13, 2024 05:12 PM
From: 802.zak
Subject: RE: ArubaOS-CX issue with dot1.x traffic to internet
Does external network access work with that VLAN (and the particular switch) on a port without port-access configured?
Original Message:
Sent: Mar 13, 2024 01:42 PM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Below is a snippet of the configuration (only the parts regarding RADIUS and dot1.x); the rest is out of scope. Names and other data have been changed for privacy.
As you can see from the output of the commands, the PC on 1/1/2 has been authenticated. Traffic to the internal LAN is fine, but traffic to the internet is not passing.
Currently I just want to focus on dot1.x authentication, not MAC authentication.
Snippet from running config:
!
radius-server host xxx.xxx.xxx.xxx key ciphertext xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
radius-server host xxx.xxx.xxx.xxx key ciphertext xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
!
!
aaa authentication login https-server group radius local
aaa authentication login ssh group radius local
!
aruba-central
    disable
!
aaa authentication port-access dot1x authenticator
    enable
!
interface 1/1/2
    description xxxxxxx
    no shutdown
    vlan access 303
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access dot1x authenticator
        enable
Output of "show aaa authentication port-access dot1x authenticator interface all client-status":
Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com, 1/1/2
=========================================
Authentication Details
----------------------
    Status                         : Authenticated
    Type                           : Pass-Through
    EAP-Method                     : TLS
    Auth Failure reason            :
    Time Since Last State Change   : 104s
Authentication Statistics
-------------------------
    Authentication                 : 1
    Authentication Timeout         : 0
    EAP-Start While Authenticating : 0
    EAP-Logoff While Authenticating: 0
    Successful Authentication      : 1
    Failed Authentication          : 0
    Re-Authentication              : 0
    Successful Re-Authentication   : 0
    Failed Re-Authentication       : 0
    EAP-Start When Authenticated   : 0
    EAP-Logoff When Authenticated  : 0
    Re-Auths When Authenticated    : 0
    Cached Re-Authentication       : 0
Second output:
switch# show port-access clients interface 1/1/2 detail
Port Access Client Status Details:
RADIUS overridden user roles are suffixed with '*'
Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com
==============================================
Session Details
---------------
    Port            : 1/1/2
    Session Time    : 5153s
    IPv4 Address    :
    IPv6 Address    :
    Device Type     :
VLAN Details
------------
    VLAN Group Name :
    VLANs Assigned  : 303
    Access          : 303
    Native Untagged :
    Allowed Trunk   :
Authentication Details
----------------------
    Status          : dot1x Authenticated
    Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
    Auth History    : dot1x - Authenticated, 5153s ago
Authorization Details
----------------------
    Status          : Applied
RADIUS Attributes
------------------
    Framed-MTU       : 1200 bytes
    RADIUS Role Name : RADIUS_3226739997
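Zak's point earlier in the thread is that what the client can reach is decided by the role the RADIUS response leaves on the session, not by the authentication itself. The "show port-access clients ... detail" output above carries exactly those fields, so when many switches are involved it helps to parse it instead of eyeballing it. The following Python is an added example, not code from the thread or from HPE Aruba; the sample text is constructed from the redacted output above and the parser assumes the same "Key : value" layout under underlined section headers.

```python
import re
# Constructed sample modelled on the "show port-access clients ... detail"
# output quoted in the thread; the MAC and hostname are placeholders.
SAMPLE = """\
RADIUS overridden user roles are suffixed with '*'
Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com
==============================================
Session Details
---------------
Port : 1/1/2
VLAN Details
------------
VLANs Assigned : 303
Authentication Details
----------------------
Status : dot1x Authenticated
Authorization Details
----------------------
Status : Applied
RADIUS Attributes
------------------
RADIUS Role Name : RADIUS_3226739997
"""
def parse_clients(text):
    """Return {mac: {section: {key: value}}} for every client block."""
    clients, mac, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Client ([0-9a-fx:]{17})", line, re.I)
        if m:                                  # start of a client block
            mac, section = m.group(1), None
            clients[mac] = {}
        elif mac is None or set(line) <= set("=-"):
            pass                               # preamble, blanks, ==== rules
        elif ":" not in line:                  # section header
            section = line
            clients[mac][section] = {}
        else:                                  # "Key : value", value may be ""
            key, _, value = line.partition(":")
            clients[mac].setdefault(section, {})[key.strip()] = value.strip()
    return clients
def summarize(client):
    """The fields to check first: auth state, authorization state, role."""
    role = client.get("RADIUS Attributes", {}).get("RADIUS Role Name", "")
    return {"port": client["Session Details"].get("Port"),
            "vlan": client["VLAN Details"].get("VLANs Assigned"),
            "auth": client["Authentication Details"].get("Status"),
            "authz": client["Authorization Details"].get("Status"),
            "role": role.rstrip("*"),
            "radius_overrode_local_role": role.endswith("*")}
```

A role name carrying the '*' suffix means RADIUS overrode a locally defined role, which is the first thing to compare against the policy the RADIUS server was meant to send.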
Original Message:
Sent: Mar 13, 2024 10:47 AM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Can you share a snippet of your configuration? Access to internal vs. external is not role/ACL dependent, but that is an important part of understanding the design.
Here is a detailed guide for this process, starting at page 258: Security Guide
What do the outputs of the below look like for those clients?
#show aaa authentication port-access dot1x authenticator interface all client-status
#show port-access clients interface 1/1/X detail
Original Message:
Sent: Mar 13, 2024 03:56 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Hi Zak and thanks for the reply,
I can ping my default gateway from the switch.
I haven't assigned any particular ACLs or roles on the ports; I only configured access ports with their respective VLAN assignment.
I haven't used roles and ACLs before on a layer 2 device such as an Aruba 6000.
So in order to grant access to the external network, do I have to configure roles on the switch?
Can you elaborate more and give an example please?
Thank you
Original Message:
Sent: Mar 12, 2024 02:52 PM
From: 802.zak
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Well, this is highly dependent on the role and ACL that is assigned as part of the port-access process.
Are you assigning any particular ACLs or VLANs? Can you ping the default gateway of that user VLAN?
Original Message:
Sent: Mar 12, 2024 10:46 AM
From: santoniadis
Subject: ArubaOS-CX issue with dot1.x traffic to internet
Hi to all,
I have a couple of Aruba 6000 switches and set them up so clients can authenticate via dot1.x and access the network.
Previously I used some HP 2530 switches with dot1.x enabled as well, and they were working fine.
The madness with the new Aruba 6000 is that although the clients are authenticated via dot1.x and gain access to the LAN, external traffic to the internet is not passing.
Can anyone explain this or point me to something to check?
Thank you in advance!