Original Message:
Sent: Feb 02, 2024 08:35 AM
From: CM83
Subject: Bridge-mode SSID and switch port-access/macauth
aaa authentication port-access auth-mode device-mode
However, it is better to use the Radius VSA of Port Auth Mode so this is applied dynamically.
https://www.arubanetworks.com/techdocs/AOS-CX/10.09/HTML/security_6200-6300-6400/Content/Chp_Sppt_RADIUS_att/rad-ses-aut-att-vsa-fl-10.htm
Port Auth Mode needs to be set as 1 Device Mode
Original Message:
Sent: Feb 02, 2024 07:53 AM
From: Palves
Subject: Bridge-mode SSID and switch port-access/macauth
I don't know if this is impossible or pretty easy, but I can't seem to figure out the solution.
We have our APs on vlan X, and almost everything is set up in tunnel-mode. Except one SSID "Bridge" which is in bridge-mode, vlan Y.
Now this works perfectly well when we configure the uplink-port on the AP manually, vlan X untagged and vlan Y tagged.
As we are currently implementing 802.1x and mac-auth on our wired network we came upon an issue:
We use Clearpass for profiling endpoints, and an Aruba-AP gets its enforcement-profile with vlan X untagged and vlan Y tagged. So far so good! This vlan-configuration is applied to the switchport.
However, as a client connects to the "Bridge" SSID, it then hits the switchport that is configured for 802.1x and mac-auth. And subsequently wants the client to authenticate to the switchport.
I just want the client to connect to vlan Y.
What am I missing?
This is a default port-config:
interface 1/1/1
    no shutdown
    no routing
    vlan access 256
    aaa authentication port-access dot1x authenticator
        initial-auth-response-timeout 30
        enable
    aaa authentication port-access mac-auth
        enable
    loop-protect
    exit
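
Added example (not from either poster and not Aruba's own code): a small Python audit that parses interface stanzas like the port-config above and reports which ports have port-access enabled and in which auth-mode. It lets ports set to the reply's `device-mode` be listed and reviewed, since in that mode only the first device (the AP) authenticates at the switch. The second interface in the sample is constructed, and client-mode is taken as the default when no auth-mode line is present.

```python
import re

# Constructed sample: the thread's default port-config on 1/1/1, plus a
# hypothetical AP uplink 1/1/2 carrying the reply's device-mode command.
SAMPLE_CONFIG = """\
interface 1/1/1
    no shutdown
    no routing
    vlan access 256
    aaa authentication port-access dot1x authenticator
        initial-auth-response-timeout 30
        enable
    aaa authentication port-access mac-auth
        enable
    loop-protect
    exit
interface 1/1/2
    vlan access 256
    aaa authentication port-access auth-mode device-mode
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    exit
"""

PREFIX = "aaa authentication port-access "

def audit_port_access(config):
    """Map each port with port-access enabled to its methods and auth-mode."""
    ports, iface, method = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            iface, method = m.group(1), None
            # Assumption: client-mode applies when no auth-mode line is set.
            ports[iface] = {"methods": [], "auth_mode": "client-mode"}
        elif iface and line.startswith(PREFIX + "auth-mode "):
            ports[iface]["auth_mode"] = line.split()[-1]
        elif iface and (m := re.fullmatch(PREFIX + r"(dot1x authenticator|mac-auth)", line)):
            method = m.group(1).split()[0]  # opens the method's sub-context
        elif iface and line == "enable" and method:
            ports[iface]["methods"].append(method)
            method = None
    return {p: v for p, v in ports.items() if v["methods"]}

def device_mode_ports(config):
    """Ports where only the first device authenticates (the AP uplink case)."""
    return [p for p, v in audit_port_access(config).items()
            if v["auth_mode"] == "device-mode"]
```

The parser strips leading whitespace, so it also accepts a config pasted without indentation.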