Wired Intelligent Edge

 View Only
last person joined: 16 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Expand all | Collapse all

Bridge-mode SSID and switch port-access/macauth

This thread has been viewed 26 times
  • 1.  Bridge-mode SSID and switch port-access/macauth

    Posted 21 days ago
    I don't know if this is impossible or pretty easy, but I can't seem to figure out the solution.
    We have our APs on vlan X, and almost averything is set up in tunnel-mode. Except one SSID "Bridge" which is in bridge-mode, vlan Y.
    Now this works perfectly well when we configure the uplink-port on the AP manually, vlan X untagged and vlan Y tagged.
     
    As we are currently implementing 802.1x and mac-auth on our wired network we came upon an issue:
    We use Clearpass for profiling endpoints, and an Aruba-AP gets its enforcement-profile with vlan X untagged and vlan Y tagged. So far so good! This vlan-configuration is applied to the switchport.
    However; as a client connects to the "Bridge" SSID, it then hits the switchport that is configured for 802.1x and mac-auth. And subsequently wants the client to authenticate to the switchport.
    I just want the client to connect to vlan Y.
    What am I missing?

    This is a default port-config:
    interface 1/1/1
        no shutdown
        no routing
        vlan access 256
        aaa authentication port-access dot1x authenticator
            initial-auth-response-timeout 30
            enable
        aaa authentication port-access mac-auth
            enable
        loop-protect
        exit



  • 2.  RE: Bridge-mode SSID and switch port-access/macauth
    Best Answer

    Posted 21 days ago

    aaa authentication port-access auth-mode device-mode

    However, it is better to use the Radius VSA of Port Auth Mode so this is applied dynamically.

    https://www.arubanetworks.com/techdocs/AOS-CX/10.09/HTML/security_6200-6300-6400/Content/Chp_Sppt_RADIUS_att/rad-ses-aut-att-vsa-fl-10.htm

    Port Auth Mode needs to be set as 1 Device Mode




  • 3.  RE: Bridge-mode SSID and switch port-access/macauth

    Posted 20 days ago

    Thank you, I'll give it a try. 




  • 4.  RE: Bridge-mode SSID and switch port-access/macauth

    Posted 18 days ago

    Worked like a charm! Thank you.

    I ended up just setting the authentication mode in the enforcement-profile in Clearpass: