Wired Intelligent Edge

  • 1.  Can't configure auth-order and auth-priority on 2920 switch

    Posted Jun 28, 2023 08:14 AM

    Hello,

    I want to configure a 2920 switch (With the latest firmware version) to be able to perform 802.1x authentication against a Clearpass server with fall-back / fall-over to MAC-authentication. In order to let that work I tried configuring the ports on the switch using the following commands:

    aaa port-access authenticator active
    aaa port-access authenticator <PORT>
    aaa port-access authenticator <PORT> tx-period 1
    aaa port-access authenticator <PORT> max-eap-retries 1
    aaa port-access authenticator <PORT> client-limit 2
    aaa port-access mac-based <PORT>
    aaa port-access mac-based <PORT> addr-limit 2
    aaa port-access <PORT> auth-order authenticator mac-based
    aaa port-access <PORT> auth-priority authenticator mac-based

    These are the commands that I also use to configure the ports on a 2930F switch. This works fine and so I tried to also configure the ports on the 2920 switch.

    But then the following commands are not recognised by the 2920 switch:

    aaa port-access authenticator <PORT> max-eap-retries 1
    aaa port-access <PORT> auth-order authenticator mac-based
    aaa port-access <PORT> auth-priority authenticator mac-based

    I have looked them up in this document and in chapter 9 the document states that it is possible to configure auth-order and auth-priority on a 2920 switch...

    Am I missing something and is there a solution to this problem?


    Jeffrey



  • 2.  RE: Can't configure auth-order and auth-priority on 2920 switch

    Posted Jul 03, 2023 07:34 AM

    You would not need that. The 2920 will perform concurrent onboarding and perform both 802.1X and MAC, and if 802.1X succeeds the outcome of that will take precedence.

    With aaa port-access <PORT> auth-order authenticator mac-based, I'd think that 802.1X is completely ignored.

    Please have a look at the Wired Policy Enforcement Guide for ClearPass, which has configuration examples for the switch, and for ClearPass. If you have a different RADIUS server, the switch side still should be the same.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Can't configure auth-order and auth-priority on 2920 switch

    Posted Jul 05, 2023 02:41 AM

    Thank you Herman,

    The 802.1x part works right now on the 2920 switch. I have looked in the guide that you suggested and copied the switch config that was stated in the document. But I ran into another problem. As I said, 802.1x is working fine, but when I try to connect a device that only performs MAC-auth, the authentication doesn't happen. I don't see any requests coming in at the CPPM. When I look in the logging from the switch I see the following:

    I 07/05/23 08:26:11 05385 auth: ST1-CMDR: mac-pinning is disabled on port 2/36
                for mac-based authentication.
    I 07/05/23 08:26:11 00435 ports: ST1-CMDR: port 2/36 is Blocked by AAA

    The configuration that I use on this port is:

    aaa port-access authenticator active
    aaa port-access authenticator 2/36
    aaa port-access authenticator 2/36 client-limit 5
    aaa port-access mac-based 2/36
    aaa port-access mac-based 2/36 addr-limit 5
    aaa port-access authenticator 2/36 supplicant-timeout 10
    aaa port-access authenticator 2/36 tx-period 10

    When I look for mac-pinning online, I can't find anything useful. I think that mac-pinning is blocking MAC-authentication?

    Is there a solution so I can also authenticate devices that use MAC-auth?


    Jeffrey

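    As an added example (not code from the thread or from Aruba): a small parser for ArubaOS-Switch event-log lines in the format quoted above, which joins the indented continuation line of the mac-pinning message and correlates each port reported "Blocked by AAA" with the auth messages that preceded it for that port. The sample log is constructed from the two quoted lines plus one unrelated entry.

```python
import re

# Constructed sample: the two lines from the post (including the wrapped
# continuation line) plus one unrelated port event.
SAMPLE_LOG = """\
I 07/05/23 08:26:11 05385 auth: ST1-CMDR: mac-pinning is disabled on port 2/36
            for mac-based authentication.
I 07/05/23 08:26:11 00435 ports: ST1-CMDR: port 2/36 is Blocked by AAA
I 07/05/23 08:27:02 00076 ports: ST1-CMDR: port 2/12 is now on-line
"""

# severity, date, time, event code, module, stack member, message
LINE_RE = re.compile(
    r"^([IWMED]) (\d\d/\d\d/\d\d) (\d\d:\d\d:\d\d) (\d+) (\w+): (\S+): (.*)$"
)
FIELDS = ("severity", "date", "time", "code", "module", "member", "message")


def parse_events(text):
    """Return a list of event dicts; indented lines are message overflow."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(dict(zip(FIELDS, m.groups())))
        elif raw.startswith(" ") and events:
            # The switch wraps long messages onto an indented next line.
            events[-1]["message"] += " " + raw.strip()
    return events


def blocked_ports(events):
    """Map each port 'Blocked by AAA' to earlier auth-module messages about it."""
    result = {}
    for i, ev in enumerate(events):
        if ev["module"] != "ports" or "Blocked by AAA" not in ev["message"]:
            continue
        port = re.search(r"\bport (\S+)", ev["message"]).group(1)
        mentions = re.compile(rf"\bport {re.escape(port)}(?!\S)")
        result[port] = [
            e["message"] for e in events[:i]
            if e["module"] == "auth" and mentions.search(e["message"])
        ]
    return result
```

Running blocked_ports(parse_events(SAMPLE_LOG)) ties port 2/36 to the preceding mac-pinning message, which is the correlation to look for before turning on the port-access debug.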



  • 4.  RE: Can't configure auth-order and auth-priority on 2920 switch

    Posted Jul 06, 2023 03:50 AM

    With just that port config (and RADIUS servers), I would expect a device just doing MAC Authentication to work as 'aaa port-access mac-based 2/36' enables MAC authentication on that port. Mac pinning is described here, you may have that configured as well. If this is lab, and you can wipe the switch config and start from scratch, that may be a good option to avoid any configuration that was collected over the years/time.

    You could as well enable debug on the MAC authentication (and other port-access activities):

    sw01-12p# debug security port-access
     auth-order            Display all Auth Order messages.
     authenticator         Display Port Access 802.1X Authenticator messages.
     local-mac             Display Port Access Local MAC authentication messages.
     mac-based             Display Port Access MAC Based authentication messages.
     supplicant            Display Port Access 802.1X Supplicant messages.
     web-based             Display Port Access Web Based authentication messages.
     <cr>
    sw01-12p# debug security port-access mac-based
     include
     <cr>

    and see if that provides new insights.



    ------------------------------
    Herman Robers
    ------------------------