Hi,
Critical and open authentication is available on ArubaOS switch
------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..
ACEP / ACMX #107 / ACDX #1281
------------------------------
Original Message:
Sent: May 20, 2021 06:09 AM
From: Abraham Lopez
Subject: Critical authentication
Hello,
I'd like to deploy a critical authentication feature to HPE and Aruba (ArubaOS) switches. I've been checking the configuration guide and I've found only one way to perform it using the roles configured in the switch:
Assign a user-role containing an untagged VLAN as the critical-role, using the command: aaa port-access <port> critical-auth user-role <ROLE-NAME>
As I understand this feature, devices connected to the ports configured with this command will get access to the network and will receive the VLAN in the configured role whenever the CPPM server is unreachable.
I've seen that Aruba AOS-CX switches can perform this feature with more options:
aaa authentication port-access [critical-role|preauth-role|reject-role|auth-role] <ROLE-NAME>
critical-role: Specifies the role that is applied when the RADIUS server is unreachable for authentication or when there is a request timeout.
preauth-role: Specifies the role that is applied when authentication is still in progress.
reject-role: Specifies the role that is applied when authentication has failed.
auth-role: Specifies the role that is applied to authenticated clients when a specific role is not assigned in the RADIUS server.
<ROLE-NAME>: Specifies the role name.
I'd like to deploy this feature for when the CPPM servers are unreachable and, on specific switches, for when the authentication process fails. With ArubaCX OS I could do that using the "reject-role" parameter. Do you know a procedure to perform this feature with ArubaOS and HPE switches?
Thanks in advance.
------------------------------
tech_sec
------------------------------