Wired Intelligent Edge

  • 1.  How to configure port based MAC Auth in 2930M switch?

    Posted May 26, 2020 08:42 AM

    I was able to configure port based 802.1X using the command:

    aaa port-access authenticator <port number>

    without any client-limit. But for MAC Auth, the default for this command is an addr-limit of 1, and it doesn't set MAC Auth to port based as it is still user based:

    aaa port-access mac-based <port number>

    I tried using the RADIUS VSA HPE-Port-MA-Port-Mode and this works as expected, but I want to enable this using the CLI as some ports are always port based.

    Any idea how to achieve this using the CLI? I am not using roles in this deployment.



  • 2.  RE: How to configure port based MAC Auth in 2930M switch?

    Posted May 26, 2020 08:50 AM
    Try these commands:

    aaa port-access authenticator tx-period 5
    aaa port-access authenticator supplicant-timeout 10
    aaa port-access authenticator max-requests 3
    aaa port-access authenticator unauth-period 10
    aaa port-access authenticator client-limit <#>   --> the number of devices you want to allow per port
    aaa port-access mac-based addr-limit 5
    aaa port-access mac-based addr-moves
    aaa port-access controlled-direction in
    aaa port-access auth-order authenticator mac-based   --> determines the order in which the authentication will happen
    aaa port-access auth-priority authenticator mac-based


  • 3.  RE: How to configure port based MAC Auth in 2930M switch?

    Posted Jun 01, 2020 09:23 AM

    This is still user based and not port based. "Port based" means only one device needs to authenticate using MAC Auth; then all devices will be allowed with full access without authentication.



  • 4.  RE: How to configure port based MAC Auth in 2930M switch?

    Posted Jun 01, 2020 01:28 PM

    How does the switch determine which MAC to auth if multiple are available? If all MAC addresses can be authenticated, what's the security benefit to only authenticating one of them?


    I don't believe this use case (1st seen MAC is authenticated, subsequent MACs automatically trusted based on the authenticated MAC) is a supported configuration.



  • 5.  RE: How to configure port based MAC Auth in 2930M switch?

    Posted Jun 01, 2020 02:21 PM

    I believe in the Cisco world this concept is configurable under

    authentication host-mode multi-host

    The first device is authenticated, then all subsequent devices are automatically authorized.

    Being honest, I never understood the use case for that, but I don't think Aruba has an equivalent command. I think every MAC connected to a port gets authenticated separately.



  • 6.  RE: How to configure port based MAC Auth in 2930M switch?
    Best Answer

    Posted Jun 01, 2020 04:01 PM

    Hi,

    This is possible if you apply role-based access on the switch and you use port-mode under the user-role definition. This is documented on page 20 of https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/4032/2/ArubaOS-Switch%20User-Based%20Tunneling%20Technical%20Whitepaper.pdf



  • 7.  RE: How to configure port based MAC Auth in 2930M switch?

    Posted Jun 24, 2020 04:46 PM

    I need the RADIUS server to be configured with this attribute. The customer was looking for something equivalent to the Cisco "multi-host" command but couldn't find any equivalent command.



  • 8.  RE: How to configure port based MAC Auth in 2930M switch?

    Posted Jun 24, 2020 05:08 PM

    Hi Ahmad,

    You can create a local user role on the switch that has the port-mode:

    aaa authorization user-role name "LOCAL_DEMO_ROLE"
       device
       admin-edge-port
       port-mode
       exit

    If you don't want to do authentication with RADIUS, you can even assign this as the initial role:

    aaa port-access <PORT-LIST> initial-role <ROLE-NAME>
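    As an added example (not any poster's configuration and not taken from Aruba documentation), the role-based approach from the last two replies assembled for a single port. It assumes that `aaa authorization user-role enable` is the command that switches on role-based access on this platform; port 1 and the role name are placeholders.

    ```text
    ; Added example: port-based MAC Auth via a local user role with port-mode.
    ; Assumption: role-based access is enabled with this command.
    aaa authorization user-role enable

    ; Local role whose port-mode opens the whole port once one client is authorized.
    ; Caveat for the defender: every later MAC on the port inherits that
    ; authorization, which is the behaviour the thread compares with Cisco
    ; "multi-host"; per-device control on that port is lost.
    aaa authorization user-role name "PORT_MODE_ROLE"
       port-mode
       exit

    ; MAC Auth on port 1 (placeholder); the RADIUS server can hand back the role
    ; or the HPE-Port-MA-Port-Mode VSA mentioned in the first post.
    aaa port-access mac-based 1

    ; Alternative for a port that must always be port based without RADIUS:
    ; apply the port-mode role before any authentication, as the reply above
    ; suggests. Note that this grants access to all clients on the port with
    ; no authentication at all.
    aaa port-access 1 initial-role "PORT_MODE_ROLE"
    ```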



  • 9.  RE: How to configure port based MAC Auth in 2930M switch?

    Posted Feb 05, 2025 11:50 AM
    Edited by MARTIN-EXA Feb 05, 2025 11:51 AM

    Hi,

    @cclemmer This solution is needed when you plug an AP into your switch which might be authenticated. In this case, the AP authenticates on the port, and then connected wireless users only authenticate on the AP, not on the switch.



    ------------------------------
    Martin
    ------------------------------