HP 1920 and HP ARUBA 2530 - 802.1x and MAC fallback - port-based mode

  • 1.  HP 1920 and HP ARUBA 2530 - 802.1x and MAC fallback - port-based mode

    Posted May 22, 2023 01:52 PM

    Hello everyone!

    I'm working on a project to configure 802.1x authentication on HP 1920 and HP 2530 switches, and I need to have a MAC address authentication bypass for dumb terminals (e.g. printers, wireless access points...).

    I have a RADIUS Server and everything works fine, except for the fact that wireless users have to authenticate twice....

    Before 802.1x, I already had a RADIUS server for wireless authentication, and the APs were the RADIUS clients.

    Now the APs are authenticated through their MAC addresses and the wireless client is first authenticated through the AP with login, and then through the switch with their MAC addresses also. So it doesn't work because their MAC addresses aren't authorized.

    I would like to tell the switch to authenticate the first client only, not the other clients on the same port. I know that this mode is called "port-based" as opposed to "mac-based", but it seems that there's an incompatibility with the mac address fallback.

    Typically, in my HP 1920 configuration, the "port based" mode is not allowed when mac-authentication is enabled on the port... but without it, my AP doesn't identify on the RADIUS.

    For the HP2530, this is slightly different. To be able to have a MAC authentication bypass, I must enter the command "aaa port-access mac-based <port-list>" and I can only do that by entering the command "aaa port-access authenticator <port-list> client-limit <1-32>" first, and then "aaa authentication mac-based chap-radius".

    So if I'm "mac-based", I have two authentication modes, one through the AP with login, and the other through the switch with MAC address, which I don't want.

    I also have some HUAWEI switches on which I can specify the user access mode (i.e. multi-share in my case), and I can still use MAC address bypass.

    Does anyone know how to combine the two things, please?

    Thanks a lot.

    Camille.



  • 2.  RE: HP 1920 and HP ARUBA 2530 - 802.1x and MAC fallback - port-based mode

    EMPLOYEE
    Posted Jun 26, 2023 04:34 AM

    Check here for the answer to a similar question. You can dynamically switch an AOS-Switch port to port-mode based on RADIUS attributes.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------