Wired Intelligent Edge


Port-Based Authentication with radius

  • 1.  Port-Based Authentication with radius

    Posted Jul 05, 2023 11:52 AM

    We're trying to configure port-based authentication with a RADIUS server to enable VLAN assignment based on user/computer membership for company users and externals.

    So we configured some ports to test the connection with a domain-joined computer (with certificates) and a non-domain-joined computer (as an external device).

    The domain-joined computer works as expected: it goes through 802.11 certificate authentication by the RADIUS server and gets its assigned VLAN.

    The "external" computer instead doesn't even "fail" the authentication and is seen as "guest":

    # sh port-access authenticator 2/g8

     Port Access Authenticator Status

      Port-access authenticator activated [No] : Yes
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
      Use LLDP data to authenticate [No] : No
      Dot1X EAP Identifier Compliance [Disabled] : Disabled
      Allow incremental EAP identifier only [Disabled] : Disabled

                Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
      Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
      -----    -------   -------       -------- ------ --------- ----- ------ ----- ----------
      2/G8  0/1     0       4000     No     No        No    No     both  1000FDx

    We expected that a device that is not able to authenticate via RADIUS would "fail" the authentication and be put in the unauth-vid as per the configuration:

     aaa port-access authenticator 2/G7-2/G8 unauth-vid 4000

    The port is configured as follows:

    interface 2/G8
       untagged vlan 4000
       aaa port-access authenticator
       aaa port-access authenticator unauth-vid 4000
       exit

    VLAN 4000 is a "dead" VLAN in the sense that no service runs on it, but "strangely" the external computer is able to acquire a DHCP IP address from VLAN 201.

    What are we missing?

    Thanks



  • 2.  RE: Port-Based Authentication with radius

    Posted Jul 05, 2023 07:25 PM

    What is the switch model? Is this a CX or AOS-S switch? And are you using ClearPass for RADIUS auth?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Port-Based Authentication with radius

    Posted Jul 05, 2023 10:03 PM
    Hello,
    we're using an Aruba 5412R zl2 AOS switch with a RADIUS server (Microsoft NPS).





  • 4.  RE: Port-Based Authentication with radius

    Posted Jul 05, 2023 11:39 PM

    And what firmware are you running?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Port-Based Authentication with radius

    Posted Jul 06, 2023 02:40 AM
    Edited by Stefano Colombo Jul 06, 2023 02:55 AM

    5412vsf# sh ver

    Image stamp:    /ws/swbuildm/rel_beluru_qaoff/code/build/bom(swbuildm_rel_beluru_qaoff_rel_beluru)
                    Nov 10 2022 23:41:40
                    KB.16.11.0008
                    634
    Boot Image:     Primary

    Boot ROM Version:    KB.16.01.0009
    Active Boot ROM:     Primary



  • 6.  RE: Port-Based Authentication with radius

    Posted Jul 06, 2023 04:29 AM

    I would run a packet capture on the port from a non-corporate machine. From there you might find out what traffic you see, and who/what device is responding to the DHCP request. At the same time, check on your switch in which VLAN the mac address for your client resides and where the mac address lives that responded to your DHCP request.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Port-Based Authentication with radius

    Posted Jul 06, 2023 04:37 AM

    Hello,

    as for the DHCP "stuff", we solved it; it was a false problem, caused by a different problem.

    It's still to be solved why the "external" computer attached to the port doesn't "fail" authentication.

    We don't even see any authentication request in the RADIUS server's log.

    It's just seen as guest, as reported before.




  • 8.  RE: Port-Based Authentication with radius

    Posted Jul 06, 2023 06:16 AM

    Hello,

    does the "external" computer also do 802.1X authentication? Does it have port authentication enabled? If not, then it will not make any 802.1X authentication request; in this case you have to configure fallback to MAC address authentication in the switch. The "unauth-vid 4000" must be removed from the command "aaa port-access authenticator 2/G7-2/G8 unauth-vid 4000". You must add the "aaa port-access mac-based 2/G7-2/G8 unauth-vid 4000" command.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: Port-Based Authentication with radius

    Posted Jul 06, 2023 07:47 AM

    Hello,

    the port is configured exactly the same as the one for the PC on the domain.

    Obviously the goal is to have all the ports with the same base configuration and to apply settings based on the device attached.

    So we cannot "manage" the external computers, and we thought to treat them as "failed authentication".

    The port I'm using now for the test is configured as below:

     sh run int 2/g8

    Running configuration:

    interface 2/G8
       untagged vlan 4000
       aaa port-access authenticator
       aaa port-access authenticator unauth-vid 4000
       exit




  • 10.  RE: Port-Based Authentication with radius

    Posted Jul 06, 2023 09:42 AM

    But that's the point: if the external PC doesn't do 802.1X port authentication, it can't fail. The switch is waiting for credentials via EAPOL on the port, and the external PC is not sending.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
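    Waldemar's point in posts 8 and 10 (no EAPOL from the client means the 802.1X method never starts, so nothing reaches RADIUS until MAC-based fallback is enabled) as an added Python model. This is not switch code or anything posted in the thread; the AOS-S behaviour is simplified from the posts, and the MAC addresses, VLAN 201 as the accepted VLAN and the policy table are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical, simplified model of AOS-S port-access behaviour (not switch code).
@dataclass
class PortConfig:
    authenticator: bool = True              # aaa port-access authenticator
    dot1x_unauth_vid: Optional[int] = None  # aaa port-access authenticator unauth-vid N
    mac_based: bool = False                 # aaa port-access mac-based
    mac_unauth_vid: Optional[int] = None    # aaa port-access mac-based unauth-vid N

@dataclass
class Client:
    mac: str
    has_supplicant: bool  # True if the host runs an 802.1X supplicant and sends EAPOL

@dataclass
class Outcome:
    radius_requests: List[Tuple[str, str]]  # (method, User-Name) the switch would send
    vlan: Optional[int]                     # VLAN the client lands in; None = blocked
    state: str

# Constructed RADIUS policy: only the domain PC's 802.1X identity is accepted (VLAN 201).
ACCEPTED = {("dot1x", "aa:bb:cc:00:00:01"): 201}

def radius_policy(method: str, username: str) -> Optional[int]:
    return ACCEPTED.get((method, username))

def port_access(cfg: PortConfig, client: Client, radius=radius_policy) -> Outcome:
    requests: List[Tuple[str, str]] = []
    if cfg.authenticator and client.has_supplicant:
        # 802.1X only starts when the client talks EAPOL; only then can it fail.
        requests.append(("dot1x", client.mac))
        vid = radius("dot1x", client.mac)
        if vid is not None:
            return Outcome(requests, vid, "dot1x-authenticated")
        return Outcome(requests, cfg.dot1x_unauth_vid, "dot1x-failed")
    if cfg.mac_based:
        # MAC auth fires on the first frame: User-Name is the MAC, so RADIUS sees a request.
        requests.append(("mac-auth", client.mac))
        vid = radius("mac-auth", client.mac)
        if vid is not None:
            return Outcome(requests, vid, "mac-authenticated")
        return Outcome(requests, cfg.mac_unauth_vid, "mac-auth-failed")
    # No EAPOL and no MAC auth: nothing is ever sent to RADIUS, so nothing can "fail".
    if cfg.authenticator and cfg.dot1x_unauth_vid is not None:
        return Outcome(requests, cfg.dot1x_unauth_vid, "guest")
    return Outcome(requests, None, "blocked")

THREAD_CFG = PortConfig(authenticator=True, dot1x_unauth_vid=4000)   # config in the thread
FALLBACK_CFG = PortConfig(authenticator=True, mac_based=True, mac_unauth_vid=4000)
DOMAIN_PC = Client("aa:bb:cc:00:00:01", has_supplicant=True)
EXTERNAL_PC = Client("aa:bb:cc:00:00:02", has_supplicant=False)
```

    Running the external PC through THREAD_CFG yields an empty request list and the "guest" state in VLAN 4000, matching the empty NPS log in post 7; through FALLBACK_CFG it yields a MAC-auth request that NPS can reject.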



  • 11.  RE: Port-Based Authentication with radius

    Posted Jul 06, 2023 09:51 AM

    You mentioned before:

        "in this case you have to configure fallback to MAC address authentication in the switch."

    How can I configure it?

    I tried to add this to the configuration of the port:

    interface 2/G8
       untagged vlan 4000
       aaa port-access authenticator
       aaa port-access mac-based unauth-vid 203
       exit

    but it still doesn't make any request to the Radius server.