In this case you have to configure fallback to MAC address authentication in the switch.
But it still doesn't make any request to the RADIUS server.
Original Message:
Sent: Jul 06, 2023 09:41 AM
From: lord
Subject: Port-Based Authentication with radius
But that's the point: if the external PC doesn't do 802.1X port authentication, it can't fail. The switch is waiting for credentials via EAPOL on the port, and the external PC is not sending.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jul 06, 2023 07:46 AM
From: Stefano Colombo
Subject: Port-Based Authentication with radius
Hello,
The port is configured exactly the same as the one for the PC on the domain.
Obviously the goal is to have all the ports with the same base configuration and to apply settings based on the device attached.
So we cannot "manage" the external computers and we thought to treat them as "failed authentication".
The port I'm using now for the test is configured as below:
sh run int 2/g8
Running configuration:
interface 2/G8
untagged vlan 4000
aaa port-access authenticator
aaa port-access authenticator unauth-vid 4000
exit
Original Message:
Sent: Jul 06, 2023 06:16 AM
From: lord
Subject: Port-Based Authentication with radius
Hello,
does the "external" computer also do 802.1X authentication? Does it have port authentication enabled? If not - then it will not make any 802.1X authentication request, in this case you have to configure fallback to MAC address authentication in the switch. The "unauth-vid 4000" must be removed from the command "aaa port-access authenticator 2/G7-2/G8 unauth-vid 4000". You must add the "aaa port-access mac-based 2/G7-2/G8 unauth-vid 4000" command.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
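Written out as a complete fragment, the change Waldemar describes above: 802.1X stays enabled on the ports, but the unauth-vid moves to the MAC-based authenticator, so a client that never sends EAPOL is identified by its MAC address and a request actually reaches the RADIUS server. This is an added example, not configuration from the thread; the RADIUS server address and shared secret are placeholders.

```text
; ArubaOS-Switch / ProCurve CLI (added example; server address and key are placeholders)
radius-server host 192.0.2.10 key "REPLACE-WITH-SHARED-SECRET"
aaa authentication port-access eap-radius      ; 802.1X (EAP) requests go to RADIUS
aaa authentication mac-based chap-radius       ; MAC-auth requests go to RADIUS as well

; 802.1X for clients that have a supplicant: no unauth-vid on the authenticator
aaa port-access authenticator 2/G7-2/G8
aaa port-access authenticator active

; MAC-based fallback for clients that never send EAPOL;
; the unauth-vid lives here, so an unknown MAC lands in the "dead" VLAN 4000
aaa port-access mac-based 2/G7-2/G8
aaa port-access mac-based 2/G7-2/G8 unauth-vid 4000

; Check: the client should now show an authentication method and a RADIUS decision,
; and the RADIUS server log should show an Access-Request for the MAC address
show port-access clients 2/G8
show port-access mac-based 2/G8
```

With chap-radius the switch sends the client's MAC address as both username and password, so the RADIUS server only accepts MACs it has been told about; any other device fails MAC authentication and stays in VLAN 4000, which is the "failed authentication" behaviour Stefano is after.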
Original Message:
Sent: Jul 06, 2023 04:37 AM
From: Stefano Colombo
Subject: Port-Based Authentication with radius
Hello,
as per the DHCP "stuff" we solved, it was a false problem, due to a different problem.
It's still to solve why the "external" computer attached to the port doesn't "fail" authentication.
We don't even see any authentication request in the RADIUS server's log.
It's just seen as guest, as reported before.
Original Message:
Sent: Jul 06, 2023 04:28 AM
From: Herman Robers
Subject: Port-Based Authentication with radius
I would run a packet capture on the port from a non-corporate machine. From there you might find out what traffic you see, and who/what device is responding to the DHCP request. At the same time, check on your switch in which VLAN the mac address for your client resides and where the mac address lives that responded to your DHCP request.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 05, 2023 11:52 AM
From: Stefano Colombo
Subject: Port-Based Authentication with radius
We're trying to configure port-based authentication with a RADIUS server to enable VLAN assignment based on user/computer membership for company users and externals.
So we configured some ports to test the connection with a domain-joined computer (with certificates) and a non-domain-joined computer (as an external device).
The domain-joined computer works as expected: it goes through 802.1X certificate authentication by the RADIUS server and gets its assigned VLAN.
The "external" computer instead doesn't even "fail" the authentication and is seen as "guest":
# sh port-access authenticator 2/g8
Port Access Authenticator Status
Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Use LLDP data to authenticate [No] : No
Dot1X EAP Identifier Compliance [Disabled] : Disabled
Allow incremental EAP identifier only [Disabled] : Disabled
              Auths/  Unauth   Untagged  Tagged  Port  % In   RADIUS  Cntrl  Port
  Port        Guests  Clients  VLAN      VLANs   COS   Limit  ACL     Dir    Mode
  ----------  ------  -------  --------  ------  ----  -----  ------  -----  ---------
  2/G8        0/1     0        4000      No      No    No     No      both   1000FDx
We expected that a device that is not able to authenticate via RADIUS would "fail" the authentication and be put in the unauth-vid as per the configuration:
aaa port-access authenticator 2/G7-2/G8 unauth-vid 4000
The port is configured as follows:
interface 2/G8
untagged vlan 4000
aaa port-access authenticator
aaa port-access authenticator unauth-vid 4000
exit
VLAN 4000 is a "dead" VLAN in the sense that no service runs on it, but "strangely" the external computer is able to acquire a DHCP IP address from VLAN 201.
What are we missing?
Thanks