
wireless user do mac auth after wired AP port do mac auth

  • 1.  wireless user do mac auth after wired AP port do mac auth

    Posted Oct 26, 2023 03:29 PM

    I have Comware switches.

    The wired port connected to the AP does MAC authentication.

    The ClearPass profile is pushed correctly to this port with untagged management VLAN 2504 and tagged user VLANs 1731, 1732.

    The problem is that the wireless user tries to re-authenticate with MAC auth again and appears in the Access Tracker, sourced from the NAD and the same port the AP is connected to!

    Port config

    description Aruba WiFi
    port link-type hybrid
    port hybrid vlan 1 untagged
    undo voice-vlan mode auto
    mac-vlan enable
    stp edged-port
    poe enable
    undo dot1x handshake
    dot1x mandatory-domain global
    undo dot1x multicast-trigger
    dot1x re-authenticate
    dot1x unicast-trigger
    dot1x critical vlan 1
    dot1x re-authenticate server-unreachable keep-online
    mac-authentication max-user 10
    mac-authentication domain global
    mac-authentication timer auth-delay 1
    mac-authentication re-authenticate server-unreachable keep-online
    mac-authentication host-mode multi-vlan
    mac-authentication parallel-with-dot1x
    mac-authentication re-authenticate
    port-security port-mode userlogin-secure-or-mac-ext
    undo shut

    Best regards from Lübeck
    Ehab Boshra | Network Engineering
    tenzing - Dr. Müller & Partner GmbH IT-Solutions
    Hutmacherring 6, 23556 Lübeck
    Tel.: (+49) 451 8730035
    Fax: (+49) 451 8730029
    Mobile: (+49) 1703725035
    E-mail: ehab.boshra@tenzing.de
    Web: https://tenzing.de

    Lübeck District Court | HRB 5627
    Managing Directors: Björn Meyer & Gunnar Petersen



  • 2.  RE: wireless user do mac auth after wired AP port do mac auth

    Posted Oct 31, 2023 10:19 AM

    For many switches you can configure port-mode or host-mode where in port mode just the first device authenticates (and additional devices 'piggyback' on that authentication) and in host-mode each device individually authenticates. Looks like you have the second type.

    I'm not too familiar with Comware, but I think dynamically switching between port/host based on authentication is not possible. But others may know if/how?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
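
The port-mode versus host-mode distinction from the reply above, as an added illustration (not code from the thread's participants and not Comware's actual state machine): a simplified Python model of one access port. The MAC addresses are constructed, the RADIUS server is assumed to accept every MAC, and `max_user` mirrors `mac-authentication max-user 10` from the posted port config.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Simplified model of one access port (assumption, not vendor logic)."""
    mode: str                      # "port-based" or "mac-based"
    max_user: int = 10             # mirrors 'mac-authentication max-user 10'
    authed: set = field(default_factory=set)
    radius_requests: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def frame(self, src_mac: str, vlan: int) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        if src_mac in self.authed:
            return True
        if self.mode == "port-based" and self.authed:
            return True            # piggybacks on the first device's session
        if len(self.authed) >= self.max_user:
            self.dropped.append(src_mac)   # no session slot left on the port
            return False
        self.radius_requests.append((src_mac, vlan))  # MAC-auth sent to RADIUS
        self.authed.add(src_mac)   # assumed: server returns Access-Accept
        return True

def replay(mode: str, frames) -> Port:
    """Feed a list of (source MAC, VLAN) frames through a fresh port."""
    port = Port(mode)
    for mac, vlan in frames:
        port.frame(mac, vlan)
    return port

# Constructed traffic: the AP on management VLAN 2504, then 11 wireless
# clients bridged by the AP onto tagged user VLANs 1731/1732.
AP = ("aa:aa:aa:00:00:01", 2504)
CLIENTS = [(f"02:00:00:00:00:{i:02x}", 1731 + i % 2) for i in range(11)]
FRAMES = [AP] + CLIENTS

if __name__ == "__main__":
    for mode in ("port-based", "mac-based"):
        p = replay(mode, FRAMES)
        print(mode, "requests:", len(p.radius_requests),
              "dropped:", len(p.dropped))
```

In the per-MAC case every bridged wireless client produces its own MAC-auth request from the AP's switch port, which is what shows up in Access Tracker, and clients beyond the session limit are refused. The port-based case sends a single request but forwards any device behind the port once the first one has authenticated.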



  • 3.  RE: wireless user do mac auth after wired AP port do mac auth

    Posted 2 days ago

    Did you ever get to the bottom of this? I have the exact same issue and, as Herman said, I can't find a way to put the switches into port mode.

    It's a bit of a show stopper for me at the moment, so any suggestions would be great!

    Thanks,
    Ben