For many switches you can configure port-mode or host-mode where in port mode just the first device authenticates (and additional devices 'piggyback' on that authentication) and in host-mode each device individually authenticates. Looks like you have the second type.
I'm not too familiar with comware, but think dynamically switching between port/host based on authentication is not possible. But others may know if/how?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 26, 2023 03:28 PM
From: ehab.boshra@tenzing.de
Subject: wireless user do mac auth after wired AP port do mac auth
I have comware switches
Wired port connected with AP with do mac authentication.
Clearpass Profile is pushed correctly to this port with untagged mng vlan 2504 and tagged user vlan 1731,1732
The problem that the wireless user is trying to re-auth with mac-auth again and appears on the access tracker sourced from the NAD and the same port of the AP connected to this port !!!!
Port config
description Aruba WiFi
port link-type hybrid
port hybrid vlan 1 untagged
undo voice-vlan mode auto
mac-vlan enable
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain global
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x critical vlan 1
dot1x re-authenticate server-unreachable keep-online
mac-authentication max-user 10
mac-authentication domain global
mac-authentication timer auth-delay 1
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
port-security port-mode userlogin-secure-or-mac-ext
undo shut
Viele Grüße aus Lübeck Ehab Boshra | Netzwerktechnik
|
tenzing - Dr. Müller & Partner GmbH IT-Solutions
|
Hutmacherring 6, 23556 Lübeck |
Tel.: | (+49) 451 8730035 |
Fax: | (+49) 451 8730029 |
Mobil: | (+49) 1703725035 |
E-Mail: | ehab.boshra@tenzing.de |
Web: | https://tenzing.de |
Amtsgericht Lübeck | HRB 5627 Geschäftsführer: Björn Meyer & Gunnar Petersen
|