Summary
This solution configures port authentication on an Aruba Mobility Access Switch. Various combinations of authentication methods can be configured including but not limited to MAC authentication only, MAC authentication + 802.1X authentication (with or without fail through enabled), and 802.1X authentication + Machine authentication. User/MAC/Machine authentication can be authenticated against the switch's internal database or a RADIUS server can be specified such as CPPM. The solution asks the user which interfaces to build the configuration for.
Minimum Software Version(s) Required
ArubaOS version 7.2 or greater is required to configure the RFC 3576 Dynamic Authorization feature. This feature allows the RADIUS server to dynamically send user disconnect and change-of-authorization (CoA) messages to the NAS device (switch/controller).
Configuration Notes
Warning: This solution creates multiple user roles for authenticated users, including individual roles for various authentication methods (MAC, 802.1X, and Machine Auth). All roles created by this solution give the user full access. It is highly suggested to place additional restrictions on each user role created by this solution to match your desired security policies. See the user guide for more information on creating user roles and ACLs.
When enabling both MAC authentication and 802.1X authentication on a port, ArubaOS offers a feature called "L2 Authentication Fail Through", which allows mixed authentication modes. If L2 auth fail through is not enabled, both the MAC authentication and the 802.1X authentication must be successful before the user is given access. Enabling L2 auth fail through allows the user to fail MAC authentication and still proceed to 802.1X authentication. See the Mixed Authentication Modes table below for the possible role assignments based on MAC/802.1X authentication results.
Mixed Authentication Modes when L2 Authentication Fail Through is Enabled
|
Authentication
|
1
|
2
|
3
|
4
|
5
|
6
|
|
MAC authentication
|
Success
|
Success
|
Success
|
Fail
|
Fail
|
Fail
|
|
802.1X authentication
|
Success
|
Fail
|
—
|
Success
|
Fail
|
—
|
|
Role Assignment
|
802.1x
|
—
|
MAC
|
802.1x
|
—
|
logon
|
Machine Authentication provides a second authentication factor for 802.1X on Windows PCs. Successful machine authentication requests are cached by the switch/controller for 24 hours by default. This cache parameter can be changed. A user is placed in one of four different roles depending on the authentication result of both Machine Auth and User Auth. The role mappings are described in the table below.
Role Derivation when Machine Authentication is Enabled
| |
Machine Auth Fail
|
Machine Auth Pass
|
|---|
|
User Auth Fail
|
Initial Role |
Machine-Auth Machine-Default-Role |
|---|
|
User Auth Pass
|
Machine-Auth User-Default-Role |
Dot1x Default Role |
|---|
Platform(s) Tested
Aruba Mobility Mobility Access Switch S2500 running AOS 7.2.2.1.
Licensing
No special licenses are required.
References
User Guide: Aruba OS 7.2.0 (Mobility Switch)