Q:
How do we configure 802.1x for the wired uplink port of an Instant AP?
A:
Starting with IAP 6.4.4.4-4.2.3.0, 802.1X authentication can be enabled on the IAP. As a result only authenticated IAPs can join the cluster, which prevents anyone from bringing up their own device.
Below is a sample network setup:
IAP ------ Aruba MAS --------- Windows 2008 server
Below is the sample config:
84:d4:7e:c3:d9:02# show version
Aruba Operating System Software.
ArubaOS (MODEL: 205), Version 6.4.4.4-4.2.3.1
Website: http://www.arubanetworks.com
Copyright (c) 2002-2016, Aruba Networks, an HP company.
Compiled on 2016-04-15 at 05:13:35 PDT (build 54637) by p4build
FIPS Mode :disabled
AP uptime is 14 minutes 7 seconds
Reboot Time and Cause: AP rebooted Mon May 16 20:23:21 UTC 2016; CLI cmd at uptime 0D 0H 3M 0S: reload
84:d4:7e:c3:d9:02# configure terminal
We now support CLI commit model, please type "commit apply" for configuration to take effect.
84:d4:7e:c3:d9:02 (config) # ap1x peap ==> This makes the IAP use PEAP authentication.
84:d4:7e:c3:d9:02 (config) # exit
84:d4:7e:c3:d9:02# commit apply
committing configuration...
configuration committed.
84:d4:7e:c3:d9:02# ap1x-peap-user iap iap@123 ==> This configures the username and password.
Once configured, the IAP has to be reloaded.
84:d4:7e:c3:d9:02# show ap1x config
#generated by rcS.fatap
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
fast_reauth=1
network={
scan_ssid=0
key_mgmt=IEEE8021X
eap=PEAP
eapol_flags=0
identity="iap"
password="iap@123"
phase1="crypto_binding=0"
phase2="peaplabel=1"
phase2="auth=MSCHAPV2"
priority=1
84:d4:7e:c3:d9:02# show ap1x status
ap1x:peap
ap1x auth result:succeed
On the Aruba MAS side, a wired AAA profile was created with the configuration required for the authentication. Below is a snippet of the auth-tracebuf from the MAS:
(ArubaS1500-12P) #show auth-tracebuf count 50
Auth Trace Buffer
-----------------
May 16 12:44:12 station-up * 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 - - wired station
May 16 12:44:12 eap-id-req <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 1 5
May 16 12:44:12 eap-id-resp -> 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 1 8 iap
May 16 12:44:12 rad-req -> 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 89 178
May 16 12:44:12 rad-resp <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03/Win2008 89 90
May 16 12:44:12 eap-req <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 2 6
May 16 12:44:12 eap-resp -> 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 2 66
May 16 12:44:12 eap-req <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 10 107
May 16 12:44:12 eap-resp -> 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 10 43
May 16 12:44:12 rad-req -> 84:d4:7e:c3:d9:02 01:80:c2:00:00:03/Win2008 98 251
May 16 12:44:12 rad-accept <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03/Win2008 98 307
May 16 12:44:12 eap-success <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 10 4
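As an added example (not from the original article), the script below parses `show auth-tracebuf` output in the format shown above and reports, per supplicant MAC, the EAP identity, the RADIUS server that answered and whether the exchange ended in accept, reject or no terminal event at all, so a failed or rogue device on an AP port stands out. The second, rejected station in the sample is constructed, and the `rad-reject` / `eap-failure` event names are assumed.

```python
import re
# Constructed sample (not from the original page): the successful IAP exchange
# shown above plus a second, rejected wired station; the "rad-reject" and
# "eap-failure" event names are assumed to follow the page's naming.
SAMPLE_TRACEBUF = """\
Auth Trace Buffer
-----------------
May 16 12:44:12 station-up * 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 - - wired station
May 16 12:44:12 eap-id-req <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 1 5
May 16 12:44:12 eap-id-resp -> 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 1 8 iap
May 16 12:44:12 rad-req -> 84:d4:7e:c3:d9:02 01:80:c2:00:00:03/Win2008 98 251
May 16 12:44:12 rad-accept <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03/Win2008 98 307
May 16 12:44:12 eap-success <- 84:d4:7e:c3:d9:02 01:80:c2:00:00:03 10 4
May 16 12:50:03 station-up * 00:11:22:33:44:55 01:80:c2:00:00:03 - - wired station
May 16 12:50:03 eap-id-resp -> 00:11:22:33:44:55 01:80:c2:00:00:03 1 15 unknown-ap
May 16 12:50:04 rad-reject <- 00:11:22:33:44:55 01:80:c2:00:00:03/Win2008 99 44
May 16 12:50:04 eap-failure <- 00:11:22:33:44:55 01:80:c2:00:00:03 11 4
"""
# One trace line: timestamp, event, direction (* / <- / ->), supplicant MAC,
# port or port/RADIUS-server, then event-specific trailing fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) +(?P<event>[\w-]+) +(?P<dir>[<>*-]+) +"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) +(?P<port>\S+)(?: +(?P<rest>.*))?$"
)
# Events that end an exchange and what they mean for the station.
TERMINAL = {"rad-accept": "ACCEPTED", "eap-success": "ACCEPTED",
            "rad-reject": "REJECTED", "eap-failure": "REJECTED"}

def summarize(tracebuf):
    """Group trace lines by supplicant MAC: EAP identity, RADIUS server, outcome."""
    sessions = {}
    for line in tracebuf.splitlines():
        m = LINE_RE.match(line)
        if not m:                     # header, separator and blank lines
            continue
        s = sessions.setdefault(m.group("mac"), {
            "identity": None, "server": None, "result": "INCOMPLETE", "events": []})
        event = m.group("event")
        s["events"].append(event)
        if "/" in m.group("port"):    # e.g. 01:80:c2:00:00:03/Win2008
            s["server"] = m.group("port").split("/", 1)[1]
        if event == "eap-id-resp" and m.group("rest"):
            s["identity"] = m.group("rest").split()[-1]   # EAP-Response/Identity
        if event in TERMINAL:
            s["result"] = TERMINAL[event]
    return sessions

def not_accepted(sessions):
    # MACs that were rejected or never finished 802.1X: the ones to investigate.
    return [mac for mac, s in sessions.items() if s["result"] != "ACCEPTED"]
```

Paste the real `show auth-tracebuf` output into `summarize()` and check `not_accepted()` after a cluster-wide reload; an IAP that stays INCOMPLETE usually has a wrong `ap1x-peap-user` credential or no reachable RADIUS server.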
The above can also be configured from the IAP UI, as shown below: