Controller-less WLANs

 View Only
last person joined: one year ago 

Articles relating to existing and legacy HPE Aruba Networking products and solutions including IAP, Central / HPE Aruba Networking Central, MSR, and Outdoor Mesh
Back to Library

How does role derivation work with different combinations of MAC Auth Fail-Thru & Enforce MAC Auth Only Role options? 

Jun 30, 2014 05:23 PM

Question: How does role derivation work with different combinations of MAC Auth Fail-Thru & Enforce MAC Auth Only Role options?

Environment:Aruba Instant running 6.2.1.0-3.3.0.0 or above with MAC + 802.1x wired authentication enabled

 

MAC Auth Fail-Thru

 

With MAC & 802.1x authentication configured; MAC authentication occurs first. By default; 802.1x authentication wouldn't be attempted for a client which fails MAC authentication. However; MAC authentication fail-thru (CLI Command :: l2-auth-failthrough) allows a client to attempt 802.1x authentication even when it fails MAC authentication.

 

rtaImage1.jpg

 

 

Enforce MAC Auth Only Role

 

Enforce MAC auth only role (CLI Command :: set-role-mac-auth ) allows to assign a unique role for a client which passes MAC auth but fails 802.1x authentication.

 

Below are four possible scenarios with the above two option configuration and corresponding expected role assignment.

 

rtaImage2.jpg

 

 

 

Scenario I ::

 

 

 

MAC authentication fail-thru Enforce MAC auth only role
Disabled Disabled

 

Sample CLI Wired Profile Configuration :

 

 

wired-port-profile wired-user

switchport-mode access

allowed-vlan all

native-vlan 1

no shutdown

access-rule-name wired-user

speed auto

duplex auto

poe

type employee

auth-server InternalServer

captive-portal disable

mac-authentication

dot1x

 

 

Role Assignment :

 

MAC Auth Dot1x Role Assignment
Fail Doesn’t Occur DenyAll
Pass Fail DenyAll
Pass Pass Default / Derived Role

 

Scenario II ::

 

 

MAC authentication fail-thru Enforce MAC auth only role
Disabled Enabled

 

Sample CLI Wired Profile Configuration :

wired-port-profile wired-user

switchport-mode access

allowed-vlan all

native-vlan 1

no shutdown

access-rule-name wired-user

speed auto

duplex auto

poe

type employee

auth-server InternalServer

captive-portal disable

mac-authentication

dot1x

set-role-mac-auth <role name>

 

 

Role Assignment :

 

MAC Auth Dot1x Role Assignment
Fail Doesn’t Occur DenyAll
Pass Fail MAC Auth Only Role
Pass Pass Default / Derived Role

 

 

Scenario III ::

 

MAC authentication fail-thru Enforce MAC auth only role
Enabled Disabled

Sample CLI Wired Profile Configuration :

wired-port-profile wired-user

switchport-mode access

allowed-vlan all

native-vlan 1

no shutdown

access-rule-name wired-user

speed auto

duplex auto

poe

type employee

auth-server InternalServer

captive-portal disable

mac-authentication

l2-auth-failthrough

dot1x

Role Assignment :

 

MAC Auth Dot1x Role Assignment
Fail Fail DenyAll
Fail Pass Default / Derived Role
Pass Fail DenyAll
Pass Pass Default / Derived Role

 

 

 

Scenario IV ::

 

MAC authentication fail-thru Enforce MAC auth only role
Enabled Enabled

 

Sample CLI Wired Profile Configuration :

 

wired-port-profile wired-user

switchport-mode access

allowed-vlan all

native-vlan 1

no shutdown

access-rule-name wired-user

speed auto

duplex auto

poe

type employee

auth-server InternalServer

captive-portal disable

mac-authentication

l2-auth-failthrough

dot1x


set-role-mac-auth <role name>

 

 

 

 

MAC Auth Dot1x Role Assignment
Fail Fail DenyAll
Fail Pass Default / Derived Role
Pass Fail MAC Auth Only Role
Pass Pass Default / Derived Role

 

 

 

Statistics
0 Favorited
4 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.