How to configure dot1x authentication for IAP using aruba-switch-2930f and CPPM

MVP Expert
Q:

How to configure dot1x authentication for an IAP in Aruba-switch-2930F using CPPM.



A:

The example below uses EAP-PEAP with MSCHAPv2 as the authentication method.

Configuration in the IAP:

a8:bd:27:cc:97:fa (config) # ap1x peap (For AP to do PEAP authentication)
a8:bd:27:cc:97:fa# ap1x-peap-user iap iap@123

Note: The IAP will perform the dot1x authentication on its next reboot.

a8:bd:27:cc:97:fa# show ap1x config
#generated by rcS.fatap
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
fast_reauth=1
network={
  scan_ssid=0
  key_mgmt=IEEE8021X
  eap=PEAP
  eapol_flags=0
  identity="arubaiap"
  password="********"
  phase1="tls_disable_time_checks=1 tls_suiteb=1 tls_disable_tlsv1_0=1"
  phase2="peaplabel=1 auth=MSCHAPV2"
  fragment_size=1024
  priority=1

 

a8:bd:27:cc:97:fa# show ap1x status 
ap1x:peap
ap1x auth result:succeed

 

a8:bd:27:cc:97:fa# show ap1x debug-logs
1970-01-01 00:01:12:apdot1x authentication type is peap
1970-01-01 00:01:14:trigger wpa_supplicant with configure file /aruba/ap1x/wpa.conf
1970-01-01 00:01:14:checking the authenticaiton result and will time out at most 1 min
1970-01-01 00:01:18:ap1x authentication succeeded

 

Note: The debug messages below are taken from the boot log of the IAP:

SBL2 was updated already
Done.
trigger wpa_supplicant with configure file /aruba/ap1x/wpa.conf
checking the authenticaiton result and will time out at most 1 min
ap1x authentication succeeded
Starting DHCP
Getting an IP address...
Jan  1 00:01:18 udhcpc[5384]: udhcpc (v0.9.9-pre) started
Jan  1 00:01:18 udhcpc[5384]: send_discover: pkt num 0, secs 0
Jan  1 00:01:18 udhcpc[5384]: Sending discover...
Jan  1 00:01:18 udhcpc[5384]: send_selecting: pkt num 0, secs 0
Jan  1 00:01:18 udhcpc[5384]: Sending select for 10.225.12.242...
Jan  1 00:01:18 udhcpc[5384]: Lease of 10.225.12.242 obtained, lease time 28800
[   98.287660] ip_time_handler: Got ip and packets on bond0 Started master election 2-0, rand 28

 

Configuration in the switch-2930F:

Aruba-2930F-8G-PoEP-2SFPP(config)# aaa port-access authenticator ethernet 5 (authentication enabled on port 5)
Aruba-2930F-8G-PoEP-2SFPP(config)# aaa authentication port-access eap-radius

 

Validating the configuration:

Aruba-2930F-8G-PoEP-2SFPP# show running-config interface  5

Running configuration:

interface 5
   poe-value 30
   poe-lldp-detect enabled
   untagged vlan 4051
   aaa port-access authenticator
   exit

 

RADIUS configuration on the switch:

radius-server host 10.225.39.5 key "aruba123"
radius-server host 10.225.39.5 dyn-authorization

 

To validate the authenticated client on the switch:

Aruba-2930F-8G-PoEP-2SFPP# show port-access authenticator clients 

 Port Access Authenticator Client Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No 

  Port  Client Name           MAC Address   IP Address      Client Status    
  ----- --------------------- ------------- --------------- --------------------
  5     arubaiap              a8bd27-cc97fa n/a             Authenticated       
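
The validation step above can be scripted so that a failed AP authentication is caught without reading the table by eye. The following is an added example, not part of the original article: it parses the `show port-access authenticator clients` output and reports any expected AP that is not in the Authenticated state. The function names `parse_status` and `check`, and the port 6 row in the sample, are assumptions made for illustration.

```python
import re

# Constructed sample: the status output shown above plus a hypothetical port 6
# row (made-up MAC and state) for a client that has not authenticated.
SAMPLE = """\
 Port Access Authenticator Client Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No

  Port  Client Name           MAC Address   IP Address      Client Status
  ----- --------------------- ------------- --------------- --------------------
  5     arubaiap              a8bd27-cc97fa n/a             Authenticated
  6     n/a                   0a0b0c-0d0e0f n/a             Connecting
"""

SETTING = re.compile(r"^\s*(.+?) \[\w+\] : (\w+)\s*$")
CLIENT = re.compile(
    r"^\s*(\S+)\s+(.*?)\s+([0-9a-f]{6}-[0-9a-f]{6})\s+(\S+)\s+(\S.*?)\s*$", re.I)

def parse_status(text):
    """Return (settings, clients) from 'show port-access authenticator clients'."""
    settings, clients = {}, []
    for line in text.splitlines():
        if m := SETTING.match(line):
            settings[m.group(1)] = m.group(2)
        elif m := CLIENT.match(line):
            keys = ("port", "name", "mac", "ip", "status")
            clients.append(dict(zip(keys, m.groups())))
    return settings, clients

def check(text, expected):
    """expected maps port -> MAC of the AP that must be Authenticated there."""
    settings, clients = parse_status(text)
    findings = []
    if settings.get("Port-access authenticator activated") != "Yes":
        findings.append("802.1X authenticator is not activated on the switch")
    for port, mac in expected.items():
        row = next((c for c in clients if c["port"] == port
                    and c["mac"].lower() == mac.lower()), None)
        if row is None:
            findings.append(f"port {port}: no 802.1X session for {mac}")
        elif row["status"] != "Authenticated":
            findings.append(f"port {port}: {mac} is {row['status']}, not Authenticated")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE, {"5": "a8bd27-cc97fa", "6": "0a0b0c-0d0e0f"}):
        print(finding)
```
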

 

Configuration in CPPM:

 

NAS configuration under network and device:

 

Creating the username and password for the IAP: Configuration --> Identity --> local users:

 

Creating service for IAP: Configuration --> services:

Version history: Revision 2 of 2. Last update: 07-16-2019 03:49 PM