Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP-205H and wired port security

  • 1.  IAP-205H and wired port security

    Posted Aug 28, 2017 03:21 PM

    Hi,

     

    I ran into some weird behavior with the IAP-205H and configuring the wired port security.

     

    I want to be able to perform dot1x and MACAUTH on the switch ports available on the IAP-205H. 

    Devices that do dot1x seem to work great all the time. But with MACAUTH devices, I get some strange behavior.

     

    Port configured with both dot1x and MACAUTH

    • Device gets an IP address
    • Unable to communicate with anything
    • I see the auth request hitting the ClearPass.

    Port configured with just MACAUTH

    • Device gets an IP address
    • Able to communicate normally.
    • I see the auth request hitting the ClearPass.

    Any ideas as to why when I combine the two authentication methods on the port the device performing MACAUTH is not able to communicate correctly?



  • 2.  RE: IAP-205H and wired port security

    EMPLOYEE
    Posted Aug 29, 2017 03:11 AM

    Did you enable Authentication fail-thru?

    [screenshot: mac-failthrough.png]

    With authentication fail-thru, access can be provided if any of the selected methods (MAC, 802.1X) succeeds; when disabled (default) both methods must succeed.



  • 3.  RE: IAP-205H and wired port security

    Posted Aug 29, 2017 07:30 AM

    I did test with "MAC Authentication fail-thru".

    With this option turned on, the device will not even receive an IP address.

     

    I will test again though just to confirm.



  • 4.  RE: IAP-205H and wired port security

    Posted Aug 29, 2017 07:58 AM

    I just tested with MAC Auth fail-thru.

    With it turned on, the device doesn't receive an IP address.

     

    Is what I am trying to do not possible?



  • 5.  RE: IAP-205H and wired port security

    EMPLOYEE
    Posted Aug 29, 2017 08:34 AM

    What is the initial role in the AAA profile attached to the "Ethernet Interface X port configuration"?  The initial role must have a firewall policy that allows DHCP.  The initial role decides what firewall policies are applied when the user has not authenticated yet and is essential for devices that do not authenticate via 802.1x.



  • 6.  RE: IAP-205H and wired port security

    Posted Aug 29, 2017 10:50 AM

    Hi cjoseph,

     

    I do not believe I have set an initial role. I didn't know that it would be required. I actually haven't seen a setting to configure an initial role in the IAP configuration.

    Below are some screen shots of what I am working with:

    [screenshots: Ports on the IAP-205H I am trying to configure; Using unrestricted]

    I am using unrestricted so that the CPPM can pass the role back to the IAP. Should I be using Role-Based access?

     

    Sorry, I may have misunderstood your question in the context of an IAP environment. I am still pretty new to using the IAPs without a controller.



  • 7.  RE: IAP-205H and wired port security

    Posted Sep 25, 2017 04:07 PM

    Just a quick update on this.

    I discovered that the MAC fail-thru is actually working, but the clients that auth via MAC do not take the role passed back from the ClearPass.

    iap-325# show client wired
    
    Wired Client List
    -----------------
    Name          IP Address      MAC Address        OS  Network  Access Point     Role      IPv6 Address  Speed (mbps)
    ----          ----------      -----------        --  -------  ------------     ----      ------------  ------------
    408d5cxxxxxx  192.168.xxx.xxx  40:8d:5c:xx:xx:xx      eth2     iap-205h-xxxxxx  Deny All  --            -

    The client keeps taking the "Deny All" role; this is definitely not what I am passing back from the CPPM.

     

    I think I have run into this already and you guys already explained to me why this happens, I just can't for the life of me remember why.
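
An added example (not part of the thread and not Aruba code) for spotting exactly the situation in the post above: parse the `show client wired` table and flag any client whose applied role is "Deny All" or differs from the role ClearPass was configured to return. Column boundaries are taken from the dashed ruler line rather than from whitespace, because an empty column (OS is blank in the posted output) would otherwise shift every field to the left. The sample output is constructed: it is the posted table plus one invented second row for contrast, and the `expected_by_mac` mapping is an assumption standing in for whatever the ClearPass enforcement profile returns.

```python
import re

# Constructed sample: the table posted in the thread plus one invented row
# (a0:b1:c2:00:00:02) that received the role ClearPass actually returned.
SAMPLE_OUTPUT = """\
iap-325# show client wired

Wired Client List
-----------------
Name          IP Address      MAC Address        OS  Network  Access Point     Role      IPv6 Address  Speed (mbps)
----          ----------      -----------        --  -------  ------------     ----      ------------  ------------
408d5cxxxxxx  192.168.xxx.xxx  40:8d:5c:xx:xx:xx      eth2     iap-205h-xxxxxx  Deny All  --            -
a0b1c2000002  192.168.xxx.yyy  a0:b1:c2:00:00:02      eth1     iap-205h-xxxxxx  employee  --            -
"""

# A ruler line is two or more dash groups separated by whitespace; the single
# underline below "Wired Client List" does not match.
RULER = re.compile(r"-+(\s+-+)+")


def parse_wired_clients(output: str) -> list:
    """Parse 'show client wired' into one dict per client, keyed by header name.

    Column start offsets come from the dashed ruler under the header, so an
    empty column (OS above) cannot shift the remaining fields the way a plain
    whitespace split would.
    """
    lines = output.splitlines()
    ruler_idx = next((i for i, l in enumerate(lines) if RULER.fullmatch(l.strip())), None)
    if ruler_idx is None or ruler_idx == 0:
        raise ValueError("no column ruler found in output")
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))   # last column runs to end of line
    header = lines[ruler_idx - 1]
    names = [header[a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[ruler_idx + 1:]:
        if not line.strip():
            continue
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def audit_roles(rows: list, expected_by_mac: dict, denied_role: str = "Deny All") -> list:
    """Return (mac, expected, actual) for each client that landed in the denied
    role or whose applied role differs from the one the RADIUS server should
    have returned. expected_by_mac is an assumed lookup of MAC -> role."""
    findings = []
    for r in rows:
        mac, actual = r["MAC Address"], r["Role"]
        expected = expected_by_mac.get(mac)
        if actual == denied_role or (expected is not None and actual != expected):
            findings.append((mac, expected, actual))
    return findings


if __name__ == "__main__":
    clients = parse_wired_clients(SAMPLE_OUTPUT)
    # Assumed: both MACs were meant to receive the "employee" role from ClearPass.
    for mac, expected, actual in audit_roles(clients, {c["MAC Address"]: "employee" for c in clients}):
        print(f"{mac}: expected role {expected!r}, IAP applied {actual!r}")
```

Paste the real `show client wired` output in place of the constructed sample; any row reported here is a client for which the RADIUS-returned role is not what the IAP applied, which is the symptom to hand to TAC along with the ClearPass Access Tracker entry.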



  • 8.  RE: IAP-205H and wired port security

    EMPLOYEE
    Posted Oct 02, 2017 06:10 AM

    Are you sending back an Access-Accept with the role from ClearPass? I can imagine that on an Access-Reject the role is either not sent by ClearPass or not evaluated by the IAP.

     

    It may help if someone has a look with you what is happening. I would open a TAC case to get this investigated. Probably works better than posting snippets on this forum.
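
To make Herman's point concrete, here is an added example (not part of the thread and not ClearPass or Aruba code) that decodes a RADIUS response and reports whether a role can actually take effect: the packet must carry a valid Response Authenticator for the shared secret, must be an Access-Accept rather than an Access-Reject, and must contain the Aruba-User-Role vendor-specific attribute. The vendor ID 14823 and sub-type 1 are the values in the public Aruba RADIUS dictionary; the shared secret, request authenticator and role name are constructed for the example, and `build_response` only exists so the check can be exercised offline.

```python
import hashlib
import hmac
import struct

# Aruba's IANA enterprise number and the Aruba-User-Role VSA sub-type, as
# published in the Aruba RADIUS dictionary (assumption: your ClearPass
# enforcement profile uses that dictionary).
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
VENDOR_SPECIFIC = 26


def aruba_user_role_vsa(role: str) -> bytes:
    """Encode Aruba-User-Role as a RADIUS Vendor-Specific (type 26) attribute."""
    value = role.encode("ascii")
    vendor_part = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), ARUBA_VENDOR_ID) + vendor_part


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Build a RADIUS response as a server would (RFC 2865 section 3):
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_response(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Validate the Response Authenticator and pull out any Aruba-User-Role VSA."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    authentic = hmac.compare_digest(expected, packet[4:20])
    role = None
    pos = 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed RADIUS attribute")
        value = body[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if vendor_id == ARUBA_VENDOR_ID and sub_type == ARUBA_USER_ROLE:
                role = value[6:4 + sub_len].decode("ascii", "replace")
        pos += attr_len
    return {"code": CODE_NAMES.get(code, f"code {code}"), "id": identifier,
            "authentic": authentic, "role": role}


def check_role_delivery(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """One-line verdict on whether the returned role can be applied by the IAP."""
    info = parse_response(packet, request_auth, secret)
    if not info["authentic"]:
        return "bad Response Authenticator (wrong shared secret or altered packet)"
    if info["code"] != "Access-Accept":
        return f"{info['code']}: no role is applied on a non-Accept response"
    if info["role"] is None:
        return "Access-Accept without Aruba-User-Role: no role was returned"
    return f"Access-Accept with Aruba-User-Role={info['role']}"


if __name__ == "__main__":
    # Constructed values: a fixed request authenticator and a dummy shared secret.
    req_auth, secret = bytes(range(16)), b"example-shared-secret"
    for code in (ACCESS_ACCEPT, ACCESS_REJECT):
        pkt = build_response(code, 7, req_auth, secret, [aruba_user_role_vsa("employee")])
        print(check_role_delivery(pkt, req_auth, secret))
```

When reading a capture instead, feed `parse_response` the bytes of the UDP payload from the ClearPass reply together with the authenticator from the matching request; a verdict other than "Access-Accept with Aruba-User-Role=..." explains on its own why the IAP kept its own role.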



  • 9.  RE: IAP-205H and wired port security

    Posted Oct 05, 2017 11:09 AM

    Thanks Herman,

     

    I will do that.



  • 10.  RE: IAP-205H and wired port security

    Posted Oct 16, 2017 02:51 PM

    I have opened a ticket with Aruba support. I spent 5 hours on the phone on Saturday trying to get things working, and nothing.

     

    I am just curious, is anyone actually using any of the 3 switch ports available on any version of IAP models that have these ports available?

    Specifically in a controllerless environment.

     

    After a lot of trial and error I was successful at getting them to work in a controller environment. But so far I have had zero luck in using these ports when it is just an IAP cluster environment.

     

    The weird behavior I am seeing now is that the device will get an IP address and the correct user role, but there is no communication possible with the device. If I run a tracert to the device, the tracert never completes.

     

    If anyone has any actual experience working with the IAP switch ports I would really appreciate any advice you can offer.