Community Home > Discuss > Technology > Security > 802.1x authentication in Aruba/HPE switches

Security

Reply
MVP
MVP
kevin_pm

802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:13 PM

Hello all,

 

I am now performing a study of a 802.1x solution using HPE/aruba switches. I am familiar with Cisco switches and some of the commands used to configure it on Cisco. I have been looking around in the Internet about the confguration on HPE/Aruba switches and got the following questions:

 

First, I wonder if Aruba switches have commands similar to the following commands in Cisco switches: 

- authentication event no-response action authorize vlan <vlan_id>

- authentication event fail action authorize vlan <vlan_id>

- authentication event server dead action <action>

 

I know that it is possible to configure an open VLAN mode in Aruba switches (which is equivalent to event no-response AND event fail) but I wonder if there is an equivalent to those commands.

 

Another question, is it possible to apply 802.1x auth in trunk ports? I am aware that this is not supported in Cisco devices (just asking out of curiosity since I have not found any info on the Internet)

 

Thank you very much in advance!

Alert a Moderator
Message 1 of 15
8,558 Views
Tags (3)
Reply
0 Kudos

Accepted Solutions
Highlighted
Moderator Moderator
Moderator
cappalli

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:40 PM

There are no direct equivalents to those commands.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

View solution in original post

Alert a Moderator
Message 4 of 15
8,527 Views
Reply
0 Kudos
Highlighted
Moderator Moderator
Moderator
cappalli

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:47 PM

" If you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication."


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

View solution in original post

Alert a Moderator
Message 6 of 15
8,512 Views
Reply
0 Kudos

All Replies
Highlighted
Moderator Moderator
Moderator
cappalli

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:17 PM

Are you referring to Aruba switches or HPE Comware switches?


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Alert a Moderator
Message 2 of 15
8,557 Views
Reply
0 Kudos
Highlighted
MVP
MVP
kevin_pm

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:22 PM

Sorry, I meant Aruba switches. Thanks for your answer!

Alert a Moderator
Message 3 of 15
8,549 Views
Reply
0 Kudos
Highlighted
Moderator Moderator
Moderator
cappalli

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:40 PM

There are no direct equivalents to those commands.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

View solution in original post

Alert a Moderator
Message 4 of 15
8,528 Views
Reply
0 Kudos
Highlighted
MVP
MVP
kevin_pm

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:43 PM

Thanks for the answer. Furthermore, is it possible to perform 802.1x on trunk ports?

Thanks!

Alert a Moderator
Message 5 of 15
8,525 Views
Reply
0 Kudos
Highlighted
Moderator Moderator
Moderator
cappalli

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:47 PM

" If you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication."


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

View solution in original post

Alert a Moderator
Message 6 of 15
8,513 Views
Reply
0 Kudos
Highlighted
MVP
MVP
kevin_pm

Re: 802.1x authentication in Aruba/HPE switches

‎02-07-2018 12:53 PM

Thank you very much for the answers, Tim. I really appreciate it

Alert a Moderator
Message 7 of 15
8,499 Views
Reply
0 Kudos
Highlighted
MVP Expert
MVP Expert
Willem Bargeman

Re: 802.1x authentication in Aruba/HPE switches

‎02-18-2018 12:36 PM

The open VLAN mode (and especially critical authentication) should give the same result as the Cisco commands in my opinion.

 

What do you mean with trunk ports? VLAN trunking or link aggregation? Aruba supports authentication at VLAN trunk interfaces. It's also possible to configure dynamically a VLAN trunk interface based on a RADIUS return. This is really useful for IAP deployments.

 

Regards,


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Alert a Moderator
Message 8 of 15
8,255 Views
Reply
0 Kudos
Highlighted
MVP
MVP
kevin_pm

Re: 802.1x authentication in Aruba/HPE switches

‎02-19-2018 12:32 AM

Thanks for the explanation about the open VLAN mode.

 

With trunk ports, I mean VLAN trunking. I wonder where I could find more info about configuring 802.1x on VLAN trunks since this would be really useful.

Alert a Moderator
Message 9 of 15
8,232 Views
Reply
0 Kudos
Highlighted
MVP Expert
MVP Expert
Willem Bargeman

Re: 802.1x authentication in Aruba/HPE switches

‎02-19-2018 06:31 AM

Aruba/HPE switches does support a RADIUS return with tagged VLAN's (RFC4675). The return can contain a VLAN ID (hex value) or a VLAN name.

 

Example.

Switch is configured with 3 VLAN's. After authentication the NATIVE vlan needs to be set untagged and MANAGEMENT and DATA VLAN needs to be set tagged. Please see screenshot for an example enforcement profile

image.png

2 followed by VLAN name (example 2NATIVE) means set VLAN NATIVE untagged. 1 followed by VLAN name (example 1MANAGEMENT) means set VLAN MANAGEMENT tagged.

 

Next to this behaviour it's possbile to dynamic change the authentication at the port. It's possible to disable dot1x authentication after MAC authentication and set MAC authentication to port mode, or visa versa. This is usefull for IAP deployments. After the IAP is authenticated (via dot1x or MAC auth) to port will be open and the other clients behind the port or not authenticated anymore.

 

Example for IAP with MAC auth

image.png

Example for IAP with dot1x

image.png

Make sure you are using latest RADIUS dictionary. See attachment.

 

Regards,


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Alert a Moderator
Message 10 of 15
8,209 Views
Reply
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium