Occasional Contributor II

Clearpass to dynamically Disable Wired 802.1x/MacAuth when plugging in an Instant AP?

Hey, I'm following the "Wired Policy Enforcement" guide and have everything working, but it works too well :P (Clearpass 6.6 and Aruba/Procurve 2930Fs)

When I plug in an AP, MAC-Auth gives it an AP profile (untagged and tagged VLANs), but the issue is the port is in user-mode, so all wireless clients are getting MAC-Authed. There is no way in a user-profile to modify the port-access configuration, e.g. turn off MAC-Auth or set it to port mode (all other traffic is then permitted).

As we don't know where APs will be plugged in and don't want port-specific configuration, we need to either:

A, use another method like LLDP detection to then override the port-access config.

B, via RADIUS change the port back to port mode or disable MAC-Auth. There is mention of this in the configuration guide, "Dynamic port access auth via Radius" from "ArubaOS-Switch Access Security Guide for WC.16.04", but it doesn't work. I'm guessing that since User-Role mode is globally enabled, it seems to reject these VSAs. No matter what I do, I can't get it to override the port-access and disable it, even though it looks like it works in the config guide.

What does everyone else do for APs that don't tunnel, so the end users will get wired authenticated after being wireless authenticated?

I've tried getting the AP to do 802.1x and send the same VSAs to set 802.1x to port-based and MAC-auth to 0 to disable, but the debug log shows it erroring: can't "apply role".

I really loathe having to create specific ports for APs and manually configure them :(

Pretty much everything else is working, captive portal, downloaded user roles etc., I just need to sort out the IAPs plugged into the switch and the switch reauthenticating the wireless MACs.

Occasional Contributor II

Re: Clearpass to dynamically Disable Wired 802.1x/MacAuth when plugging in an Instant AP?

Hi Ledge,
As I am currently facing the same issue, I would like to know if you managed to solve the issue?

Super Contributor I

Re: Clearpass to dynamically Disable Wired 802.1x/MacAuth when plugging in an Instant AP?

Hi

If you want to put a port into port mode via RADIUS, you also need to disable 802.1x/macauth via RADIUS in the same RADIUS auth.

So if you need macauth port-based, you need to disable 802.1x using 802.1x client limit = 0

More info : http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch06s10.html

Hope it helps
Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

Occasional Contributor II

Re: Clearpass to dynamically Disable Wired 802.1x/MacAuth when plugging in an Instant AP?

Hi Frank,

Thank you very much for the quick reply.

That was a tip in the right direction and works like a charm.

Kind regards

Martin
