Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass with Unmanaged Switch

  • 1.  Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 10:04 AM

    Guys,

    Aruba 3810: latest FW

    Cisco 2960X: latest FW

    My deployment is to perform 802.1X and MAC auth failover. Everything works fine except for the unmanaged switch connected to the Aruba (3810) and Cisco switch (2960X).

    When the unmanaged switch is connected to the Aruba & Cisco switch, only 1 user manages to perform authentication; once the next user authenticates, the existing user gets disconnected.

    Please help..



  • 2.  RE: Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 10:39 AM

    So, in this case you would be doing mac-authentication for clients connected to the unmanaged switch since, as an unmanaged switch, it can't be a RADIUS client, correct?

    Have you configured the mac-authentication client-limit on the downlink port from the 3810? I believe it defaults to 1, but can be increased to as many as 32. I'm not sure what the Cisco equivalent would be off the top of my head, but I have to assume they have something similar.

    Edit: Thinking a bit further on this, you should also be able to do 802.1X as well, as long as it is enabled on the downlink port to the unmanaged switch. However, in either case you will still need to increase the client-limit on that port (for both mac-auth and the .1X configuration).



  • 3.  RE: Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 11:10 AM

    My configuration for the port includes:

    aaa port-access mac-based 2-24 addr-limit 24
    aaa port-access authenticator 2-24 client-limit 24

    but still only 1 user is able to authenticate if using an unmanaged switch.

    For Cisco I'm looking at multi-authentication mode.



  • 4.  RE: Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 01:59 PM

    Are you using ClearPass to set any access parameters (ACLs, VLAN assignment, etc.)? If you are, the properties of the downlink port to the unmanaged switch would be set based on the most recent successful authentication.



  • 5.  RE: Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 02:27 PM

    The configuration you are using should work. Most times we are using this for clients behind an IP phone. Are you using mac or dot1x authentication at the clients? Is something like port security configured at the switch?

    Like Bill already asked: the client limit at the Aruba switch can be dynamically changed. Are you using this?

    Could you please share the output of the following commands from the switch?

    show port-access config
    show port-access clients detailed <portnumber>

    Do you see more than one authentication request at CPPM?

    For Cisco you should indeed use the multi-authentication mode.

    Willem



  • 6.  RE: Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 07:33 PM

    It's working for IP phones and the device behind IP phones for both Aruba and Cisco switches. Currently I'm using multi-domain for Cisco and pushing default voice class attributes from ClearPass to make the phones get the voice VLAN configured at the port.

    Not sure whether the phone still works if the same attributes are pushed when using multi-authentication.


  • 7.  RE: Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 10:43 PM

    Below is the output as requested:

    Aruba-3810# show port-access config

    Port Access Status Summary

    Port-access authenticator activated [No] : Yes
    Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
    Use LLDP data to authenticate [No] : No

          802.1X  802.1X   Web      Mac      LMA   Cntrl Mixed    Speed
    Port  Supp    Auth     Auth     Auth     Auth  Dir   Mode     VSA   MBV
    ----- ------- -------- -------- -------- ----- ----- -------- ----- ---
    1     No      No       No       No       No    both  No       No    Yes
    2     No      No       No       No       No    both  No       No    Yes
    3     No      No       No       No       No    both  No       No    Yes
    4     No      No       No       No       No    both  No       No    Yes
    5     No      No       No       No       No    both  No       No    Yes
    6     No      Yes      No       Yes      No    in    No       No    Yes
    7     No      Yes      No       Yes      No    both  No       No    Yes
    8     No      No       No       No       No    both  No       No    Yes
    9     No      No       No       No       No    both  No       No    Yes
    10    No      No       No       No       No    both  No       No    Yes
    11    No      No       No       No       No    both  No       No    Yes
    12    No      Yes      No       No       No    in    No       No    Yes
    13    No      Yes      No       Yes      No    in    No       No    Yes
    15    No      Yes      No       Yes      No    in    No       No    Yes
    16    No      Yes      No       Yes      No    in    No       No    Yes
    17    No      Yes      No       Yes      No    in    No       No    Yes
    18    No      Yes      No       Yes      No    in    No       No    Yes
    19    No      Yes      No       Yes      No    in    No       No    Yes
    20    No      Yes      No       Yes      No    in    No       No    Yes
    21    No      Yes      No       Yes      No    in    No       No    Yes
    22    No      Yes      No       Yes      No    in    No       No    Yes
    23    No      Yes      No       Yes      No    in    No       No    Yes
    24    No      Yes      No       Yes      No    in    No       No    Yes
    A1    No      No       No       No       No    both  No       No    Yes
    A2    No      No       No       No       No    both  No       No    Yes
    A3    No      No       No       No       No    both  No       No    Yes
    A4    No      No       No       No       No    both  No       No    Yes

    Aruba-3810# show port
    port-access
    port-security
    portal
    Aruba-3810# show port-access clients detailed
    [ethernet] PORT-LIST Show information for specified ports only.
    <cr>
    Aruba-3810# show port-access clients detailed 13

    Port Access Client Status Detail

    Client Base Details :
    Port : 13 Authentication Type : 802.1x
    Client Status : authenticated Session Time : 116 seconds
    Client name : shaiful Session Timeout : 10800 seconds
    MAC Address : e46f13-f4c209
    IP : n/a

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : 352 Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 1000FDx
    RADIUS ACL List :
    permit in ip from any to any

    Captive Portal Details :
    URL :


    Client Base Details :
    Port : 13 Authentication Type : mac-based
    Client Status : authenticated Session Time : 145 seconds
    Client Name : a44cc80e07ff Session Timeout : 10800 seconds
    MAC Address : a44cc8-0e07ff
    IP : n/a

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : 358 Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 1000FDx
    RADIUS ACL List :
    permit in ip from any to any

    Captive Portal Details :
    URL :


    Client Base Details :
    Port : 13 Authentication Type : mac-based
    Client Status : authenticated Session Time : 156 seconds
    Client Name : c8d3ffd9fd66 Session Timeout : 10800 seconds
    MAC Address : c8d3ff-d9fd66
    IP : n/a

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : 358 Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 1000FDx
    RADIUS ACL List :
    permit in ip from any to any

    Captive Portal Details :
    URL :

    Hub connected to the Cisco is resolved using multi-auth.

    For the Aruba 3810 switch, it can be connected using a hub/unmanaged switch, but you need to manually plug in and plug out.
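Added example, not from the thread or from HPE Aruba: a small Python parser for the `show port-access clients detailed` output posted above, grouping authenticated clients per port so the count can be compared with the client-limit of 24 configured earlier in the thread, and listing the untagged VLANs seen on the port, since reply 4 points out that per-client VLAN assignment on a shared downlink follows the most recent authentication. The sample output is a constructed trim of the poster's, and the field regexes are assumptions about the format based only on the lines shown here.

```python
import re
from collections import defaultdict
# Constructed sample, trimmed from the 'show port-access clients detailed 13' output above.
SAMPLE = """\
Client Base Details :
Port : 13 Authentication Type : 802.1x
Client Status : authenticated Session Time : 116 seconds
MAC Address : e46f13-f4c209
Untagged VLAN : 352 Out Limit Kbps : Not Set
Client Base Details :
Port : 13 Authentication Type : mac-based
Client Status : authenticated Session Time : 145 seconds
MAC Address : a44cc8-0e07ff
Untagged VLAN : 358 Out Limit Kbps : Not Set
Client Base Details :
Port : 13 Authentication Type : mac-based
Client Status : authenticated Session Time : 156 seconds
MAC Address : c8d3ff-d9fd66
Untagged VLAN : 358 Out Limit Kbps : Not Set
"""

# Regexes are assumptions from the lines shown in the thread; '^' anchors keys because two pairs share a line.
FIELDS = {
    "port": r"^Port\s*:\s*(\S+)",
    "auth_type": r"Authentication Type\s*:\s*(\S+)",
    "status": r"^Client Status\s*:\s*(\S+)",
    "mac": r"^MAC Address\s*:\s*(\S+)",
    "vlan": r"^Untagged VLAN\s*:\s*(\S+)",
}

def parse_clients(text):
    """Return one dict per 'Client Base Details' block in the switch output."""
    blocks = text.split("Client Base Details :")[1:]
    return [{name: (m.group(1) if (m := re.search(pat, block, re.M)) else None)
             for name, pat in FIELDS.items()} for block in blocks]

def port_summary(clients, client_limit):
    """Per port: authenticated count, auth types and untagged VLANs seen, headroom."""
    out = defaultdict(lambda: {"authenticated": 0, "auth_types": set(), "vlans": set()})
    for c in clients:
        if c["status"] != "authenticated":
            continue  # unauthenticated entries do not consume the client-limit
        s = out[c["port"]]
        s["authenticated"] += 1
        s["auth_types"].add(c["auth_type"])
        s["vlans"].add(c["vlan"])
    for s in out.values():
        s["headroom"] = client_limit - s["authenticated"]
    return dict(out)
```

On the three clients from the thread it reports 3 authenticated on port 13 with untagged VLANs 352 and 358, i.e. two different RADIUS-assigned VLANs on one shared port.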



  • 8.  RE: Clearpass with Unmanaged Switch

    Posted Dec 28, 2017 07:30 PM

    ClearPass only pushes an ACL to the switch. Clients will get whatever access VLAN is already configured at the port.