
LLDP ByPass for AP on SwitchOS >16.06

  • 1.  LLDP ByPass for AP on SwitchOS >16.06

    Posted Mar 03, 2020 07:04 AM

    Dear Guys 

     

    I'm trying to deploy APs to my network infrastructure protected by Dot1X / Clearpass.

     

    The switch configuration looks as following (example):

     

     

    aaa port-access use-lldp-data
    aaa port-access authenticator 3-6
    aaa port-access authenticator 3 client-limit 2
    aaa port-access authenticator 4 client-limit 2
    aaa port-access authenticator 5 client-limit 2
    aaa port-access authenticator 6 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 3-6
    aaa port-access 3 controlled-direction in
    aaa port-access 3 mixed
    aaa port-access 4 controlled-direction in
    aaa port-access 4 mixed
    aaa port-access 5 controlled-direction in
    aaa port-access 5 mixed
    aaa port-access 6 controlled-direction in
    aaa port-access 6 mixed

    device-profile name "ARUBA-AP"
    untagged-vlan 930
    tagged-vlan 900-903,913,933
    exit
    device-profile type "aruba-ap"
    associate "ARUBA-AP"
    enable
    exit

     

    As long as I connect an AP to a port-access protected port, the AP won't get online and doesn't get its device profile. If I connect the AP to a not protected port, the device profile looks quite good and I get the AP running.

     

    In switchOS version before 16.06, there was a command named

     

    aaa port-access lldp-bypass

     

    In 16.06 and above, it isn't there anymore and got deleted without any notice in the release notes, I think.

     

    My intention is that the switch doesn't get LLDP units and therefore does not configure the AP. I made a port mirror to check this, and it actually looks like LLDP from the AP does not get to the switch.

     

    What would be the way with 16.06? In 16.05 and below, I got the configuration working.

     

    Thanks for your help!!!

     

    ... sw OS version I tried is 

     

    Image stamp:
    /ws/swbuildm/rel_yakima_qaoff/code/build/lakes(swbuildm_rel_yakima_qaoff_rel_ya
    kima)
    Nov 21 2018 04:56:04
    YA.16.08.0001
    264
    Boot Image: Primary

    Boot ROM Version: YA.15.20



  • 2.  RE: LLDP ByPass for AP on SwitchOS >16.06
    Best Answer

    EMPLOYEE
    Posted Mar 04, 2020 09:46 AM

    Looking at the build number you pasted, it seems you are trying this on a 2530.

     

    This switch model does not support the function you are looking for.

    It's supported on 2540 and upwards and is still there in the most recent version of AOS-S.

     

    For example, 16.10 command index guide of the 2540:

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091317en_us
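
An added example, not part of the thread or of HPE Aruba's documentation: a small Python check over a saved running-config that lists the 802.1X/MAC-auth ports with no `aaa port-access lldp-bypass` entry and flags the YA (2530) build that the answer above says lacks the function. The per-port form `aaa port-access lldp-bypass <port-list>`, numeric port names, and the sample text are assumptions.

```python
import re

# Constructed sample built from the port-access lines and version string in the question.
SAMPLE_CONFIG = """\
aaa port-access use-lldp-data
aaa port-access authenticator 3-6
aaa port-access authenticator 3 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 3-6
aaa port-access 3 controlled-direction in
"""
SAMPLE_VERSION = "YA.16.08.0001"

# Only the mapping stated in the answer: a YA build is a 2530, which lacks lldp-bypass.
UNSUPPORTED_PREFIXES = {"YA": "2530"}

# Assumed per-port syntax: "aaa port-access <feature> <numeric port list>".
LINE_RE = re.compile(
    r"^\s*aaa port-access (authenticator|mac-based|lldp-bypass) ([\d,-]+)\s*$")

def expand_ports(spec):
    """Expand a numeric port list such as '3-6,9' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config, version):
    """Return (sorted authenticated ports with no lldp-bypass, unsupported model or None)."""
    auth, bypass = set(), set()
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines with trailing options (client-limit, active) do not match
            target = bypass if m.group(1) == "lldp-bypass" else auth
            target.update(expand_ports(m.group(2)))
    model = UNSUPPORTED_PREFIXES.get(version.split(".")[0])
    return sorted(auth - bypass), model

if __name__ == "__main__":
    missing, model = audit(SAMPLE_CONFIG, SAMPLE_VERSION)
    print("authenticated ports without lldp-bypass:", missing)
    if model:
        print(f"image {SAMPLE_VERSION} is a {model} build: lldp-bypass is not available")
```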



  • 3.  RE: LLDP ByPass for AP on SwitchOS >16.06

    Posted Mar 05, 2020 09:56 AM

    That was it, 1000 thanks!



  • 4.  RE: LLDP ByPass for AP on SwitchOS >16.06

    EMPLOYEE
    Posted Mar 04, 2020 09:46 AM

    Duplicate post created by airheads



  • 5.  RE: LLDP ByPass for AP on SwitchOS >16.06

    Posted Mar 24, 2020 02:04 AM
     
    @jonasstalder wrote:

    Dear Guys 

     

    I'm trying to deploy APs to my network infrastructure protected by Dot1X / Clearpass.

     

    The switch configuration looks as following (example):

     

     

    aaa port-access use-lldp-data
    aaa port-access authenticator 3-6
    aaa port-access authenticator 3 client-limit 2
    aaa port-access authenticator 4 client-limit 2
    aaa port-access authenticator 5 client-limit 2
    aaa port-access authenticator 6 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 3-6
    aaa port-access 3 controlled-direction in
    aaa port-access 3 mixed
    aaa port-access 4 controlled-direction in
    aaa port-access 4 mixed
    aaa port-access 5 controlled-direction in
    aaa port-access 5 mixed
    aaa port-access 6 controlled-direction in
    aaa port-access 6 mixed

    device-profile name "ARUBA-AP"
    untagged-vlan 930
    tagged-vlan 900-903,913,933
    exit
    device-profile type "aruba-ap"
    associate "ARUBA-AP"
    enable
    exit

     

    As long as I connect an AP to a port-access protected port, the AP won't get online and doesn't get its device profile. If I connect the AP to a not protected port, the device profile looks quite good and I get the AP running.

     

    In switchOS version before 16.06, there was a command named

     

    aaa port-access lldp-bypass

     

    In 16.06 and above, there isn't anymore and got deleted without any notice in release notes I think.

     

    My intention is that the switch doesn't get LLDP units and therefore does not configure the AP. I made a port mirror to check this, and it actually looks like LLDP from the AP does not get to the switch.

     

    How would the way be with mcdonalds survey code 16.06. In 16.05 and below, I got the configuration working.

     

    Thanks for your help!!!

     

    ... sw OS version I tried is 

     

    Image stamp:
    /ws/swbuildm/rel_yakima_qaoff/code/build/lakes(swbuildm_rel_yakima_qaoff_rel_ya
    kima)
    Nov 21 2018 04:56:04
    YA.16.08.0001
    264
    Boot Image: Primary

    Boot ROM Version: YA.15.20


    I got really good information from this content. Thanks for sharing.