Frequent Contributor I

MAC Authentication AOS-S

Hi guys,

I think I stared too long at this to get the behaviour of a MAC Auth port right. Is it normal that a port on an AOS-S (former ProVision) 2530 switch configured with MAC Authentication authenticates every MAC it learns? Isn't there a config option for MAC auth like port-based / user-based mode on an "authenticator" port?

Scenario:
I have a Meraki cloud managed AP which does not support 802.1X wired authentication. I chose to configure the switchport to authenticate the device (AP) via its MAC and set the needed VLANs on it dynamically (works fine). As there are bridged SSIDs on the AP, the wireless clients are bridged locally into a VLAN on the same switchport. The switch wants to authenticate every newly learned / seen MAC address on the wired side.

Again the question. Is this behaviour normal or did I miss some configuration?
Does anyone have a hint to achieve a partly acceptable authentication for Meraki APs?

Network Engineer
ACCX #931 | ACMP

Accepted Solutions
MVP Guru

Re: MAC Authentication AOS-S

If you want to do MAC authentication on an AP that carries tagged VLANs, you will need to return the following attributes to switch to port-mode (don't authenticate the clients that reach the switch in the VLANs from the AP):

[Image: Screen Shot 2020-07-30 at 09.58.47.png]

This example uses VLAN names, and the number in front of the VLAN name means 2 for untagged or 1 for tagged. So the VLAN 'Management VLAN' is applied untagged, whereas 'Corporate VLAN', 'Voice VLAN', etc. are applied tagged.
You will need to run on your switch 16.02.0012 or newer for these attributes to be recognized.
In case you authenticate your AP with 802.1X instead of MAC Authentication, the attributes are slightly different:

[Image: Screen Shot 2020-07-30 at 10.01.41.png]

Note that both line 6 and 7 are different for MAC Auth vs 802.1X, but in the end, they do similar things: authenticate the AP (or other devices), return native and tagged VLANs, and change to port mode to prevent clients behind the AP from being authenticated on the switch.
I can't find the version where the HPE-Port-Dot1x-Port-Mode attribute was introduced, but if you run 16.06 or newer it should be present. If the attributes are not accepted, check the documentation for the version of firmware that you run to see if it is supported, or just upgrade to the latest version.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

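As an added illustration (not the poster's code, and not anything from Aruba or the switch firmware), the following Python builds and sanity-checks the prefixed VLAN-name values the answer describes. It assumes that the numeric prefix is the RFC 4675 Egress-VLAN-Name tag indication ('1' = tagged, '2' = untagged), which matches the description above; the HPE-Port-Dot1x-Port-Mode value itself is not visible on the page and is left out.

```python
"""Build and check the per-VLAN reply values for an AP port.

Assumption (not stated on the page): the "number in front of the VLAN name"
is the RFC 4675 Egress-VLAN-Name tag indication, '1' = tagged, '2' = untagged.
"""

TAGGED = "1"    # RFC 4675 tag indication 0x31
UNTAGGED = "2"  # RFC 4675 tag indication 0x32


def encode_vlan_name(name: str, tagged: bool) -> str:
    """Prefix a VLAN name with its tag indication, e.g. 'Voice VLAN' -> '1Voice VLAN'."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    return (TAGGED if tagged else UNTAGGED) + name


def decode_vlan_name(value: str) -> tuple[str, bool]:
    """Split a reply value into (vlan_name, tagged); reject malformed values."""
    if len(value) < 2 or value[0] not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indication in {value!r}")
    return value[1:], value[0] == TAGGED


def ap_port_vlan_values(untagged_vlan: str, tagged_vlans: list[str]) -> list[str]:
    """Values for an AP port: one untagged (native) VLAN plus the tagged SSID VLANs."""
    return [encode_vlan_name(untagged_vlan, False)] + [
        encode_vlan_name(v, True) for v in tagged_vlans
    ]


def check_vlan_values(values: list[str]) -> list[str]:
    """Return the problems a reviewer would flag in a reply profile (empty list = ok)."""
    problems, seen, untagged = [], set(), []
    for v in values:
        try:
            name, tagged = decode_vlan_name(v)
        except ValueError as e:
            problems.append(str(e))
            continue
        if name in seen:
            problems.append(f"VLAN {name!r} listed more than once")
        seen.add(name)
        if not tagged:
            untagged.append(name)
    # A port gets exactly one native VLAN; zero or several is a misconfigured profile.
    if len(untagged) != 1:
        problems.append(f"expected exactly one untagged VLAN, got {untagged}")
    return problems
```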


All Replies

Frequent Contributor I

Re: MAC Authentication AOS-S

Hey Herman,

that's done the trick! Thanks a lot for the quick help!
As I read it, I thought I had read it before in some guide?!

Thanks again and have a nice and sunny weekend!

Network Engineer
ACCX #931 | ACMP