Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Re: AOS-CX Mac Auth and 802.1x

  • 1.  Re: AOS-CX Mac Auth and 802.1x

    EMPLOYEE
    Posted Aug 28, 2020 08:06 PM

    Hi,

    In addition to what Yash said earlier, I just validated using this configuration:

        aaa authentication port-access dot1x authenticator
            eapol-timeout 30
            max-eapol-requests 1
            max-retries 1
            reauth
            enable
        aaa authentication port-access mac-auth
            cached-reauth
            cached-reauth-period 86400
            quiet-period 30
            enable

    Don't set auth precedence; otherwise MAC Authentication will fire off first and then, if successful, dot1x will never be attempted.

    With the above configuration, dot1x will attempt first, then, after 60s, MAC Authentication will fire off.

    I tested failing dot1x first (invalid credentials), letting MAC Authentication succeed after 60s; see below:

    ***************************************
    Iteration : 4 Command : show port-acc cli
    ***************************************
    
    Port Access Clients
    --------------------------------------------------------------------------------
    Port     MAC Address       Onboarded      Status      Role
                               Method
    --------------------------------------------------------------------------------
    2/1/3    d4:c9:ef:f8:1b:0d                Fail
    2/1/3    00:04:f2:80:23:57                In-Progress
    ***************************************
    Iteration : 32 Command : show port-acc cli
    ***************************************
    
    Port Access Clients
    --------------------------------------------------------------------------------
    Port     MAC Address       Onboarded      Status      Role
                               Method
    --------------------------------------------------------------------------------
    2/1/3    d4:c9:ef:f8:1b:0d                Fail
    2/1/3    00:04:f2:80:23:57 mac-auth       Success     phone_role

    I then retried 802.1x using appropriate credentials on the Win 10 laptop which immediately succeeded with 802.1x.

    ***************************************
    Iteration : 43 Command : show port-acc cli
    ***************************************
    
    Port Access Clients
    --------------------------------------------------------------------------------
    Port     MAC Address       Onboarded      Status      Role
                               Method
    --------------------------------------------------------------------------------
    2/1/3    d4:c9:ef:f8:1b:0d dot1x          Success     EMPLOYEE_CX-3074-7
    2/1/3    00:04:f2:80:23:57 mac-auth       Success     phone_role

    I wonder if it has to do with the Windows logon prompt. I've had issues with that in the past; in fact, my laptop that I test with doesn't even prompt anymore. Have you tried going into the authentication settings and manually entering the credentials in the network adapter settings?

    I also just created a video showing this process and attached it. Let me know if this helps.

    Justin

    JUSTIN NOONAN
    TECHNICAL MARKETING ENGINEER – ARUBA CAMPUS SWITCHING
    O: +1 916 540 1748   |  M: +1 530 434 0239  justin.noonan@hpe.com

    8000 FOOTHILLS BLVD  |  ROSEVILLE, CA 95747 USA

    Attachment: AOS-CX-dot1x-MACAuth.zip (2.97 MB)


  • 2.  RE: Re: AOS-CX Mac Auth and 802.1x

    EMPLOYEE
    Posted Aug 29, 2020 03:14 AM

    Good day!

    Agree with Justin.

    Hello,

    Please set up the ClearPass settings properly, with the right services:

    • for dot1x - please use the 802.1X Wired service type
      • make sure you have the required authentication methods enabled.
    • for mac-auth - please use the MAC Authentication service type.

    As you can see below, I have qualified the PC-behind-phone case, and you can see both the dot1x and mac-auth client onboarding:

    6300-1-VSF# sh port-access clients
    
    Port Access Clients
    --------------------------------------------------------------------------------
    Port     MAC Address       Onboarded      Status      Role
                               Method
    --------------------------------------------------------------------------------
    2/1/3    00:50:56:8e:86:27 dot1x          Success     RADIUS_773420618
    
    6300-1-VSF# sh port-access clients
    
    Port Access Clients
    --------------------------------------------------------------------------------
    Port     MAC Address       Onboarded      Status      Role
                               Method
    --------------------------------------------------------------------------------
    2/1/3    00:50:56:8e:86:27 dot1x          Success     RADIUS_773420618
    2/1/3    2c:41:38:7f:db:42                In-Progress
    
    6300-1-VSF# sh port-access clients
    
    Port Access Clients
    --------------------------------------------------------------------------------
    Port     MAC Address       Onboarded      Status      Role
                               Method
    --------------------------------------------------------------------------------
    2/1/3    00:50:56:8e:86:27 dot1x          Success     RADIUS_773420618
    2/1/3    2c:41:38:7f:db:42 mac-auth       Success     RADIUS_773420618
    
    6300-1-VSF# sh running-config interface 2/1/3
    interface 2/1/3
        no shutdown
        no routing
        vlan trunk native 10
        vlan trunk allowed 10,112
        aaa authentication port-access allow-cdp-bpdu
        aaa authentication port-access allow-lldp-bpdu
        aaa authentication port-access client-limit 2
        port-access security violation action shutdown
        aaa authentication port-access dot1x authenticator
            max-eapol-requests 1
            max-retries 1
            reauth
            enable
        aaa authentication port-access mac-auth
            cached-reauth
            cached-reauth-period 86400
            quiet-period 30
            enable
        exit
    6300-1-VSF#

    Please see the port-access client details below; again, this is for the RADIUS-attribute case. If you are looking for LUR and DUR, please refer to the simple references below.

    6300-1-VSF# show port-access clients detail
    
    Port Access Client Status Details:
    
    Client 00:50:56:8e:86:27, hpn
    ============================
      Session Details
      ---------------
        Port         : 2/1/3
        Session Time : 84s
        IPv4 Address :
        IPv6 Address :
    
      Authentication Details
      ----------------------
        Status          : dot1x Authenticated
        Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
    
      Authorization Details
      ----------------------
        Role   : RADIUS_773420618
        Status : Applied
    
    
    Role Information:
    
    Name  : RADIUS_773420618
    Type  : radius
    ----------------------------------------------
        Reauthentication Period             :
        Authentication Mode                 :
        Session Timeout                     :
        Client Inactivity Timeout           :
        Description                         :
        Gateway Zone                        :
        UBT Gateway Role                    :
        Access VLAN                         :
        Native VLAN                         :
        Allowed Trunk VLANs                 :
        Access VLAN Name                    :
        Native VLAN Name                    :
        Allowed Trunk VLAN Names            :
        MTU                                 :
        QOS Trust Mode                      :
        STP Administrative Edge Port        :
        PoE Priority                        :
        Captive Portal Profile              :
        Policy                              :
    
    
    Port Access Client Status Details:
    
    Client 2c:41:38:7f:db:42, 2c41387fdb42
    ============================
      Session Details
      ---------------
        Port         : 2/1/3
        Session Time : 79s
        IPv4 Address :
        IPv6 Address :
    
      Authentication Details
      ----------------------
        Status          : mac-auth Authenticated
        Auth Precedence : dot1x - Unauthenticated, mac-auth - Authenticated
    
      Authorization Details
      ----------------------
        Role   : RADIUS_773420618
        Status : Applied
    
    
    Role Information:
    
    Name  : RADIUS_773420618
    Type  : radius
    ----------------------------------------------
        Reauthentication Period             :
        Authentication Mode                 :
        Session Timeout                     :
        Client Inactivity Timeout           :
        Description                         :
        Gateway Zone                        :
        UBT Gateway Role                    :
        Access VLAN                         :
        Native VLAN                         :
        Allowed Trunk VLANs                 :
        Access VLAN Name                    :
        Native VLAN Name                    :
        Allowed Trunk VLAN Names            :
        MTU                                 :
        QOS Trust Mode                      :
        STP Administrative Edge Port        :
        PoE Priority                        :
        Captive Portal Profile              :
        Policy                              :
    
    6300-1-VSF#

    If you still have challenges, please feel free to set up a call with us and we would be happy to help you. I have listed both our email addresses below:

    Simple steps/references:

    Note: Aruba switches have the right capabilities compared to the competition; with simple steps you can achieve the best operational efficiency. Let's work together and connect the world rightly!

    Go Aruba!

    Yash
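
Both replies above rely on reading the `show port-access clients` table by eye. When a port is shared by a phone and a PC (or when many ports are being validated), it helps to parse that table and pull out the clients that are not yet authorized. The following is an added example, not code from the thread or from HPE Aruba; the sample table is constructed in the same shape as the outputs posted above, and the column layout it assumes (port, MAC, optional onboarded method, status, optional role) is taken from those posts only.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the shape of the thread's "show port-access clients"
# output: a laptop that failed dot1x, a phone that got on via mac-auth, and a
# client still waiting out the dot1x window. Not captured from a live switch.
SAMPLE_OUTPUT = """\
Port Access Clients
--------------------------------------------------------------------------------
Port     MAC Address       Onboarded      Status      Role
                           Method
--------------------------------------------------------------------------------
2/1/3    d4:c9:ef:f8:1b:0d                Fail
2/1/3    00:04:f2:80:23:57 mac-auth       Success     phone_role
2/1/4    2c:41:38:7f:db:42                In-Progress
"""

# One client row: port, MAC, optional onboarded method, status, optional role.
# The method and role columns are blank while a client is failed or in progress.
ROW_RE = re.compile(
    r"^(?P<port>\d+(?:/\d+)*)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:(?P<method>dot1x|mac-auth)\s+)?"
    r"(?P<status>Success|Fail|In-Progress)"
    r"(?:\s+(?P<role>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_port_access_clients(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn the CLI table into a list of dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def needs_attention(rows: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Clients not yet authorized on their port (Fail or In-Progress).

    A long-lived In-Progress entry is a client waiting out the dot1x window
    before mac-auth is tried; a Fail with no later mac-auth Success is a client
    that got no access at all. Both are what a NAC operator checks first.
    """
    return [r for r in rows if r["status"] != "Success"]


def method_breakdown(rows: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count how authorized clients got on (dot1x vs mac-auth), so that
    supplicant-capable devices silently landing on mac-auth roles stand out."""
    return dict(Counter(r["method"] for r in rows if r["status"] == "Success"))


if __name__ == "__main__":
    clients = parse_port_access_clients(SAMPLE_OUTPUT)
    for row in clients:
        print(row)
    print("needs attention:", [r["mac"] for r in needs_attention(clients)])
    print("by method:", method_breakdown(clients))
```

Feeding the real output of `show port-access clients` (for example captured over SSH) into `parse_port_access_clients` gives the same dicts; running `needs_attention` on two captures taken a minute apart shows which clients are stuck rather than merely still inside the dot1x window.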



  • 3.  RE: Re: AOS-CX Mac Auth and 802.1x

    Posted Aug 29, 2020 10:53 AM

    The problem with your solutions is that either you get a 60 sec delay to mac-auth and can use dot1x, or you set a smaller timeout but then you can't use dot1x properly.

    Also, if somehow the computer takes more than 60 seconds to boot, it will never see the dot1x prompts, because you will only try once.

    What the "competition without the best operation efficiency" does is allow you to set your own timeout for mac-auth and let you keep trying dot1x even after mac-auth succeeds or fails, and to fully configure your authentication flow as you like.

    Example:

    - Start trying dot1x for 10 seconds

    - Then after 10 seconds try mac-auth but keep dot1x also trying to auth

    - Then if mac-auth succeeds or fails after some seconds, still keep trying dot1x for some minutes (or even forever), so that you can transition from mac-auth to more secure dot1x after boot etc.

    Heck, you can even start by trying mac-auth and dot1x all at the same time, so that you don't get any delay for any auth method. Client is mac-auth? It gets immediate access to the network. Client is dot1x? Immediate access as well. Client authenticated with mac-auth when it was trying PXE but then booted into a dot1x OS? It will see the prompts, because the switch can keep trying dot1x.

    I'm not selling competing products.

    But I would like to see something that works like what they do on my CX switches.



  • 4.  RE: Re: AOS-CX Mac Auth and 802.1x

    Posted Aug 29, 2020 11:19 AM

    2930F (and all other old PVOS switches), while not as flexible, did allow concurrent authentication:

    2930F datasheet

    Concurrent IEEE 802.1X, Web, and MAC authentication schemes per port

    This is why the OP reports that the same scenario worked with ProCurve but doesn't work properly with CX.



  • 5.  RE: Re: AOS-CX Mac Auth and 802.1x

    Posted Aug 31, 2020 03:33 AM

    Hello everyone,

    If I understand correctly it boils down to this:

    1) If you do a successful mac-auth it doesn't do dot1x anymore.
    So if you want to do mac-auth and dot1x, first dot1x has to fail and time out.

    2) To be able to use the Windows logon prompt you need time (eapol-timeout at 30, for example).
    Consequence: this also raises the timer on when mac-auth starts.
    This will cause non-dot1x clients to wait until the dot1x timer expires before even being allowed to gain access.
    Things like PXE boot and some dumb industrial clients can expect a lot of timing issues here.

    So for me the only way forward is by using saved credentials and keeping the eapol-timeout as low as possible, and hoping I don't run into timing issues with clients bringing up the NIC well before starting the dot1x supplicant.

    This is of course until ArubaOS-CX starts handling mac-auth and dot1x in parallel.

    Yash, Justin, thanks for the command examples.

    Regards,

    Rens
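
The trade-off that post 3 and post 5 describe (a sequential dot1x-then-mac-auth flow versus a concurrent one) is easier to reason about with a small timing model. The following is an added example written for this thread, not code or behaviour documented by HPE Aruba. It assumes, as a modelling choice, that the sequential dot1x window is `eapol-timeout * (1 + max-retries)`, which with the thread's values (30 and 1) gives the 60s Justin observed; it ignores RADIUS round-trip time; and the endpoints in `FLEET` are constructed to match the cases raised in the thread (phone with no supplicant, laptop with saved credentials, slow-booting laptop, wrong credentials).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Dot1xTimers:
    """Timers from the thread's configuration: eapol-timeout 30, max-retries 1."""
    eapol_timeout: int = 30
    max_retries: int = 1

    def window(self) -> int:
        # Modelling assumption (not taken from CX documentation): dot1x is
        # declared failed after the first EAPOL request plus max_retries
        # retries, each waiting eapol_timeout seconds. 30 * (1 + 1) = 60s,
        # the delay before mac-auth that Justin observed.
        return self.eapol_timeout * (1 + self.max_retries)


@dataclass(frozen=True)
class Endpoint:
    name: str
    supplicant_ready_at: Optional[int]  # seconds after link-up; None = no supplicant
    dot1x_ok: bool                      # RADIUS would accept its credentials
    mac_auth_ok: bool                   # its MAC is known to the NAC


# (seconds until first network access, method that granted it, method in use at the end)
Outcome = Tuple[Optional[int], Optional[str], Optional[str]]


def sequential(ep: Endpoint, timers: Dot1xTimers) -> Outcome:
    """The AOS-CX behaviour as described in the thread: dot1x runs alone for its
    window, mac-auth only fires once dot1x has failed, and a successful mac-auth
    ends further dot1x attempts. A supplicant that wakes up after the window is
    never offered dot1x."""
    w = timers.window()
    if ep.supplicant_ready_at is not None and ep.supplicant_ready_at <= w and ep.dot1x_ok:
        return ep.supplicant_ready_at, "dot1x", "dot1x"
    if ep.mac_auth_ok:
        return w, "mac-auth", "mac-auth"
    return None, None, None


def concurrent(ep: Endpoint, mac_auth_delay: int) -> Outcome:
    """The flow from post 3: mac-auth starts after mac_auth_delay seconds while
    dot1x keeps being offered, so a client that first got on via mac-auth (PXE,
    slow boot) is moved to dot1x once its supplicant answers with valid credentials."""
    candidates: List[Tuple[int, str]] = []
    if ep.mac_auth_ok:
        candidates.append((mac_auth_delay, "mac-auth"))
    dot1x_at = ep.supplicant_ready_at if (ep.supplicant_ready_at is not None and ep.dot1x_ok) else None
    if dot1x_at is not None:
        candidates.append((dot1x_at, "dot1x"))
    if not candidates:
        return None, None, None
    first_at, first_method = min(candidates)
    return first_at, first_method, ("dot1x" if dot1x_at is not None else first_method)


# Constructed fleet covering the cases raised in the thread (hypothetical values).
FLEET = [
    Endpoint("ip_phone_no_supplicant", None, False, True),
    Endpoint("laptop_saved_creds", 5, True, False),
    Endpoint("laptop_slow_boot", 90, True, True),
    Endpoint("laptop_wrong_creds", 5, False, True),
]


def compare(timers: Dot1xTimers = Dot1xTimers(), mac_auth_delay: int = 10) -> Dict[str, Tuple[Outcome, Outcome]]:
    """Per endpoint: (sequential outcome, concurrent outcome)."""
    return {ep.name: (sequential(ep, timers), concurrent(ep, mac_auth_delay)) for ep in FLEET}


if __name__ == "__main__":
    for name, (seq, conc) in compare().items():
        print(f"{name:24} sequential={seq}  concurrent={conc}")
```

The slow-booting laptop is the case that matters for security rather than convenience: under the sequential model it is stuck on the mac-auth role for the rest of the session, while under the concurrent model it still ends up authenticated with dot1x. Lowering `eapol-timeout` in the sequential model shortens the wait for the phone but shrinks the window in which a Windows logon prompt can be answered, which is exactly the tension Rens describes.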