Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

determine whose user per switchport before applying 802.1x

  • 1.  determine whose user per switchport before applying 802.1x

    Posted Jul 14, 2019 11:34 PM

    Greetings,

    We are about to apply 802.1x on an Aruba Switch in live production, along with deploying a GPO to configure Wired Auth Services on the workstation side; however, it seems we need to know who the user/domain name/credential is behind the switch port before we apply it, to minimize downtime.

    It seems the Aruba switch can only display the MAC thru ARP.

    We are also able to test an OnGuard agent, which is much simpler to deploy to every workstation; can an OnGuard agent display which NAD and port a workstation is connected to?

    This is quite new to me compared to deploying 802.1x thru wireless.

    Any suggestions or recommendations will be greatly appreciated.

    TIA



  • 2.  RE: determine whose user per switchport before applying 802.1x

    EMPLOYEE
    Posted Jul 14, 2019 11:49 PM

    You can use the command "ip client-tracker trusted", which provides IP visibility for AAA-enabled ports.



  • 3.  RE: determine whose user per switchport before applying 802.1x

    EMPLOYEE
    Posted Jul 14, 2019 11:54 PM

    Here is the output of "show port-access client" for a client that has successfully passed dot1x auth.



  • 4.  RE: determine whose user per switchport before applying 802.1x

    Posted Jul 15, 2019 01:11 AM

    Hi ariyap,

    Thanks for the response. It seems "ip client-tracker" is not supported on the Aruba 2530 (16.8), while "show port-access client" is really helpful, but only for authenticated users / authenticator-active ports.

    Do we have any alternative for those non-authenticator-active ports and "not yet 802.1x enabled workstations"?

    Also, is it possible for an OnGuard Agent to provide such info? Please see the attached file.



  • 5.  RE: determine whose user per switchport before applying 802.1x

    EMPLOYEE
    Posted Jul 15, 2019 03:31 AM

    Based on the AOS-S support feature matrix, the IP visibility command is supported from the Aruba 2540 switch onwards.

    If you have OnGuard deployed, then you can have visibility of the clients in ClearPass.



  • 6.  RE: determine whose user per switchport before applying 802.1x

    Posted Aug 08, 2019 08:39 AM

    Hi ariyap,

    Sorry for the late response. When deploying 802.1x and OnGuard to a certain switch (NAD) with static users and a static VLAN per port, what would you suggest doing first: configure the 802.1x (WiredAuth) service per workstation, or deploy the OnGuard agent manually? I'm having difficulty executing the GPO, so I guess I have to do it manually.

    Also, assuming that the switch is configured with RADIUS and declared in CPPM as a NAD, can the agent reflect the NAD, port number and hostname back to Access Tracker without activating the port authenticator?

    Thanks



  • 7.  RE: determine whose user per switchport before applying 802.1x

    Posted Aug 08, 2019 08:49 AM

    I'm asking this because I need to know first who, and which switch and port, the workstation is connected to before I manually enable its WiredAuth (802.1x) services and enable the port authenticator accurately. This is for at least 2000 users haha.

    Thanks
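As an added example (not code from this thread, from Aruba or from ClearPass), a Python script that does the pre-802.1x inventory the original poster is asking for: it joins a per-port MAC table exported from the switch with DHCP leases and workstation logon records to produce a port -> host/user view, and flags ports with several MACs or with a MAC that no lease explains, so those can be checked by hand before the port authenticator is enabled. The MAC-table column layout, the lease export and the logon records are constructed sample data and assumptions, not real switch or ClearPass output.

```python
"""Build a port -> host/user inventory before enabling 802.1x on a switch."""
import re
from collections import defaultdict

# Constructed sample: "port mac vlan" lines as exported from a switch MAC table
# (column layout is an assumption; adapt the split() below to your export).
MAC_TABLE = """\
1   001122-334455  10
2   001122-aabbcc  10
2   001122-ddeeff  10
3   001122-99887f  20
"""

# Constructed DHCP lease export: (mac, ip, hostname).
DHCP_LEASES = [
    ("00:11:22:33:44:55", "10.0.10.21", "WS-FIN-01"),
    ("00:11:22:aa:bb:cc", "10.0.10.22", "WS-FIN-02"),
]

# Constructed logon records (e.g. collected from workstation event logs): hostname -> user.
LOGONS = {"WS-FIN-01": "CORP\\jdoe", "WS-FIN-02": "CORP\\asmith"}


def norm_mac(mac: str) -> str:
    """Normalise any MAC spelling (001122-334455, 00:11:22:33:44:55) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return digits


def build_inventory(mac_table: str, leases, logons) -> dict:
    """Return {port: [record, ...]}; a record is marked needs_review when the MAC has no
    lease/host (static or unknown device) or when the port carries more than one MAC
    (phone+PC, hub or unmanaged switch), since single-client 802.1x would break there."""
    by_mac = {norm_mac(m): (ip, host) for m, ip, host in leases}
    per_port = defaultdict(list)
    for line in mac_table.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank/malformed lines
        port, mac, vlan = parts[0], norm_mac(parts[1]), parts[2]
        ip, host = by_mac.get(mac, (None, None))
        per_port[port].append({"mac": mac, "vlan": vlan, "ip": ip, "host": host,
                               "user": logons.get(host), "needs_review": host is None})
    for recs in per_port.values():
        if len(recs) > 1:
            for r in recs:
                r["needs_review"] = True
    return dict(per_port)
```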