Contributor II

determine whos user per switchport before applying 802.1x

Greetings,

We are about to apply 802.1x on an Aruba switch in live production, along with deploying a GPO to configure Wired Auth services on the workstation side. However, it seems we need to know which user/domain name/credential is behind the switch port before we apply it, to minimize downtime.

It seems the Aruba switch can only display MACs through ARP.

We are also able to test an OnGuard agent, which is much simpler to deploy to every workstation; would an OnGuard agent be able to display which NAD and port a workstation is connected to?

This is quite new to me compared to deploying 802.1x through wireless.

Any suggestions or recommendations will be greatly appreciated.

TIA

Aruba Employee

Re: determine whos user per switchport before applying 802.1x

You can use the command "ip client-tracker trusted", which provides IP visibility for AAA-enabled ports.

Aruba Employee

Re: determine whos user per switchport before applying 802.1x

Here is the output of "show port access client" for a client that has successfully passed dot1x auth.

Contributor II

Re: determine whos user per switchport before applying 802.1x

Hi ariyap,

Thanks for the response. It seems "ip client-tracker" is not supported on the Aruba 2530 (16.8), while "show port-access client" is really helpful but only for authenticated users / authenticator-active ports.

Do we have any alternative for those non-authenticator-active ports and "not yet 802.1x enabled workstations"?

Also, is it possible for an OnGuard Agent to provide such info? Please see the attached file.

Aruba Employee

Re: determine whos user per switchport before applying 802.1x

Based on the AOS-S support feature matrix, the IP visibility command is supported from the Aruba 2540 switch onwards.

If you have OnGuard deployed, then you can have visibility of the clients in ClearPass.

Contributor II

Re: determine whos user per switchport before applying 802.1x

Hi ariyap,

Sorry for the late response. When deploying 802.1x and OnGuard to a certain switch (NAD) with static users and a static VLAN per port, what would you suggest to go first: configure the 802.1x (WiredAuth) service per workstation, or deploy the OnGuard agent manually? I'm having difficulty in executing the GPO, so I guess I have to do it manually.

Also, assuming that the switch is configured with RADIUS and declared in CPPM as a NAD, can the agent reflect the NAD, port number and hostname back to Access Tracker without activating the port authenticator?

Thanks

Contributor II

Re: determine whos user per switchport before applying 802.1x

I'm asking this because I need to know first who, and which switch and port, the workstation is connected to before I manually enable its WiredAuth (802.1x) services and enable the port authenticator accurately. This is for at least 2000 users haha.

Thanks
