MVP Expert

double dot1x lan clients when dot1x config wired and IAP?

So, the topic says it all.. sort of :P

I was happily configuring wired and wireless 802.1X but instead of a controller based setup I now had InstantAPs to work with. 

No problem, you can configure the IAPs to do wired auth also.

But then the end result is of course that the IAP does 802.1X just fine, but any client that connects through that IAP then hits the Aruba LAN switch, which also demands authentication.

How do you guys usually handle this situation?  Disable 802.1X for the wired ports with IAPs connected to them?  Use port-based authentication instead of session based auth?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Re: double dot1x lan clients when dot1x config wired and IAP?

You can’t use user roles with bridged devices like APs or downstream switches. You need to instead return the port auth mode and other enforcement actions via RADIUS VSA.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Expert

Re: double dot1x lan clients when dot1x config wired and IAP?

Hi Tim,

Could you clarify that a bit more please?

If I understand correctly, on the IAP authenticating, I return a HP-Port-Auth-Mode-Dot1x VSA which overrides the default session based auth for the port.

Can I still send along HPE-Egress-VLAN-Name VSAs to open an untagged and several tagged VLANs on this port then?

With port-based access, will clients landing in those different VLANs not trigger a new authentication for this port?


Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: double dot1x lan clients when dot1x config wired and IAP?

Yes, you’d return both the port auth mode and Egress VLAN VSAs. Subsequent MAC addresses presented on the port will not be forced to authenticate.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP Expert

Re: double dot1x lan clients when dot1x config wired and IAP?

Would be nice if someone could write a guide on how to do role-based colorless ports along with Instant.. Like update the otherwise nice guide, Tim?


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
MVP Expert

Re: double dot1x lan clients when dot1x config wired and IAP?

Hey Tim,

Is there a similar VSA I can use for comware switches?


Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba Employee

Re: double dot1x lan clients when dot1x config wired and IAP?

Check chapter 8 of this guide, which talks about wired enforcement for Instant AP dot1x and how to avoid double dot1x auth with the "port-mode" command on the Aruba switch. You need AOS-S version 16.08 and CP version 6.7.9 or later.

https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/Wired-Enforcement-of-Local-and-Downloadable-user-roles/m-p/518927#M5481
