Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

double dot1x lan clients when dot1x config wired and IAP?

  • 1.  double dot1x lan clients when dot1x config wired and IAP?

    MVP
    Posted Mar 21, 2018 10:32 AM

    So, topic says all.. sort of :P


    I was happily configuring wired and wireless 802.1X, but instead of a controller-based setup I now had Instant APs to work with.

    No problem, you can configure the IAPs to do wired auth also.

    But then the end result is of course that the IAP does 802.1X just fine, but then any client that connects through that IAP hits the Aruba LAN switch that also demands authentication.

    How do you guys usually handle this situation? Disable 802.1X for the wired ports with IAPs connected to them? Use port-based authentication instead of session-based auth?

     



  • 2.  RE: double dot1x lan clients when dot1x config wired and IAP?

    EMPLOYEE
    Posted Mar 21, 2018 10:38 AM
    You can’t use user roles with bridged devices like APs or downstream switches. You need to instead return the port auth mode and other enforcement actions via RADIUS VSA.


  • 3.  RE: double dot1x lan clients when dot1x config wired and IAP?

    MVP
    Posted Mar 21, 2018 11:15 AM

    Hi Tim,

    Could you clarify that a bit more, please?

    If I understand correctly, on the IAP authenticating, I return an HP-Port-Auth-Mode-Dot1x VSA which overrides the default session-based auth for the port.

    Can I still send along HPE-Egress-VLAN-Name VSAs to open an untagged and several tagged VLANs on this port then?

    With port-based access, will clients landing in those different VLANs not trigger a new authentication for this port?



  • 4.  RE: double dot1x lan clients when dot1x config wired and IAP?

    EMPLOYEE
    Posted Mar 21, 2018 11:19 AM
    Yes, you’d return both the port auth mode and Egress VLAN VSAs. Subsequent MAC addresses presented on the port will not be forced to authenticate.
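To make the exchange in posts 2 to 4 concrete, here is an added example (not code from the thread or from HPE Aruba) that builds the Vendor-Specific attributes a RADIUS server would return in an Access-Accept for an IAP port, and decodes them the way a switch would. It assumes the FreeRADIUS `dictionary.hp` numbering (vendor ID 11, `HP-Port-Auth-Mode-Dot1x` as vendor type 13 with 1 = Port-Based and 2 = User-Based, `HP-Egress-VLAN-Name` as vendor type 65 with an RFC 4675 style "1" tagged / "2" untagged prefix); check those numbers against the HP dictionary loaded in your ClearPass before relying on them. The device label `aruba-iap` and the VLAN names are constructed sample values. The policy function only hands out port-based mode to a device that authenticated as an IAP, since in that mode the switch stops challenging the MAC addresses that follow on the port.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 attribute type for VSAs
HP_VENDOR_ID = 11                # assumed: HP enterprise number from dictionary.hp
HP_PORT_AUTH_MODE_DOT1X = 13     # assumed vendor type; integer 1 = Port-Based, 2 = User-Based
HP_EGRESS_VLAN_NAME = 65         # assumed vendor type; string "1name" = tagged, "2name" = untagged
PORT_BASED, USER_BASED = 1, 2
TAGGED, UNTAGGED = "1", "2"


def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 Vendor-Specific attribute carrying a single HP sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", HP_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_enforcement(authenticated_device: str, untagged: str, tagged: list) -> bytes:
    """Attributes for one Access-Accept on a colorless port.

    Port-based mode plus the AP's egress VLANs is granted only when the supplicant
    proved it is an IAP (hypothetical label 'aruba-iap'); anything else stays in
    user-based mode so every later MAC on the port is still authenticated."""
    attrs = b""
    if authenticated_device == "aruba-iap":
        attrs += encode_vsa(HP_PORT_AUTH_MODE_DOT1X, struct.pack("!I", PORT_BASED))
        attrs += encode_vsa(HP_EGRESS_VLAN_NAME, (UNTAGGED + untagged).encode())
        for name in tagged:
            attrs += encode_vsa(HP_EGRESS_VLAN_NAME, (TAGGED + name).encode())
    else:
        attrs += encode_vsa(HP_PORT_AUTH_MODE_DOT1X, struct.pack("!I", USER_BASED))
        attrs += encode_vsa(HP_EGRESS_VLAN_NAME, (UNTAGGED + untagged).encode())
    return attrs


def decode_vsas(blob: bytes) -> dict:
    """Switch-side view: walk the attribute list and extract the HP port mode and egress VLANs."""
    out = {"auth_mode": None, "egress": []}
    i = 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", blob[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:                       # a VSA may carry several sub-attributes
                vtype, vlen = blob[j], blob[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor sub-attribute")
                val = blob[j + 2:j + vlen]
                if vendor == HP_VENDOR_ID and vtype == HP_PORT_AUTH_MODE_DOT1X:
                    mode = struct.unpack("!I", val)[0]
                    out["auth_mode"] = {PORT_BASED: "port-based", USER_BASED: "user-based"}.get(mode, "unknown")
                elif vendor == HP_VENDOR_ID and vtype == HP_EGRESS_VLAN_NAME:
                    text = val.decode()
                    out["egress"].append((text[1:], text[0] == TAGGED))
                j += vlen
        i += alen
    return out


if __name__ == "__main__":
    # Constructed sample: an IAP gets untagged "ap-mgmt" plus tagged SSID VLANs.
    accept = build_enforcement("aruba-iap", "ap-mgmt", ["employee", "guest"])
    print(decode_vsas(accept))
    # An unknown supplicant on the same colorless port stays user-based.
    print(decode_vsas(build_enforcement("unknown-laptop", "quarantine", [])))
```

The decoder deliberately rejects short or overlong lengths instead of trusting them, which is the same check a switch's RADIUS parser has to make on every attribute it receives.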


  • 5.  RE: double dot1x lan clients when dot1x config wired and IAP?

    Posted Apr 02, 2019 01:02 PM

    Would be nice if someone could write a guide for how to do role-based colorless-ports along with Instant.. Like update the otherwise nice guide Tim?



  • 6.  RE: double dot1x lan clients when dot1x config wired and IAP?

    MVP
    Posted May 27, 2019 07:39 AM

    Hey Tim,

    Is there a similar VSA I can use for Comware switches?



  • 7.  RE: double dot1x lan clients when dot1x config wired and IAP?

    EMPLOYEE
    Posted May 27, 2019 07:01 PM

    Check chapter 8 of this guide, which talks about Wired Enforcement for Instant APs dot1x and how to avoid double dot1x auth with the "port-mode" command on the Aruba switch. You need AOS-S version 16.08 and CP version 6.7.9 or later.

    https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/Wired-Enforcement-of-Local-and-Downloadable-user-roles/m-p/518927#M5481