Wired Intelligent Edge (Campus Switching and Routing)

Contributor I

2930F Aruba AP profiling in 16.5.x SW

Hi

I am implementing a network with 802.1x on the ports. On the switches I will have ports used for Aruba APs, and to make life easy I will use profiling:

device-profile name ap
    untagged-vlan 110
    exit
    
device-profile type "aruba-ap"
    associate "ap"
    enable
    exit

When using authenticator on the ports, the port is closed until some EAP traffic opens the port, therefore I use

aaa port-access use-lldp-data 

to get LLDP into a "Closed" port. This works, but then 802.1x stops working, and when it is removed 802.1x works again but the profiling stops working.

aaa port-access authenticator 1/1-1/48,2/1-2/48
aaa port-access authenticator 1/1-1/48,2/1-2/48 client-limit 10
aaa port-access authenticator active

Am I missing some command to have both functions working, or is this the design?

Running 16.5.0009 (due to other issues). Tried 16.6, same issue.

MVP Expert

Re: 2930F Aruba AP profiling in 16.5.x SW

Greetings!

 

There is an additional command that is specific to Aruba APs that may help:

 

switch(config)# aaa port-access lldp-bypass help
Usage:   [no] aaa port-access lldp-bypass <PORT-LIST> 

Description: Configure lldp-bypass on the switch ports
to bypass authentication for Aruba-APs that sends a
special LLDP TLV. When lldp-bypass is enabled on the switch ports then
Aruba-APs connected to that port will not undergo any
authentication like 802.1x/WMA/LMA. By default,
lldp-bypass is disabled on the switch ports.

 

Try enabling that and see if it solves your issue.



Matt Fern
Senior Technical Marketing Engineer, Aruba Switching

Aruba, a Hewlett Packard Enterprise company

8000 FOOTHILLS BLVD  |  ROSEVILLE, CA 95747
T: 916.540.1759  |  E: mfern@hpe.com   |   Matt @ Twitter
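
A way to see which 802.1x ports are affected by the bypass described in the help text above, as an added example that is not part of the original thread: the Python sketch below expands the port lists in a saved configuration and reports every port that has both `aaa port-access authenticator` and `aaa port-access lldp-bypass`. It assumes the saved configuration shows `lldp-bypass` in the same form as the help usage line; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample config; it uses only command forms quoted in this thread.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1/1-1/48,2/1-2/48
aaa port-access authenticator 1/1-1/48,2/1-2/48 client-limit 10
aaa port-access authenticator active
aaa port-access lldp-bypass 1/47-1/48,2/48
"""

PORT_RE = re.compile(r"^(.*?)(\d+)$")  # "1/47" -> ("1/", "47"), "A3" -> ("A", "3")
# The port list is the first token after the keyword that contains a digit,
# which skips lines such as "authenticator active".
CMD_RE = re.compile(
    r"^[ \t]*aaa port-access (authenticator|lldp-bypass) (\S*\d\S*)", re.M)

def expand_ports(port_list):
    """Expand '1/1-1/3,2/5' into ['1/1', '1/2', '1/3', '2/5']."""
    ports = []
    for item in port_list.split(","):
        start, _, end = item.strip().partition("-")
        if not end:
            ports.append(start)
            continue
        first, last = PORT_RE.match(start), PORT_RE.match(end)
        if not first or not last or first.group(1) != last.group(1):
            raise ValueError(f"unsupported port range: {item!r}")
        prefix = first.group(1)
        ports += [f"{prefix}{n}"
                  for n in range(int(first.group(2)), int(last.group(2)) + 1)]
    return ports

def ports_bypassing_auth(config):
    """Return ports configured for 802.1x that also have lldp-bypass set."""
    seen = {"authenticator": set(), "lldp-bypass": set()}
    for kind, port_list in CMD_RE.findall(config):
        seen[kind].update(expand_ports(port_list))
    overlap = seen["authenticator"] & seen["lldp-bypass"]
    # Natural sort so 1/2 comes before 1/10.
    return sorted(overlap, key=lambda p: [int(n) for n in re.findall(r"\d+", p)])

if __name__ == "__main__":
    for port in ports_bypassing_auth(SAMPLE_CONFIG):
        print(f"{port}: authenticator configured, lldp-bypass enabled")
```

Ports in the output are the ones where, per the help text, an Aruba AP that sends the special LLDP TLV is admitted without 802.1x/WMA/LMA, so the list is the set to review against where APs are physically connected.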
Contributor I

Re: 2930F Aruba AP profiling in 16.5.x SW

Thanks for the suggestion.


Yes, this "opens" the port for LLDP so profiling occurs, BUT stops 802.1x.

Tried that: enabled stops 802.1x, disabled 802.1x works.

MVP Guru Elite

Re: 2930F Aruba AP profiling in 16.5.x SW


@toche9595 wrote:

Thank you for the suggestion, it works for me too


There is a new device mode on ArubaOS Switch (16.08)



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Occasional Contributor I

Re: 2930F Aruba AP profiling in 16.5.x SW

We are using 2530s, 2930s and 5412r ZL2s. We have the same issue. We're using LLDP-Bypass for switches and APs. We're using the default device type and profile for each. When MAC and 802.1x authentication are enabled on a port, and I also apply "aaa port-access lldp-bypass <interface>", it effectively disables both MAC and 802.1x authentication. If I don't apply the "aaa port-access lldp-bypass <interface>" command, then the device profiling doesn't work. Is there a step that I'm missing to make these authentication methods work together? It is, after all, LLDP-Bypass, not LLDP-Replace.
