Contributor I

2930F Aruba AP profiling in 16.5.x SW

Hi

I am implementing a network with 802.1x on the ports. On the switches I will have ports used for Aruba APs, and to make life easy I will use profiling:

device-profile name ap
    untagged-vlan 110
    exit

device-profile type "aruba-ap"
    associate "ap"
    enable
    exit
When using authenticator on the ports, the port is closed until some EAP traffic opens the port, therefore I use

aaa port-access use-lldp-data

to get LLDP into a "closed" port. This works, but then 802.1x stops working, and when it is removed 802.1x works again but the profiling stops working.
 
aaa port-access authenticator 1/1-1/48,2/1-2/48
aaa port-access authenticator 1/1-1/48,2/1-2/48 client-limit 10
aaa port-access authenticator active
Am I missing some command to have both functions working, or is this the design?

Running 16.5.0009 (due to other issues). Tried 16.6, same issue.
MVP Expert

Re: 2930F Aruba AP profiling in 16.5.x SW

Greetings!

There is an additional command that is specific to Aruba APs that may help:

switch(config)# aaa port-access lldp-bypass help
Usage:   [no] aaa port-access lldp-bypass <PORT-LIST> 

Description: Configure lldp-bypass on the switch ports
to bypass authentication for Aruba-APs that sends a
special LLDP TLV. When lldp-bypass is enabled on the switch ports then
Aruba-APs connected to that port will not undergo any
authentication like 802.1x/WMA/LMA. By default,
lldp-bypass is disabled on the switch ports.
Try enabling that and see if it solves your issue.



Matt Fern
Senior Technical Marketing Engineer, Aruba Switching

Aruba, a Hewlett Packard Enterprise company
Contributor I

Re: 2930F Aruba AP profiling in 16.5.x SW

Thanks for the suggestion.

Yes, this "opens" the port for LLDP so profiling occurs, BUT it stops 802.1x.

Tried that: enabled stops 802.1x, disabled 802.1x works.
MVP Guru Elite

Re: 2930F Aruba AP profiling in 16.5.x SW


@toche9595 wrote:

Thank you for the suggestion, it works for me too


There is a new device mode on ArubaOS Switch (16.08)



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Occasional Contributor I

Re: 2930F Aruba AP profiling in 16.5.x SW

We are using 2530s, 2930s and 5412R zl2s. We have the same issue. We're using LLDP-Bypass for switches and APs. We're using the default device type and profile for each. When MAC and 802.1x authentication are enabled on a port, and I also apply "aaa port-access lldp-bypass <interface>", it effectively disables both MAC and 802.1x authentication. If I don't apply the "aaa port-access lldp-bypass <interface>" command, then the device profiling doesn't work. Is there a step that I'm missing to make these authentication methods work together? It is after all LLDP-Bypass, not LLDP-Replace.

New Contributor

Re: 2930F Aruba AP profiling in 16.5.x SW

Hi everybody, I'm facing the same difficulty:

- I need to do a full colorless port on stacked 2930M on the latest 16.10.10 firmware.

- I want to authenticate IAPs and Cisco phones by LLDP so these devices are not part of ClearPass processing and still work in case of failure.

- IAP will be in port-mode and Cisco phone in client-mode (to authenticate other devices behind it).

- Then, if there is no LLDP bypass detected, the port has to process 1X then MAC-Auth with wired captive portal in the default profile.

All these actions work well separately but not together :-(.

- "aaa port-access lldp-bypass" detects and profiles the IAP (and, if I remember, the Cisco phone when detected by "lldp sys-desc" and not "cdp voip-vlan-query"), but the port stops doing 1X/MAC for other devices...

- "aaa port-access device-identity name CiscoPhone bypass" bypasses auth for the phone but not the IAP because:

    - it is not compatible with the first lldp-bypass

    - only one device-identity bypass can be configured

So, I'm stuck here, not able to find good information/configuration in the Access Security Guide, nor in this forum, nor on Arubapedia.

As lldp-bypass / device-identity bypass is made for that case, we are perhaps facing a firmware version bug... I will try with another version, 16.08 or 16.09, I don't know...

I've created a case and I'm waiting for the Aruba TAC reply...

I wish a good day to everybody!

Regards

Félix

MVP Guru Elite

Re: 2930F Aruba AP profiling in 16.5.x SW

Bonjour Félix,

Not sure if there is a solution...

Have you looked at using the Cisco critical voice VLAN? (and using ClearPass auth)

New Contributor

Re: 2930F Aruba AP profiling in 16.5.x SW

Hi Alexis, everybody,

I got very good, detailed feedback from Aruba TAC.

As always, thanks for their powerful support!

- Port level configuration "aaa port-access lldp-bypass ethernet X":
     - Works only with Aruba APs
     - Is not compatible with "aaa port-access device-identity bypass ethernet X" (one CLI or the other at a time on a switch).
     - Disables all 1X/MAC Auth on port X: so other devices do not trigger Auth and stay stuck :-(.
     - So it forces connecting an Aruba AP and blocks access to all other devices...

- Port level configuration "aaa port-access device-identity bypass ethernet X":
     - Bypasses auth for a specific device detected by LLDP
     - Allows 1X/MAC Auth for other devices
     - Only one device to detect can be configured at port level, so Aruba AP or Cisco phone for example, but not both...

I use the following CLI to detect and profile APs by LLDP, and authenticate and configure all others by RADIUS (returning a tagged VLAN for the phone):


aaa authentication allow-vlan tagged
aaa port-access authenticator active
aaa authentication captive-portal enable
aaa port-access authenticator 1/1
aaa port-access mac-based 1/1
aaa port-access authenticator 1/1 tx-period 2
aaa port-access authenticator 1/1 supplicant-timeout 2
aaa port-access authenticator 1/1 auth-vid 1
aaa port-access authenticator 1/1 client-limit 2
aaa port-access authenticator 1/2 tx-period 2
aaa port-access device-identity "MY-aruba-ap" bypass 1/1
aaa port-access 1/1 auth-order authenticator mac-based
aaa port-access 1/1 auth-priority authenticator mac-based
device-identity name "MY-aruba-ap"
    lldp sys-desc "Aruba IAP" (I have a preference for that one, which is easier to understand)
    lldp oui 000b86 (Aruba gave me that information to detect Aruba APs)
    exit
device-profile name "MY-aruba-ap"
    untagged-vlan X
    tagged-vlan Y,Z
    exit
device-profile device-type "MY-aruba-ap"
    associate "MY-aruba-ap"
    enable
    exit

I've noted that MAC-Auth is sometimes triggered before LLDP detection: the RADIUS-returned untagged VLAN is applied and stays applied alongside the one from the subsequent device-profile. So 2 untagged VLANs are on the same port: randomly, some APs are in one VLAN and others are in the other VLAN.
I'm waiting for feedback from TAC about that... But I made a workaround, returning just a simple Allow policy with no VLAN during MAC-Auth for APs...

Hope it will help.
I will be pleased if Aruba can comment on/modify what I just said, if I'm wrong or if there is more explanation.

Regards,
Félix
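To make the device-identity decision above concrete, here is an added example (my own code, not ArubaOS-Switch firmware or anything from the thread) that decodes an LLDPDU, extracts the Chassis ID OUI and System Description TLVs, and returns whether a port would bypass the neighbour into a device-profile or hand it to 1X/MAC auth. The profile VLAN numbers and the "either criterion matches" rule are assumptions; the frames are constructed samples.

```python
import struct

# Constructed to mirror the thread's final config: one device-identity with an
# lldp sys-desc and an lldp oui criterion, associated with a profile. The VLAN
# numbers stand in for the X, Y, Z of the post and are assumptions.
DEVICE_IDENTITIES = {"MY-aruba-ap": {"lldp_sys_desc": "Aruba IAP", "lldp_oui": "000b86"}}
DEVICE_PROFILES = {"MY-aruba-ap": {"untagged_vlan": 110, "tagged_vlans": [120, 130]}}

def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one LLDP TLV: 7-bit type and 9-bit length share a 16-bit header."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value

def parse_lldp_tlvs(payload: bytes):
    """Yield (type, value) pairs from an LLDPDU (the EtherType 0x88CC payload)."""
    off = 0
    while off + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if ttype == 0:          # End-of-LLDPDU TLV terminates the frame
            break
        yield ttype, payload[off:off + tlen]
        off += tlen

def port_decision(payload: bytes) -> dict:
    """Bypass into a device-profile when a device-identity matches, otherwise
    fall through to the port's auth-order (authenticator, then mac-based)."""
    oui, sys_desc = None, ""
    for ttype, value in parse_lldp_tlvs(payload):
        if ttype == 1 and len(value) == 7 and value[0] == 4:   # Chassis ID, MAC subtype
            oui = value[1:4].hex()                             # OUI = first 3 octets
        elif ttype == 6:                                       # System Description
            sys_desc = value.decode("utf-8", "replace")
    for name, rule in DEVICE_IDENTITIES.items():
        # Assumption: either configured criterion is enough to match the identity.
        if rule["lldp_sys_desc"] in sys_desc or oui == rule["lldp_oui"]:
            return {"action": "bypass", "device_identity": name, **DEVICE_PROFILES[name]}
    return {"action": "authenticate", "auth_order": ["authenticator", "mac-based"]}

def sample_lldpdu(mac: bytes, sys_desc: str) -> bytes:
    """Build a minimal LLDPDU (constructed sample, not a capture)."""
    return (tlv(1, b"\x04" + mac) + tlv(2, b"\x03" + mac) + tlv(3, struct.pack("!H", 120))
            + tlv(6, sys_desc.encode()) + tlv(0, b""))

AP_FRAME = sample_lldpdu(bytes.fromhex("000b86aabbcc"), "Aruba IAP (constructed)")
PHONE_FRAME = sample_lldpdu(bytes.fromhex("001122334455"), "Cisco IP Phone (constructed)")
```

An empty or truncated LLDPDU yields no match and therefore falls through to authentication, which is the behaviour the thread wants for unknown devices.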

MVP Guru Elite

Re: 2930F Aruba AP profiling in 16.5.x SW

Merci Félix for the feedback.
