Wired Intelligent Edge


2930F Aruba Switches

  • 1.  2930F Aruba Switches

    Posted Nov 20, 2019 03:17 PM

    Everyone,

     

    Would anyone be willing to share a base config for the 2930F Aruba switch that is configured for 802.1X? We are getting a couple of the switches and we would like to use 802.1X on the wired side.

    Thanks!



  • 2.  RE: 2930F Aruba Switches

    EMPLOYEE
    Posted Nov 21, 2019 04:04 AM

    If you have the basics of the ArubaOS Switches configured, the ClearPass Solution Guide: Wired Policy Enforcement is probably the next document to read to get 802.1X/Role-based-access/etc configured.



  • 3.  RE: 2930F Aruba Switches

    Posted Nov 21, 2019 08:10 AM

    Thank you for the information!



  • 4.  RE: 2930F Aruba Switches
    Best Answer

    Posted Nov 21, 2019 10:03 AM

    Oh, one thing I forgot to mention: check Aruba's Solution Exchange. There are a couple of configurators for 802.1X configs where you can put in your own IPs etc. and then get the config from there.

     

    I ran the wizard; below is the config. I still don't know how to set the 802.1X -> MAB timeout, but I remember once I tested this and there was some magic involved, as it worked like I wanted it to. If the client did 802.1X, the switch didn't send a MAC auth request, but fallback also worked. Still not sure how it worked; with other vendors I always have to specify that it either sends both .1x and MAC at the same time or waits a fixed amount of time (I think 20s is optimal) and then sends MAC auth.

     

    #Authentication server configuration
    
    #Define authentication server host and pre-shared key
    radius-server host 10.133.0.10 key "RadiusPassword"
    
    #Set selected port access authentication mode
    aaa authentication port-access eap-radius
    
    #Configure selected backup authentication method
    aaa authentication port-access eap-radius none
    
    #Enable dynamic authorization message processing
    radius-server host 10.133.0.10 dyn-authorization
    
    #Set selected dynamic authorization time window and mode
    radius-server host 10.133.0.10 time-window 0
    
    #802.1X authentication configuration
    
    #Configure specified ports for 802.1X authentication
    aaa port-access authenticator 1-12
    
    #Set 802.1X authenticator ports to client-based mode and configure client limit
    aaa port-access authenticator 1-12 client-limit 8
    
    #MAC-based authentication configuration
    
    #Configure specified ports for MAC-based authentication
    aaa port-access mac-based 1-12
    
    #Configure MAC address limit for authenticator ports
    aaa port-access mac-based 1-12 addr-limit 8
    
    #Configure redirect server for self-registration of unauthenticated MAC addresses
    aaa port-access mac-based unauth-redirect ""
    
    #Activate 802.1X authenticator on configured ports
    aaa port-access authenticator active

    I believe you need to have authenticator client-limit set up if you want to use both 802.1X and MAC auth on the same port. Or it will complain about something. Dyn-authorization means that the RADIUS server can send back CoA.
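
An offline check for a config like the one posted in reply 4, as an added example that is not part of the thread and not an Aruba tool: it flags ports running both 802.1X and MAC auth without an authenticator client-limit (the requirement the poster believes applies), a missing `aaa port-access authenticator active` line, and the wizard's placeholder RADIUS key left in place. The function names and finding labels are hypothetical, and it assumes plain numeric port lists such as `1-12`.

```python
import re

# Constructed input: the port-access lines of the config posted above.
SAMPLE_CONFIG = '''
radius-server host 10.133.0.10 key "RadiusPassword"
aaa authentication port-access eap-radius none
aaa port-access authenticator 1-12
aaa port-access authenticator 1-12 client-limit 8
aaa port-access mac-based 1-12
aaa port-access mac-based 1-12 addr-limit 8
aaa port-access authenticator active
'''

PORT_LINE = re.compile(
    r"aaa port-access (authenticator|mac-based) ([\d,-]+)(?: (\S+) \d+)?")

def expand_ports(spec):
    """Expand a numeric port list such as '1-4,7' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config):
    """Return a sorted list of (check, detail) findings (labels are hypothetical)."""
    dot1x, mab, limited = set(), set(), set()
    active, findings = False, []
    for line in map(str.strip, config.splitlines()):
        m = PORT_LINE.fullmatch(line)
        if m:
            kind, ports, option = m.group(1), expand_ports(m.group(2)), m.group(3)
            if option == "client-limit":
                limited |= ports          # per-port 802.1X client limit is set
            elif option is None and kind == "authenticator":
                dot1x |= ports            # 802.1X enabled on these ports
            elif option is None:
                mab |= ports              # MAC auth enabled on these ports
        elif line == "aaa port-access authenticator active":
            active = True
        elif line.startswith("radius-server host") and '"RadiusPassword"' in line:
            findings.append(("placeholder-key", line.split()[2]))
    missing = sorted((dot1x & mab) - limited)
    if missing:
        findings.append(("no-client-limit", ",".join(map(str, missing))))
    if dot1x and not active:
        findings.append(("authenticator-inactive", ",".join(map(str, sorted(dot1x)))))
    return sorted(findings)
```

Run `audit()` on the text of a saved config before it goes onto a switch; an empty list means none of the three checks fired.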



  • 5.  RE: 2930F Aruba Switches

    Posted Nov 25, 2019 09:06 AM

    That's great information and I will use this as we begin to implement 802.1X on the wired side. Thank you so much for your help.



  • 6.  RE: 2930F Aruba Switches

    Posted Nov 21, 2019 04:28 AM

    Check the 2930 access security guide; I think it explains the stuff quite well.

     

    Configuration is quite easy: you just configure a radius-server host and then enable aaa port-authentication and, if you want, mac-based authentication too. Compared to other vendors it feels quite easy. One thing I've yet to check is how to specify the fallback time from 802.1X to MAB if the client doesn't support .1x.