10-08-2013 07:09 AM
Hi All,
I've configured 802.1x auth on some switch ports in my lab and I'm using ClearPass as the RADIUS server using AD as the source. I've got ClearPass configured to pass a role back to the switch if authentication is successful and that works great.
Next step is to allow guests to plug in and for them to be assigned a different role, let's say the guest role.
I don't want to do tunneled node as I don't want the potential extra overhead on my controller. I know in my lab this won't be an issue but for customers there's potential that it could be depending on certain factors.
Is this possible to do?
At the moment when my "guest laptop" plugs in they fail authentication, enforcement policies are ignored and they stay in the logon role on the switch.
Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Re: 802.1x Switch Configuration
10-08-2013 07:11 AM
Do you want them to go through a registration process or just allow them on with a limited role?
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
10-08-2013 07:12 AM
James,
You'll want to create a MAC-Auth service that is configured to allow all MAC and in the enforcement policy, if it is an unknown MAC, pass back a role of Guest (or whatever name you chose). I'll post some screenshots of what I mean a little later today.
Best regards,
Madani
Re: 802.1x Switch Configuration
10-08-2013 07:17 AM
Hi,
I don't want them to register, just be placed into a particular role.
Screenshots would be perfect. :)
Cheers
James
Re: 802.1x Switch Configuration
10-08-2013 07:36 AM
Just make the initial role "guest". Upon a failed auth, they will be assigned guest.
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Re: 802.1x Switch Configuration
10-08-2013 07:54 AM
@SethFiermonti wrote: "Just make the initial role "guest". Upon a failed auth, they will be assigned guest."
Seth, great answer.
I've gone for configuring an allow-all MAC authentication source and an enforcement policy which matches any MAC auth requests, then assigns a ClearPass downloadable role. It's in a lab after all...
Cheers
James
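The two ClearPass-side suggestions above (Madani's allow-all MAC-auth service whose enforcement policy returns a guest role for unknown MACs, and James's final configuration of the same thing) both boil down to one RADIUS exchange: the switch sends the endpoint's MAC as User-Name, the policy engine picks a role, and the role rides back to the switch in the Aruba-User-Role vendor-specific attribute (vendor ID 14823, vendor type 1), signed with the shared secret via the Response Authenticator. The following is an added example that is not part of the original thread and is not ClearPass or Aruba code; the shared secret, the known-MAC table and the role names are constructed for illustration. It shows both ends of the exchange and the check the switch relies on: a reply whose role was altered in transit fails the authenticator check. One caveat worth keeping in mind when copying this design: MAC authentication proves nothing beyond that a MAC was presented, so the role handed to unknown MACs should be the restrictive guest role, never the full-access one.

```python
"""RADIUS MAC-auth exchange with an Aruba-User-Role VSA (added example, not from the thread)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID = 1, 26, 31
ARUBA_VENDOR_ID = 14823   # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1       # vendor type of Aruba-User-Role

# Constructed sample data (hypothetical, not from the original page).
SHARED_SECRET = b"lab-secret"
KNOWN_MACS = {"00:11:22:33:44:55": "printer"}   # stand-in for an endpoint database
DEFAULT_ROLE = "guest"                          # role for any MAC not in the table


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RFC 2865 TLV attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse attribute TLVs, rejecting truncated or zero-length entries."""
    attrs = []
    while data:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs


def aruba_user_role_vsa(role):
    """Vendor-Specific value: vendor-id(4) | vendor-type(1) | vendor-length(1) | role."""
    r = role.encode()
    return struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, len(r) + 2) + r


def response_authenticator(code, ident, req_auth, attr_bytes):
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret), per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + req_auth + attr_bytes + SHARED_SECRET).digest()


def build_request(ident, mac):
    """Switch side: a MAC-auth Access-Request carries the MAC as User-Name."""
    req_auth = os.urandom(16)   # random Request Authenticator
    attrs = encode_attrs([(ATTR_USER_NAME, mac.encode()),
                          (ATTR_CALLING_STATION_ID, mac.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def choose_role(mac):
    """Enforcement policy: known MAC gets its role, everything else gets DEFAULT_ROLE."""
    return KNOWN_MACS.get(mac.lower(), DEFAULT_ROLE)


def handle_request(req):
    """Server side: parse, decide the role, return a signed Access-Accept with the VSA."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    if code != ACCESS_REQUEST or length != len(req):
        raise ValueError("not a well-formed Access-Request")
    req_auth = req[4:20]
    attrs = dict(decode_attrs(req[20:]))
    role = choose_role(attrs[ATTR_USER_NAME].decode())
    attr_bytes = encode_attrs([(ATTR_VENDOR_SPECIFIC, aruba_user_role_vsa(role))])
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, attr_bytes)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attr_bytes)) + resp_auth + attr_bytes


def verify_and_extract_role(req, resp):
    """Switch side: accept the role only if the reply is bound to our request and secret."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or ident != req[1]:
        return None
    expected = response_authenticator(code, ident, req[4:20], resp[20:])
    if not hmac.compare_digest(expected, resp[4:20]):
        return None                       # forged, tampered, or wrong shared secret
    if code != ACCESS_ACCEPT:
        return None
    for t, v in decode_attrs(resp[20:]):
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE:
                return v[6:4 + vlen].decode()   # vendor-length covers type+length+data
    return None


if __name__ == "__main__":
    req = build_request(7, "aa:bb:cc:dd:ee:ff")      # unknown MAC
    print(verify_and_extract_role(req, handle_request(req)))   # guest
    req = build_request(8, "00:11:22:33:44:55")      # known MAC
    print(verify_and_extract_role(req, handle_request(req)))   # printer
```

Note that the Response Authenticator only binds the reply to a request that the switch itself issued and to the shared secret; it says nothing about the endpoint, which is why the policy returning a role for an unknown MAC is the real security boundary here.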
Re: 802.1x Switch Configuration
10-08-2013 07:56 AM
You'll have more flexibility in the future using ClearPass instead of the initial role.
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
Re: 802.1x Switch Configuration
10-08-2013 08:11 AM
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Re: 802.1x Switch Configuration
10-08-2013 12:59 PM
I know I like to keep my initial role as something that doesn't actually provide any IP connectivity at all, because some clients will not deal well with getting a DHCP lease, and then getting shuttled to another role assigned by a ClearPass RADIUS VSA with a different VLAN associated. If you keep clients in the same VLAN the whole time and just use your various user roles for ACL assignment, this wouldn't be a problem.
I don't know if it's the best way to do it but my initial role has an "allow-all" ACL associated, but no VLAN, which means it should derive its VLAN from the switching profile in the interface or interface-group configuration. If no switching profile is configured it would fall back to the default switching profile with VLAN 1, which in my case is not something that will provide any IP connectivity to clients.
If the Aruba experts here think this isn't optimal please let me know.