Wired Intelligent Edge


802.1x on Aruba 2930 with Phone/PC not working properly

  • 1.  802.1x on Aruba 2930 with Phone/PC not working properly

    Posted Dec 03, 2019 08:54 AM

    Hello

     

    I have a very strange issue and I guess I have something configured wrong.

     

    Here is my 802.1x config, pretty basic:

     

    aaa port-access gvrp-vlans
    aaa port-access authenticator 2/43-2/44
    aaa port-access authenticator 2/43 client-limit 10
    aaa port-access authenticator active
    aaa port-access mac-based 2/43
    aaa port-access mac-based 2/43 unauth-vid 2
    aaa port-access 2/43 mixed

    When I plug in a phone on port 2/43, the phone boots to the proper VLAN (provided by RADIUS):

    show port-access mac-based clients 2/43 detailed
    
    Port Access MAC-Based Client Status Detailed
    
    Client Base Details :
    Port                : 2/43
    Client Status       : authenticated         
    Session Time        : 182 seconds
    MAC Address         : FFFFFF-5cc306         
    Session Timeout     : 0 seconds
    IP                  : n/a
    
    Access Policy Details :
    COS Map            : Not Defined           
    In Limit Kbps      : Not Set
    Untagged VLAN      : Not Set               
    Out Limit Kbps     : Not Set
    Tagged VLANs       : 30
    Port Mode          : 1000FDx               
    Auth Mode          : User-based
    RADIUS ACL List    : No Radius ACL List

    OK, the next step is to connect a laptop with the Windows service "dot3svc" enabled, which works properly as well:

     

    Client Base Details :
    Port                : 2/43
    Client Status       : Authenticated
    Session Time        : 1160 seconds
    Client name         : host/XX-XX-XX.XX...
    Session Timeout     : 0 seconds
    IP                  : n/a
    MAC Address         : FFFFFF-4664aa

    Access Policy Details :
    COS Map            : Not Defined
    In Limit Kbps      : Not Set
    Untagged VLAN      : 10
    Out Limit Kbps     : Not Set
    Tagged VLANs       : No Tagged VLANs
    Port Mode          : 1000FDx
    RADIUS ACL List    : No Radius ACL List

    So both are connected properly:

    show port-access clients

    Port Access Client Status

    Port  Client Name  MAC Address  IP Address  Type   VLAN
    2/43               FFFFFF-5c..  n/a         8021X  30
    2/43  host/XX-..   FFFFFF-46..  n/a         8021X  10
    2/43  FFFFFF5c..   FFFFFF-5c..  n/a         MAC    30
    2/43               FFFFFF-46..  n/a         MAC    10

    The next step is to disable the Windows service "dot3svc", which should place the client in the "unauth-vid 2"; this works again as expected:

     

    show port-access mac-based clients 2/43 detailed
    
    Port Access MAC-Based Client Status Detailed
    
    Client Base Details :
    Port                : 2/43
    Client Status       : rejected,unauth vlan
    Session Time        : 25 seconds
    MAC Address         : 186024-4664aa
    Session Timeout     : 0 seconds
    IP                  : n/a

    Access Policy Details :
    COS Map            : Not Defined
    In Limit Kbps      : Not Set
    Untagged VLAN      : 2
    Out Limit Kbps     : Not Set
    Tagged VLANs       : No Tagged VLANs
    Port Mode          : 1000FDx
    Auth Mode          : User-based
    RADIUS ACL List    : No Radius ACL List

    But when I connect the phone (which authenticated successfully with MAC) and, behind the phone, a client with the Windows service "dot3svc" disabled, the following happens:

     

     

     

    show port-access mac-based clients 2/43 detailed

    Port Access MAC-Based Client Status Detailed

    Client Base Details :
    Port                : 2/43
    Client Status       : authenticated
    Session Time        : 230 seconds
    MAC Address         : 00085d-5cc306
    Session Timeout     : 0 seconds
    IP                  : n/a

    Access Policy Details :
    COS Map            : Not Defined
    In Limit Kbps      : Not Set
    Untagged VLAN      : Not Set
    Out Limit Kbps     : Not Set
    Tagged VLANs       : 30
    Port Mode          : 1000FDx
    Auth Mode          : User-based
    RADIUS ACL List    : No Radius ACL List

    Client Base Details :
    Port                : 2/43
    Client Status       : rejected no vlan
    Session Time        : 45 seconds
    MAC Address         : 186024-4664aa
    Session Timeout     : 0 seconds
    IP                  : n/a

    Access Policy Details :
    COS Map            : Not Defined
    In Limit Kbps      : Not Set
    Untagged VLAN      : Not Set
    Out Limit Kbps     : Not Set
    Tagged VLANs       : No Tagged VLANs
    Port Mode          : 1000FDx
    Auth Mode          : User-based
    RADIUS ACL List    : No Radius ACL List

    For some reason the client does not get the unauth-vlan assigned; instead it shows "Client Status : rejected no vlan".

     

    Does anyone have an idea what I am missing?

     

    Thanks a lot in advance.

     



  • 2.  RE: 802.1x on Aruba 2930 with Phone/PC not working properly

    MVP GURU
    Posted Dec 08, 2019 03:01 AM

    Why not enable client-limit for mac-auth too?

     

    What do you have in the log?

     

    (What is the RADIUS server?)



  • 3.  RE: 802.1x on Aruba 2930 with Phone/PC not working properly

    Posted Aug 13, 2020 09:17 AM

    Hi 

     

    Sorry for my very late reply; the solution was to activate "mixed mode" on the ports:

    aaa port-access 1/1 mixed

     

    Thanks for your support!
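
Added example, not part of the thread and not HPE Aruba code: a small Python parser for saved `show port-access mac-based clients <port> detailed` output that lists clients which were rejected and received no VLAN at all, the state shown in the first post. The field labels are taken from the output posted above; the sample text is constructed and the function names are hypothetical.

```python
import re

# Field labels as they appear in the output posted in this thread; longer labels
# come first so "Port Mode" and "Session Timeout" are not cut short.
FIELDS = ["Client Base Details", "Access Policy Details", "Session Timeout",
          "Session Time", "Client Status", "Client name", "MAC Address",
          "Port Mode", "Port", "IP", "COS Map", "In Limit Kbps", "Out Limit Kbps",
          "Untagged VLAN", "Tagged VLANs", "Auth Mode", "RADIUS ACL List"]
TOKEN = re.compile(r"\b(" + "|".join(map(re.escape, FIELDS)) + r")\s*:")

def parse_clients(text):
    """Return one dict per 'Client Base Details' block, whatever the line wrapping."""
    clients, hits = [], list(TOKEN.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        value = " ".join(text[m.end():end].split())
        if m.group(1) == "Client Base Details":
            clients.append({})
        elif m.group(1) != "Access Policy Details" and clients:
            clients[-1][m.group(1)] = value
    return clients

def has_vlan(client):
    """True if the client holds any untagged or tagged VLAN (including unauth-vid)."""
    unset = {"", "Not Set", "No Tagged VLANs"}
    return any(client.get(k, "") not in unset for k in ("Untagged VLAN", "Tagged VLANs"))

def stranded_clients(text):
    """MACs that were rejected and ended up with no VLAN at all (not even unauth-vid)."""
    return [c.get("MAC Address") for c in parse_clients(text)
            if c.get("Client Status", "").lower().startswith("rejected") and not has_vlan(c)]

# Constructed sample, modelled on the two-client capture in the first post.
SAMPLE = """
Client Base Details :
 Port            : 2/43
 Client Status   : authenticated         Session Time    : 230 seconds
 MAC Address     : 00085d-5cc306         Session Timeout : 0 seconds
 IP              : n/a
Access Policy Details :
 Untagged VLAN   : Not Set               Out Limit Kbps  : Not Set
 Tagged VLANs    : 30
Client Base Details :
 Port : 2/43 Client Status : rejected no vlan
 Session Time : 45 seconds MAC Address : 186024-4664aa
 Untagged VLAN : Not Set Tagged VLANs : No Tagged VLANs Port Mode : 1000FDx
"""

if __name__ == "__main__":
    print(stranded_clients(SAMPLE))
```

A client in the "rejected,unauth vlan" state with an untagged VLAN assigned is not reported, since it did land in the unauth-vid.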