Wired Intelligent Edge


AP 205H, Cisco 2960x Configuration

  • 1.  AP 205H, Cisco 2960x Configuration

    Posted Nov 16, 2016 08:43 PM

    Hi,

     

    I am currently playing around with an AP 205H and a Cisco 2960x

    AOS Version: 6.4.3.7

    IOS Version: 15.0(2a)EX5

    Cisco Switch Model: Cisco 2960x

     

    I have the AP 205H working the way I wanted on the Cisco with a simple configuration on the switch port. It basically only had switchport access configured with the VLAN for our APs.

     

    I am now trying to implement wired 802.1x on the Cisco and have the AP perform 802.1x and then configure the 3 switch ports on the AP 205H to also perform 802.1x on any clients plugged in.

     

    The first hurdle I am facing is that I do not see the 802.1x requests coming into the CPPM from the AP itself when it gets plugged in. However, I do see its MACAUTH attempt after 802.1x fails. I am currently using Eth0 on the back of the AP with the default port configuration. I have provisioned the AP with its own user name and password and created a local account in the CPPM to authenticate against.

     

    From the Aruba controller this is the status:

    00:0b:86:xx:xx:xx  CourtTest      192.168.xxx.xxx  0            AP:HT:11-/22.5/22.5     0            AP:VHT:132E/21/21      W-AP205  1FE2a  8h:57m:27s       N/A

    I believe this is indicating that it failed 802.1x authentication.

     

    Cisco switch port is configured as follows:

    interface GigabitEthernet1/0/4
     switchport mode access
     switchport voice vlan 25
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication port-control auto
     mab
     mls qos trust dscp
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos trust dscp
     spanning-tree portfast

    I am able to authenticate other devices with 802.1x such as laptops and desktops through this switch so I know that the 802.1x configuration on the switch is at least communicating with the CPPM. But I suspect I am configuring something wrong on the port when it comes to this AP.

     

    I was looking at this article. There are some options that are used that do not appear to be available on our switch so I am not sure how relevant this configuration is.

     

    Any help would greatly be appreciated.

     

    Cheers
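The port settings from the post above, run through a small audit, as an added example that is not part of the original post or of any Cisco or Aruba tooling. It reports whether MAB is a fallback behind 802.1X and how long the switch waits before falling back, using Cisco's documented (max-reauth-req + 1) × tx-period timing; `audit_port` and the two default constants are names and values assumed for this example.

```python
# Added example: audit the 802.1X/MAB settings of an IOS interface stanza.
STANZA = """\
interface GigabitEthernet1/0/4
 switchport mode access
 switchport voice vlan 25
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
"""  # authentication-related lines of the stanza posted above (QoS lines omitted)

# Assumed IOS defaults when a command is absent; verify for your release.
DEFAULT_TX_PERIOD = 30       # seconds between EAP-Request/Identity frames
DEFAULT_MAX_REAUTH_REQ = 2   # retransmissions after the first request


def audit_port(stanza):
    """Return the port's authentication posture as a dict."""
    lines = [l.strip() for l in stanza.splitlines()[1:] if l.strip()]

    def value(prefix, default=None):
        for line in lines:
            if line.startswith(prefix + " "):
                return line[len(prefix) + 1:]
        return default

    order = value("authentication order", "").split()
    tx_period = int(value("dot1x timeout tx-period", DEFAULT_TX_PERIOD))
    retries = int(value("dot1x max-reauth-req", DEFAULT_MAX_REAUTH_REQ))
    # MAB is a fallback only if enabled and listed after dot1x.
    fallback = ("mab" in lines and "dot1x" in order and "mab" in order
                and order.index("dot1x") < order.index("mab"))
    return {
        "enforcing": value("authentication port-control") == "auto",
        "host_mode": value("authentication host-mode"),
        "order": order,
        "mab_fallback": fallback,
        # The switch sends (retries + 1) identity requests, tx_period apart,
        # before it gives up on 802.1X and tries the next method.
        "fallback_delay_s": (retries + 1) * tx_period if fallback else None,
    }


if __name__ == "__main__":
    for key, val in audit_port(STANZA).items():
        print(f"{key}: {val}")
```

With this stanza a supplicant that never answers EAPOL reaches MAC authentication after 30 seconds, which matches the MACAUTH-only requests seen in CPPM.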

     



  • 2.  RE: AP 205H, Cisco 2960x Configuration



  • 3.  RE: AP 205H, Cisco 2960x Configuration

    Posted Nov 17, 2016 08:39 AM

    I took a look at the document you provided.

     

    In this case, the IAP is left as an IAP?

    I should have mentioned that we switched IAP-205H to campus mode and it is being controlled by our controller.

     

    Does this document still apply?



  • 4.  RE: AP 205H, Cisco 2960x Configuration

    EMPLOYEE
    Posted Nov 17, 2016 09:00 AM

    You are using the correct article.  Please disregard my link.

     

    Is the provisioning profile applied to that specific AP group?



  • 5.  RE: AP 205H, Cisco 2960x Configuration

    Posted Nov 17, 2016 10:09 AM

    I currently am not using provisioning profiles. But for testing purposes I will make some changes.

     

    I have tried creating one. I will give some details on what I have configured to test this IAP-205H

     

    • Created a new AP group called "AP205Test"
    • I created a provisioning profile for this AP and set it as the active provisioning profile for that AP group. I have never done this before so I am not sure if I am doing it correctly.
    • I created a new Eth profile for Eth0 on the AP to set Eth0 as untrust. I had read in this post that the port needed to be set as untrust in order for the AAA profile to take over.

    I have not made any changes on the switchport of the Cisco switch. I am hoping that I can make it work without adjusting those settings.

     

    According to the Controller UI it is reporting that this AP is unprovisioned.

     

    I am not receiving any dot1x requests in the CPPM. I only see the MACAUTH attempts after dot1x times out.



  • 6.  RE: AP 205H, Cisco 2960x Configuration

    EMPLOYEE
    Posted Nov 21, 2016 03:13 AM

    Ah, you should not make the eth0 on the AP205H untrusted. What untrusted does is that it will authenticate devices connecting incoming to that port; and if I understand correctly, you want the other way around that the AP authenticates to the switch (you configured that in the AP provisioning profile).

     

    Please revert the eth0 profile to the default profile (which is named default as well).



  • 7.  RE: AP 205H, Cisco 2960x Configuration

    Posted Nov 25, 2016 08:26 AM

    Hi Herman,

     

    Sorry for my late reply yet again.

    I will give this a try and see if I can get it working.

    Initially I had had the port configured under the default profile but I was still not seeing the 802.1x requests coming from the AP. Only the MACAUTH events after 802.1x failed.

     

    And yes you are right, I would like the 205H itself to perform 802.1x authentication against the switch. Then, any device plugged into any of its 3 ports to also perform 802.1x authentication.

     

    Cheers



  • 8.  RE: AP 205H, Cisco 2960x Configuration
    Best Answer

    Posted Feb 21, 2017 07:57 AM

    Hi,

     

    Just wanted to update this old thread.

     

    All the issues I was having were related to the firmware on the controller. I was initially trying to have the AP itself perform 802.1x against our Cisco switch, which was failing.

     

    I opened a ticket with Aruba Support and they confirmed that there was an issue with the AP205H receiving the 802.1x information from the controller (username and password). I upgraded our controller to the latest firmware it would support (6.4.4.11). After doing this the AP worked perfectly and all the strange behavior I was getting went away.

     

    Cheers