Wired Intelligent Edge


Aruba Mobility Access Switch

  • 1.  Aruba Mobility Access Switch

    Posted May 02, 2012 03:08 PM

    Hi there,

     

    We want to secure our wired network, and as we already have an Aruba wireless network in place, we are going to use an Aruba access switch to provide user authentication and policy enforcement the same way we're doing with the wireless, i.e. users and devices are authenticated and assigned a role by the mobility controller, and security policies are applied to users and devices whether they use a wired port or access the network through an AP.

    Does anyone have any experience they can share, and which Aruba access switch model is used?

     

    Please advise.

     

    Thanks,



  • 2.  RE: Aruba Mobility Access Switch

    Posted May 03, 2012 07:36 AM

    You can absolutely do this.  I've been testing with the S3500/S2500s and have replicated my wireless side "student" and "staff" user roles authenticating with dot1x. It's very straightforward and basically the same configuration that's already on your controller.  I've also successfully tested UDR authentication for ps3, xboxen, etc.  On the client side, it's very simple to include the same native network profile on Macs or your 1X supplicant (we use SecureW2 since we're TTLS/LDAP) on the PC side.  If you have an on-boarding app like Cloudpath, this just snaps in.  The real win here is because we are using AMP, this gives us one place to see users no matter how they connect.  This is huge for our dormitory users.

    The switches also have lots of other nice features, especially for tight wiring closets and small buildings.  



  • 3.  RE: Aruba Mobility Access Switch

    Posted May 03, 2012 09:09 AM

    Same here. 

     

    We are doing this on our 300+ S3500s. Works great!



  • 4.  RE: Aruba Mobility Access Switch

    Posted May 03, 2012 10:40 AM

    Hi, 

     

    Could you please shed some light on the configuration on the S3500 switch side?

    We have two SSIDs on the wireless network, each one with its pool VLAN. One SSID is using 802.1X authentication (machine authentication on the AD) and the second SSID is using web authentication (user authentication on the AD). We are using a RADIUS server to authenticate machines and users.

    We want to have the same thing on the wired side. If I connect an AD machine on the wired port, the machine authenticates and gets its IP address from the pool. If I connect a non-AD machine on the wired port, the user should get the CP to enter his AD credentials.

    I configured some ports on the S3500 switch as tunneled ports, and I assigned these ports to a switching profile. When I connect the machine to the tunneled port, I get the correct IP and I can authenticate via CP. If I connect an AD machine on which I already activated the 802.1X machine authentication, it wouldn't authenticate.

     

    Could you please help?

     

    Thank you very much. 



  • 5.  RE: Aruba Mobility Access Switch

    Posted May 03, 2012 05:09 PM

    The configuration is very simple; here are the related commands.

    On the switch:

    vlan "100"
    !
    interface-profile switching-profile "vlan-100"
       access-vlan 100
    !
    interface-profile tunneled-node-profile "t1"
       controller-ip 172.16.50.60
    !
    interface gigabitethernet "1/0/4"
       tunneled-node-profile "t1"
       switching-profile "vlan-100"
    !

    On the controller side, VLAN 100 needs to be created and an AAA profile applied under "aaa authentication wired":

    vlan 100

    user-role webauth1
     captive-portal "default"
     access-list session captiveportal
     access-list session logon-control
    !
    user-role authenticated
     access-list session allowall
     access-list session v6-allowall
    !
    aaa profile "wired-cpdot1x"
       initial-role "webauth1"
       authentication-dot1x "default"
       dot1x-default-role "authenticated"
       dot1x-server-group "acs2"
    !
    aaa authentication wired
       profile "wired-cpdot1x"
    !



  • 6.  RE: Aruba Mobility Access Switch

    Posted May 04, 2012 12:03 PM

    Thanks gcui for the help.

     

    The aaa authentication wired profile was missing on my config. I will give it a try monday.

     

    Regards,



  • 7.  RE: Aruba Mobility Access Switch

    Posted May 07, 2012 12:49 PM

    Hi there,

     

    Here is my config:

    Switch S3500:

    interface-profile tunneled-node-profile "default"
       controller-ip 172.23.4.32
       mtu 1500

    interface-profile switching-profile "CORP"
       access-vlan 200
       native-vlan 200
       trunk allowed vlan 1,200,300

    interface gigabitethernet "0/0/46"
       tunneled-node-profile "default"
       poe-profile "poe-factory-initial"
       qos-profile "default"
       switching-profile "CORP"
       no trusted port

    Aruba Controller:

    interface vlan 200
       ip address 172.25.160.5 255.255.255.0

    aaa profile "CORP prive-aaa_prof"
       authentication-dot1x "CORP prive-dot1x_prof"
       dot1x-default-role "Machine_CORP"
       dot1x-server-group "CORP prive"

    user-role "CORP public-guest-logon"
       captive-portal "CORP public-cp_prof"
       access-list session logon-control
       access-list session captiveportal

    user-role Machine_CORP
       vlan 200
       access-list session CORP_policy

    ;User auth Captive portal
    aaa profile "Wired-aaa_prof"
       initial-role "CORP public-guest-logon"
       authentication-dot1x "default"
       dot1x-default-role "Machine_CORP"
       dot1x-server-group "CORP prive"

    ;---------------dot1x--------------------------
    aaa authentication wired
       profile "CORP prive-aaa_prof"

    ;machine connected to the port 0/0/46 on S3500
    ;Win7 auth dot1x on the wired network card is activated
    ;machine auth dot1x on win7 is NOT working

    ;----------------CP-----------------------------------------
    aaa authentication wired
       profile "Wired-aaa_prof"

    ;machine connected to the port 0/0/46 on S3500
    ;Win7 auth dot1x on the wired network card is disabled
    ;Captive portal user authentication is working correctly

     

     

    Any idea why dot1x is not working with the wired access?

     

    My goal is to have both web and dot1x authentication working for wired access, so if the machine did not authenticate with dot1x, then the user gets the CP for user auth.

     

    Please advise.

     



  • 8.  RE: Aruba Mobility Access Switch
    Best Answer

    Posted May 10, 2012 10:50 AM

    Hi,

     

    I found what I was missing in my config posted above. May help somebody else.

     

    The configured AAA profile needs to be applied to VLAN 200 so that it takes effect.

    On the controller:

    #vlan 200 wired aaa-profile "CORP prive-aaa_prof"

    Is it possible to have an AAA profile applied to a pool VLAN?

     

    Thanks,
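
The fix in the post above is a per-VLAN binding that is easy to leave out, so it is worth checking for mechanically. The following Python audit is an added example, not code from the thread or from Aruba: it reads a controller config dump and reports VLANs used by tunneled ports that have no `vlan <id> wired aaa-profile` binding, bindings to undefined profiles, and bound profiles that lack the `authentication-dot1x` or `initial-role` settings that the combined profile in post 5 carries. It recognises only the statement forms quoted in this thread; the function names, finding labels and the list of tunneled VLANs passed in are assumptions.

```python
import re

# Only the statement forms quoted in this thread are recognised.
PROFILE_RE = re.compile(r'^aaa profile "([^"]+)"')
BINDING_RE = re.compile(r'vlan (\d+) wired aaa-profile "([^"]+)"')
SETTING_RE = re.compile(r'^(initial-role|authentication-dot1x)\s+"([^"]+)"')
TOP_LEVEL = ("aaa ", "user-role ", "interface ", "vlan ")

def parse_controller_config(text):
    """Return (profiles, bindings): profile name -> settings, VLAN id -> profile name."""
    profiles, bindings, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or a ';' annotation as used in the thread
        if m := PROFILE_RE.match(line):
            current = profiles.setdefault(m.group(1), {})
        elif m := BINDING_RE.search(line):
            bindings[int(m.group(1))] = m.group(2)
            current = None
        elif line == "!" or line.startswith(TOP_LEVEL):
            current = None  # another stanza begins; stop filling the profile
        elif (m := SETTING_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return profiles, bindings

def audit_wired_vlans(text, tunneled_vlans):
    """Return sorted (vlan, finding) pairs for VLANs used by tunneled ports."""
    profiles, bindings = parse_controller_config(text)
    findings = []
    for vlan in tunneled_vlans:
        name = bindings.get(vlan)
        if name is None:
            findings.append((vlan, "unbound"))  # no wired AAA profile on this VLAN
        elif name not in profiles:
            findings.append((vlan, "undefined-profile"))
        else:
            findings += [(vlan, "no-" + key) for key in
                         ("authentication-dot1x", "initial-role") if key not in profiles[name]]
    return sorted(findings)

# Constructed sample, modelled on the controller config posted in this thread.
SAMPLE_CONFIG = '''
aaa profile "CORP prive-aaa_prof"
 authentication-dot1x "CORP prive-dot1x_prof"
aaa authentication wired
 profile "Wired-aaa_prof"
vlan 200 wired aaa-profile "CORP prive-aaa_prof"
'''
print(audit_wired_vlans(SAMPLE_CONFIG, [200, 300]))
```

The VLAN list would come from the `access-vlan` values of the switching profiles attached to tunneled ports on the switch side.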

     



  • 9.  RE: Aruba Mobility Access Switch

    Posted May 16, 2013 10:37 AM

    Hi, I have an S3500 configured to use 802.1x authentication. I own a cun authentication profile and role. All ports are in the same VLAN and only two ports configured for 802.1x. The problem is that when I connect cable to the ports that require authentication, this process is repeated twice. The first time I assigned the user role 'logon' and the second time the role 'udr-dot1x-aaa'. Is the Solution to ask authentication only once?

    Thanks,



  • 10.  RE: Aruba Mobility Access Switch

    Posted May 16, 2013 11:13 AM

    Hi, I have used this document when I configured wired dot1x authentication.

    Hope this document will help you.

     

    Regards,

     




  • 11.  RE: Aruba Mobility Access Switch

    EMPLOYEE
    Posted May 16, 2013 01:15 PM

    Victor,

    Could you provide more detail on the configuration? Are you using Tunneled Node or the native AAA capabilities?

     

    Best regards,

     

    Madani