Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor II

IAP authentication/automation

I am working on SD-Branch PoC with a retail shop chain. They will not be able to change their existing 2530 and 2620 switches right away. 2930Fs will only gradually take their places. Since this project has to heavily rely on Central, I am limited to Aruba IAP clusters. The customer would like to automate and unify as much network related things in their shops as possible. One of the goals would be to configure all access switch ports with 802.1x + MAC authentication with the same settings on all ports, except uplinks. No matter what we plug into any port, Clearpass should take care of AAA and pass the needed instructions to switch, controller and firewall. The trick is - they have VoIP phones with PCs behind them connected to their network. Switch ports have to be configured in user authentication mode with MAC authentication working in parallel. IAPs cannot work in user mode they need port mode. Is there any solution how to automate IAP port configuration in this situation? I am sure we can parse syslog messages, look for LLDP specific things and launch scripts to change the port configuration on the fly but I would like to do it in a more civilized fashion and I also need to keep in mind that after a “hard” port config change I might need to revert it to original, if IAP for some reason is reconnected to another port and some other device is connected to the same port. To my knowledge LLDP bypass is not available on 2530 and 2620.