Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor II

LACP and AAA Best Practice

With the incoming of these high-speed, dual-port 802.11ax APs I'm curious: What does Aruba/community recommend for AAA with LACP/LAG in the AOS-CX OS?

I know that they cannot live together, but how would I take advantage of the dual ports on an AP535, and have that AP/port authenticate using EAP-TLS?

Is the answer really: it's one or the other? This kind of flies in the face of the dynamic/colorless ports, right?

Thanks,

ACEP, ACSP, ACCX #1239

Accepted Solutions
MVP Guru

Re: LACP and AAA Best Practice

LACP and Port authentication are indeed mutually exclusive, so you can't use them together.

Note that LACP configuration is static in general as you need to configure which ports belong to what port-channel/trunk, so it is hard to combine that with the dynamics of colorless ports as well.

I haven't tested, but heard that if you don't bundle the AP ports but leave them as two independent ports, you could do 802.1X on the AP uplink for both ports; it just doesn't load-balance and will be more active/passive. You may give that approach a try.



All Replies
Frequent Contributor II

Re: LACP and AAA Best Practice

Thanks for the tip, Herman.

From my testing, it appears that you can enable 802.1X on both ports without the LAG configured. I just hooked up both cables and it switched out of power-restricted mode. After a reboot to confirm this was working, I noticed the second port does not authenticate.

This makes me curious: What is going on in the AP to allow this without a loop being created?

ACEP, ACSP, ACCX #1239