Wired Intelligent Edge


What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

  • 1.  What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    EMPLOYEE
    Posted Apr 04, 2018 01:56 PM

    There are four AAA security features introduced in ArubaOS-Switch Version 16.05.

     

    Open Authentication: The Open Authentication (OpenAuth) Role allows a device to obtain network access before that particular device is placed under the authentication process.

     

    Critical Authentication: This feature enhancement supports a “Critical VLAN” concept: when remote authentication such as MAC-Auth or 802.1X starts for a client but the authentication server is not reachable, the client will be placed in a “Critical VLAN”.

     

    Per-Port Initial Role: ArubaOS-Switches support an initial role, which is applied to clients that are rejected by the RADIUS server and to clients that fail authentication because the RADIUS server is unreachable. The initial role can be tweaked to provide limited access to download a supplicant or be used for a Wired Guest access solution.

     

    MAC-Pinning: With the MAC Pinning feature enabled, LMA/MAC-based authenticated clients will remain authenticated on the switch even during the client’s inactivity throughout the log-off period.

     

    I have attached these four feature guides to this post, which include in-depth explanations with configuration examples.

     

    Thank You,

    Attachment(s)

    MAC_Pinning.docx   454 KB 1 version
    Per-Port_Initial_Role.docx   474 KB 1 version


  • 2.  RE: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    Posted Jun 20, 2018 09:39 AM

    Ciao Priyank,

    and thanks for sharing that information.

    I think Critical VLAN is a cool feature that helps to implement 802.1X in a small remote office. Do you know if it will be supported on 25x0 as well?

     

    Thanks



  • 3.  RE: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    EMPLOYEE
    Posted Jun 20, 2018 01:27 PM

    Hello,

     

    The Critical Authentication Role is not supported on Aruba 2500 Series Switch.

     

    Thank You,



  • 4.  RE: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    Posted Sep 07, 2018 04:58 AM

    Question on MAC-pinning.

     

    What would happen if I enable MAC-pinning on all switchports that are controlled by ClearPass for both 802.1X and MAC-auth? So both aaa port-access authenticator and aaa port-access mac-based enabled on all switchports?

     

    I'm in a project that went live 3 weeks ago and we are experiencing the non-chatty device syndrome. Unfortunately these devices still get moved within the building, so enabling MAC-pinning on specific ports is not an option. The dynamic VLAN configuration feature was a ClearPass selling point, so breaking this is a last resort.

     

    I currently have set the logoff-period to 300000 to solve this problem, but the MAC-pinning feature looks like a better solution.

     

    thanks

    Erik



  • 5.  RE: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    Posted Aug 19, 2019 03:34 AM

    Anything new on the MAC pinning? I've got a lot of "legacy" things that are moved around, so MAC pinning on a port is not a solution. Can ClearPass send MAC pinning on a port, so I just configure it on my device and ClearPass sends the MAC pinning to the switch?



  • 6.  RE: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    EMPLOYEE
    Posted Aug 19, 2019 04:32 AM

    Yes, this is supported using logoff-period under a user-role since ArubaOS-Switch version 16.06 with 2930F switch series and higher. A value of 0 is infinity, like mac-pinning.

     

    http://h22208.www2.hpe.com/eginfolib/Aruba/16.09/5200-5908/index.html#GUID-7B8ECA6C-9966-49CA-A823-202A274E851C.html



  • 7.  RE: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    Posted Aug 19, 2019 06:14 AM

    Nice, I'll try that. And if we have some Cisco switches, is there a way to do that also? We are in the process of changing our 1000 Cisco switches to Aruba 2930F, but it's gonna take some time.



  • 8.  RE: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

    Posted Aug 26, 2019 06:14 AM

    Just got it to work, but I'm not getting the logoff option in the enforcement profile. Is that a 6.8 thing? I'm only on 6.7.9, but about to upgrade to 6.8 next month.