Aruba Employee

What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

There are four AAA security features introduced in ArubaOS-Switch Version 16.05.

Open Authentication: Open Authentication (OpenAuth) Role allows a device to obtain network access before that particular device is placed under the authentication process.

Critical Authentication: This feature enhancement supports a “Critical VLAN” concept: when remote authentication such as MAC-Auth or 802.1X starts for a client but the authentication server is not reachable, the client will be placed in a “Critical VLAN”.

Per-Port Initial Role: ArubaOS-Switches support an initial role: clients that are rejected by the RADIUS server, or clients that fail authentication because the RADIUS server is unreachable, will have this initial role applied. The initial role can be tweaked to provide limited access to download a supplicant, or be used for a Wired Guest access solution.

Mac-Pinning: With the MAC Pinning feature enabled, LMA/MAC-based authenticated clients will remain authenticated in the switch even during the client’s inactivity throughout the log-off period.

I have attached these four feature guides to this post, which include in-depth explanations with configuration examples.

Thank You,

Priyank Patel
Contributor II

Re: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

Ciao Priyank,

and thanks for sharing that information.

I think Critical VLAN is a cool feature that helps to implement 802.1X in a small remote office. Do you know if it will be supported on the 25x0 as well?

Thanks

Aruba Employee

Re: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

Hello,

The Critical Authentication Role is not supported on the Aruba 2500 Series Switch.

Thank You,

Priyank Patel
Frequent Contributor I

Re: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

Question on MAC-pinning.

What would happen if I enable MAC-pinning on all switchports that are controlled by Clearpass for both 802.1X and MAC-auth? So both aaa port-access authenticator and aaa port-access mac-based enabled on all switchports?

I'm in a project that went live 3 weeks ago and we are experiencing the non-chatty device syndrome. Unfortunately these devices still get moved within the building, so enabling MAC-pinning on specific ports is not an option. The dynamic VLAN configuration feature was a Clearpass selling point, so breaking this is a last resort.

I currently have set the logoff-period to 300000 to solve this problem, but the MAC-pinning feature looks like a better solution.

Thanks

Erik

ACDX#968, ACMP, ACCP, ACSP
Occasional Contributor II

Re: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

Anything new on the MAC pinning? I've got a lot of "legacy" things that are moved around, so MAC pinning on a port is not a solution. Can Clearpass send MAC pinning on a port? So I just configure it on my device and Clearpass sends the MAC pinning to the switch?

Aruba Employee

Re: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

Yes, this is supported using logoff-period under a user-role since ArubaOS-Switch version 16.06 with the 2930F switch series and higher. A value of 0 is infinity, like mac-pinning.

http://h22208.www2.hpe.com/eginfolib/Aruba/16.09/5200-5908/index.html#GUID-7B8ECA6C-9966-49CA-A823-202A274E851C.html

Occasional Contributor II

Re: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

Nice, I'll try that. And if we have some Cisco switches, is there a way to do that also? We are in the process of changing our 1000 Cisco switches to Aruba 2930F, but it's going to take some time.

Occasional Contributor II

Re: What are the new AAA security features introduced in ArubaOS-Switch Version 16.05?

Just got it to work, but I'm not getting the logoff option in the enforcement profile. Is that a 6.8 thing? I'm only on 6.7.9, but about to upgrade to 6.8 next month.
