legacy mac authentication

  • 1.  legacy mac authentication

    Posted Jun 11, 2018 12:33 PM

    Greetings,

    I've recently inherited 2 HP 2530 switches. I'd like to quickly stand up MAB on these switches while I figure out what to do next. I've got MAC authentication to work using my ISE server for RADIUS, but when I try to add an IP phone to the mix the phone lands in the trusted VLAN instead of the VoIP one. The voice VLAN works correctly on ports that aren't configured for MAC authentication.

    Config follows:

    Running configuration:

    ; J9775A Configuration Editor; Created on release #YA.16.02.0012
    ; Ver #0e:01.10.82.34.47.18.28.f3.84.9c.63.ff.37.27:b9
    hostname "Aruba01"
    radius-server host 192.168.5.205 key "xxx"
    radius-server host 192.168.5.206 key "xxx"
    radius-server key "xxx"
    radius-server retransmit 2
    radius-server tracking enable
    timesync ntp
    ntp server 192.168.0.150
    ntp enable
    ip default-gateway 192.168.253.1
    snmp-server community "xxx" unrestricted
    aaa server-group radius "ISE" host 192.168.5.205
    aaa server-group radius "ISE" host 192.168.5.206
    aaa authentication telnet login radius server-group "ISE" local
    aaa authentication telnet enable radius server-group "ISE" local
    aaa authentication allow-vlan tagged
    aaa port-access mac-based 2-12
    aaa port-access mac-based 1 addr-limit 2
    aaa port-access mac-based 1 unauth-period 30
    aaa port-access mac-based 2 addr-limit 2
    aaa port-access mac-based 2 addr-moves
    aaa port-access mac-based 2 unauth-period 30
    aaa port-access mac-based 2 auth-vid 160
    aaa port-access mac-based 2 unauth-vid 100
    aaa port-access mac-based 3 addr-limit 2
    aaa port-access mac-based 3 addr-moves
    aaa port-access mac-based 3 unauth-period 30
    aaa port-access mac-based 3 auth-vid 160
    aaa port-access mac-based 3 unauth-vid 100
    aaa port-access mac-based 4 addr-limit 2
    aaa port-access mac-based 4 addr-moves
    aaa port-access mac-based 4 unauth-period 30
    aaa port-access mac-based 4 auth-vid 160
    aaa port-access mac-based 4 unauth-vid 100
    aaa port-access mac-based 5 addr-limit 2
    aaa port-access mac-based 5 addr-moves
    aaa port-access mac-based 5 unauth-period 30
    aaa port-access mac-based 5 auth-vid 160
    aaa port-access mac-based 5 unauth-vid 100
    aaa port-access mac-based 6 addr-limit 2
    aaa port-access mac-based 6 addr-moves
    aaa port-access mac-based 6 unauth-period 30
    aaa port-access mac-based 6 auth-vid 160
    aaa port-access mac-based 6 unauth-vid 100
    aaa port-access mac-based 7 addr-limit 2
    aaa port-access mac-based 7 addr-moves
    aaa port-access mac-based 7 unauth-period 30
    aaa port-access mac-based 7 auth-vid 160
    aaa port-access mac-based 7 unauth-vid 100
    aaa port-access mac-based 8 addr-limit 2
    aaa port-access mac-based 8 addr-moves
    aaa port-access mac-based 8 unauth-period 30
    aaa port-access mac-based 8 auth-vid 160
    aaa port-access mac-based 8 unauth-vid 100
    aaa port-access mac-based 9 addr-limit 2
    aaa port-access mac-based 9 addr-moves
    aaa port-access mac-based 9 unauth-period 30
    aaa port-access mac-based 9 auth-vid 160
    aaa port-access mac-based 9 unauth-vid 100
    aaa port-access mac-based 10 addr-limit 2
    aaa port-access mac-based 10 addr-moves
    aaa port-access mac-based 10 unauth-period 30
    aaa port-access mac-based 10 auth-vid 160
    aaa port-access mac-based 10 unauth-vid 100
    aaa port-access mac-based 11 addr-limit 2
    aaa port-access mac-based 11 addr-moves
    aaa port-access mac-based 11 unauth-period 30
    aaa port-access mac-based 11 auth-vid 160
    aaa port-access mac-based 11 unauth-vid 100
    aaa port-access mac-based 12 addr-limit 2
    aaa port-access mac-based 12 addr-moves
    aaa port-access mac-based 12 unauth-period 30
    aaa port-access mac-based 12 auth-vid 160
    aaa port-access mac-based 12 unauth-vid 100
    aaa port-access mac-based addr-format multi-colon
    lldp top-change-notify 2-48
    lldp enable-notification 2-48
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-52
    no ip address
    disable layer3
    exit
    vlan 100
    name "VLAN100"
    tagged 1
    ip address 192.168.253.194 255.255.255.192
    ip helper-address 192.168.5.205
    ip helper-address 192.168.5.206
    exit
    vlan 160
    name "VLAN160"
    untagged 2-52
    tagged 1
    ip address 192.168.253.4 255.255.255.128
    ip helper-address 192.168.5.205
    ip helper-address 192.168.5.206
    exit
    vlan 260
    name "VOIP"
    tagged 1-48
    ip address dhcp-bootp
    voice
    exit
    spanning-tree
    spanning-tree mode rapid-pvst
    no spanning-tree extend system-id
    no tftp server
    no dhcp config-file-update
    no dhcp image-file-update
    no dhcp tr69-acs-url
    password manager



  • 2.  RE: legacy mac authentication

    EMPLOYEE
    Posted Jun 11, 2018 01:26 PM
    With this config and no VLAN 'pushed' back to the switch from ISE, the phone will be put in the auth VLAN 160.

    As VLAN 260 on the switch is tagged on all ports and voice is set, your phone will probably use LLDP-MED to find the voice VLAN and use a tagged VLAN, if no MAC auth is active on the port.
    You need to set up the ISE server (or use ClearPass 🙊) to answer the RADIUS request with a tagged VLAN 260.

    Good luck
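As an added illustration of the reply above (this is example code, not from HPE, Cisco ISE or either poster), the script below decides and encodes the VLAN attributes a RADIUS server has to return for each MAC-authenticated endpoint on these ports. It assumes, as the posted config suggests, that the switch sends the MAC in multi-colon form (`addr-format multi-colon`), that tagged membership is delivered with the RFC 4675 Egress-VLANID attribute, which ArubaOS-Switch only applies when `aaa authentication allow-vlan tagged` is present, and that untagged membership uses the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple. The endpoint table and the MAC addresses are constructed sample data; how the attributes are entered into an ISE authorization profile is not covered here.

```python
"""Decide and encode the RADIUS Access-Accept VLAN attributes for a
MAC-authenticated endpoint on an ArubaOS-Switch 2530 port.

Added example for this thread, not HPE, ISE or poster code. Assumptions:
the switch sends the MAC as the RADIUS username in multi-colon form
('aaa port-access mac-based addr-format multi-colon' in the posted config);
tagged membership is assigned with RFC 4675 Egress-VLANID, honoured only when
'aaa authentication allow-vlan tagged' is set (also in the posted config);
untagged membership uses the RFC 3580 Tunnel-* triple.
"""
import re

# RFC 4675 tag indication is the ASCII digit, i.e. 0x31 / 0x32, not 1 / 2.
TAG_TAGGED, TAG_UNTAGGED = 0x31, 0x32
# RFC 2868 / RFC 3580 values for the untagged VLAN triple.
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed endpoint inventory; the policy mirrors the thread: data
# devices untagged in 160 (the auth-vid), phones tagged in 260 (VOIP).
ENDPOINTS = {
    "00:11:22:33:44:55": "phone",
    "66:77:88:99:aa:bb": "workstation",
}
POLICY = {
    "phone": {"tagged": [260]},
    "workstation": {"untagged": 160},
}


def normalize_mac(raw: str) -> str:
    """Canonicalise any common MAC notation to lower-case multi-colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def _check_vid(vid: int) -> int:
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    return vid


def egress_vlanid(vid: int, tagged: bool) -> int:
    """RFC 4675 Egress-VLANID: 8-bit tag indication, 12 pad bits, 12-bit VID."""
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return (tag << 24) | _check_vid(vid)


def decode_egress_vlanid(value: int):
    """Inverse of egress_vlanid; rejects non-zero pad bits or a bad tag octet."""
    if value >> 32 or (value >> 12) & 0xFFF:
        raise ValueError(f"malformed Egress-VLANID 0x{value:x}")
    tag = (value >> 24) & 0xFF
    if tag not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError(f"unknown tag indication 0x{tag:02x}")
    return _check_vid(value & 0xFFF), tag == TAG_TAGGED


def egress_vlan_name(name: str, tagged: bool) -> str:
    """RFC 4675 Egress-VLAN-Name: '1' + name for tagged, '2' + name for untagged."""
    if not name or not name.isascii():
        raise ValueError("VLAN name must be non-empty ASCII")
    return ("1" if tagged else "2") + name


def access_reply(username: str):
    """Return ('Access-Accept', attrs) or ('Access-Reject', {}) for one MAB request.

    Unknown MACs are rejected; the switch then applies its own unauth-vid
    (100 in the posted config) instead of anything the server could send.
    """
    mac = normalize_mac(username)
    role = ENDPOINTS.get(mac)
    if role is None:
        return "Access-Reject", {}
    policy = POLICY[role]
    attrs = {}
    if "untagged" in policy:
        attrs["Tunnel-Type"] = TUNNEL_TYPE_VLAN
        attrs["Tunnel-Medium-Type"] = TUNNEL_MEDIUM_IEEE_802
        attrs["Tunnel-Private-Group-Id"] = str(_check_vid(policy["untagged"]))
    if policy.get("tagged"):
        attrs["Egress-VLANID"] = [egress_vlanid(v, True) for v in policy["tagged"]]
    return "Access-Accept", attrs


if __name__ == "__main__":
    for user in ("0011.2233.4455", "66-77-88-99-AA-BB", "de:ad:be:ef:00:01"):
        code, attrs = access_reply(user)
        print(user, "->", code, attrs)
```

The phone entry resolves to a single Egress-VLANID of 0x31000104 (tag octet 0x31 = tagged, VLAN 0x104 = 260), which is exactly what the reply asks ISE to return; the workstation gets the untagged triple for VLAN 160, and anything not in the inventory is rejected so the switch's own `unauth-vid 100` applies. Egress-VLAN-Name ("1VOIP" for the same membership by name) is included because the switch accepts either form; pick one and keep the switch's VLAN names in sync if you use it.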