802.1X profile allowed DHCP with no authentication
11-12-2019 11:48 AM
I have a AP303H running as a RAP, with wired port profiles applied. The AAA profile applied to the port uses 802.1X with no L2 fail-through for MAC based authenticaiton.
When I connected a corporate endpoint configured for 802.1X, everything worked as expected.
I connected my home PC, which is not setup for 802.1X, and was surprised that it got an IP address in the scope/VLAN assigned to the port. I couldn't access anything because I got a guest or logon role.
I thought that with 802.1X enabled I shouldn't be able to get DHCP unless I passed 802.1X? In this case, I didn't even attempt it and still got DHCP on the corporate network.
aaa profile "WiredPort1_aaa_prof"
aaa authentication dot1x "Wired_dot1_auth"
machine-authentication machine-default-role "logon"
machine-authentication user-default-role "logon"
Re: 802.1X profile allowed DHCP with no authentication
11-12-2019 04:03 PM - edited 11-12-2019 04:03 PM
The "initial role" in the AAA profile is what a user would get without doing any authentication. If you setup the initial role to a role that denies all traffic, that would block all users that do not pass 802.1x authentication.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide