
Occasional Contributor I

802.1X profile allowed DHCP with no authentication

I have an AP303H running as a RAP, with wired port profiles applied. The AAA profile applied to the port uses 802.1X with no L2 fail-through for MAC-based authentication.


When I connected a corporate endpoint configured for 802.1X, everything worked as expected. 


I connected my home PC, which is not set up for 802.1X, and was surprised that it got an IP address in the scope/VLAN assigned to the port. I couldn't access anything because I got a guest or logon role.


I thought that with 802.1X enabled I shouldn't be able to get DHCP unless I passed 802.1X? In this case, I didn't even attempt it and still got DHCP on the corporate network. 


aaa profile "WiredPort1_aaa_prof"
    authentication-dot1x "Wired_dot1_auth"
    dot1x-default-role "authenticated"
    dot1x-server-group "ISE"
    radius-accounting "ISE"

aaa authentication dot1x "Wired_dot1_auth"
    machine-authentication machine-default-role "logon"
    machine-authentication user-default-role "logon"

Guru Elite

Re: 802.1X profile allowed DHCP with no authentication

The "initial role" in the AAA profile is what a user would get without doing any authentication. If you set up the initial role to a role that denies all traffic, that would block all users that do not pass 802.1x authentication.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
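
One way to check a controller configuration for the condition described in this reply, as an added example that is not part of the original thread or any Aruba tooling: it lists 802.1X AAA profiles whose initial (pre-authentication) role is not one you have declared deny-all. It assumes ArubaOS falls back to the "logon" initial role when a profile has no initial-role line; the second profile and the role name "preauth-deny" are constructed.

```python
import re
# Assumption: an "aaa profile" with no initial-role line uses the
# ArubaOS default initial role, "logon".
DEFAULT_INITIAL_ROLE = "logon"

# First two stanzas are the config from the post; the second profile and
# the role name "preauth-deny" are constructed for this example.
SAMPLE_CONFIG = '''
aaa profile "WiredPort1_aaa_prof"
    authentication-dot1x "Wired_dot1_auth"
    dot1x-default-role "authenticated"
    dot1x-server-group "ISE"
    radius-accounting "ISE"
aaa authentication dot1x "Wired_dot1_auth"
    machine-authentication machine-default-role "logon"
    machine-authentication user-default-role "logon"
aaa profile "WiredPort2_aaa_prof"
    initial-role "preauth-deny"
    authentication-dot1x "Wired_dot1_auth"
'''

def parse_aaa_profiles(config):
    """Return {profile name: {setting: value}} for each 'aaa profile' stanza."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r'aaa profile "?([^"]+)"?$', line)
        if match:
            current = profiles.setdefault(match.group(1), {})
        elif line == "!" or line.startswith("aaa "):
            current = None  # separator or a different aaa object ends the stanza
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    return profiles

def audit_dot1x_initial_roles(config, deny_roles):
    """Return (profile, initial role) for 802.1X profiles not starting in a deny role."""
    findings = []
    for name, settings in parse_aaa_profiles(config).items():
        role = settings.get("initial-role", DEFAULT_INITIAL_ROLE)
        if "authentication-dot1x" in settings and role not in deny_roles:
            findings.append((name, role))
    return findings

if __name__ == "__main__":
    for name, role in audit_dot1x_initial_roles(SAMPLE_CONFIG, {"preauth-deny"}):
        print(f"{name}: unauthenticated clients get role '{role}'")
```

Pass the set of role names that actually deny all traffic on your controller as `deny_roles`; the script does not inspect the ACLs behind a role.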