Occasional Contributor I

802.1X profile allowed DHCP with no authentication

I have an AP303H running as a RAP, with wired port profiles applied. The AAA profile applied to the port uses 802.1X with no L2 fail-through for MAC-based authentication.

When I connected a corporate endpoint configured for 802.1X, everything worked as expected. 

I connected my home PC, which is not set up for 802.1X, and was surprised that it got an IP address in the scope/VLAN assigned to the port. I couldn't access anything because I got a guest or logon role.

I thought that with 802.1X enabled I shouldn't be able to get DHCP unless I passed 802.1X? In this case, I didn't even attempt it and still got DHCP on the corporate network. 

aaa profile "WiredPort1_aaa_prof"
authentication-dot1x "Wired_dot1_auth"
dot1x-default-role "authenticated"
dot1x-server-group "ISE"
radius-accounting "ISE"
!

aaa authentication dot1x "Wired_dot1_auth"
machine-authentication machine-default-role "logon"
machine-authentication user-default-role "logon"
!

Guru Elite

Re: 802.1X profile allowed DHCP with no authentication

The "initial role" in the AAA profile is what a user would get without doing any authentication. If you set up the initial role to a role that denies all traffic, that would block all users that do not pass 802.1x authentication.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
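
An added example, not part of the original thread and not Aruba tooling: a small Python audit that reads ArubaOS-style `aaa profile` stanzas and lists the profiles that run 802.1X but do not pin the initial role to a deny-all role. The second profile in the sample, the `denyall` role name, and the fallback to `logon` when no `initial-role` line is present are assumptions made for the illustration.

```python
import re

# Assumption: role names that block all traffic before authentication.
# Replace with the deny-all role(s) defined in your own deployment.
DENY_ROLES = {"denyall"}
# Assumption: a profile with no "initial-role" line falls back to "logon".
DEFAULT_INITIAL_ROLE = "logon"

# Constructed sample: the first stanza is the profile posted in the thread,
# the second is a hypothetical hardened variant with an explicit initial role.
SAMPLE = '''
aaa profile "WiredPort1_aaa_prof"
authentication-dot1x "Wired_dot1_auth"
dot1x-default-role "authenticated"
dot1x-server-group "ISE"
radius-accounting "ISE"
!
aaa profile "WiredPort2_aaa_prof"
initial-role "denyall"
authentication-dot1x "Wired_dot1_auth"
dot1x-default-role "authenticated"
dot1x-server-group "ISE"
!
'''

def parse_aaa_profiles(config):
    """Return {profile_name: {keyword: value}} for each 'aaa profile' stanza."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'aaa profile "?([^"]+)"?$', line)
        if m:
            current = profiles.setdefault(m.group(1), {})
        elif line == "!" or line.startswith("aaa "):
            current = None          # stanza ended or another stanza began
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    return profiles

def audit(config):
    """List (profile, initial_role) where 802.1X is on but pre-auth traffic is not denied."""
    findings = []
    for name, opts in parse_aaa_profiles(config).items():
        role = opts.get("initial-role", DEFAULT_INITIAL_ROLE)
        if "authentication-dot1x" in opts and role not in DENY_ROLES:
            findings.append((name, role))
    return findings

if __name__ == "__main__":
    for name, role in audit(SAMPLE):
        print(f"{name}: unauthenticated clients land in role '{role}'")
```
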