Wireless Access

Occasional Contributor I

802.1X profile allowed DHCP with no authentication

I have an AP303H running as a RAP, with wired port profiles applied. The AAA profile applied to the port uses 802.1X with no L2 fail-through for MAC-based authentication.


When I connected a corporate endpoint configured for 802.1X, everything worked as expected. 


I connected my home PC, which is not set up for 802.1X, and was surprised that it got an IP address in the scope/VLAN assigned to the port. I couldn't access anything because I got a guest or logon role.


I thought that with 802.1X enabled I shouldn't be able to get DHCP unless I passed 802.1X? In this case, I didn't even attempt it and still got DHCP on the corporate network. 


aaa profile "WiredPort1_aaa_prof"
    authentication-dot1x "Wired_dot1_auth"
    dot1x-default-role "authenticated"
    dot1x-server-group "ISE"
    radius-accounting "ISE"

aaa authentication dot1x "Wired_dot1_auth"
    machine-authentication machine-default-role "logon"
    machine-authentication user-default-role "logon"

Guru Elite

Re: 802.1X profile allowed DHCP with no authentication

The "initial role" in the AAA profile is what a user would get without doing any authentication. If you set up the initial role to a role that denies all traffic, that would block all users that do not pass 802.1x authentication.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
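An added example, not part of the thread or of Aruba's documentation: a small Python audit that reads an ArubaOS-style configuration and reports AAA profiles that enable 802.1X while leaving the pre-authentication (initial) role at something other than a known deny-all role. It assumes sub-commands are indented as in running-config output and that a profile with no `initial-role` line falls back to `logon`; the role name `dot1x-preauth` and the second profile are hypothetical.

```python
import re

# Assumption: a profile with no initial-role line uses the "logon" role.
DEFAULT_INITIAL_ROLE = "logon"

# Constructed sample: the poster's profile plus a hypothetical hardened one.
SAMPLE = '''
aaa profile "WiredPort1_aaa_prof"
    authentication-dot1x "Wired_dot1_auth"
    dot1x-default-role "authenticated"
    dot1x-server-group "ISE"
    radius-accounting "ISE"
!
aaa authentication dot1x "Wired_dot1_auth"
    machine-authentication machine-default-role "logon"
!
aaa profile "WiredPort2_aaa_prof"
    initial-role "dot1x-preauth"
    authentication-dot1x "Wired_dot1_auth"
!
'''

def parse_aaa_profiles(config):
    """Return {profile_name: {setting: value}} for each 'aaa profile' block."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # top-level command: opens or closes a block
            m = re.match(r'aaa profile "?([^"]+)"?$', line)
            current = profiles.setdefault(m.group(1), {}) if m else None
        elif current is not None:  # indented sub-command of an aaa profile
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    return profiles

def find_open_dot1x_profiles(config, blocking_roles):
    """List (profile, initial role) pairs where 802.1X is on but the role an
    unauthenticated device receives is not in the auditor's deny-all set."""
    findings = []
    for name, settings in parse_aaa_profiles(config).items():
        role = settings.get("initial-role", DEFAULT_INITIAL_ROLE)
        if "authentication-dot1x" in settings and role not in blocking_roles:
            findings.append((name, role))
    return findings
```

Calling `find_open_dot1x_profiles(SAMPLE, {"dot1x-preauth"})` flags only the poster's profile; the set of blocking roles is whatever the auditor has confirmed denies all traffic on their own controller.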