Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1X profile allowed DHCP with no authentication

  • 1.  802.1X profile allowed DHCP with no authentication

    Posted Nov 12, 2019 02:48 PM

    I have an AP303H running as a RAP, with wired port profiles applied. The AAA profile applied to the port uses 802.1X with no L2 fail-through for MAC-based authentication.

     

    When I connected a corporate endpoint configured for 802.1X, everything worked as expected. 

     

    I connected my home PC, which is not set up for 802.1X, and was surprised that it got an IP address in the scope/VLAN assigned to the port. I couldn't access anything because I got a guest or logon role.

     

    I thought that with 802.1X enabled I shouldn't be able to get DHCP unless I passed 802.1X? In this case, I didn't even attempt it and still got DHCP on the corporate network. 

     

    aaa profile "WiredPort1_aaa_prof"
    authentication-dot1x "Wired_dot1_auth"
    dot1x-default-role "authenticated"
    dot1x-server-group "ISE"
    radius-accounting "ISE"
    !

     

    aaa authentication dot1x "Wired_dot1_auth"
    machine-authentication machine-default-role "logon"
    machine-authentication user-default-role "logon"
    !



  • 2.  RE: 802.1X profile allowed DHCP with no authentication

    EMPLOYEE
    Posted Nov 12, 2019 07:03 PM
    The "initial role" in the AAA profile is what a user would get without doing any authentication. If you set up the initial role to a role that denies all traffic, that would block all users that do not pass 802.1x authentication.
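
An added example, not part of the thread and not Aruba tooling: a small audit over an exported configuration that reports which 802.1X AAA profiles hand unauthenticated clients a role other than one you have designated as blocking. It assumes a profile with no `initial-role` line falls back to "logon"; the role name "block-all" and the second profile are hypothetical.

```python
import re

# Assumption: a profile with no initial-role line falls back to the "logon" role.
DEFAULT_INITIAL_ROLE = "logon"

# Constructed sample: the profile from the post plus a hypothetical hardened one.
SAMPLE_CONFIG = '''
aaa profile "WiredPort1_aaa_prof"
    authentication-dot1x "Wired_dot1_auth"
    dot1x-default-role "authenticated"
    dot1x-server-group "ISE"
!
aaa profile "WiredPort2_aaa_prof"
    initial-role "block-all"
    authentication-dot1x "Wired_dot1_auth"
!
'''

def parse_aaa_profiles(config):
    """Return {profile name: {setting: value}} for every 'aaa profile' block."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r'aaa profile "?([^"]+)"?', line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif line == "!" or line.startswith("aaa "):
            current = None  # end of block, or start of a different aaa section
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    return profiles

def audit_initial_roles(config, blocking_roles):
    """List dot1x profiles whose pre-authentication role is not a blocking role."""
    findings = []
    for name, settings in parse_aaa_profiles(config).items():
        if "authentication-dot1x" not in settings:
            continue  # only profiles that are meant to enforce 802.1X
        role = settings.get("initial-role", DEFAULT_INITIAL_ROLE)
        if role not in blocking_roles:
            findings.append((name, role, "initial-role" in settings))
    return findings

if __name__ == "__main__":
    for name, role, explicit in audit_initial_roles(SAMPLE_CONFIG, {"block-all"}):
        source = "explicit" if explicit else "default"
        print(f"{name}: unauthenticated clients get role '{role}' ({source})")
```

Pass the set of roles you have verified deny all traffic as `blocking_roles`; the script only compares names and does not inspect the ACLs behind a role.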