Network Management

Good day,

I've been asked to configure 802.1X wired port access with Radius server to prevent unauthorized devices connecting to our network.

But I'm struggling to get it to work at all.  Here is the configuration on the switch:

radius-server host 10.99.16.22 key "XXXXXXXXXXXXXXXXXXXXX"
radius-server host 10.99.16.22 dyn-authorization
aaa authentication port-access eap-radius
aaa port-access authenticator 8

The port config looks like this:
interface 8
untagged vlan 201
aaa port-access authenticator
aaa port-access authenticator client-limit 1

The switch can see the Radius server and is configured.

When I patch a device that is not on the domain, nothing happens. The port still connects and is given an IP address in the corporate network.
I have enabled debug but I see no messages about port-access at all.

Am I missing something fundamental here?

Thanks in advance.

Under the assumption that you have an ArubaOS Switch (2930F), because I don't know the 2030F:
 
Looks like you missed the global configuration statement: 'aaa port-access authenticator active'
You could check 'show port-access clients' or 'show port-access clients 8 detail' (for details on port 8); for the actual status of your port-access.

The command 'show portacces config' will show the actual config for each port.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 21, 2022 06:18 AM
From: David Jones
Subject: 802.1X port-access on Aruba 2030F switches not working

Good day,

I've been asked to configure 802.1X wired port access with Radius server to prevent unauthorized devices connecting to our network.

But I'm struggling to get it to work at all.  Here is the configuration on the switch:

radius-server host 10.99.16.22 key "XXXXXXXXXXXXXXXXXXXXX"
radius-server host 10.99.16.22 dyn-authorization
aaa authentication port-access eap-radius
aaa port-access authenticator 8

The port config looks like this:
interface 8
untagged vlan 201
aaa port-access authenticator
aaa port-access authenticator client-limit 1

The switch can see the Radius server and is configured.

When I patch a device that is not on the domain, nothing happens. The port still connects and is given an IP address in the corporate network.
I have enabled debug but I see no messages about port-access at all.

Am I missing something fundamental here?

Thanks in advance.

Thank you for your reply. Yes it is a 2930
I set auth to active, but show port-access config says it in not configured??

  Port-access authenticator activated [No] : Yes

  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

  Use LLDP data to authenticate [No] : No

 

        802.1X  802.1X   Web      Mac      LMA   Cntrl Mixed    Speed

  Port  Supp    Auth     Auth     Auth     Auth  Dir   Mode     VSA   MBV

  ----- ------- -------- -------- -------- ----- ----- -------- ----- ---

  1     No      No       No       No       No    both  No       No    Yes

  2     No      No       No       No       No    both  No       No    Yes

  3     No      No       No       No       No    both  No       No    Yes

  4     No      No       No       No       No    both  No       No    Yes

  5     No      No       No       No       No    both  No       No    Yes

  6     No      No       No       No       No    both  No       No    Yes

  7     No      No       No       No       No    both  No       No    Yes

  8     No      No       No       No       No    both  No       No    Yes

Port access is configured for Radius:

| Login       Login        Login

  Access Task    | Primary     Server Group Secondary

  -------------- + ----------- ------------ ----------

  Console        | Local                    None

  Telnet         | Local                    None

  Port-Access    | EapRadius   radius       None

  Webui          | Local                    None

  SSH            | Local                    None

  Web-Auth       | ChapRadius  radius       None

  MAC-Auth       | ChapRadius  radius       None

  SNMP           | Local                    None

  Local-MAC-Auth | Local                    None

It just looks like the config is not being applied to the port?

Thanks for your help

Original Message:
Sent: Sep 22, 2022 04:33 AM
From: Herman Robers
Subject: 802.1X port-access on Aruba 2030F switches not working

Under the assumption that you have an ArubaOS Switch (2930F), because I don't know the 2030F:

Looks like you missed the global configuration statement: 'aaa port-access authenticator active'
You could check 'show port-access clients' or 'show port-access clients 8 detail' (for details on port 8); for the actual status of your port-access.

The command 'show portacces config' will show the actual config for each port.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 21, 2022 06:18 AM
From: David Jones
Subject: 802.1X port-access on Aruba 2030F switches not working

Good day,

I've been asked to configure 802.1X wired port access with Radius server to prevent unauthorized devices connecting to our network.

But I'm struggling to get it to work at all.  Here is the configuration on the switch:

radius-server host 10.99.16.22 key "XXXXXXXXXXXXXXXXXXXXX"
radius-server host 10.99.16.22 dyn-authorization
aaa authentication port-access eap-radius
aaa port-access authenticator 8

The port config looks like this:
interface 8
untagged vlan 201
aaa port-access authenticator
aaa port-access authenticator client-limit 1

The switch can see the Radius server and is configured.

When I patch a device that is not on the domain, nothing happens. The port still connects and is given an IP address in the corporate network.
I have enabled debug but I see no messages about port-access at all.

Am I missing something fundamental here?

Thanks in advance.

Hello jones60a,

did you add these commands:
aaa port-access authenticator active
aaa accounting network start-stop radius
aaa accounting update periodic 3

?

I hope it helps you

Best Regards

Original Message:
Sent: Sep 21, 2022 06:18 AM
From: David Jones
Subject: 802.1X port-access on Aruba 2030F switches not working

Good day,

I've been asked to configure 802.1X wired port access with Radius server to prevent unauthorized devices connecting to our network.

But I'm struggling to get it to work at all.  Here is the configuration on the switch:

radius-server host 10.99.16.22 key "XXXXXXXXXXXXXXXXXXXXX"
radius-server host 10.99.16.22 dyn-authorization
aaa authentication port-access eap-radius
aaa port-access authenticator 8

The port config looks like this:
interface 8
untagged vlan 201
aaa port-access authenticator
aaa port-access authenticator client-limit 1

The switch can see the Radius server and is configured.

When I patch a device that is not on the domain, nothing happens. The port still connects and is given an IP address in the corporate network.
I have enabled debug but I see no messages about port-access at all.

Am I missing something fundamental here?

Thanks in advance.