Security

Hi,

I am looking for more information and configuration guidelines with Aruba colorless port concept. Our requirement is to have same 802.1x experience as users connecting to Aruba switch with any users connecting 3rd party switch (does not support 802.1x) behind Aruba switch as per the attached picture.

Doing some research, it seems like this may be done something with user based tunneling (UBT), we do have Aruba Controllers (8.x) as well. However currently it is working with Aruba switch using local user roles and Clearpass alone.

I would like to know:

• how we use the 3rd party switch to authenticate them with CPPM
• what kind of configuration needed for the port connecting to Aruba and 3rd party switch uplink
• what kind of configuration needed for 3rd party switch regular ports
• what configuration needed on Gateway/Controller (if needed) 
• any reference documents/configuration guides

Thanks in advance..

Don't do this.

You aren't going to get the same experience when there is a switch downstream not applying 802.1X.  The authenticating device will have no visibility into the port state of the downstream device, leading to a trivial ability to spoof an already authenticated device.

Hi,

I am looking for more information and configuration guidelines with Aruba colorless port concept. Our requirement is to have same 802.1x experience as users connecting to Aruba switch with any users connecting 3rd party switch (does not support 802.1x) behind Aruba switch as per the attached picture.

Doing some research, it seems like this may be done something with user based tunneling (UBT), we do have Aruba Controllers (8.x) as well. However currently it is working with Aruba switch using local user roles and Clearpass alone.

I would like to know:

• how we use the 3rd party switch to authenticate them with CPPM
• what kind of configuration needed for the port connecting to Aruba and 3rd party switch uplink
• what kind of configuration needed for 3rd party switch regular ports
• what configuration needed on Gateway/Controller (if needed) 
• any reference documents/configuration guides

Thanks in advance..

Hi Carson,

Thanks for your reply. 
Well, I only need to make sure devices connecting on downstream switch can also authenticate via clearpass (802.1x, MAB), without any configuration on downstream switch. Just want to validate if this is doable solution.?

Thank you.

Don't do this.

You aren't going to get the same experience when there is a switch downstream not applying 802.1X.  The authenticating device will have no visibility into the port state of the downstream device, leading to a trivial ability to spoof an already authenticated device.

Hi,

I am looking for more information and configuration guidelines with Aruba colorless port concept. Our requirement is to have same 802.1x experience as users connecting to Aruba switch with any users connecting 3rd party switch (does not support 802.1x) behind Aruba switch as per the attached picture.

Doing some research, it seems like this may be done something with user based tunneling (UBT), we do have Aruba Controllers (8.x) as well. However currently it is working with Aruba switch using local user roles and Clearpass alone.

I would like to know:

• how we use the 3rd party switch to authenticate them with CPPM
• what kind of configuration needed for the port connecting to Aruba and 3rd party switch uplink
• what kind of configuration needed for 3rd party switch regular ports
• what configuration needed on Gateway/Controller (if needed) 
• any reference documents/configuration guides

Thanks in advance..

Would not recommend, you're essentially building in a security bypass.

If you want to investigate then you should research UBT and test that configuration.

Hi Carson,

Thanks for your reply. 
Well, I only need to make sure devices connecting on downstream switch can also authenticate via clearpass (802.1x, MAB), without any configuration on downstream switch. Just want to validate if this is doable solution.?

Thank you.

Don't do this.

You aren't going to get the same experience when there is a switch downstream not applying 802.1X.  The authenticating device will have no visibility into the port state of the downstream device, leading to a trivial ability to spoof an already authenticated device.

Hi,

I am looking for more information and configuration guidelines with Aruba colorless port concept. Our requirement is to have same 802.1x experience as users connecting to Aruba switch with any users connecting 3rd party switch (does not support 802.1x) behind Aruba switch as per the attached picture.

Doing some research, it seems like this may be done something with user based tunneling (UBT), we do have Aruba Controllers (8.x) as well. However currently it is working with Aruba switch using local user roles and Clearpass alone.

I would like to know:

• how we use the 3rd party switch to authenticate them with CPPM
• what kind of configuration needed for the port connecting to Aruba and 3rd party switch uplink
• what kind of configuration needed for 3rd party switch regular ports
• what configuration needed on Gateway/Controller (if needed) 
• any reference documents/configuration guides

Thanks in advance..

Thanks.

Yes, reading more on that and I noticed that UBT is an option, in that case what exactly needed to have on 3rd party switch and uplink port connecting to Aruba switch should have.?

Is there any sample CX switch configuration or any such relevant document for this scenario.?

Would not recommend, you're essentially building in a security bypass.

If you want to investigate then you should research UBT and test that configuration.

Hi Carson,

Thanks for your reply. 
Well, I only need to make sure devices connecting on downstream switch can also authenticate via clearpass (802.1x, MAB), without any configuration on downstream switch. Just want to validate if this is doable solution.?

Thank you.

Don't do this.

You aren't going to get the same experience when there is a switch downstream not applying 802.1X.  The authenticating device will have no visibility into the port state of the downstream device, leading to a trivial ability to spoof an already authenticated device.

Hi,

I am looking for more information and configuration guidelines with Aruba colorless port concept. Our requirement is to have same 802.1x experience as users connecting to Aruba switch with any users connecting 3rd party switch (does not support 802.1x) behind Aruba switch as per the attached picture.

Doing some research, it seems like this may be done something with user based tunneling (UBT), we do have Aruba Controllers (8.x) as well. However currently it is working with Aruba switch using local user roles and Clearpass alone.

I would like to know:

• how we use the 3rd party switch to authenticate them with CPPM
• what kind of configuration needed for the port connecting to Aruba and 3rd party switch uplink
• what kind of configuration needed for 3rd party switch regular ports
• what configuration needed on Gateway/Controller (if needed) 
• any reference documents/configuration guides

Thanks in advance..

There are a few guides and videos for setting up UBT, just do a search to find one that meets your needs.

Thanks.

Yes, reading more on that and I noticed that UBT is an option, in that case what exactly needed to have on 3rd party switch and uplink port connecting to Aruba switch should have.?

Is there any sample CX switch configuration or any such relevant document for this scenario.?

Would not recommend, you're essentially building in a security bypass.

If you want to investigate then you should research UBT and test that configuration.

Hi Carson,

Thanks for your reply. 
Well, I only need to make sure devices connecting on downstream switch can also authenticate via clearpass (802.1x, MAB), without any configuration on downstream switch. Just want to validate if this is doable solution.?

Thank you.

Don't do this.

You aren't going to get the same experience when there is a switch downstream not applying 802.1X.  The authenticating device will have no visibility into the port state of the downstream device, leading to a trivial ability to spoof an already authenticated device.

Hi,

I am looking for more information and configuration guidelines with Aruba colorless port concept. Our requirement is to have same 802.1x experience as users connecting to Aruba switch with any users connecting 3rd party switch (does not support 802.1x) behind Aruba switch as per the attached picture.

Doing some research, it seems like this may be done something with user based tunneling (UBT), we do have Aruba Controllers (8.x) as well. However currently it is working with Aruba switch using local user roles and Clearpass alone.

I would like to know:

• how we use the 3rd party switch to authenticate them with CPPM
• what kind of configuration needed for the port connecting to Aruba and 3rd party switch uplink
• what kind of configuration needed for 3rd party switch regular ports
• what configuration needed on Gateway/Controller (if needed) 
• any reference documents/configuration guides

Thanks in advance..