Wired Intelligent Edge

AOS-CX: 802.1x with phone, no auth for client connected to phone

    Posted 21 days ago

    Scenario:

    PC --- IP phone --- 6300 (AOS CX)

    1. IP phone is connected to a 6300 switch port (details on port configuration further down). Phone authenticates w/ 802.1x. Works as expected.
    2. PC is connected to phone's LAN port. The PC is not supposed to authenticate. It's supposed to simply be able to use the default VLAN.

    The port configuration is the following:

    interface 5/1/1
        no shutdown
        no routing
        vlan access 16
        port-access fallback-role my-default
        port-access onboarding-method concurrent enable
        aaa authentication port-access dot1x authenticator
            cached-reauth
            cached-reauth-period 86400
            eapol-timeout 30
            max-eapol-requests 2
            reauth
            reauth-period 172800
            enable
        client track ip enable
        loop-protect action tx-rx-disable
        exit
    

    The fallback role puts the client online in the default VLAN; the only additional thing it does is to re-write DSCP values via a policy.

    The authentication of the phone works as expected; however, the PC only comes online after several minutes (~5 min.). My question is: how can we manage to shorten this time? It's clear to me that we need to wait until the wait for EAPOL packets times out, but I'm not entirely sure which settings to modify to achieve this. From my understanding, the EAPOL timeout is 30s. 2 retries means that the PC should fail to authenticate no later than 90s. But that's not the case. It's 5 minutes or more.

    The only workaround we have right now is to configure MAC auth in parallel and simply accept any MAC via RADIUS:

    interface 5/1/1
        no shutdown
        no routing
        vlan access 16
        port-access fallback-role TUC-default
        port-access onboarding-method concurrent enable
        aaa authentication port-access client-limit multi-domain 2
        aaa authentication port-access client-limit 3
        aaa authentication port-access dot1x authenticator
            cached-reauth
            cached-reauth-period 86400
            eapol-timeout 30
            max-eapol-requests 2
            reauth
            reauth-period 172800
            enable
        aaa authentication port-access mac-auth
            cached-reauth
            cached-reauth-period 86400
            quiet-period 30
            reauth
            reauth-period 172800
            enable
        client track ip enable
        loop-protect action tx-rx-disable
        exit
    

    I don't seem to be able to find good information on what to do in this scenario. Any help is highly appreciated.
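As an added example (not from the original post or from HPE Aruba), the Python below parses an AOS-CX interface block like the two above and reports how long a client that never sends EAPOL would wait for the fallback role, and whether mac-auth is configured alongside 802.1X. The sample configuration is constructed, and the timer arithmetic follows the poster's own reading (30s x (1 + 2 retries) = 90s), which is an assumption rather than vendor documentation.

```python
import re

# Constructed sample, modelled on the first port configuration in the post
# (802.1X only, no mac-auth); not copied from a live switch.
SAMPLE_CONFIG = """\
interface 5/1/1
    vlan access 16
    port-access fallback-role my-default
    port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        eapol-timeout 30
        max-eapol-requests 2
        enable
    client track ip enable
    exit
"""

def parse_port_access(config: str) -> dict:
    """Pull out the AOS-CX port-access settings that decide how fast a client
    that never speaks EAPOL (the PC behind the phone) reaches the fallback role."""
    info = {"dot1x": False, "mac_auth": False, "fallback_role": None,
            "concurrent": False, "eapol_timeout": 30, "max_eapol_requests": 2}
    section, section_indent = None, 0
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if section and indent <= section_indent:
            section = None                      # left the nested auth block
        if line.startswith("aaa authentication port-access dot1x"):
            section, section_indent = "dot1x", indent
        elif line.startswith("aaa authentication port-access mac-auth"):
            section, section_indent = "mac_auth", indent
        elif m := re.fullmatch(r"port-access fallback-role (\S+)", line):
            info["fallback_role"] = m.group(1)
        elif line == "port-access onboarding-method concurrent enable":
            info["concurrent"] = True
        elif section == "dot1x" and (
                m := re.fullmatch(r"(eapol-timeout|max-eapol-requests) (\d+)", line)):
            info[m.group(1).replace("-", "_")] = int(m.group(2))
        elif section and line == "enable":   # bare 'enable' turns the method on
            info[section] = True
    return info

def eapol_fallback_delay(info: dict) -> int:
    """Seconds a silent client waits before 802.1X gives up, using the post's
    reading: first request plus max-eapol-requests retries, each waiting
    eapol-timeout. This arithmetic is an assumption, not vendor documentation."""
    return info["eapol_timeout"] * (1 + info["max_eapol_requests"]) if info["dot1x"] else 0

def audit(config: str) -> list[str]:
    """Report how a non-802.1X client gets onto the port behind the phone."""
    info, findings = parse_port_access(config), []
    if info["dot1x"] and not info["mac_auth"] and info["fallback_role"]:
        findings.append(f"fallback role {info['fallback_role']} applied only after "
                        f"~{eapol_fallback_delay(info)}s of EAPOL silence")
    if info["dot1x"] and info["mac_auth"]:
        findings.append("mac-auth runs alongside 802.1X; EAPOL wait does not gate the PC")
    return findings
```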