Network Management

Aruba 2930F AAA port-access denying clients access to network

  • 1.  Aruba 2930F AAA port-access denying clients access to network

    Posted Feb 01, 2023 10:17 AM
    I had AAA port-access authenticator turned on on the switch ports, but lately the client computers do not get any connection, so if I disable the AAA they get a connection.  How can I figure out what's causing this?  Is there any command on the CLI I can run on the switch port with AAA?

    I don't have AAA on uplink switch ports, just on computers.

    I will have port-security turned on for MAC, so is AAA even necessary?


  • 2.  RE: Aruba 2930F AAA port-access denying clients access to network

    Posted Feb 01, 2023 10:23 AM
    This is the AAA config on the switches.  It was already set up before I came to this company, and it was working.  But lately more computers don't get a connection if they have aaa port-access enabled.

    aaa server-group radius "8021x" host 10.0.0.15
    aaa server-group radius "8021x" host 10.0.0.16
    aaa server-group radius "mgmt" host 10.0.0.17
    aaa authentication login privilege-mode
    aaa authentication console login peap-mschapv2 server-group "mgmt" local
    aaa authentication telnet login peap-mschapv2 server-group "mgmt" local
    aaa authentication web login peap-mschapv2 server-group "mgmt" local
    aaa authentication ssh login peap-mschapv2 server-group "mgmt" local
    aaa authentication port-access eap-radius server-group "8021x"
    aaa port-access authenticator active


  • 3.  RE: Aruba 2930F AAA port-access denying clients access to network

    EMPLOYEE
    Posted Feb 06, 2023 05:05 AM
    Check your Authentication/RADIUS servers and/or the clients for errors or more information.
    What type of RADIUS server do you have (the IPs: 10.0.0.15/10.0.0.16)?

    AAA does authentication of the computer and/or user account, versus MAC, which only checks a MAC address that can be easily changed and for most customers does not provide enough security. Without knowing what your security requirements are, it's hard to tell if you need 802.1X security.

    Best to find the requirements, design for your network, and then check if that is still accurate or if you need more/less/same authentication to prevent the threats you have identified. It may make sense to do such a thing together with your Aruba partner and/or other network/security consultant.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Aruba 2930F AAA port-access denying clients access to network

    Posted Feb 06, 2023 10:20 AM
    10.0.0.15/10.0.0.16 are our domain controllers, and I didn't really see anything on the event viewer. I'll check NPS also.
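
For the CLI question in the first post, a switch-side check sequence for the configuration shown above. This is an added example, not part of any post in the thread and not vendor-supplied text. It assumes ArubaOS-Switch 16.x on the 2930F; lines starting with `;` are annotations, not commands, and the RADIUS host addresses are the ones from the posted config.

```text
; 1. Confirm which method and server group port-access actually uses.
show authentication

; 2. Confirm the switch has both 802.1X RADIUS hosts defined and can reach them.
show radius
show radius host 10.0.0.15
show radius host 10.0.0.16

; 3. Compare counters per server: timeouts versus accepts/rejects.
show radius authentication

; 4. See the 802.1X state of the access ports and of the connected clients.
show port-access authenticator
show port-access authenticator clients
show port-access authenticator statistics

; 5. Read the event log, newest entries first.
show logging -r

; 6. Live trace while one affected client is reconnected, shown in this session.
debug security port-access authenticator
debug security radius-server
debug destination session

; 7. Turn tracing off again when done.
no debug all
```

Timeouts that climb while accepts and rejects stay flat mean the servers are not answering the switch at all (reachability, shared secret, or the switch not being registered as a RADIUS client), whereas climbing rejects mean the servers answer and refuse the client, which is then a policy or credential question to follow up in the NPS logs on 10.0.0.15/10.0.0.16.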