The problem is, both types of switches are in the same network management VLAN, so I cannot separate it.
I made separate services for Intune and AD-joined devices. That worked for me the best way.
I have different roles for AOS and AOS-CX switches made in the role-mapping. That works, except for the issue I have now.
I also have two different enforcement profiles for AOS and AOS-CX. Otherwise it did not work.
Original Message:
Sent: Mar 14, 2024 01:04 PM
From: Herman Robers
Subject: Aruba CX switch multi-domain authentication will not work
Do you have separate services for CX and for AOS-S?
You should just return HPE roles to AOS-S, and just Aruba roles to CX, not both. If you use the same service, you can make enforcement profiles specific to a device group, which may work if your CX and AOS-S devices are in different device groups.
I'd recommend a separate service, where you use role-mapping to do your lookups/authorizations, and create two enforcement policies that map the ClearPass roles to HPE/Aruba Roles respectively.
Or do I miss it completely?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 14, 2024 04:51 AM
From: erik.boss
Subject: Aruba CX switch multi-domain authentication will not work
Hi Herman,
I have a TAC case now. The engineer tells me the switch(port) config is good and this must work.
I remembered adding Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement NOT_EXISTS on the role-mapping for CX switches, because I also have OS switches.
When I remove this condition, users working on an Aruba OS switch receive 2 user roles (HPE and Aruba) and cannot apply both. Client cannot authenticate.
So I need to have a solution for that.
Best regards,
Erik
There's no RADIUS Aruba capability or something like that.
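As an added illustration (not from the thread and not ClearPass's own code), the policy logic Herman recommends and the NOT_EXISTS condition Erik uses can be modelled in Python: the HPE-Capability-Advertisement attribute name is taken from the posts, while the HPE-User-Role and Aruba-User-Role VSA names, the sample requests and the role table are assumptions.

```python
# Model of the ClearPass decision discussed in the thread (added example).
# Attribute names: HPE_CAP is quoted from the thread; the two role VSAs are assumed.
HPE_CAP = "Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement"
HPE_ROLE = "Radius:Hewlett-Packard-Enterprise:HPE-User-Role"   # assumed, AOS-S
ARUBA_ROLE = "Radius:Aruba:Aruba-User-Role"                     # assumed, AOS-CX
REJECT_ROLE = "Guest"   # the reject-role configured on the port in the thread

# Constructed table: one platform-specific switch role per ClearPass role.
ROLE_TABLE = {
    "AOS-S": {"Employee": "Employee-HPE", "VoIP": "VOIP-Phone"},
    "AOS-CX": {"Employee": "Employee-CX", "VoIP": "VOIP-Phone"},
}

def switch_platform(request):
    """Role-mapping rule from the thread: AOS-S advertises
    HPE-Capability-Advertisement, AOS-CX does not (NOT_EXISTS)."""
    return "AOS-S" if HPE_CAP in request else "AOS-CX"

def enforce(request, clearpass_role):
    """Enforcement per platform: return only the VSA this switch understands,
    mapped to its own role name; unknown roles fall back to the reject role."""
    platform = switch_platform(request)
    attr = HPE_ROLE if platform == "AOS-S" else ARUBA_ROLE
    role = ROLE_TABLE[platform].get(clearpass_role, REJECT_ROLE)
    return {attr: role}

def enforce_shared_profile(clearpass_role):
    """The failure mode Erik describes: one profile returning both VSAs."""
    return {HPE_ROLE: clearpass_role, ARUBA_ROLE: clearpass_role}

def well_formed(vsas):
    """Check an Access-Accept carries exactly one user-role attribute."""
    return sum(1 for a in vsas if a in (HPE_ROLE, ARUBA_ROLE)) == 1

# Constructed sample requests (only the attributes the rule looks at).
AOS_S_REQ = {"Radius:IETF:NAS-IP-Address": "192.0.2.10", HPE_CAP: "constructed"}
AOS_CX_REQ = {"Radius:IETF:NAS-IP-Address": "192.0.2.20"}

if __name__ == "__main__":
    for req in (AOS_S_REQ, AOS_CX_REQ):
        print(switch_platform(req), enforce(req, "Employee"))
    print("shared profile ok?", well_formed(enforce_shared_profile("Employee")))
```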
Original Message:
Sent: Mar 11, 2024 11:57 AM
From: Herman Robers
Subject: Aruba CX switch multi-domain authentication will not work
It may be best to work with TAC on this, as it's hard to determine what the issue is without full access to config (like the other roles), troubleshooting commands, the captures that you created, etc. At first glance this should work, but something is probably missed.
If just client connected direct to the switch works fine,
and just phone connected to the switch on the same port works fine and you see tagged traffic between the switch and phone,
but client behind phone on that port doesn't, and same setup on AOS-S works fine, that is quite unexpected.
But it's also strange if you see the phone 'eating' the EAPoL frames... as it would suggest an issue on the phone, which shouldn't be as it works the same on an AOS-S.
I would check with the show port-access clients detail command in each of the 3 situations what happens and what is negotiated. With the combination, you should see the same as the combined output of the separate authentications. One thing you may try is to set the client-limit for both dot1x and mac, as one may be set to a single client and blocking additional authentications on the same port. There is just too much possible, and not enough information to guide you.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Mar 11, 2024 10:59 AM
From: erik.boss
Subject: Aruba CX switch multi-domain authentication will not work
Hi Herman,
When authenticating the client only on the switchport it works fine, no issue.
When a client fails authentication, the client will enter the Guest network.
Also at this time, the VOIP-Phone will be in the voice VLAN, the client in the guest VLAN.
On Aruba OS, same config, it works as expected.
I installed a sniffer on the client. I only see EAP requests from the switch(port) and a response from my client.
A TCP dump on the switch gave me nothing, so the request does not enter the switchport. The VOIP-Phone should delete the EAP request.
I hope someone has a solution for this.
Original Message:
Sent: Mar 11, 2024 10:41 AM
From: Herman Robers
Subject: Aruba CX switch multi-domain authentication will not work
What does the port-access status show when the devices are connected? (show port-access clients interface 1/1/32 detail)
Does it work when you just connect the phone, or just connect the client to the port? It may be good to see if you can make them work individually first.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Mar 05, 2024 05:38 AM
From: erik.boss
Subject: Aruba CX switch multi-domain authentication will not work
Hi guys,
I'm currently migrating users from the old static VLAN to 802.1x (and mac-authentication for VOIP-Phones).
I'm having trouble authenticating the clients behind a VOIP-Phone.
I tested it before and it worked fine.
The current interface configuration:
interface 1/1/32
    no shutdown
    vlan access 1
    rate-limit broadcast 100000 kbps
    spanning-tree port-type admin-edge
    port-access fallback-role Critical-Role
    aaa authentication port-access auth-priority mac-auth dot1x
    port-access onboarding-method concurrent enable
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access critical-role Critical-Role
    aaa authentication port-access critical-voice-role VOIP-Phone
    aaa authentication port-access reject-role Guest
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 60
        eapol-timeout 5
        max-eapol-requests 1
        max-retries 1
        quiet-period 5
        discovery-period 10
        enable
    aaa authentication port-access mac-auth
        enable
    client track ip enable
    client track ip update-interval 60
show port-a role name VOIP-Phone
Role Information:
Name : VOIP-Phone
Type : local
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode : client-mode
Session Timeout :
Client Inactivity Timeout :
Description :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names : NLISOVOIPPHONE
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
Captive Portal Profile :
Policy : policy-VOIP
Device Type : voice
The VOIP-Phone must have a tagged VLAN, otherwise it will not boot.
The issue: the VOIP-Phone and the client are both authenticated by mac-authentication.
What I also see: the client is then not able to communicate with Intune with the certificate. It seems like in the authentication the certificate is not sent or something like that.
I made a workaround, trying to add the local Endpoint attributes, but it won't match.
Does anyone have an idea?
Many thanks.