ArubaOS-CX issue with dot1.x traffic to internet

  • 1.  ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 12, 2024 02:28 PM

    Hi to all,

    I have a couple of Aruba 6000 switches and set them up so clients can authenticate via dot1.x and access the network.

    Previously I used some HP 2530 switches with dot1.x enabled as well, and they were working fine.

    The madness with the new Aruba 6000 is that although the clients are authenticated via dot1.x and gain access to the LAN, external traffic to the internet is not passing.

    Can anyone explain this or point me to something to check?

    Thank you in advance!



  • 2.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 12, 2024 02:53 PM

    Well, this is highly dependent on the Role and ACL that is assigned as part of the port-access process.

    Are you assigning any particular ACLs or VLANs? Can you ping the default gateway of that User VLAN?



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 3.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 13, 2024 03:56 AM

    Hi Zak and thanks for the reply,

    I can ping my default gateway from the switch.

    I haven't assigned any particular ACLs or Roles on the ports, only configured access ports with the respective VLAN assignment.

    I haven't used Roles and ACLs before on a layer 2 device such as an Aruba 6000.

    So in order to grant access to the external network, do I have to configure Roles on the switch?

    Can you elaborate more and give an example please?

    Thank you




  • 4.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 13, 2024 10:47 AM

    Can you share a snippet of your configuration? Access to internal vs. external is not role/ACL dependent, but that is an important part of understanding the design.

    Here is a detailed guide for this process, starting at Page 258
    Security Guide

    What do the outputs of the below look like for those clients?
    #show aaa authentication port-access dot1x authenticator interface all client-status
    #show port-access clients interface 1/1/X detail



    ------------------------------
    Zak Chalupka



  • 5.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 13, 2024 01:42 PM

    Below is a snippet of the configuration (only regarding RADIUS and dot1.x); the rest is out of scope. Names and other data have been changed for privacy.

    As you can see from the output of the commands, the PC on 1/1/2 has been authenticated. Traffic to the internal LAN is fine, but to the internet it is not passing.

    Currently I just want to focus on dot1.x authentication not mac authentication.

    Snippet from running config

    !
    radius-server host xxx.xxx.xxx.xxx key ciphertext xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
    radius-server host xxx.xxx.xxx.xxx key ciphertext xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
    !
    !
    aaa authentication login https-server group radius local
    aaa authentication login ssh group radius local
    !
    aruba-central
        disable
    !
    aaa authentication port-access dot1x authenticator
        enable
    !
    interface 1/1/2
        description xxxxxxx
        no shutdown
        vlan access 303
        spanning-tree bpdu-guard
        spanning-tree port-type admin-edge
        aaa authentication port-access dot1x authenticator
            enable

    Output of #show aaa authentication port-access dot1x authenticator interface all client-status

    Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com, 1/1/2
    =========================================

      Authentication Details
      ----------------------
        Status                        : Authenticated
        Type                          : Pass-Through
        EAP-Method                    : TLS
        Auth Failure reason           :
        Time Since Last State Change  : 104s

      Authentication Statistics
      -------------------------
        Authentication                         : 1
        Authentication Timeout                 : 0
        EAP-Start While Authenticating         : 0
        EAP-Logoff While Authenticating        : 0
        Successful Authentication              : 1
        Failed Authentication                  : 0
        Re-Authentication                      : 0
        Successful Re-Authentication           : 0
        Failed Re-Authentication               : 0
        EAP-Start When Authenticated           : 0
        EAP-Logoff When Authenticated          : 0
        Re-Auths When Authenticated            : 0
        Cached Re-Authentication               : 0

    Second output:

    switch# show port-access clients interface 1/1/2 detail

    Port Access Client Status Details:

    RADIUS overridden user roles are suffixed with '*'

    Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com
    ==============================================
      Session Details
      ---------------
        Port         : 1/1/2
        Session Time : 5153s
        IPv4 Address :
        IPv6 Address :
        Device Type  :

      VLAN Details
      ------------
        VLAN Group Name :
        VLANs Assigned  : 303
          Access          : 303
          Native Untagged :
          Allowed Trunk   :

      Authentication Details
      ----------------------
        Status          : dot1x Authenticated
        Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
        Auth History    : dot1x - Authenticated, 5153s ago

      Authorization Details
      ----------------------
        Status : Applied


        RADIUS Attributes
        ------------------
        Framed-MTU                   : 1200 bytes

        RADIUS Role Name : RADIUS_3226739997




  • 6.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 13, 2024 05:12 PM

    Does external network access work with that VLAN (and the particular switch) on a port without port-access configured? 



    ------------------------------
    Zak Chalupka



  • 7.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 13, 2024 06:17 PM

    Yes it does. If I deactivate port-access on port 1/1/2, traffic to the internet passes.


    Sent from Outlook for Android







  • 8.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 13, 2024 07:22 PM

    What does the output of "show port-access clients interface 1/1/2 detail" look like when you remove the 802.1x configuration on that port?




  • 9.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 14, 2024 03:28 AM

    switch(config-if)# show port-access clients interface 1/1/2 detail
    No port-access clients found.




  • 10.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 14, 2024 10:57 AM

    What are you using as your RADIUS server? ClearPass? What sort of enforcement response (RADIUS attributes/VSA) is it sending upon successful auth?



    ------------------------------
    Zak Chalupka



  • 11.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 19, 2024 08:28 AM

    I am using the Windows RADIUS server, NPS.

    The logs in Event Viewer confirm successful authentication of the device connected to the switch port.

    If I disable AAA on the switch port, internet traffic is permitted. When it is enabled, internet traffic is not passing.

    I don't understand the relation of 802.1x authentication to traffic to the internet. Isn't it wired?

    On the older HP switches, as I pointed out earlier in the thread, when devices were authenticated, internal and external traffic was permitted without any additional configuration.




  • 12.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 19, 2024 10:22 AM

    What user role has been created and thus assigned upon a successful auth on your 2530?

    The .1x process does not have a direct relation to network access. But as part of the RADIUS response a role will be assigned. That role can contain traffic/class rules for network access. 



    ------------------------------
    Zak Chalupka
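Added example, not from this thread and not HPE code: a small Python parser for the `show port-access clients interface X detail` output posted in reply 5, which reports the things reply 12 says matter after a successful dot1x exchange: whether authorization was applied, which role the switch attached to the session, and whether that role is one an administrator defined or one the switch derived from the returned RADIUS attributes. The sample output is constructed from the anonymised text above. The assumption that a `RADIUS_<number>` role name denotes a switch-generated role is mine, drawn from that output, not a statement made in the thread.

```python
import re
from typing import List, Optional

# Constructed sample, modelled on the anonymised output posted in reply 5.
SAMPLE_OUTPUT = """\
Port Access Client Status Details:

RADIUS overridden user roles are suffixed with '*'

Client xx:xx:xx:xx:xx:xx, host/xxxxx.domain.com
==============================================
  Session Details
  ---------------
    Port         : 1/1/2
    Session Time : 5153s
    IPv4 Address :

  VLAN Details
  ------------
    VLANs Assigned  : 303
      Access          : 303

  Authentication Details
  ----------------------
    Status          : dot1x Authenticated
    Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted

  Authorization Details
  ----------------------
    Status : Applied

    RADIUS Attributes
    ------------------
    Framed-MTU                   : 1200 bytes

    RADIUS Role Name : RADIUS_3226739997
"""

SECTIONS = {"Session Details", "VLAN Details", "Authentication Details",
            "Authorization Details", "RADIUS Attributes"}
CLIENT_RE = re.compile(r"^Client (\S+), (.*)$")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(.*?)\s*$")


def parse_clients_detail(text: str) -> List[dict]:
    """Parse 'show port-access clients ... detail' output into one dict per client."""
    clients: List[dict] = []
    client: Optional[dict] = None
    section: Optional[str] = None
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            client = {"mac": m.group(1), "identity": m.group(2).strip(),
                      "sections": {}, "role": None, "radius_overridden": False}
            clients.append(client)
            section = None
            continue
        if client is None:
            continue                      # banner lines before the first client
        stripped = line.strip()
        if not stripped or set(stripped) <= {"-", "="}:
            continue                      # blank rows and underline rows
        if stripped in SECTIONS:
            section = stripped
            continue
        m = KV_RE.match(line)
        if not m or section is None:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "RADIUS Role Name":
            # The banner says RADIUS-overridden roles carry a trailing '*'.
            client["radius_overridden"] = value.endswith("*")
            client["role"] = value.rstrip("*") or None
        else:
            client["sections"].setdefault(section, {})[key] = value
    return clients


def triage(client: dict) -> List[str]:
    """Return findings about one client's authentication/authorization state."""
    findings: List[str] = []
    sess = client["sections"].get("Session Details", {})
    auth = client["sections"].get("Authentication Details", {})
    authz = client["sections"].get("Authorization Details", {})
    attrs = client["sections"].get("RADIUS Attributes", {})
    role = client["role"]
    if "Authenticated" not in auth.get("Status", ""):
        findings.append("client is not authenticated")
    if authz.get("Status") != "Applied":
        findings.append("authorization was not applied")
    if role is None:
        findings.append("no user role is attached to the session")
    elif role.startswith("RADIUS_"):
        # Assumption (not stated in the thread): a RADIUS_<number> name is a role the
        # switch synthesised from the returned attributes, not one an administrator
        # defined, so nobody has reviewed the traffic rules it carries.
        findings.append(f"role {role} looks switch-generated from RADIUS attributes "
                        f"({', '.join(attrs) or 'none'}); no administrator-defined role was returned")
    if client["radius_overridden"]:
        findings.append(f"role {role} was overridden by RADIUS")
    if not sess.get("IPv4 Address"):
        findings.append("switch has not learned an IPv4 address for this client")
    return findings


if __name__ == "__main__":
    for c in parse_clients_detail(SAMPLE_OUTPUT):
        print(f"{c['mac']} ({c['identity']}) on {c['sections']['Session Details']['Port']}")
        for finding in triage(c):
            print("  -", finding)
```

Run against the thread's own output, the script reports that the session is authenticated and authorized but that the only role present is `RADIUS_3226739997`, alongside a single returned attribute (`Framed-MTU`), which is the gap reply 12 points at: no administrator-defined role with traffic rules came back in the RADIUS response. Feed it `No port-access clients found.` and it returns an empty list, matching reply 9.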



  • 13.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 19, 2024 11:20 AM

    How can I obtain the information you requested on the 2530?




  • 14.  RE: ArubaOS-CX issue with dot1.x traffic to internet

    Posted Mar 21, 2024 01:34 AM

    I don't see any assigned role in the configuration on the RADIUS server, nor on the switch port after the authentication.