Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Best Practices for Configuring 802.1X and MAC Authentication with Aruba Switches and ClearPass, Considering Unmanaged Switches

  • 1.  Best Practices for Configuring 802.1X and MAC Authentication with Aruba Switches and ClearPass, Considering Unmanaged Switches

    Posted Mar 19, 2024 05:08 PM

    Hello Community

    After recently upgrading our network with Aruba 6200 Access Switches and 6300 Core Switches, managed via Aruba Central with the Multi-Edit feature, we're integrating ClearPass to implement both 802.1X (Dot1X) and MAC Authentication to enhance our network's security and access control.

    Our network configuration is somewhat unique due to the inclusion of unmanaged switches at several workstations. This setup has necessitated specific adjustments to our managed switch configurations to accommodate the connectivity and authentication requirements of multiple devices through a single port. Specifically, we have set the client limit on our access switches to 20 (aaa authentication port-access client-limit 20) to manage the devices connected via unmanaged switches effectively.

    Despite this adjustment, we're encountering challenges with inconsistent authentication behaviors, particularly where Dot1X and MAC Authentication are concerned. Below is our current configuration for the managed switches:

    no shutdown
    no routing
    description Access
    vlan access xxx
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    loop-protect
    rate-limit broadcast 1000 kbps
    rate-limit multicast 10000 kbps
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 20
    port-access onboarding-method concurrent enable
    port-access security violation action shutdown auto-recovery enable
    port-access security violation action shutdown recovery-timer 600
    port-access allow-flood-traffic enable
    aaa authentication port-access dot1x authenticator
        reauth
        eapol-timeout 7
        initial-auth-response-timeout 20
        max-eapol-requests 3
        max-retries 3
        reauth-period 200
        discovery-period 7
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        reauth
        reauth-period 200
        enable

    Given the mixed environment of managed and unmanaged switches, we're seeking insights on optimizing our setup to ensure consistent and secure authentication across all devices. Is there a better approach to handling authentication in such a scenario, or does the presence of unmanaged switches necessitate a reconsideration of our network design?

    We appreciate any shared experiences, advice, or configuration recommendations that could help us improve our network's reliability and security.

    Thank you for your valuable insights


    Kind Regards
    Dia
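    Added example, not code from this thread or from HPE: a small Python parser for an AOS-CX-style interface block like the one quoted above. It pulls the port-access settings into a structure and lists the ports that admit more than one client, which is exactly where an unmanaged switch sits and where authentication state is worth inventorying first. The sample config, the port names and the assumption that client-limit defaults to 1 when unset are constructed for the example.

```python
import re

# Constructed sample in AOS-CX running-config style: port 1/1/1 carries the post's
# settings (client-limit 20 for a downstream unmanaged switch), port 1/1/2 is an
# ordinary single-client 802.1X port for contrast.
SAMPLE_CONFIG = """\
interface 1/1/1
    aaa authentication port-access client-limit 20
    port-access allow-flood-traffic enable
    aaa authentication port-access dot1x authenticator
        reauth-period 200
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        reauth-period 200
interface 1/1/2
    aaa authentication port-access dot1x authenticator
        enable
"""

def parse_port_access(config):
    """Map each interface to its client limit, flood setting and the dot1x /
    mac-auth sub-blocks. Hypothetical parser; client-limit 1 assumed as default."""
    ports, iface, section = {}, None, None
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if line.startswith("interface "):
            iface, section = line.split()[1], None
            ports[iface] = {"client_limit": 1, "allow_flood": False, "dot1x": {}, "mac_auth": {}}
        elif iface and indent >= 8 and section:
            # nested line: "reauth-period 200" -> 200, bare keyword such as "enable" -> True
            key, _, val = line.partition(" ")
            ports[iface][section][key] = int(val) if val.isdigit() else True
        elif iface:
            section = None
            m = re.match(r"aaa authentication port-access client-limit (\d+)$", line)
            if m:
                ports[iface]["client_limit"] = int(m.group(1))
            elif line == "port-access allow-flood-traffic enable":
                ports[iface]["allow_flood"] = True
            elif line.endswith("dot1x authenticator"):
                section = "dot1x"
            elif line.endswith("port-access mac-auth"):
                section = "mac_auth"
    return ports

def multi_client_ports(ports):
    """Ports admitting more than one client (the unmanaged-switch pattern), with the
    reauth period each method applies there; review these ports first."""
    return [{"port": n, "client_limit": p["client_limit"], "allow_flood": p["allow_flood"],
             "dot1x_reauth": p["dot1x"].get("reauth-period"),
             "mac_reauth": p["mac_auth"].get("reauth-period")}
            for n, p in sorted(ports.items()) if p["client_limit"] > 1]
```

    Running `multi_client_ports(parse_port_access(SAMPLE_CONFIG))` returns only port 1/1/1, with its client limit, flood setting and both reauth periods, so the same call on a full running-config gives the short list of ports to compare against ClearPass session data.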



  • 2.  RE: Best Practices for Configuring 802.1X and MAC Authentication with Aruba Switches and ClearPass, Considering Unmanaged Switches

    EMPLOYEE
    Posted 28 days ago

    The use of unmanaged switches is not recommended, and it may indeed affect reliability, as a physical link coming up (and going down on a disconnect) helps the clients and the switch synchronize 802.1X and MAC Authentication, and the failover between those.

    It would really help to get clear, more specifically, what behavior you see and what the conditions are when you get clients authenticated in a different state than desired, and from there see if changing the port-access timers/parameters can help to resolve those conditions. I don't know a universal good working configuration for this situation. Working with your Aruba Partner or TAC may be useful.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------