Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass wired dot1x or MAC auth on AP switchport

  • 1.  ClearPass wired dot1x or MAC auth on AP switchport

    Posted Sep 14, 2022 10:53 AM

    Hi,

    I'm securing some switchports utilising 802.1X and MAC authentication. ClearPass is being used to profile the MAC auth devices. Some of the MAC auth devices are Aruba APs, and some of the APs broadcast a number of SSIDs which utilise different VLANs, hence the switchport the AP is patched into is configured as a trunk.

    This post shows how to do this for ArubaOS switches. Any tips on how to do this on Comware 7 switches? Or CX switches?

    Cheers

    James



  • 2.  RE: ClearPass wired dot1x or MAC auth on AP switchport

    EMPLOYEE
    Posted Sep 15, 2022 06:17 AM
    Check the wired policy enforcement technote, as it covers AOS-S, CX, Comware and Cisco switches.
    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: ClearPass wired dot1x or MAC auth on AP switchport

    Posted Sep 15, 2022 06:32 AM
    Hi, I'm not sure that the solution guide shows how to secure a trunk port with an AP attached. Can you clarify which part shows that?


  • 4.  RE: ClearPass wired dot1x or MAC auth on AP switchport

    EMPLOYEE
    Posted Sep 15, 2022 07:14 AM
    It should be there somewhere.
    But for CX switches, basically you can do it either with LUR or DUR.
    As an example using LUR, the main component of it is the "port-access role"; this is the user-role that is sent from CPPM.
    So here in this example CPPM is sending Aruba-user-role = IAP-1x

    =======
    port-access role IAP-1x
        description LUR-for-IAPs
        associate policy InstantAP-Pol
        poe-priority critical
        auth-mode device-mode    <<<<
        trust-mode dscp
        vlan trunk native 20    <<<< IAP is on the native VLAN and the tagged VLANs are for the WLANs
    =======


    Setting auth-mode = device-mode means that the first client authentication on the port defines the access for all clients on that port. So, if there are additional clients on the same port, they 'piggyback' on the access of the first device. So in most cases, if we authenticate the Instant AP, we don't want the switch to authenticate clients that are connecting to the AP, because the AP already authenticated them.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------
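
A fuller AOS-CX configuration around the LUR shown in the reply above, added here as an illustration; it is not taken from the thread or from the HPE Aruba technote. The RADIUS server address and secret, the server-group name "clearpass", interface 1/1/10, and VLANs 20 (AP management, native) and 30/40 (WLAN VLANs, tagged) are assumed values. The global AAA and interface commands are written from memory of AOS-CX 10.x and should be checked against the CLI reference for the firmware actually in use; only the port-access role itself mirrors the reply.

```text
! --- RADIUS / ClearPass (assumed address and secret) ---
radius-server host 10.10.10.5 key plaintext ExampleSharedSecret
aaa group server radius clearpass
    server 10.10.10.5

! --- enable the two authentication methods globally ---
aaa authentication port-access dot1x authenticator radius server-group clearpass
aaa authentication port-access mac-auth radius server-group clearpass
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable

! --- the LUR; its name must match the Aruba-User-Role VSA value returned by CPPM ---
! (ClearPass enforcement profile: RADIUS, Aruba VSA Aruba-User-Role = IAP-1x)
port-access role IAP-1x
    description LUR-for-IAPs
    associate policy InstantAP-Pol
    poe-priority critical
    auth-mode device-mode
    trust-mode dscp
    vlan trunk native 20          ! AP management VLAN, untagged towards the AP
    vlan trunk allowed 20,30,40   ! WLAN VLANs the AP tags its SSIDs into (assumed IDs)

! --- the AP-facing port: 802.1X first, fall back to MAC auth (assumed port number) ---
interface 1/1/10
    description Instant-AP
    no shutdown
    aaa authentication port-access auth-precedence dot1x mac-auth
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
```

Two points worth checking on a real deployment. First, the whole trunk is opened on the strength of the AP's own authentication, and every wireless client behind it inherits that access, so if the AP is admitted by MAC auth alone, a device spoofing the AP's MAC on that port gets the same trunk; where the AP model supports it, authenticating the AP's uplink with 802.1X (the "IAP-1x" name in the reply suggests that intent) makes the piggybacking far harder to abuse. Second, confirm with `show port-access clients interface 1/1/10` that the role applied is IAP-1x and that the port is in device-mode rather than client-mode, since a client-mode port with the same role would try to authenticate each wireless user's MAC at the switch as well.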



  • 5.  RE: ClearPass wired dot1x or MAC auth on AP switchport

    Posted Sep 15, 2022 07:40 AM
    That's great! Thank you.

    Any tips on how to do this on a Comware 7 switch?