G'day all,
I'm working with a customer setting up Aruba Central and dot1x. All switches are managed by Central. Dot1x works well for clients that should be able to authenticate. However, for wired clients not supporting dot1x, we want them to end up in the guest role, but they are not getting access to the network.
Here is my role and policy config:
class ip any-any-class
    10 match any any any
port-access policy guest-policy
    10 class ip any-any-class
port-access role guest
    associate policy guest-policy
    auth-mode client-mode
    poe-priority low
    trust-mode none
    stp-admin-edge-port
    vlan access 500
In addition, the default vlan of a port is 500 and a reject-role of guest is configured on all copper interfaces:
interface 1/1/1
    no shutdown
    vlan access 500
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access critical-role guest
    aaa authentication port-access preauth-role pre_auth
    aaa authentication port-access reject-role guest
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        enable
    loop-protect
exit
When a non-dot1x client plugs into the switch, it fails auth as expected, but it never receives the guest role, and whilst it is in vlan 500, it cannot communicate with the outside world and never gets an IP address from DHCP. If I remove dot1x from the port and connect the client, it gets an IP in vlan 500 and all is well.
Below you see the output from show port-access clients:
Status Codes: d device-mode, c client-mode, m multi-domain
--------------------------------------------------------------------------------------------------------
  Port    MAC-Address        Onboarding  Status    Role          Device Type
                             Method
--------------------------------------------------------------------------------------------------------
c 1/1/1   40:b0:aa:aa:aa:aa              Fail
I can see the mac-address of the client in the mac address table, but no access is available for the client.
Do you have any idea of what is going on? Why is the reject-role not being assigned as expected? Or is it a case of, since dot1x has failed, the port being completely unavailable to the client? Mind you, that would seem odd, as that would prevent such a guest scenario as we are discussing here.
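As an added example (not part of the original post, and not Aruba's own tooling), the following script parses the `show port-access clients` table from above and flags clients that are in the Fail state without any role, which is exactly the symptom described: the MAC is learned but no fallback role was applied. The sample table is constructed with the fixed-width column layout the switch prints, and column boundaries are taken from the header line rather than hard-coded.

```python
"""Flag 'show port-access clients' entries that failed auth and got no role."""
import re

# Constructed sample output (not captured from the switch). Port 1/1/1 is the
# case from the thread: Fail with an empty Role column. The other two rows
# show what a healthy dot1x client and a mac-auth client in a reject-role
# would look like for comparison.
SAMPLE = """\
Status Codes: d device-mode, c client-mode, m multi-domain
--------------------------------------------------------------------------------------------------------
  Port    MAC-Address        Onboarding  Status    Role          Device Type
                             Method
--------------------------------------------------------------------------------------------------------
c 1/1/1   40:b0:aa:aa:aa:aa              Fail
c 1/1/2   40:b0:bb:bb:bb:bb  dot1x       Success   employee
c 1/1/3   40:b0:cc:cc:cc:cc  mac-auth    Fail      guest
"""

COLUMNS = ["Port", "MAC-Address", "Onboarding", "Status", "Role", "Device Type"]
PORT_RE = re.compile(r"^\d+/\d+/\d+$")  # AOS-CX port names look like 1/1/1


def parse_clients(text):
    """Return one dict per client row, keyed by the column names above."""
    lines = text.splitlines()
    header = next((l for l in lines if "MAC-Address" in l), None)
    if header is None:
        return []
    # Column start offsets come from the header; the last column runs to EOL.
    starts = [header.index(name) for name in COLUMNS] + [None]
    clients = []
    for line in lines:
        fields = [line[a:b].strip() for a, b in zip(starts, starts[1:])]
        if not PORT_RE.match(fields[0]):
            continue  # legend, separators and header lines have no port here
        client = dict(zip(COLUMNS, fields))
        client["Codes"] = line[:starts[0]].strip()  # d / c / m status codes
        clients.append(client)
    return clients


def clients_without_fallback(clients):
    """Failed clients with an empty Role: no reject/critical role was applied."""
    return [c for c in clients if c["Status"] == "Fail" and not c["Role"]]


if __name__ == "__main__":
    for c in clients_without_fallback(parse_clients(SAMPLE)):
        print(f"{c['Port']} {c['MAC-Address']}: auth failed, no role assigned")
```

Feed it the real table (e.g. redirected from the CLI or pulled via Central) and any port it lists is one where a non-supplicant client is sitting with no role at all, rather than in the intended guest role.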