Good to hear, and lastly, you need 2x services in ClearPass that handle wired 802.1x and mac-auth.
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jun 08, 2023 06:27 AM
From: Jer.S
Subject: Is it possible to configure 802.1x and MAC port-access on the same port?
Thank you for your help,
I fixed it now. I have added two extra lines to the switch configuration that help by first trying 802.1x and, when it fails, falling back to MAC-auth.
- aaa port-access 1 auth-order authenticator mac-based
- aaa port-access 1 auth-priority authenticator mac-based
This also helped fix the problem that the MAC-auth service got triggered when an 802.1x auth request was sent to Clearpass. Now only the 802.1x service gets triggered.
Thank you all for your help!
Kind regards,
Jer
Original Message:
Sent: Jun 08, 2023 06:15 AM
From: cordless
Subject: Is it possible to configure 802.1x and MAC port-access on the same port?
[supplicant-timeout <1 - 300>]
Sets the period of time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)
[tx-period <0 - 65535>]
Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)
You have to have separate services for 802.1X and MAC Auth. Those are totally different techniques of authentication.
I would suggest reading the document "Wired Policy Enforcement (Solution Guide)", which you'll find here
https://arubanetworks.com/clearpassdocs
This is a step-by-step documentation. Also the AirHeads Broadcasting Channel is of high value - https://www.youtube.com/@AirheadsBroadcasting
Original Message:
Sent: Jun 08, 2023 02:11 AM
From: Jer.S
Subject: Is it possible to configure 802.1x and MAC port-access on the same port?
Hello Ariyap,
Yes, it is indeed a 2930F. Had to add that information in my original post. I am sorry.
Can you maybe explain what the 'tx-period' and 'supplicant-timeout' are for?
And then I have one more question. Is it possible to only have one service in Clearpass that handles 802.1x and mac-auth, instead of having two (one for 802.1x and one for mac-auth)? I have tried two services and it worked, but I was trying to do it with one service but then the mac-auth devices couldn't find a service to hit on.
Kind regards,
Jer
Original Message:
Sent: Jun 07, 2023 06:33 PM
From: ariyap
Subject: Is it possible to configure 802.1x and MAC port-access on the same port?
Which Aruba switch model is this? Is it 2930?
Anyway, for 2930F/M you need the following port level configuration
aaa port-access authenticator 3
aaa port-access authenticator 3 tx-period 10
aaa port-access authenticator 3 supplicant-timeout 10
aaa port-access authenticator 3 client-limit 5
aaa port-access authenticator active
aaa port-access mac-based 3-4
aaa port-access mac-based 3 addr-limit 4
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
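The port-level lines above and the `auth-order` / `auth-priority` lines from the reply at the top of the thread can be checked together across a saved configuration. The following is an added example, not part of any post in this thread and not Aruba tooling: a small audit that lists, per port, which methods are enabled and flags ports where both are on without an `auth-order` line. It assumes plain numeric port ids and only the command forms quoted in the thread; `audit` and `expand_ports` are hypothetical names.

```python
import re
from collections import defaultdict
# Constructed sample using only command forms quoted in this thread (numeric ports assumed).
SAMPLE_CONFIG = """\
aaa port-access authenticator 1
aaa port-access mac-based 1
aaa port-access 1 auth-order authenticator mac-based
aaa port-access 1 auth-priority authenticator mac-based
aaa port-access authenticator 3
aaa port-access authenticator 3 tx-period 10
aaa port-access authenticator active
aaa port-access mac-based 3-4
"""

LINE = re.compile(r"^aaa port-access (?:(authenticator|mac-based) )?([\d,-]+)(?: (.+))?$")

def expand_ports(spec):
    """Expand a numeric port list such as '3-4' or '1,3-4' into single ports."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config):
    """Return {port: [findings]} for every port with a port-access method enabled."""
    methods, ordered = defaultdict(set), set()
    active = re.search(r"^\s*aaa port-access authenticator active\s*$", config, re.M)
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # global line (e.g. 'authenticator active') or unrelated
        method, spec, rest = m.groups()
        for port in expand_ports(spec):
            if method and rest is None:        # bare form enables the method
                methods[port].add(method)
            elif rest and rest.startswith("auth-order "):
                ordered.add(port)
    report = {}
    for port, enabled in sorted(methods.items()):
        findings = []
        if enabled == {"authenticator", "mac-based"} and port not in ordered:
            findings.append("both methods enabled, no auth-order line")
        if enabled == {"mac-based"}:
            findings.append("mac-based only, no 802.1X on this port")
        if "authenticator" in enabled and not active:
            findings.append("'authenticator active' missing")
        report[port] = findings
    return report
```

On the constructed sample, port 1 comes back clean, port 3 is flagged for the missing `auth-order` line, and port 4 is reported as MAC-auth only.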
Original Message:
Sent: Jun 07, 2023 07:33 AM
From: Jer.S
Subject: Is it possible to configure 802.1x and MAC port-access on the same port?
Thank you,
This is what I was searching for. I just tried it and it doesn't work. It doesn't let me configure mac-based auth on the port when 802.1x is already configured. Are there any solutions for this? And as an extra question: can I configure one service in Clearpass to handle 802.1x and MAC or do I need two separate services? I have tried to do it with one service, but when I try to authenticate an 802.1x supplicant, Clearpass gives back this error (can be seen in the picture below) and sends back [deny access profile].
These are the rolemapping and enforcement policy used in the service;
Original Message:
Sent: Jun 07, 2023 07:02 AM
From: cordless
Subject: Is it possible to configure 802.1x and MAC port-access on the same port?
When I get it right, MACSec is not requested.
Yes you can combine 802.1X & MAC auth
See here for CLI Config - https://ase.arubanetworks.com/solutions/id/137
You can login with your Community Account credentials.
Original Message:
Sent: Jun 07, 2023 03:52 AM
From: Jer.S
Subject: Is it possible to configure 802.1x and MAC port-access on the same port?
Hello everyone,
I am trying to configure an ArubaOS switch to work with downloadable user roles. I am stuck on the following point:
How do I configure a port to allow 802.1x and MAC authentication when a device connects to the port?
I want the switch to be configured so that when a device connects that is capable of 802.1x auth, it can do 802.1x, and when a device connects that can't do 802.1x, it uses MAC auth to authenticate. Is this possible?
And one more question, is it possible to make one service in Clearpass to do 802.1x (for example EAP-TLS) and mac-auth? Because when I do this, an 802.1x seems to authenticate using MAC auth when I look in the access tracker...
Kind regards,
Jer