Wired Intelligent Edge


Is it possible to configure 802.1x and MAC port-access on the same port?

  • 1.  Is it possible to configure 802.1x and MAC port-access on the same port?

    Posted Jun 07, 2023 03:52 AM

    Hello everyone,

    I am trying to configure an ArubaOS switch to work with downloadable user roles. I am stuck on the following point:

    How do I configure a port to allow 802.1x and MAC authentication when a device connects to the port?

    I want the switch configured so that when a device capable of 802.1X auth connects, it does 802.1X, and when a device that can't do 802.1X connects, it uses MAC auth to authenticate. Is this possible?

    And one more question: is it possible to make one service in ClearPass do both 802.1X (for example EAP-TLS) and MAC auth? Because when I do this, an 802.1X device seems to authenticate using MAC auth when I look in the Access Tracker...


    Kind regards,

    Jer




  • 3.  RE: Is it possible to configure 802.1x and MAC port-access on the same port?

    EMPLOYEE
    Posted Jun 07, 2023 07:03 AM

    If I understand correctly, MACsec is not required.

    Yes, you can combine 802.1X and MAC auth.

    See here for CLI Config - https://ase.arubanetworks.com/solutions/id/137

    You can login with your Community Account credentials.




  • 4.  RE: Is it possible to configure 802.1x and MAC port-access on the same port?

    Posted Jun 07, 2023 07:34 AM

    Thank you,

    This is what I was searching for. I just tried it and it doesn't work. It doesn't let me configure MAC-based auth on the port when 802.1X is already configured. Are there any solutions for this? And as an extra question: can I configure one service in ClearPass to handle both 802.1X and MAC, or do I need two separate services? I have tried to do it with one service, but when I try to authenticate an 802.1X supplicant, ClearPass gives back the error shown in the picture below and sends back [deny access profile].

    These are the role mapping and enforcement policy used in the service:






  • 5.  RE: Is it possible to configure 802.1x and MAC port-access on the same port?
    Best Answer

    EMPLOYEE
    Posted Jun 07, 2023 06:34 PM

    Which Aruba switch model is this? Is it a 2930?

    Anyway, for the 2930F/M you need the following port-level configuration:

    aaa port-access authenticator 3
    aaa port-access authenticator 3 tx-period 10
    aaa port-access authenticator 3 supplicant-timeout 10
    aaa port-access authenticator 3 client-limit 5
    aaa port-access authenticator active
    aaa port-access mac-based 3-4
    aaa port-access mac-based 3 addr-limit 4



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 6.  RE: Is it possible to configure 802.1x and MAC port-access on the same port?

    Posted Jun 08, 2023 02:11 AM

    Hello Ariyap,

    Yes, it is indeed a 2930F. I should have added that information to my original post. I am sorry.
    Can you maybe explain what the 'tx-period' and 'supplicant-timeout' are for?

    And then I have one more question. Is it possible to have only one service in ClearPass that handles both 802.1X and MAC auth, instead of two (one for 802.1X and one for MAC auth)? I have tried two services and it worked, but when I tried to do it with one service, the MAC-auth devices didn't match any service.

    Kind regards,

    Jer




  • 7.  RE: Is it possible to configure 802.1x and MAC port-access on the same port?

    EMPLOYEE
    Posted Jun 08, 2023 06:15 AM

    [supplicant-timeout <1 - 300>]

    Sets the period of time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)

    [tx-period <0 - 65535>]

    Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)

    You have to have separate services for 802.1X and MAC auth. Those are totally different authentication techniques.

    I would suggest reading the document "Wired Policy Enforcement (Solution Guide)", which you'll find here:

    https://arubanetworks.com/clearpassdocs

    This is step-by-step documentation. The AirHeads Broadcasting channel is also of high value: https://www.youtube.com/@AirheadsBroadcasting




  • 8.  RE: Is it possible to configure 802.1x and MAC port-access on the same port?

    Posted Jun 08, 2023 06:28 AM

    Thank you for your help,

    I fixed it now. I have added two extra lines to the switch configuration so that the switch first tries 802.1X and, when that fails, falls back to MAC auth.

    • aaa port-access 1 auth-order authenticator mac-based
    • aaa port-access 1 auth-priority authenticator mac-based

    This also fixed the problem that the MAC-auth service got triggered when an 802.1X auth request was sent to ClearPass. Now only the 802.1X service gets triggered.

    Thank you all for your help!

    Kind regards,

    Jer
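The port configuration assembled across the two posts above (802.1X authenticator plus MAC-based auth on the same port, with auth-order and auth-priority set to "authenticator mac-based") is easy to get half-done on a switch with many ports. The following is an added example, not code from this thread or from HPE Aruba: it parses a running-config excerpt written in the command syntax the thread shows and flags ports that have only one of the two methods, or that have both but are missing the auth-order/auth-priority lines. The sample config is constructed for the example; the parser assumes numeric port names and simple ranges such as 3-4 (stacked names like 1/3 are not handled), and the expected order "authenticator mac-based" is taken from the thread's conclusion.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Order the thread settles on: try 802.1X first, fall back to MAC auth.
EXPECTED_ORDER: Tuple[str, str] = ("authenticator", "mac-based")

# Constructed sample (not captured from a real switch), written in the command
# syntax shown in this thread. Ports 1 and 2 are 802.1X only, port 3 has both
# methods but lacks auth-priority, port 4 is MAC auth only.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1
aaa port-access authenticator 1 tx-period 10
aaa port-access authenticator 2
aaa port-access authenticator 3
aaa port-access authenticator 3 tx-period 10
aaa port-access authenticator 3 supplicant-timeout 10
aaa port-access authenticator 3 client-limit 5
aaa port-access authenticator active
aaa port-access mac-based 3-4
aaa port-access mac-based 3 addr-limit 4
aaa port-access 1 auth-order authenticator mac-based
aaa port-access 1 auth-priority authenticator mac-based
aaa port-access 3 auth-order authenticator mac-based
"""


@dataclass
class PortAccess:
    dot1x: bool = False                        # aaa port-access authenticator <port>
    mac_auth: bool = False                     # aaa port-access mac-based <port>
    tx_period: Optional[int] = None            # EAPOL retransmit interval, seconds
    supplicant_timeout: Optional[int] = None   # wait for the EAP response, seconds
    client_limit: Optional[int] = None
    addr_limit: Optional[int] = None
    auth_order: Optional[Tuple[str, str]] = None
    auth_priority: Optional[Tuple[str, str]] = None


RE_DOT1X = re.compile(
    r"^aaa port-access authenticator (\S+)"
    r"(?: (tx-period|supplicant-timeout|client-limit) (\d+))?$")
RE_MAC = re.compile(r"^aaa port-access mac-based (\S+)(?: addr-limit (\d+))?$")
RE_ORDER = re.compile(r"^aaa port-access (\S+) auth-(order|priority) (\S+) (\S+)$")


def expand_ports(spec: str) -> List[int]:
    """Expand a port spec such as '3', '3-4' or '1,3-4' into port numbers.
    Assumption: numeric port names only; stacked names like 1/3 are not handled."""
    ports: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def parse_port_access(config: str) -> Tuple[bool, Dict[int, PortAccess]]:
    """Return (authenticator globally active?, per-port settings)."""
    ports: Dict[int, PortAccess] = {}
    global_active = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa port-access authenticator active":
            global_active = True
            continue
        if m := RE_DOT1X.match(line):
            spec, key, val = m.groups()
            for n in expand_ports(spec):
                p = ports.setdefault(n, PortAccess())
                p.dot1x = True
                if key:  # tx-period / supplicant-timeout / client-limit
                    setattr(p, key.replace("-", "_"), int(val))
        elif m := RE_MAC.match(line):
            spec, limit = m.groups()
            for n in expand_ports(spec):
                p = ports.setdefault(n, PortAccess())
                p.mac_auth = True
                if limit:
                    p.addr_limit = int(limit)
        elif m := RE_ORDER.match(line):
            spec, kind, first, second = m.groups()
            for n in expand_ports(spec):
                setattr(ports.setdefault(n, PortAccess()), f"auth_{kind}", (first, second))
    return global_active, ports


def audit(config: str) -> List[str]:
    """Flag ports that will not behave as 'try 802.1X, then fall back to MAC auth'."""
    global_active, ports = parse_port_access(config)
    findings: List[str] = []
    if not global_active:
        findings.append("global: 'aaa port-access authenticator active' is missing; "
                        "802.1X is configured but not enforced on any port")
    want = " ".join(EXPECTED_ORDER)
    for n in sorted(ports):
        p = ports[n]
        if p.dot1x and p.mac_auth:
            if p.auth_order != EXPECTED_ORDER:
                findings.append(f"port {n}: auth-order is {p.auth_order}, expected '{want}'")
            if p.auth_priority != EXPECTED_ORDER:
                findings.append(f"port {n}: auth-priority is {p.auth_priority}, expected '{want}'")
        elif p.dot1x:
            findings.append(f"port {n}: 802.1X only; devices without a supplicant have no MAC-auth fallback")
        elif p.mac_auth:
            findings.append(f"port {n}: MAC auth only; supplicant-capable devices are never challenged with EAP")
        if not (p.dot1x and p.mac_auth) and (p.auth_order or p.auth_priority):
            findings.append(f"port {n}: auth-order/auth-priority set but only one method is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; on the constructed sample it reports ports 1 and 2 as 802.1X only, port 3 as missing auth-priority, and port 4 as MAC auth only.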




  • 9.  RE: Is it possible to configure 802.1x and MAC port-access on the same port?

    EMPLOYEE
    Posted Jun 09, 2023 09:12 PM

    Good to hear. And lastly, you need two services in ClearPass to handle wired 802.1X and MAC auth.


