HPE Community
Aruba & ProVision-based
1752643 Members
5721 Online
108788 Solutions
New Discussion

Re: HP 2530 802.1x Failback

 
Network59770
Occasional Visitor

‎07-20-2016 08:40 AM

‎07-20-2016 08:40 AM

HP 2530 802.1x Failback

Hi,

We are currently working on HP ClearPass solution for 802.1X authentication on our network.
We did some testing on 2530 series switches.

- Connecting users using 802.1x certificates was ok.
- Connecting users using MAC based authentication was fine also.
- Finaly, putting users in default guest vlan (200) when they didn't match any authentication method was also done without any issues.

The question is, in case of a failure on our ClearPass solution (that will become unreachable), is it possible to get some kind of failback configuration on our 2530 switch that will be different from putting users in our default guest vlan 200 (as when they are not authenticated by the solution) ?

Moreover, can we have a priority over the two types of authentication ? i.e can we configure 802.1x to be used first, and then MAC, and then default ?

Thanks,




 

0 Kudos
3 REPLIES 3
Mike_ES
Valued Contributor

‎07-21-2016 02:26 AM

‎07-21-2016 02:26 AM

Re: HP 2530 802.1x Failback


Hi,

For the switch 2530, AOS YA.15.10/YB.15.12


#Configure specified ports for authentication
aaa port-access authenticator 1-20

#Assign authenticated client VLAN to authenticator ports
aaa port-access authenticator 1-20 auth-vid 200

#Assign unauthenticated client VLAN to authenticator ports
aaa port-access authenticator 1-20 unauth-vid 100

Authenticated client VLAN:
- Authenticated clients not assigned a specific VLAN by the authentication server will be assigned to this VLAN, as well as clients connected when the server is unreachable if the appropriate backup authentication method is configured.
 
Unauthenticated client VLAN:
- Clients that fail authentication by the authentication server are assigned to this VLAN, as well as any clients attempting authentication when the server is unreachable and no backup method is configured.


Alle details yo ucan find in the Manual:

HPE ArubaOS-Switch Access Security Guide for YA/YB.16.01

Br,
Michal

0 Kudos
TerjeAFK
Respected Contributor

‎07-21-2016 04:34 AM

‎07-21-2016 04:34 AM

Re: HP 2530 802.1x Failback

We have started working on the same solution as you, and this is the config we have been using so far:

radius-server host x.x.x.x key secretkey
radius-server host x.x.x.x dyn-authorization
radius-server host x.x.x.y key secretkey
radius-server host x.x.x.y dyn-authorization
aaa server-group radius "ClearPass" host x.x.x.x
aaa server-group radius "ClearPass" host x.x.x.y
aaa accounting update periodic 2
aaa authentication port-access eap-radius server-group "ClearPass"
aaa authentication mac-based chap-radius server-group "ClearPass"
aaa port-access authenticator 1-24
aaa port-access authenticator 1-24 client-limit 1
aaa port-access mac-based 1-24
aaa port-access mac-based 1-24 unauth-vid 200
aaa port-access authenticator active

With this config the switch will first try 802.1X authentication and then MAC authentication. We use 802.1X for PCs and thin clients and MAC auth for IP telephones (which don't have 802.1X support).

We have not specified any auth-vid in our switch config since we want ClearPass to return the correct VLAN id for all authentications. For redundancy we use a ClearPass cluster. Not sure if you can have some kind of local fallback.

 

0 Kudos
Mike_ES
Valued Contributor

‎07-21-2016 05:37 AM

‎07-21-2016 05:37 AM

Re: HP 2530 802.1x Failback

We have not specified any auth-vid in our switch config since we want ClearPass to return the correct VLAN id for all authentications. For redundancy we use a ClearPass cluster. Not sure if you can have some kind of local fallback.

 

Both authenticated client VLAN and unauthenticated client VLAN works for local fallback scenario, when Radius server is unreachable. When your ClearPass Radius is reachable and gives vlans dynamically, it has priority over all static configured vlans on the ports.

When ClearPass is unreachable, defined vlans (both unauth-vid and auth-vid) takes precedence over 802.1x configured port. Both types of defined static vlans has different purpose, in other words: for already authenticated clients and for clients attempting to be authenticated. It works with Radius service tracking, please see page no. 48 from documentation: "HPE ArubaOS-Switch Access Security Guide for YA/YB.16.01".

Michal

 

The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.