Aruba & ProVision-based

Local port security for access point - Aruba switch

 
mstezowski
Occasional Collector

Local port security for access point - Aruba switch

HI, 

I'm trying to secure ports in the switch for an access point. In my case, I want to avoid RADIUS authentication.

In Security Guide, found a software feature called Local Mac Authentication. (Chapter 7 - Aruba 2930F / 2930M Access Security Guide for ArubaOS-Switch 16.10)

Topology:

Switch_Port9 ----- Access Point------Phone

Configuration switch:

aaa port-access local-mac profile "wifi"
vlan tagged 20
vlan untagged 9
exit
aaa port-access local-mac apply profile "wifi" mac-addr dc8c37-78f8e4    //mac address AP
aaa port-access local-mac 9
aaa port-access local-mac 9 addr-limit 256
aaa port-access local-mac 9 unauth-vid 110          //vlan 110 - guest vlan

Description:

When I plug something in port 9, that it doesn't have MAC address dc8c37-78f8e4, switch allocate to vlan 110 - good.

When I plug the correct AP, switch allocate to untagged vlan 9, and tagged 20 - good.

When I try to connect to my SSID (vlan 20) - the phone never gets an IP.

Reason: LMA block not authorize MAC address (phone)

Question:

  1. Using LMA, is it possible to secure the port without limiting the operation of the access point?
  2. If not LMA. How do I secure the ports on the switch so that an access point can be connected to it? Can this be done without using an external authenticator?
  3. Where can I find a simple instruction for implementing 802.1x on a switch for an access point?

 

 

4 REPLIES 4
Emil_G
HPE Pro

Re: Local port security for access point - Aruba switch

Hello,

I think you need the feature that is called "port-mode" or "port-based" authentication. When the authentication is configured in port-mode, after the succesful authentication of one user the port is opened for all users. In user-mode on the contrary when a user authenticates the port allows only traffic with the source mac of this user, all other macs are blocked.

For 802.1x you configure port-based mode by disabling the client limit (no client-limit), for RADIUS based MAC authentication it is done by a special VSA returned by the RADIUS server.

I think with local MAC it should be possible to do this if you are using a user-role instead of profile. You can use either profile or user-role for configuring the authorization attributes (VLAN, cos, etc)

LeftAcessSw(config)# aaa port-access local-mac apply ?
profile Enter a profile.
user-role Enter a user role.

And as an attribute of a local user-role you can specify port-mode

LeftAcessSw(config)# aaa authorization user-role name User1 device port-mode

Here are the other options of a user-role

LeftAcessSw(config)# aaa authorization user-role name User1 ?
cached-reauth-period The value indicates the period in seconds, during which
cached reauthentication is allowed on the port.
captive-portal-pro... Assign a captive portal profile for this role.
device Set the device specific configuration in user-role.
logoff-period The inactivity period in seconds with either 0 or
60-9999999 for the authenticated client for an implicit
logoff.
policy Set a user policy for this role.
reauth-period Set the reauthentication period in seconds or 0 to
disable.
tunneled-node-serv... Configures traffic redirect to user-based tunnel.
vlan-id Set the untagged VLAN that users will be assigned to.
vlan-id-tagged Set the tagged VLAN that users will be assigned to.
vlan-name Set the untagged VLAN name that users will be assigned
to.
vlan-name-tagged Set the tagged VLAN name that users will be assigned to.
<cr>

You will have to enable user-roles on the switch globally for this to work (aaa authorization user-role enable) and this introduces some restrictions and limitations regarding legacy security feautures. You can read more in the manual.

You can also use a device-profile instead of local-mac authentication, here you can also specify port-mode.

LeftAcessSw(config)# device-profile name AP mode ?
client-mode Configure the device connected port as client mode.
port-mode Configure the device connected port as port mode.

The configuration of device-profiles is also explained in the manual. If you are using LLDP OUI for device-identity you have to keep in mind that this is the OUI used in TLV 127 of the LLDP packet, not the OUI of the device mac.

This is the latest Access Security Guide for 2930 where you should be able to answer all your question.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091304en_us

 

I am an HPE employee

Accept or Kudo


Emil_G
HPE Pro

Re: Local port security for access point - Aruba switch

Where can I find a simple instruction for implementing 802.1x on a switch for an access point?

If you want to use 802.1x authentication for AP which is egressing the wireless traffic locally (not tunneling to any controller) like mentioned above you should configure 802.1x in port-mode. You are doing this by disabling the client limit. Here an example (this is only port configuration, skipping RADIUS configuration and global 802.1x configuration as they are the same as for normal 802.1x users.

LeftAcessSw(config)# aaa port-access authenticator 1
LeftAcessSw(config)# no aaa port-access authenticator 1 client-limit

I am an HPE employee

Accept or Kudo


mstezowski
Occasional Collector

Re: Local port security for access point - Aruba switch

Thank you for showing the way.

Sadly when using LMA cannot enable Port-mode which is necessary for AP.

 

LMA  mWebAuth:Port 11, MAC dc8c37-78f8e4: user-role wifi-usr,
   Port-mode cannot be enabled during Local MAC Authentication.
 LMA  mWebAuth:Failed to apply user role 'wifi-usr' to lma
   client DC8C3778F8E4 on port 11: Port-Mode cannot be enabled with LMA.

 

 

Emil_G
HPE Pro

Re: Local port security for access point - Aruba switch

Hello, 

I am sorry, this was not obvious in the manual and I didnt have to do it by now. Please have a look at the device-profile option and test if it will allow to specify port-mode.

If I am not wrong this switch should support 802.1x authentication without RADIUS server, that means using local-users on the switch itself. So maybe this would be another option. 

LeftAcessSw(config)# aaa authentication port-access ?
local Use local switch user/password database.
eap-radius Use EAP capable RADIUS server.
chap-radius Use CHAP (MD5) capable RADIUS server.

Unfortunately I dont have experience with it and cannot find config examples.

I am an HPE employee

Accept or Kudo