03-03-2021 09:01 AM
Local port security for access point - Aruba switch
Hi,
I'm trying to secure ports on the switch for an access point. In my case, I want to avoid RADIUS authentication.
In the Security Guide, I found a software feature called Local MAC Authentication (Chapter 7 - Aruba 2930F / 2930M Access Security Guide for ArubaOS-Switch 16.10).
Topology:
Switch_Port9 ----- Access Point------Phone
Configuration switch:
aaa port-access local-mac profile "wifi"
vlan tagged 20
vlan untagged 9
exit
aaa port-access local-mac apply profile "wifi" mac-addr dc8c37-78f8e4 //mac address AP
aaa port-access local-mac 9
aaa port-access local-mac 9 addr-limit 256
aaa port-access local-mac 9 unauth-vid 110 //vlan 110 - guest vlan
Description:
When I plug something into port 9 that doesn't have MAC address dc8c37-78f8e4, the switch allocates it to VLAN 110 - good.
When I plug in the correct AP, the switch allocates it to untagged VLAN 9 and tagged VLAN 20 - good.
When I try to connect to my SSID (VLAN 20), the phone never gets an IP.
Reason: LMA blocks the MAC address that is not authorized (the phone).
Question:
- Using LMA, is it possible to secure the port without limiting the operation of the access point?
- If not LMA, how do I secure the ports on the switch so that an access point can be connected to them? Can this be done without using an external authenticator?
- Where can I find simple instructions for implementing 802.1x on a switch for an access point?
03-03-2021 11:07 PM - edited 03-03-2021 11:18 PM
Re: Local port security for access point - Aruba switch
Hello,
I think you need the feature that is called "port-mode" or "port-based" authentication. When the authentication is configured in port-mode, after the successful authentication of one user the port is opened for all users. In user-mode, on the contrary, when a user authenticates the port allows only traffic with the source MAC of this user; all other MACs are blocked.
For 802.1x you configure port-based mode by disabling the client limit (no client-limit); for RADIUS-based MAC authentication it is done by a special VSA returned by the RADIUS server.
I think with local MAC it should be possible to do this if you are using a user-role instead of a profile. You can use either a profile or a user-role for configuring the authorization attributes (VLAN, CoS, etc.).
LeftAcessSw(config)# aaa port-access local-mac apply ?
profile Enter a profile.
user-role Enter a user role.
And as an attribute of a local user-role you can specify port-mode
LeftAcessSw(config)# aaa authorization user-role name User1 device port-mode
Here are the other options of a user-role
LeftAcessSw(config)# aaa authorization user-role name User1 ?
cached-reauth-period The value indicates the period in seconds, during which
cached reauthentication is allowed on the port.
captive-portal-pro... Assign a captive portal profile for this role.
device Set the device specific configuration in user-role.
logoff-period The inactivity period in seconds with either 0 or
60-9999999 for the authenticated client for an implicit
logoff.
policy Set a user policy for this role.
reauth-period Set the reauthentication period in seconds or 0 to
disable.
tunneled-node-serv... Configures traffic redirect to user-based tunnel.
vlan-id Set the untagged VLAN that users will be assigned to.
vlan-id-tagged Set the tagged VLAN that users will be assigned to.
vlan-name Set the untagged VLAN name that users will be assigned
to.
vlan-name-tagged Set the tagged VLAN name that users will be assigned to.
<cr>
You will have to enable user-roles on the switch globally for this to work (aaa authorization user-role enable), and this introduces some restrictions and limitations regarding legacy security features. You can read more in the manual.
You can also use a device-profile instead of local-mac authentication, here you can also specify port-mode.
LeftAcessSw(config)# device-profile name AP mode ?
client-mode Configure the device connected port as client mode.
port-mode Configure the device connected port as port mode.
The configuration of device-profiles is also explained in the manual. If you are using LLDP OUI for device-identity you have to keep in mind that this is the OUI used in TLV 127 of the LLDP packet, not the OUI of the device mac.
This is the latest Access Security Guide for the 2930, where you should be able to find answers to all your questions.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091304en_us
03-03-2021 11:40 PM
Re: Local port security for access point - Aruba switch
Where can I find a simple instruction for implementing 802.1x on a switch for an access point?
If you want to use 802.1x authentication for an AP which is egressing the wireless traffic locally (not tunneling to any controller), as mentioned above, you should configure 802.1x in port-mode. You do this by disabling the client limit. Here is an example (this is only the port configuration, skipping the RADIUS configuration and global 802.1x configuration as they are the same as for normal 802.1x users).
LeftAcessSw(config)# aaa port-access authenticator 1
LeftAcessSw(config)# no aaa port-access authenticator 1 client-limit
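As an added example (not part of the thread), the reply above completed with the RADIUS and global parts it skips, using port 9 and guest VLAN 110 from the original question; the RADIUS server address and shared key are placeholders.

```text
; Added example, not from the thread: RADIUS address and key are placeholders
radius-server host 192.0.2.10 key "SECRET-PLACEHOLDER"
aaa authentication port-access eap-radius
; Port 9 is the AP port from the original question
aaa port-access authenticator 9
; No client limit = port-mode: once the AP authenticates, clients behind it
; are forwarded without being authenticated individually by the switch
no aaa port-access authenticator 9 client-limit
; Anything that fails or does not speak 802.1x lands in the guest VLAN 110
aaa port-access authenticator 9 unauth-vid 110
; Enable the authenticator globally
aaa port-access authenticator active
; Check which supplicant opened the port and its current state
show port-access authenticator 9 clients
```

In port-mode the switch no longer checks the wireless clients' MAC addresses, so the AP's own WLAN security is what controls them.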
03-04-2021 02:29 AM
Re: Local port security for access point - Aruba switch
Thank you for showing the way.
Sadly, when using LMA I cannot enable port-mode, which is necessary for the AP.
LMA mWebAuth:Port 11, MAC dc8c37-78f8e4: user-role wifi-usr,
Port-mode cannot be enabled during Local MAC Authentication.
LMA mWebAuth:Failed to apply user role 'wifi-usr' to lma
client DC8C3778F8E4 on port 11: Port-Mode cannot be enabled with LMA.
03-04-2021 05:09 AM
Re: Local port security for access point - Aruba switch
Hello,
I am sorry, this was not obvious in the manual and I haven't had to do it so far. Please have a look at the device-profile option and test whether it allows you to specify port-mode.
If I am not wrong, this switch should support 802.1x authentication without a RADIUS server, that means using local users on the switch itself. So maybe this would be another option.
LeftAcessSw(config)# aaa authentication port-access ?
local Use local switch user/password database.
eap-radius Use EAP capable RADIUS server.
chap-radius Use CHAP (MD5) capable RADIUS server.
Unfortunately I don't have experience with it and cannot find config examples.
© Copyright 2021 Hewlett Packard Enterprise Development LP