Aruba & ProVision-based
cancel
Showing results for 
Search instead for 
Did you mean: 

Question about securing access points on edge-port.

 
BrackeKommun
Occasional Advisor

Question about securing access points on edge-port.

Problem:
I’m about to roll out wired 802.1x with Mac-auth as secondary and I have trouble securing edge-port to AP (Access Point). I have tried only mac-auth even with mixed-mode.
I can make the switch to allow the AP and dynamically configure vlan on the edge-port BUT the switch will just block all wireless devices on the two 802.1x protected VSC’s that is connected to separate egress-vlan to the local network. Debugging the switch says rejected during demux, known unauth client; If I allow mixed-mode.
The guest VSC just works fine because it’s using AP tunnel to the controller-team. So the switch can’t see guest’s mac-addresses.

Question:
Cisco’s solution is with smart-port and just disables 802.1x and trunk with their APs when detected on an edge-port. Is there a similar way with HP’s procurve?
If not; How and is there a way to configure security on edge-port to an AP? Some AP’s can be disconnected and a user can make use of the port and I want to lock it down so it can’t be used unlawfully. My users are creative and will test it for sure, I know… Sometimes I wish I could use glue, but then they will just break it…

Background:
Working for a small municipality in Sweden and have mostly (99,9%) HP networking spread across 6 location and small satellites with a single routing-domain spanning it all. Each site has different vlan-id and netword-id. User base is about 800 employee and 300 elementary students.
I have around 140 msm422, 430 and 460 controlled by an msm765zl team with 3 VSC on all AP’s. Two 802.1x protected and 1 open guest VSC. Guest VSC uses the AP tunnel to the controller that’s ending up on the limited guest-net. The other two VSC egress to each tagged vlan on the switches to the local networks. Edge-switches are a mix between HP Procurve 2600 and HP Procurve 2900 series. Most of switches to AP have PoE and running the latest firmware, same to MSM AP and Controllers.
Radius servers are Windows 2012 R2 with “expanded” support for RFC4675, So I can push out tagged vlan, soon hopefully even ACL’s.