Re: Aruba IAP 305 with HP IMC UAM Mac-based Authentication

Moewa
Occasional Advisor

Aruba IAP 305 with HP IMC UAM Mac-based Authentication

Hello Guys,

We are actually facing an issue for which I am still not able to find a solution.

Since 2012 we have been using an HP830 controller with MSM460 and MSM560 APs. As we found out last year, this controller/AP setup is deprecated, and we are now using Aruba IAP 305 for our WLAN environment at a few sites.

With our old setup, we used MAC-based authentication with IMC UAM for the MSM APs themselves to get them connected to our network and put them in our AP VLAN (we could also have used certificates for that; the handling from the IMC/UAM point of view would be the same).

The problem now is that with the old setup, the MSM APs redirected their traffic through the HP830 controller, so we were able to authenticate the APs with their MAC against IMC/UAM and deploy their AP VLAN with an access policy. From the security point of view (ignoring at this point that MACs can be emulated) this was a safe way to keep any external device from connecting to our internal network, because if you had taken the network cable of an AP and plugged it into an external device, you would only have been put into a quarantine VLAN. At the moment I do not understand how we could keep this safety (we will improve it with certificates instead of MAC auth if possible) with the IAP 305s. Because we need trunk ports where the IAPs are connected, I do not see how we could use IMC/UAM to authenticate the APs themselves. The trunk ports are needed because every department has its own VLAN(s), and their devices are also authenticated with IMC/UAM when they try to connect via WLAN.

I hope you understand the issue here, that someone will have a solution for it, and that you will be gentle about my bad English. I understand it better than I speak or write it.

Daniel

NeilR
Esteemed Contributor

Re: Aruba IAP 305 with HP IMC UAM Mac-based Authentication

I've been using the MSM series and APs as well. I use the 802.1X supplicants (instead of MAC) in the APs and create a user/password for this in IMC. It looks like the IAP 305 has a supplicant option as well. You could have a unique ID for each or share the same one for all (make sure you set the login limit in IMC), depending on your need.

Your switches should be able to authenticate the AP on the trunk port and then use IMC to assign the needed VLANs as tagged to the port, using the access policy based on the user ID of the AP. I'm doing the same thing with the MSMs.

EDIT: Also note that if the switch port has a MAC client limit as part of 802.1X authentication, it will count the AP's clients against that limit. On ProCurve this occurs with mixed authentication.

Moewa
Occasional Advisor

Re: Aruba IAP 305 with HP IMC UAM Mac-based Authentication

Hi Neil,

Sorry for the late response; I was on holiday and then stuck in other projects.

I might have asked the wrong way. The authentication is not the problem. Luckily I found a question from you where you asked exactly what we'd need:

https://community.hpe.com/t5/IMC/Deploy-tagged-vlans-to-ports-with-UAM-as-part-of-a-service/m-p/6631682#M1528

The first problem I am facing with this: when using Egress-VLANID with max length 6, I do not get how we should insert our VLAN IDs there, whether using hex or decimal values. For example, our AP VLANs are 11 and 12. Correctly written as hex this would be 0x3200000B and 0x3200000C; in decimal it would be 822083595 and 822083596.

Second problem: it looks like we can only add 16 values for Access-Accept. But because of the multiple VLANs we are using for different departments, I need to tag 44 VLANs on AP ports, which looks impossible to me.

I also found a thread where you showed a screenshot with these settings:

https://community.hpe.com/t5/IMC/Deploy-tagged-vlans-to-ports-with-UAM-for-IP-Phone/td-p/6814369#.XZx-GU17kpQ

Sadly, you are able to use VLAN names instead of IDs. In our environment the names can differ, so we need to use the IDs...

I hope maybe you or another member here can help with this.

Regards

Daniel

NeilR
Esteemed Contributor

Re: Aruba IAP 305 with HP IMC UAM Mac-based Authentication

You definitely have a challenge if you need to deploy 44 VLANs to the uplink port of every AP. Do they all really need to be on EVERY AP in all locations?

If you were able to get down to different sets of 16, you could use user group, SSID or some other policy access condition to assign them.

It does look like the HP proprietary attribute 65 for the numbered egress ID is also used by Aruba IAPs, but the format of the hex string does seem at odds with the 6-digit limit.

Either this is a mistake, or it is the use of 5 hex digits (which is what it accepts, not 6): 31 or 32 followed by 3 hex digits (which equal 4096 max), so 3101E for example.

Or you can try, under access device type, under ProCurve, deleting the existing one and re-adding it; then you are able to specify the length. Or add a proprietary attribute under Aruba; use the same number 65.

Then set up a test to see which format works. It was confusion over the number format that prompted me to use the "Name" option.

EDIT: BTW, you can use IMC VLAN management functions to globally homogenize your VLAN names if that makes it easier.
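As an added illustration (not IMC or Aruba code, and not written by either poster), here is how the Egress-VLANID values from Daniel's second post and NeilR's last reply fit together under RFC 4675: the upper octet 0x31 marks a tagged VLAN and 0x32 an untagged one, the low 12 bits carry the VLAN ID, and the 5-digit "3101E" form is the same value with the zero padding dropped. The 16-value limit is taken from the thread as an assumption, not from the RADIUS standard.

```python
"""RFC 4675 Egress-VLANID (RADIUS attribute 56) helper: encode, decode and
check the per-Access-Accept value limit discussed in the thread.
Wire format: upper octet 0x31 = tagged, 0x32 = untagged; the next 12 bits
are zero padding; the low 12 bits carry the VLAN ID (1-4094).
Constructed illustration, not IMC or Aruba code."""

TAGGED, UNTAGGED = 0x31, 0x32
MAX_ACCEPT_VALUES = 16  # value limit per Access-Accept reported in the thread (assumption)


def encode(vlan_id: int, tagged: bool) -> int:
    """Return the 32-bit integer exactly as it is sent on the wire."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode(value: int) -> tuple[int, bool]:
    """Return (vlan_id, tagged); reject a bad flag octet or non-zero padding."""
    flag = value >> 24
    if flag not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indication 0x{flag:02X}")
    if value & 0x00FFF000:
        raise ValueError("padding bits must be zero")
    vlan_id = value & 0xFFF
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, flag == TAGGED


def short_hex(vlan_id: int, tagged: bool) -> str:
    """5-hex-digit form with the padding dropped, e.g. 3101E = tagged VLAN 30."""
    flag = TAGGED if tagged else UNTAGGED
    return f"{flag:02X}{vlan_id:03X}"


def parse_hex(text: str) -> tuple[int, bool]:
    """Accept the padded 8-digit or the short 5-digit hex string, optional 0x."""
    digits = text.strip().lower().removeprefix("0x")
    if len(digits) == 5:                     # flag octet + 3-digit VLAN ID
        digits = digits[:2] + "000" + digits[2:]
    if len(digits) != 8:
        raise ValueError(f"unexpected Egress-VLANID length: {text!r}")
    return decode(int(digits, 16))


def ap_port_values(native_vlan: int, tagged_vlans) -> list[int]:
    """Values for one AP uplink: native VLAN untagged plus the tagged set,
    refused when the list would exceed the Access-Accept limit."""
    values = [encode(native_vlan, False)]
    values += [encode(v, True) for v in sorted(set(tagged_vlans) - {native_vlan})]
    if len(values) > MAX_ACCEPT_VALUES:
        raise ValueError(f"{len(values)} values exceed the limit of {MAX_ACCEPT_VALUES}")
    return values
```

Note that 822083595 decodes to tagged VLAN 11 (0x3100000B), while 0x3200000B is untagged VLAN 11, so it is worth decoding whatever value IMC actually sends before assuming which flag is in use.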