ProCurve / ProVision-Based
cancel
Showing results for 
Search instead for 
Did you mean: 

HP 2530 802.1x Failback

Network59770
Occasional Visitor

HP 2530 802.1x Failback

Hi,

We are currently working on HP ClearPass solution for 802.1X authentication on our network.
We did some testing on 2530 series switches.

- Connecting users using 802.1x certificates was ok.
- Connecting users using MAC based authentication was fine also.
- Finaly, putting users in default guest vlan (200) when they didn't match any authentication method was also done without any issues.

The question is, in case of a failure on our ClearPass solution (that will become unreachable), is it possible to get some kind of failback configuration on our 2530 switch that will be different from putting users in our default guest vlan 200 (as when they are not authenticated by the solution) ?

Moreover, can we have a priority over the two types of authentication ? i.e can we configure 802.1x to be used first, and then MAC, and then default ?

Thanks,




 

3 REPLIES
Mike_ES
Valued Contributor

Re: HP 2530 802.1x Failback


Hi,

For the switch 2530, AOS YA.15.10/YB.15.12


#Configure specified ports for authentication
aaa port-access authenticator 1-20

#Assign authenticated client VLAN to authenticator ports
aaa port-access authenticator 1-20 auth-vid 200

#Assign unauthenticated client VLAN to authenticator ports
aaa port-access authenticator 1-20 unauth-vid 100

Authenticated client VLAN:
- Authenticated clients not assigned a specific VLAN by the authentication server will be assigned to this VLAN, as well as clients connected when the server is unreachable if the appropriate backup authentication method is configured.
 
Unauthenticated client VLAN:
- Clients that fail authentication by the authentication server are assigned to this VLAN, as well as any clients attempting authentication when the server is unreachable and no backup method is configured.


Alle details yo ucan find in the Manual:

HPE ArubaOS-Switch Access Security Guide for YA/YB.16.01

Br,
Michal

TerjeAFK
Respected Contributor

Re: HP 2530 802.1x Failback

We have started working on the same solution as you, and this is the config we have been using so far:

radius-server host x.x.x.x key secretkey
radius-server host x.x.x.x dyn-authorization
radius-server host x.x.x.y key secretkey
radius-server host x.x.x.y dyn-authorization
aaa server-group radius "ClearPass" host x.x.x.x
aaa server-group radius "ClearPass" host x.x.x.y
aaa accounting update periodic 2
aaa authentication port-access eap-radius server-group "ClearPass"
aaa authentication mac-based chap-radius server-group "ClearPass"
aaa port-access authenticator 1-24
aaa port-access authenticator 1-24 client-limit 1
aaa port-access mac-based 1-24
aaa port-access mac-based 1-24 unauth-vid 200
aaa port-access authenticator active

With this config the switch will first try 802.1X authentication and then MAC authentication. We use 802.1X for PCs and thin clients and MAC auth for IP telephones (which don't have 802.1X support).

We have not specified any auth-vid in our switch config since we want ClearPass to return the correct VLAN id for all authentications. For redundancy we use a ClearPass cluster. Not sure if you can have some kind of local fallback.

 

Mike_ES
Valued Contributor

Re: HP 2530 802.1x Failback


We have not specified any auth-vid in our switch config since we want ClearPass to return the correct VLAN id for all authentications. For redundancy we use a ClearPass cluster. Not sure if you can have some kind of local fallback.

 


Both authenticated client VLAN and unauthenticated client VLAN works for local fallback scenario, when Radius server is unreachable. When your ClearPass Radius is reachable and gives vlans dynamically, it has priority over all static configured vlans on the ports.

When ClearPass is unreachable, defined vlans (both unauth-vid and auth-vid) takes precedence over 802.1x configured port. Both types of defined static vlans has different purpose, in other words: for already authenticated clients and for clients attempting to be authenticated. It works with Radius service tracking, please see page no. 48 from documentation: "HPE ArubaOS-Switch Access Security Guide for YA/YB.16.01".

Michal