- Re: Aruba 2530 with 802.1x access control and port...
07-29-2020 01:45 AM
Hello all.
Brief: I want to use 802.1x eap authentication to allow only one client, either to an authenticated VLAN, or a guest VLAN. I cannot limit to just one client on the switch interface.
Using Aruba 2530 J9776A YA.16.09.0003
I am working with adding a security layer in our network. My idea is to allow domain member computers to VLAN 100, while allowing access to anyone else on VLAN 200. Also to prevent network access from unauthenticated devices via unmanaged devices (i.e. small dumb switches). Basic config of 802.1x will move a domain computer to VLAN 100 and a guest to VLAN 200, as expected. But if I add a simple switch, any computer can access VLAN 100 after the first device on the switch authenticates on the 2530 interface.
When trying to use port-security to counter that, I get no access at all to the network, even from a domain member connected straight into the 2530 interface.
I am following procedures outlined in the "Aruba 2530 Access security guide for ArubaOS-Switch 16.09". I haven't found much info in other places, including searching on this site. I will provide any relevant status output from the running system. Here's the first few:
switch60# sh port-access 12 authenticator
Port Access Authenticator Status
Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Use LLDP data to authenticate [No] : No
Dot1X EAP Identifier Compliance [Disabled] : Disabled
Allow incremental EAP identifier only [Disabled] : Disabled
        Auths/  Unauth   Untagged  Tagged            % In   RADIUS  Cntrl
Port    Guests  Clients  VLAN      VLANs   Port COS  Limit  ACL     Dir    Port Mode
-----   ------- -------  --------  ------  --------  -----  ------  -----  ----------
12      1/0     0        100       No      No        No     No      both   1000FDx
switch60# sh port-security 12
Port Security
Port : 12
Learn Mode [Continuous] : Port-Access
Action [None] : None
Eavesdrop Prevention [Enabled] : Enabled
Authorized Addresses
--------------------
(This is the current status with a domain member connected straight into the switch. It is not able to finish a DHCP request now. It worked ok before adding the port-security configuration.)
Relevant configuration:
port-security 12 learn-mode port-access
# when I add this, I can't access anything anymore.
aaa authentication port-access eap-radius
# the certificate authentication to my domain RADIUS works just fine,
# failed authentication assigns the unauth-vid
aaa port-access authenticator 1-12
# I have configured more ports, but am using port 12 for trials
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
# these assign the port to the proper VLAN, according to the first connected
# authenticator, but allow any subsequent client access to the same VLAN
aaa port-access authenticator active
07-29-2020 03:47 AM
Hello,
Please try adding the following for the port you test.
aaa port-access authenticator 12 client-limit 1
This command switches the authentication to user-based mode and limits the user number to 1 per port.
Without client limits the 802.1x port operates in port-based mode which means that after the first user authenticates every device can access the network through the port. This is what you are complaining about if I am not wrong.
07-30-2020 01:14 AM
Re: Aruba 2530 with 802.1x access control and port security for clients.
Thank you, Emil.
I had seen that command in the manual, but dismissed it for some reason. Probably because I confused the use of Port-based vs Client-based authentication modes. The switch manuals might be good at explaining the hows, but not so good with the whys.
Now it seems I get my desired function. Even if I attach clients over an unmanaged switch, my 2530 access port will only allow one client at a time. That client will be attached to the desired VLAN, depending on whether it authenticates with certs or not. For reference, I will attach my current configuration.
# This config requires working RADIUS setup
# and VLAN 100,200 created statically
aaa authentication port-access eap-radius
aaa port-access authenticator 1-12
# I have configured more ports, but am using port 12 for trials
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active
That's the authentication config needed to control VLAN access to secure or guest networks, and limit the number of attached clients. All I need to do now is check the behavior of disconnecting and reconnecting multiple clients over a remote switch. I expect there might be some delays, since the access port stays up when the client disconnects. But that is a minor problem; the clients shouldn't have switches anyway.
Thanks again.
Lars Olof Norell
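One way to audit for the gap Emil describes (authenticator enabled on a port but no client-limit, so the port stays in port-based mode and a single authentication opens it for every device behind an unmanaged switch). This is an added example, not code from the thread or from Aruba; it parses `aaa port-access authenticator` lines in the format Lars posted and assumes plain numeric port names as on the 2530. The config samples are constructed from the thread.

```python
"""Audit ArubaOS-Switch config for 802.1X ports still in port-based mode."""
import re

# Constructed sample: the thread's config before the client-limit fix.
CONFIG_BEFORE = """\
aaa authentication port-access eap-radius
aaa port-access authenticator 1-12
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
aaa port-access authenticator active
"""

# Constructed sample: the same config with Emil's fix applied to port 12.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "aaa port-access authenticator active",
    "aaa port-access authenticator 12 client-limit 1\n"
    "aaa port-access authenticator active",
)

# Matches 'aaa port-access authenticator <ports> [options]'; assumes numeric
# port names (2530 style), not module-prefixed names like A1.
AUTH_RE = re.compile(r"^aaa port-access authenticator ([\d,\-]+)(?:\s+(.*))?$")


def expand_ports(spec):
    """Expand an ArubaOS port list such as '1-12' or '1,3,5-7' to a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_dot1x(config):
    """Return (port_based, limits): ports with the authenticator enabled but
    no client-limit (port-based mode), and the client-limit per port."""
    enabled, limits = set(), {}
    for line in config.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        ports, rest = expand_ports(m.group(1)), (m.group(2) or "")
        if not rest:  # bare 'authenticator <ports>' enables 802.1X on them
            enabled |= ports
        lm = re.match(r"client-limit (\d+)$", rest)
        if lm:
            for p in ports:
                limits[p] = int(lm.group(1))
    # Enabled ports without a client-limit run port-based authentication.
    return sorted(enabled - set(limits)), limits
```

Running `audit_dot1x(CONFIG_AFTER)` still lists ports 1 to 11, because the thread's fix only covers port 12.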
02-05-2021 01:19 AM
Re: Aruba 2530 with 802.1x access control and port security for clients.
Hi Friends,
I don't have experience with Aruba products and I need help, please.
I have an Aruba J9857A switch and on the switch I have some VLANs.
VLAN 2 has just Internet and VLAN 25 has access to clients.
One of the clients in VLAN 25 must connect to VLAN 2, and in addition access from VLAN 25 must have access to VLAN 2, but VLAN 2 clients must not have access to VLAN 25.
How do I configure this scenario?
Must I configure port security on VLAN 25 for the VLAN 2 IPs so that VLAN 2 IPs don't have access to VLAN 25?
Thanks
02-05-2021 05:19 AM
Re: Aruba 2530 with 802.1x access control and port security for clients.
Hello @Interuniversal
If I understand your requirements correctly, you need to implement Access Control Lists. Please have a look at the Access Security Guide, Chapter 7, Page 157
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091309en_us
Port Security can only restrict how many and which devices connect to a port. It cannot restrict the communication of allowed devices.
If I understand your requirements correctly, you need Access Control Lists. Please have a look at the Access Security Guide, page 157, Chapter 7.
Port Security can only control which and how many devices are admitted to a port. It cannot control the communication of the admitted devices.