07-29-2020 01:45 AM
Brief: I want to use 802.1x eap authentication to allow only one client, either to an authenticated VLAN, or a guest VLAN. I cannot limit to just one client on the switch interface.
Using Aruba 2530 J9776A YA.16.09.0003
I am working with adding a security layer in our network. My idea is to allow domain member computers to VLAN 100, while allowing access to anyone else on VLAN 200. Also to prevent network access from unauthenticated devices via unmanaged devices (i.e. small dumb switches). Basic config of 802.1x will move a domain computer to VLAN 100 and a guest to VLAN 200, as expected. But if I add a simple switch, any computer can access VLAN 100 after the first device on the switch authenticates on the 2530 interface.
When trying to use port-security to counter that, I get no access at all to the network, even from a domain member connected straight into the 2530 interface.
I am following procedures outlined in the "Aruba 2530 Access security guide for ArubaOS-Switch 16.09". I haven't found much info in other places, including searching on this site. I will provide any relevant status output from the running system. Here's the first few:
switch60# sh port-access 12 authenticator

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

        Auths/  Unauth   Untagged  Tagged  Port  % In   RADIUS  Cntrl
  Port  Guests  Clients  VLAN      VLANs   COS   Limit  ACL     Dir    Port Mode
  ----  ------  -------  --------  ------  ----  -----  ------  -----  ---------
  12    1/0     0        100       No      No    No     No      both   1000FDx

switch60# sh port-security 12

 Port Security

  Port : 12
  Learn Mode [Continuous] : Port-Access
  Action [None] : None
  Eavesdrop Prevention [Enabled] : Enabled

  Authorized Addresses
  --------------------

(This is the current status with a domain member connected straight into the switch. It is not able to finish a DHCP request now. It worked ok before adding the port-security configuration.)
port-security 12 learn-mode port-access
# when I add this, I can't access anything anymore.
aaa authentication port-access eap-radius
# the certificate authentication to my domain RADIUS works just fine,
# failed authentication assigns the unauth-vid
aaa port-access authenticator 1-12
# I have configured more ports, but am using port 12 for trials
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
# these assign the port to the proper VLAN, according to the first connected
# authenticator, but allow any subsequent client access to the same VLAN
aaa port-access authenticator active
07-29-2020 03:47 AM (Solution)
Please try adding the following for the port you test.
aaa port-access authenticator 12 client-limit 1
This command switches the authentication to user-based mode and limits the user number to 1 per port.
Without client limits the 802.1x port operates in port-based mode, which means that after the first user authenticates every device can access the network through the port. This is what you are complaining about, if I am not wrong.
07-30-2020 01:14 AM
Re: Aruba 2530 with 802.1x access control and port security for clients.
Thank you, Emil.
I had seen that command in the manual, but dismissed it for some reason. Probably because I confused the use of Port-based vs Client-based authentication modes. The switch manuals might be good at explaining the hows, but not so good with the whys.
Now it seems I get my desired function. Even if I attach clients over an unmanaged switch, my 2530 access port will only allow one client at a time. That client will be attached to the desired VLAN, depending on whether it authenticates with certs or not. For reference, I will attach my current configuration.

# This config requires a working RADIUS setup
# and VLAN 100,200 created statically
aaa authentication port-access eap-radius
aaa port-access authenticator 1-12
# I have configured more ports, but am using port 12 for trials
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active

That's the authentication config needed to control VLAN access to secure or guest networks, and limit the number of attached clients. All I need to do now is check the behavior of disconnecting and reconnecting multiple clients over a remote switch. I expect there might be some delays, since the access port stays up when the client disconnects. But that is a minor problem, the clients shouldn't have switches anyway.
Lars Olof Norell
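As an added illustration (not code from the thread, from Aruba, or from either poster), the following Python script applies Emil's point about port-based versus user-based mode as an audit check: it parses an ArubaOS-Switch running-config excerpt and reports every port on which the 802.1X authenticator is enabled but no client-limit is set, i.e. ports still in port-based mode where a downstream unmanaged switch lets every device ride the first authentication. The sample input is the final configuration posted above (comments dropped); the function names, the port-range expansion and the report format are my own assumptions, and only plain numeric port names as on a 2530 are handled.

```python
import re

# Constructed sample input: the thread's final running-config excerpt, comments removed.
# Not a dump from a real device.
SAMPLE_CONFIG = """\
aaa authentication port-access eap-radius
aaa port-access authenticator 1-12
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active
"""

# 'aaa port-access authenticator <port-list> [setting value]' lines; the global
# 'aaa port-access authenticator active' line also matches and is filtered below.
AUTH_LINE = re.compile(r"^aaa port-access authenticator (\S+)(?:\s+(.*))?$")
PORT_LIST = re.compile(r"^[\d,-]+$")


def expand_ports(spec):
    """Expand a numeric ArubaOS-Switch port list such as '1-4,7,9-12' into ints.
    Assumption: plain numeric port names only (no module/stack prefixes)."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def audit_authenticator_ports(config_text):
    """Return {port: {'auth_vid', 'unauth_vid', 'client_limit'}} for every port with
    the authenticator enabled. client_limit None means the port runs in port-based
    mode: once one client authenticates, any device behind the port gets access."""
    ports = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = AUTH_LINE.match(line)
        if not m:
            continue
        spec, rest = m.group(1), (m.group(2) or "").strip()
        if not PORT_LIST.match(spec):  # e.g. the global 'active' keyword
            continue
        tokens = rest.split()
        for p in expand_ports(spec):
            entry = ports.setdefault(
                p, {"auth_vid": None, "unauth_vid": None, "client_limit": None}
            )
            if len(tokens) >= 2:
                key, val = tokens[0], tokens[1]
                if key == "auth-vid":
                    entry["auth_vid"] = int(val)
                elif key == "unauth-vid":
                    entry["unauth_vid"] = int(val)
                elif key == "client-limit":
                    entry["client_limit"] = int(val)
    return ports


def port_based_ports(config_text):
    """Sorted list of authenticator-enabled ports that have no client-limit."""
    report = audit_authenticator_ports(config_text)
    return sorted(p for p, e in report.items() if e["client_limit"] is None)


if __name__ == "__main__":
    report = audit_authenticator_ports(SAMPLE_CONFIG)
    for p in sorted(report):
        e = report[p]
        mode = (f"user-based (client-limit {e['client_limit']})"
                if e["client_limit"] else "PORT-BASED")
        print(f"port {p:2d}: {mode}, auth-vid={e['auth_vid']}, unauth-vid={e['unauth_vid']}")
    print("ports still in port-based mode:", port_based_ports(SAMPLE_CONFIG))
```

Run against the posted configuration, the script lists ports 1 through 11 as port-based, because `client-limit 1` was applied to port 12 only while `aaa port-access authenticator 1-12` enabled the authenticator on all twelve; that is the check worth running before the remaining ports go into production.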