Aruba 2530 with 802.1x access control and port security for clients.

Hello all.

Brief: I want to use 802.1x eap authentication to allow only one client, either to an authenticated VLAN, or a guest VLAN. I cannot limit to just one client on the switch interface.

Using Aruba 2530  J9776A YA.16.09.0003 

I am working with adding a security layer in our network. My idea is to allow domain member computers to VLAN 100, while allowing access to anyone else on VLAN 200. Also to prevent network access from unauthenticated devices via unmanaged devices (i.e. small dumb switches). Basic config of 802.1x will move a domain computer to VLAN 100 and a guest to VLAN 200, as expected. But if I add a simple switch, any computer can access VLAN 100 after the first device on the switch authenticates on the 2530 interface.

When trying to use port-security to counter that, I get no access at all to the network, even from a domain member connected straight into the 2530 interface.

I am following procedures outlined in the "Aruba 2530 Access security guide for ArubaOS-Switch 16.09". I haven't found much info in other places, including searching on this site. I will provide any relevant status output from the running system. Here's the first few:

switch60# sh port-access 12 authenticator

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  12    1/0     0       100      No     No        No    No     both  1000FDx

switch60# sh port-security 12

 Port Security

  Port : 12
  Learn Mode [Continuous] : Port-Access
  Action [None] : None
  Eavesdrop Prevention [Enabled] : Enabled

  Authorized Addresses
  --------------------

(This is the current status with a domain-member connected straight into the switch. It is not able to finish a DHCP request now. It worked ok before adding port-security configuration.)

Relevant configuration:

port-security 12 learn-mode port-access
 # when I add this, I can't access anything anymore.

aaa authentication port-access eap-radius
 # the certificate authentication to my domain RADIUS works just fine,
 # failed authentication assigns the unauth-vid
aaa port-access authenticator 1-12
 # I have configured more ports, but am using port 12 for trials
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
 # these assign the port to the proper VLAN, according to the first connected
 # authenticator, but allow any subsequent client access to the same VLAN
aaa port-access authenticator active

Solution

Re: Aruba 2530 with 802.1x access control and port security for clients.

Hello,

Please try adding the following for the port you test.

aaa port-access authenticator 12 client-limit 1

This command switches the authentication to user-based mode and limits the user number to 1 per port.

Without client limits the 802.1x port operates in port-based mode which means that after the first user authenticates every device can access the network through the port. This is what you are complaining about if I am not wrong.

I am an HPE employee


Re: Aruba 2530 with 802.1x access control and port security for clients.

Thank you, Emil.

I had seen that command in the manual, but dismissed it for some reason. Probably because I confused the use of Port-based vs Client-based authentication modes. The switch manuals might be good at explaining the hows, but not so good with the whys  

Now it seems I get my desired function. Even if I attach clients over an unmanaged switch, my 2530 access port will only allow one client at a time. That client will be attached to the desired VLAN, depending on if it authenticates with certs, or not. For reference, I will attach my current configuration.

 # This config requires working RADIUS setup
 # and VLAN 100,200 created statically
aaa authentication port-access eap-radius
aaa port-access authenticator 1-12
 # I have configured more ports, but am using port 12 for trials
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active

That's the authentication config needed to control VLAN access to secure or guest networks, and limit the number of attached clients. All I need to do now is check the behavior of disconnecting and reconnecting multiple clients over a remote switch. I expect there might be some delays, since the access port stays up when the client disconnects. But that is a minor problem, the clients shouldn't have switches anyway.

Thanks again.

Lars Olof Norell
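As an added audit example (not from the thread or from HPE), a short Python script that reads an ArubaOS-Switch running-config like the ones above and lists the 802.1X ports that still have no client-limit, i.e. the ports left in the port-based mode the accepted reply describes, where every device behind the first authenticated one is admitted. The config text, and port 5 in it, are constructed for the example.

```python
"""Audit an ArubaOS-Switch running-config for 802.1X ports still in port-based mode.

Added example, not code from the thread or from HPE: on a 2530,
'aaa port-access authenticator <ports>' without a 'client-limit' leaves the
port in port-based mode, so once one supplicant authenticates every MAC
behind it (e.g. on an unmanaged switch) is admitted to the same VLAN.
"""
import re

# Constructed sample config modelled on the thread's final configuration,
# plus a second port (5) that never received a client-limit.
SAMPLE_CONFIG = """
aaa authentication port-access eap-radius
aaa port-access authenticator 1-12
aaa port-access authenticator 5 auth-vid 100
aaa port-access authenticator 12 auth-vid 100
aaa port-access authenticator 12 unauth-vid 200
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active
"""

# Matches 'aaa port-access authenticator <port-list> [options]'; the trailing
# 'active' line does not match because the port list must be numeric.
PORT_LINE = re.compile(r"^aaa port-access authenticator ([\d,-]+)(?:\s+(.*))?$")


def expand_ports(spec):
    """Expand a '1-12,15' style port list into a sorted list of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)


def audit_client_limits(config_text):
    """Return {port: client_limit or None} for every port with the authenticator enabled."""
    limits = {}
    for line in config_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        ports, options = expand_ports(m.group(1)), m.group(2) or ""
        for p in ports:
            limits.setdefault(p, None)  # enabled, no limit seen yet
        cl = re.match(r"client-limit\s+(\d+)", options)
        if cl:
            for p in ports:
                limits[p] = int(cl.group(1))
    return limits


def port_based_ports(config_text):
    """Ports that run 802.1X but have no client-limit, i.e. port-based mode."""
    return [p for p, lim in sorted(audit_client_limits(config_text).items()) if lim is None]
```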