802.1x wired authentication with HP/Aruba Procurve Switches

Another day and I am covering wired 802.1X authentication for another vendor. This time it is HP/Aruba-branded ProCurve switches.

In this post I will only cover the HP/Aruba ProCurve configuration commands for 802.1X; I will not present a network topology to work with. If you are interested in a full network setup and example, I recommend reading part I and part II and comparing the configuration accordingly.

Our policy is simple: if a client authenticates, the RADIUS server assigns it the client VLAN (VLAN 246). In every other case the switch itself places the port in the guest VLAN (VLAN 247).

Configuration of the switch

We need to configure a RADIUS server first -

SW(config)#radius-server host 172.16.245.11 key test123 auth-port 1812 acct-port 1813

Then we assign this RADIUS server to an AAA server group -

SW(config)#aaa server-group radius nps-servers host 172.16.245.11

Then we specify the protocol used for 802.1X and the RADIUS server group it uses -

SW(config)#aaa authentication port-access eap-radius server-group nps-servers

Now we activate 802.1X on an individual port and then globally on the switch -

!!!Enables 802.1X on the switch port named "ethernet 2".
SW(config)#aaa port-access authenticator ethernet 2
!!!Every client that connects to port 2 needs to authenticate.
!!!A port can have a maximum of 10 clients associated with it.
SW(config)#aaa port-access authenticator ethernet 2 client-limit 10
!!!Block traffic in both directions until the client is authenticated.
SW(config)#aaa port-access ethernet 2 controlled-direction both
!!!The port re-authenticates periodically, every 1 hour (3600 seconds).
SW(config)#aaa port-access authenticator ethernet 2 reauthenticate
SW(config)#aaa port-access authenticator ethernet 2 reauth-period 3600
!!!Unauthenticated clients are assigned to VLAN 247.
SW(config)#aaa port-access authenticator ethernet 2 unauth-vid 247
!!!The switch waits 30 seconds before placing an unauthenticated port into the unauthenticated VLAN.
SW(config)#aaa port-access authenticator ethernet 2 unauth-period 30

!!!Enables 802.1X globally on the switch.
SW(config)#aaa port-access authenticator active

Now the actual switch port configuration -

SW(config)#interface ethernet 2 untagged vlan 1

Even though we have placed the switch port (ethernet 2) in access VLAN 1, it does not communicate in VLAN 1 when a client connects. Instead the port is placed in VLAN 247 (aaa port-access authenticator ethernet 2 unauth-vid 247) and the authentication process starts. If authentication succeeds, the port is moved into the RADIUS-assigned VLAN 246.

The HP/Aruba switch's behaviour while the port is in the unauthorized state is that the port gets full access in the unauthorized VLAN (247): the client can acquire a DHCP address and reach whatever the guest VLAN allows, so that VLAN should only reach what you are prepared to expose to unauthenticated devices. The difference from Cisco switches is that Cisco switches do not allow any network access during this phase of 802.1X authentication. I have not found a way to replicate that behaviour on ProCurve switches. Anyone who knows how is welcome to leave a comment.

There are some other settings we can tune; most of them are under -

SW(config)# aaa port-access authenticator ethernet 2 ? 

Verification

Let's look at the RADIUS configuration -

SW# show radius 

 Status and Counters - General RADIUS Information

  Deadtime (minutes)             : 0           
  Timeout (seconds)              : 5           
  Retransmit Attempts            : 3           
  Global Encryption Key          :                                                                                          
  Dynamic Authorization UDP Port : 3799        
  Source IP Selection            : Outgoing Interface     
  Source IPv6 Selection          : Outgoing Interface     
  Tracking                       : Disabled

                  Auth  Acct  DM/ Time   |                                                                                          
  Server IP Addr  Port  Port  CoA Window | Encryption Key      
  ---------------------------------------------------------------
  172.16.245.11   1812  1813  No  300    | test123 

Now our RADIUS server group -

SW# show server-group radius nps-servers 

 Status and Counters - AAA Server Groups

  Group Name: nps-servers

                        Auth  Acct  DM/ Time   |
  Server IP Addr  Port  Port  CoA Window | Encryption Key
  ---------------------------------------------------------------
  172.16.245.11   1812  1813  No  300    | test123

Let's verify which method 802.1X uses to authenticate a switch port -

SW# show authentication 

 Status and Counters - Authentication Information

  Login Attempts : 3 
  Lockout Delay : 0   
  Respect Privilege : Enabled  
  Bypass Username For Operator and Manager Access : Disabled 

                       | Login        Login                  Login     
  Access Task    | Primary     Server Group      Secondary 
  ---------------------------- ------------ --------------------
  Port-Access    | EapRadius   nps-servers       None      
  
Now we verify 802.1X on the individual switch ports -

SW# show port-access summary 

 Port Access Status Summary

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No 
  Use LLDP data to authenticate [No] : No 
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

  Note: * indicates values dynamically overridden by RADIUS.

          |Authenticator         |   Web Auth   |      MAC Auth      |  Local MAC
  Port  |Enable Mode  Limit | Enable Limit  | Enable Mode  Limit | Enable Limit
  ----- - ------ ----- ----- - ------ ----- - ------ ----- ----- - ------ -----
  1     | No     Port      0     | No      1     | No     User  1     | No     1    
  2     | Yes    User    10     | No     1      | No     User  1     | No     1    

SW# show port-access authenticator config 

 Port Access Authenticator Configuration

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No 
  Use LLDP data to authenticate [No] : No 
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

        | Re-auth   Access  Max  Quiet  TX      Supplicant Server  Cntrl
  Port  | Period    Control Reqs Period Timeout Timeout    Timeout Dir  
  ----- + --------- ------- ---- ------ ------- ---------- ------- -----
  2     | 3600      Auto    2    60     30      30         300     both 


SW# show port-access authenticator      

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No 
  Use LLDP data to authenticate [No] : No 
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl           
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode 
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  2     0/1     0       247     No     No        No    No     both  1000FDx   

SW# show port-access authenticator clients 

 Port Access Authenticator Client Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No 
  Use LLDP data to authenticate [No] : No 
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

  Port  Client Name           MAC Address   IP Address      Client Status       
  ----- --------------------- ------------- --------------- --------------------
  2                           fc15b4-ec608e n/a             Connecting    

SW# show port-access authenticator clients detailed 

 Port Access Authenticator Client Status Detailed

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No 
  Use LLDP data to authenticate [No] : No 
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

  Client Base Details :                    
   Port            : 2    
   Client Status   : Connecting            Session Time    : 0 seconds       
   Client name     :                       Session Timeout : 3600 seconds      
   IP              : n/a                   MAC Address     : fc15b4-ec608e

  Access Policy Details :                       
   COS Map         : Not Defined           In Limit Kbps   : Not Set    
   Untagged VLAN   : 247                
   Tagged VLANs    : No Tagged VLANs                                        
   Port Mode       : 1000FDx    
   RADIUS ACL List : No Radius ACL List                                                              
   Auth Order      : Not Set                                           
   Auth Priority   : Not Set                                           
   LMA Fallback    : Disabled
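
The two tables above (`show port-access authenticator` and `show port-access authenticator clients`) are what tell you, per port, whether a connected device is still sitting in the unauthenticated VLAN. Below is an added parser for that output, written for this post and not code from the original post or from HP/Aruba, that joins the two tables and flags every client whose port is still untagged in the unauth VLAN or whose status is not yet authenticated. The column layout follows the output shown above; the sample text is constructed: port 2 is the post's output, while port 3, its client and the "Authenticated" status string are my additions.

```python
"""Parse `show port-access authenticator` and `show port-access authenticator
clients` output and flag clients that are still sitting in the unauth VLAN.

Added example, not code from the original post or from HP/Aruba. The column
layout follows the output shown above; the sample text is constructed: port 2
is the post's output, port 3 and its client are my addition, and the
"Authenticated" status string is assumed (the post only shows "Connecting").
"""
import re

UNAUTH_VID = "247"   # unauth-vid configured on the port in the post

SHOW_AUTHENTICATOR = """\
 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes

        Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port  Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir   Port Mode
  ----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
  2     0/1     0       247     No     No        No    No     both  1000FDx
  3     1/0     0       246     No     No        No    No     both  1000FDx
"""

SHOW_CLIENTS = """\
 Port Access Authenticator Client Status

  Port  Client Name           MAC Address   IP Address      Client Status
  ----- --------------------- ------------- --------------- --------------------
  2                           fc15b4-ec608e n/a             Connecting
  3     alice                 001122-334455 172.16.246.20   Authenticated
"""

# One port row: "<port> <auths>/<guests> <unauth clients> <untagged vlan> ..."
PORT_ROW = re.compile(r"^\s*(\d+)\s+(\d+)/(\d+)\s+(\d+)\s+(\S+)\s")
# One client row: "<port> [<name>] <mac> <ip> <status>"; MAC in ProCurve's xxxxxx-xxxxxx form
CLIENT_ROW = re.compile(
    r"^\s*(\d+)\s+(.*?)\s*([0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s+(\S+)\s+(\S+)\s*$")


def parse_ports(text):
    """Map port -> counters and the VLAN the port is currently untagged in."""
    ports = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            port, auths, guests, unauth, vlan = m.groups()
            ports[port] = {"auths": int(auths), "guests": int(guests),
                           "unauth_clients": int(unauth), "untagged_vlan": vlan}
    return ports


def parse_clients(text):
    """List of {port, name, mac, ip, status} for each client row."""
    clients = []
    for line in text.splitlines():
        m = CLIENT_ROW.match(line)
        if m:
            port, name, mac, ip, status = m.groups()
            clients.append({"port": port, "name": name, "mac": mac,
                            "ip": ip, "status": status})
    return clients


def unauthenticated_clients(auth_text, clients_text, unauth_vid=UNAUTH_VID):
    """Return (port, mac, status, vlan) for every client on a port that is still
    untagged in the unauth VLAN or whose status is not Authenticated. Per the
    post, such a client already has whatever access VLAN 247 allows."""
    ports = parse_ports(auth_text)
    flagged = []
    for c in parse_clients(clients_text):
        p = ports.get(c["port"])
        if p is None:
            continue
        if p["untagged_vlan"] == unauth_vid or c["status"] != "Authenticated":
            flagged.append((c["port"], c["mac"], c["status"], p["untagged_vlan"]))
    return flagged


if __name__ == "__main__":
    for port, mac, status, vlan in unauthenticated_clients(SHOW_AUTHENTICATOR, SHOW_CLIENTS):
        print(f"port {port}: client {mac} is {status}, port untagged in VLAN {vlan}")
```

On the sample, only port 2's client is flagged (status Connecting, port untagged in VLAN 247); the client on port 3 is authenticated and its port has moved to VLAN 246, so it is left alone. Feeding the two commands' real output into the same functions gives a quick list of devices currently enjoying guest-VLAN access.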

Debugging

The switches also support 802.1X debugging. Type the following commands to activate it -

SW# debug destination session
SW# debug security port-access
