The AOS-CX virtual switch can authenticate wired devices connected to it with 802.1X or MAC address authentication. It also supports the major Radius extensions such as Accounting and Dynamic Authorization (RFC3576). Among the ‘real’ CX switch series, the same is supported on the ArubaOS-CX 6400/6300/6200 switches, but not on the 8400/8300 switches. This article explains how to configure simple 802.1X authentication. I assume the following topology is set up using EVE-NG in this lab. (Note: the Radius server is not depicted in the diagram but needs to be reachable from ArubaCX-1.)
Here is the configuration stub to enable 802.1X authentication on port 1/1/2.
radius-server host <Radius Server IP> key plaintext <Radius Key>
aaa authentication port-access dot1x authenticator enable
interface 1/1/2
aaa authentication port-access dot1x authenticator enable
Pretty simple, isn’t it?
Let’s enable 802.1X on a Windows VM and connect it to the port. A login dialogue will pop up.
If authentication fails, take a packet capture on the switch’s uplink port and confirm whether it is sending Radius packets properly. Then check each component based on what you observe:
Switch is not sending Radius packets – try shut/no shut on the 802.1X port (1/1/2); check the routing table, default gateway and port configuration.
Switch is sending Radius packets but the server is not responding – check that the Radius key is correct.
Radius session stops in the middle – go to the 802.1X settings on the client and uncheck the ‘Verify the server’s identity by validating the certificate’ option.
The server responds with ‘Access Reject’ – check that the user is registered on the Radius server properly.
If the switch is not sending any Radius request even though the routing and port configurations are all correct, doing ‘shut’ and ‘no shut’ on the 802.1X-enabled port may fix the issue. This is an issue seen only on the CX virtual switch.
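Two of the symptoms above (server not responding, session stopping in the middle) usually come down to whether the switch and the Radius server agree on the shared key: a server that cannot validate the request discards it silently, and a reply computed under a different key fails the Response Authenticator check on the switch. The script below is an added example, not from the original post or from Aruba. It builds a PAP Access-Request the way a NAS would, simulates the server's reply, and verifies the reply's Response Authenticator under the right key and a wrong one (RFC 2865); the switch in the lab actually relays EAP rather than PAP, but the authenticator check is the same for both. The shared key `lab-radius-key`, the user `labuser`/`labpass` and the NAS address 192.0.2.10 are constructed values.

```python
"""Offline RADIUS Access-Request / reply check (RFC 2865).

Added example, not from the original post: constructs a PAP Access-Request as a
NAS would, simulates the server's reply, and verifies the reply's Response
Authenticator. A wrong shared key fails that check."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 2, 4, 18

# Constructed lab values (assumptions, not taken from the post).
SECRET = b"lab-radius-key"
NAS_IP = bytes([192, 0, 2, 10])


def _attr(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(encoded, secret, authenticator):
    """Inverse of encode_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    """NAS side: Code 1, Identifier, Length, random Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP, NAS_IP))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(raw):
    """Walk the TLV list; reject lengths that run past the packet."""
    attrs, i = [], 0
    while i + 2 <= len(raw):
        t, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((t, raw[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(request, secret, users):
    """Minimal server side for the offline demo: check the PAP password, answer."""
    ident, request_auth = request[1], request[4:20]
    attrs = dict(parse_attrs(request[20:]))
    username = attrs.get(ATTR_USER_NAME, b"")
    password = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(users.get(username, b"\x00"), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = _attr(ATTR_REPLY_MESSAGE, b"ok" if ok else b"bad credentials")
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(reply_attrs)) + auth + reply_attrs


def verify_reply(reply, request, secret):
    """NAS side. Returns (authenticator_ok, code); False under a mismatched key."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False, None
    code, ident = reply[0], reply[1]
    if ident != request[1]:  # reply must match the outstanding request
        return False, code
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20]), code


if __name__ == "__main__":
    req = build_access_request(7, b"labuser", b"labpass", SECRET)
    rep = server_reply(req, SECRET, {b"labuser": b"labpass"})
    print(verify_reply(rep, req, SECRET))        # (True, 2)
    print(verify_reply(rep, req, b"wrong-key"))  # (False, 2)
```

Against a real server, `verify_reply` returning `(False, code)` on a reply that did arrive points at the shared key, while no reply at all is consistent with either the key or reachability, which is why the capture on the uplink port is the first step.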
Once it’s authenticated, check the client status on the CX.
ArubaCX-1# show port-access clients
Port Access Clients
--------------------------------------------------------------------------------
Port    MAC Address         Onboarded   Status    Role
                            Method
--------------------------------------------------------------------------------
1/1/2   50:00:00:05:00:00   dot1x       Success   RADIUS_773420618
ArubaCX-1# show aaa authentication port-access interface all client-status
Port Access Client Status Details
Client 50:00:00:05:00:00, labuser
============================
Session Details
---------------
Port : 1/1/2
Session Time : 210s
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Authorization Details
----------------------
Role : RADIUS_773420618
Status : Applied
Unfortunately, CX does not display detailed information about the authenticated user, for instance the IP address, user name or assigned VLAN. I believe it will be improved in a future version of ArubaOS-CX.
Assign Local User Role to authenticated user
You can use a ‘Role’ (a set of user attributes such as ACL, QoS policy and VLAN) to manage a group of users with the same access level. Let’s create a role and assign it to the authenticated user.
class ip all-ip
match any any any
class ip prohibited_hosts
match any any 8.8.4.4
port-access policy dot1x-pol
class ip prohibited_hosts action drop <<<<<<< Drop packets to 8.8.4.4
class ip all-ip <<<<<<< Pass all other traffic
port-access role dot1x-role
associate policy dot1x-pol <<<<<<< Assign ACL policy
vlan access 2
interface 1/1/2
aaa authentication port-access auth-role dot1x-role
vlan access 1 <<<<<<<< assign vlan 1 so I can check if role vlan works
Connect the same Windows VM again and check whether the role is taking effect properly.
ArubaCX-1# show port-access clients
Port Access Clients
--------------------------------------------------------------------------------
Port    MAC Address         Onboarded   Status    Role
                            Method
--------------------------------------------------------------------------------
1/1/2   50:00:00:05:00:00   dot1x       Success   dot1x-role, Auth
ArubaCX-1# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 2
MAC Address          VLAN   Type                    Port
--------------------------------------------------------------
00:50:00:00:01:01    1      dynamic                 1/1/1
50:00:00:05:00:00    2      port-access-security    1/1/2
ArubaCX-1#
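The two outputs above are what tell you the role actually moved the client off the port's configured VLAN 1 into the role's VLAN 2. The script below is an added example, not from the original post or from Aruba: it parses the `show port-access clients` and `show mac-address-table` text as shown in this post and cross-checks each authenticated client's MAC table entry (port, entry type and VLAN) against the VLAN configured under its port-access role. The sample text is constructed to mirror the post's output, and the role-to-VLAN map `ROLE_VLANS` is taken from the `vlan access 2` line under `port-access role dot1x-role`.

```python
"""Check that authenticated clients landed in the VLAN their role assigns.

Added example, not from the original post: parses 'show port-access clients'
and 'show mac-address-table' output and audits each client's MAC table entry."""
import re

# Constructed sample text mirroring the post's outputs.
PORT_ACCESS_CLIENTS = """\
Port Access Clients
--------------------------------------------------------------------------------
Port    MAC Address         Onboarded   Status    Role
                            Method
--------------------------------------------------------------------------------
1/1/2   50:00:00:05:00:00   dot1x       Success   dot1x-role, Auth
"""

MAC_TABLE = """\
MAC age-time : 300 seconds
Number of MAC addresses : 2
MAC Address          VLAN   Type                    Port
--------------------------------------------------------------
00:50:00:00:01:01    1      dynamic                 1/1/1
50:00:00:05:00:00    2      port-access-security    1/1/2
"""

# Role -> VLAN as configured with 'vlan access <id>' under 'port-access role'.
ROLE_VLANS = {"dot1x-role": 2}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_port_access_clients(text):
    """Rows are: port, MAC, onboarded method, status, role (role may carry a ', Auth' suffix)."""
    clients = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and MAC_RE.match(parts[1]):
            role = " ".join(parts[4:]).split(",")[0].strip() or None
            clients.append({"port": parts[0], "mac": parts[1].lower(),
                            "method": parts[2], "status": parts[3], "role": role})
    return clients


def parse_mac_table(text):
    """Rows are: MAC, VLAN, type, port. Keyed by lowercase MAC."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and MAC_RE.match(parts[0]) and parts[1].isdigit():
            table[parts[0].lower()] = {"vlan": int(parts[1]), "type": parts[2], "port": parts[3]}
    return table


def audit_role_vlans(clients_text, mac_text, role_vlans):
    """Return {mac: finding}. 'ok' means a port-access-security entry on the same
    port, in the VLAN the client's role assigns; anything else names the mismatch."""
    findings = {}
    table = parse_mac_table(mac_text)
    for c in parse_port_access_clients(clients_text):
        entry = table.get(c["mac"])
        expected = role_vlans.get(c["role"])
        if c["status"] != "Success":
            findings[c["mac"]] = "not authenticated (%s)" % c["status"]
        elif entry is None:
            findings[c["mac"]] = "authenticated but absent from MAC table"
        elif entry["port"] != c["port"]:
            findings[c["mac"]] = "MAC learned on %s, authenticated on %s" % (entry["port"], c["port"])
        elif entry["type"] != "port-access-security":
            findings[c["mac"]] = "MAC entry type %s, not port-access-security" % entry["type"]
        elif expected is None:
            findings[c["mac"]] = "role %s has no expected VLAN; in VLAN %d" % (c["role"], entry["vlan"])
        elif entry["vlan"] != expected:
            findings[c["mac"]] = "in VLAN %d, role %s assigns %d" % (entry["vlan"], c["role"], expected)
        else:
            findings[c["mac"]] = "ok"
    return findings


if __name__ == "__main__":
    for mac, finding in audit_role_vlans(PORT_ACCESS_CLIENTS, MAC_TABLE, ROLE_VLANS).items():
        print(mac, finding)  # 50:00:00:05:00:00 ok
```

Feed it the two command outputs captured from the switch (the parsers key on the MAC column, so column spacing does not matter) and extend `ROLE_VLANS` with every role that sets `vlan access`; a client reported in VLAN 1 here would mean the role was applied but its VLAN was not.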
Let’s check the IP assignment and ACL enforcement on the client side.
It seems it’s working as expected.