Hi
Working with ClearPass, I have added a RADIUS attribute in the reply: Avenda-Tag-Id (1) = 0.
So the total response in the profile to allow access and put the port in VLAN 10 for example is:
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = "10"
Avenda-Tag-Id (1) = 0
You can of course add other attributes like timeout etc.
The same answer in a similar thread: https://community.arubainstanton.com/discussion/8021x-authentication-and-dynamic-vlan-assignment-with-aruba-1960-switch
If you have any questions, just let me know.
------------------------------
Peter Neyt
------------------------------
Original Message:
Sent: 02-23-2024 11:47 AM
From: cjbruck
Subject: Aruba Instant On 1960 802.1x RADIUS Clearpass Port Access Control
I am attempting to set up a 1960 switch (JL807A) to authenticate and then assign a VLAN to a wired endpoint. The authentication portion works and the RADIUS response from Clearpass is as follows:
Radius:IETF:Session-Timeout | 32400
Radius:IETF:Termination-Action | 1
Radius:IETF:Tunnel-Medium-Type | 6
Radius:IETF:Tunnel-Private-Group-Id | 106
Radius:IETF:Tunnel-Type | 13
Status-Update:Endpoint | Known
The switch never assigns vlan 106 to the endpoint. Looking at the Access Control Client Information portion of the Port Access Control menu shows the VLAN ID as 0. I will paste my config below, but to summarize what I've configured so far:
- Management VLAN with static IP. Uplink port is configured as untagged on this VLAN.
- Created 20 more VLANs (including the example VLAN 106 which is being assigned in this case) and tagged them on the uplink port.
- Enabled 802.1x Authentication and Accounting modes in Security>RADIUS Configuration as well as added the Clearpass server as a RADIUS server.
- Enabled Admin Mode in Security>Port Access Control. Edited the Port Configuration of the port the endpoint is connected to (1/1) and set the Control Mode to Auto and enabled VLAN Assignment.
- Tagged all VLANs except management VLAN 100 on port 1/1 and untagged to VLAN 1.
Before setting up RADIUS I made sure that my actual VLANs are working if I just untag them on the ports manually, but the goal is to have all the ports configured for automatic VLAN assignment based upon what Clearpass sends back. What am I missing here?
config-file-header
CN20KY63R9
vInstantOn_1960_2.9.0.0 (53) / RHPE2.9_932_296_002
SKU Description "Aruba Instant On 1960 24G 20p Class4 4p Class6 PoE 2XGT 2SFP+ 370W Switch JL807A"
@
!unit-type-control-start
unit-type unit 1 network fa uplink te
unit-type unit 2 network fa uplink te
unit-type unit 3 network fa uplink te
unit-type unit 4 network fa uplink te
!unit-type-control-end
!
vlan database
vlan 100-120
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 3Com
voice vlan oui-table add 0060b9 H3C
voice vlan oui-table add 64167f Polycom
voice vlan oui-table add 805e0c Yealink
dot1x system-auth-control
priority-queue out num-of-queues 1
hostname CN20KY63R9
radius-server host 10.0.1.75 key [REDACTED]
aaa accounting dot1x start-stop group radius
username admin password encrypted 7b20549e03b15656b78e5b0862854729c2851f50 privilege 15
snmp-server engineid local default
management vlan 100
!
interface vlan 100
 name MGMT
 ip address 10.0.0.108 255.255.255.0
 no ip address dhcp
!
interface 1/1
 dot1x radius-attributes vlan static
 dot1x port-control auto
 switchport general allowed vlan add 101-120 tagged
 switchport general allowed vlan add 1 untagged
!
interface 1/28
 switchport general allowed vlan add 101-120 tagged
 switchport general allowed vlan add 100 untagged
 switchport general pvid 100
!
exit
ip default-gateway 10.0.0.1
ip ssh-client key rsa key-pair
---- BEGIN SSH2 PRIVATE KEY ----
Comment: RSA Private Key
[REDACTED]
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
[REDACTED]
---- END SSH2 PUBLIC KEY ----
.
ip ssh-client key dsa key-pair
---- BEGIN SSH2 PRIVATE KEY ----
Comment: DSA Private Key
[REDACTED]
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
[REDACTED]
---- END SSH2 PUBLIC KEY ----
.
crypto certificate 1 import
-----BEGIN RSA PRIVATE KEY-----
[REDACTED]
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
[REDACTED]01TwIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
.
crypto certificate 2 import
-----BEGIN RSA PRIVATE KEY-----
[REDACTED]
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
[REDACTED]
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
.
------------------------------
Chris Bruck
------------------------------
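Peter's reply above lists the attribute set that made VLAN assignment work on the 1960 (the RFC 3580 tunnel triple plus Avenda-Tag-Id = 0), and Chris's post shows the ClearPass reply that did not. The following is an added example, not code from either poster or from Aruba: it parses a ClearPass reply dump in the "name | value" layout shown in the question and reports which of those attributes are missing or carry the wrong value. The dump is Chris's output re-typed as constructed sample input, and the ClearPass dictionary name "Radius:Avenda:Avenda-Tag-Id" for the vendor attribute is an assumption.

```python
"""Check a ClearPass Access-Accept attribute dump against the attribute set
the reply in this thread says the Instant On 1960 needs for dynamic VLANs."""

# RFC 2868 / RFC 3580 values the three tunnel attributes carry for a VLAN.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Working set from the reply: value None means "present, any VLAN id".
# The Avenda dictionary name below is an assumption, not taken from the thread.
REQUIRED = {
    "Radius:IETF:Tunnel-Type": TUNNEL_TYPE_VLAN,
    "Radius:IETF:Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
    "Radius:IETF:Tunnel-Private-Group-Id": None,
    "Radius:Avenda:Avenda-Tag-Id": 0,
}

# Constructed sample input: the reply dump from the question, same layout.
SAMPLE_DUMP = """\
Radius:IETF:Session-Timeout |
32400 |
Radius:IETF:Termination-Action |
1 |
Radius:IETF:Tunnel-Medium-Type |
6 |
Radius:IETF:Tunnel-Private-Group-Id |
106 |
Radius:IETF:Tunnel-Type |
13 |
Status-Update:Endpoint |
Known |
"""


def parse_dump(text):
    """Pair alternating 'name |' / 'value |' lines into a dict.
    Numeric values become ints so they compare against the RFC constants."""
    cells = [ln.strip().rstrip("|").strip() for ln in text.splitlines() if ln.strip()]
    attrs = {}
    for name, value in zip(cells[0::2], cells[1::2]):
        attrs[name] = int(value) if value.isdigit() else value
    return attrs


def check_vlan_reply(attrs):
    """Return a list of problems; an empty list means the reply matches the working set."""
    problems = []
    for name, expected in REQUIRED.items():
        if name not in attrs:
            problems.append(f"missing {name}")
        elif expected is not None and attrs[name] != expected:
            problems.append(f"{name} is {attrs[name]}, expected {expected}")
    vid = attrs.get("Radius:IETF:Tunnel-Private-Group-Id")
    if isinstance(vid, int) and not 1 <= vid <= 4094:
        problems.append(f"Tunnel-Private-Group-Id {vid} is not a valid VLAN id")
    return problems


if __name__ == "__main__":
    for p in check_vlan_reply(parse_dump(SAMPLE_DUMP)):
        print(p)
```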