Ethernet 802.1X configuration – Aruba

In this topic, you will learn how to configure Aruba switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

General configuration

This is a general configuration template for Aruba switches.

Warning: We tested this configuration on several Aruba models but we cannot guarantee that it will cover every Aruba model. Also, the configuration is general and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Aruba on these topics for your particular device model.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces by replacing the values presented as underlined italics.
  1. Define Portnox Cloud RADIUS server IPs and ports.
    Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.

    In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.

    1. Add the US Cloud RADIUS server:
      radius-server host 20.119.69.248 auth-port 10322 acct-port 10323 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    2. Add the Europe Cloud RADIUS server:
      radius-server host 52.232.122.157 auth-port 10476 acct-port 10477 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Create a new RADIUS server group and add RADIUS servers.
    aaa server-group radius "PORTNOX" host 20.119.69.248
    aaa server-group radius "PORTNOX" host 52.232.122.157
  3. Configure 802.1X on the switch.
    aaa authentication port-access eap-radius server-group "PORTNOX" authorized
    aaa authentication mac-based chap-radius server-group "PORTNOX" authorized
    aaa port-access gvrp-vlans
    aaa port-access authenticator active
    aaa authentication port-access dot1x authenticator
      radius server-group PORTNOX
      enable
    aaa authentication port-access mac-auth
      radius server-group PORTNOX
      enable
  4. Configure 802.1X authentication on interface 1/1/27:
    interface 1/1/27
      aaa authentication port-access auth-precedence dot1x mac-auth
      aaa authentication port-access client-limit multi-domain 2
      aaa authentication port-access auth-mode multi-domain
      aaa authentication port-access dot1x authenticator
        enable
      aaa authentication port-access mac-auth
        enable
  5. Configure a critical authentication VLAN:
    Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
    Note: This function is supported on 3810, 5400R, 2930F, and 2930M switches. For more information, consult Aruba documentation on critical authentication.
    aaa port-access 1/1/27 critical-auth-data-vlan 10

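    In this example, we are using VLAN 10, but you can use a different VLAN. Clients placed in this VLAN have not been authenticated, so limit it to the resources they need while the RADIUS servers are unreachable.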

Here is the entire example configuration for your convenience:

radius-server host 20.119.69.248 auth-port 10322 acct-port 10323 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 52.232.122.157 auth-port 10476 acct-port 10477 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
aaa server-group radius "PORTNOX" host 20.119.69.248
aaa server-group radius "PORTNOX" host 52.232.122.157
aaa authentication port-access eap-radius server-group "PORTNOX" authorized
aaa authentication mac-based chap-radius server-group "PORTNOX" authorized
aaa port-access gvrp-vlans
aaa port-access authenticator active
aaa authentication port-access dot1x authenticator
  radius server-group PORTNOX
  enable
aaa authentication port-access mac-auth
  radius server-group PORTNOX
  enable
interface 1/1/27
  aaa authentication port-access auth-precedence dot1x mac-auth
  aaa authentication port-access client-limit multi-domain 2
  aaa authentication port-access auth-mode multi-domain
  aaa authentication port-access dot1x authenticator
    enable
  aaa authentication port-access mac-auth
    enable
aaa port-access 1/1/27 critical-auth-data-vlan 10

Aruba 6200

This is a general configuration template for Aruba 6200 switches.

Warning: Please treat this configuration as an example template only. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided on these topics for your particular device model and OS version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces.
  1. Define Portnox Cloud RADIUS server IPs and ports:
    Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.

    In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.

    1. Add the US Cloud RADIUS server:
      radius-server host 20.119.69.248 port 10322 acct-port 10323 key plaintext rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    2. Add the Europe Cloud RADIUS server:
      radius-server host 52.232.122.157 port 10476 acct-port 10477 key plaintext fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Create a new RADIUS server group and add RADIUS servers.
    aaa group server radius PORTNOX
        server 20.119.69.248 port 10322
        server 52.232.122.157 port 10476
  3. Assign the RADIUS group to port-access accounting.
    aaa accounting port-access start-stop group PORTNOX
  4. Enable 802.1X and MAC-based authentication.
    aaa authentication port-access dot1x authenticator
        radius server-group PORTNOX
        enable
    aaa authentication port-access mac-auth
        radius server-group PORTNOX
        enable
  5. Configure 802.1X authentication on interface 1/1/27:
    interface 1/1/27
      no shutdown
      no routing
      vlan trunk native 151
      vlan trunk allowed 151,651
      port-access onboarding-method concurrent enable
      aaa authentication port-access client-limit multi-domain 3
      aaa authentication port-access client-limit 4
      aaa authentication port-access auth-mode multi-domain
      aaa authentication port-access dot1x authenticator
          enable
      aaa authentication port-access mac-auth
          enable

Here is the entire example configuration for your convenience:

radius-server host 20.119.69.248 port 10322 acct-port 10323 key plaintext rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 52.232.122.157 port 10476 acct-port 10477 key plaintext fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
aaa group server radius PORTNOX
    server 20.119.69.248 port 10322
    server 52.232.122.157 port 10476
aaa accounting port-access start-stop group PORTNOX
aaa authentication port-access dot1x authenticator
    radius server-group PORTNOX
    enable
aaa authentication port-access mac-auth
    radius server-group PORTNOX
    enable
interface 1/1/27
  no shutdown
  no routing
  vlan trunk native 151
  vlan trunk allowed 151,651
  port-access onboarding-method concurrent enable
  aaa authentication port-access client-limit multi-domain 3
  aaa authentication port-access client-limit 4
  aaa authentication port-access auth-mode multi-domain
  aaa authentication port-access dot1x authenticator
      enable
  aaa authentication port-access mac-auth
      enable
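
The following check is an added example, not Portnox or Aruba code. It audits the RADIUS lines of a saved switch configuration in either syntax shown on this page: it flags the example shared secrets published here, server-group members with no `radius-server host` definition, and group ports that differ from the host definition. The name `audit_radius` and the sample configuration are assumptions made for illustration.

```python
import re

# Example shared secrets published on this page; they must never reach a live switch.
DOC_EXAMPLE_KEYS = {"rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1",
                    "fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt"}
HOST_RE = re.compile(r"^radius-server host (\S+) (?:auth-port|port) (\d+) "
                     r"acct-port (\d+) key (?:plaintext )?(\S+)$")
FLAT_MEMBER_RE = re.compile(r'^aaa server-group radius "?\w+"? host (\S+)$')
NESTED_MEMBER_RE = re.compile(r"^server (\S+) port (\d+)$")


def audit_radius(config: str) -> list[str]:
    """Return findings for the RADIUS part of a switch config (hypothetical helper)."""
    hosts, members, findings = {}, [], []
    in_group = False
    for raw in config.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace():  # a top-level command ends any group block
            in_group = line.startswith("aaa group server radius ")
        if m := HOST_RE.match(line):
            ip, auth_port, _acct_port, key = m.groups()
            hosts[ip] = auth_port
            if key in DOC_EXAMPLE_KEYS:
                findings.append(f"{ip}: shared secret is the documentation example")
        elif m := FLAT_MEMBER_RE.match(line):       # general template: no port on member
            members.append((m.group(1), None))
        elif in_group and (m := NESTED_MEMBER_RE.match(line)):  # 6200 template
            members.append((m.group(1), m.group(2)))
    for ip, port in members:
        if ip not in hosts:
            findings.append(f"{ip}: in server group but no radius-server host line")
        elif port is not None and port != hosts[ip]:
            findings.append(f"{ip}: group port {port} != host port {hosts[ip]}")
    return findings


# Constructed sample in the 6200 syntax; addresses are RFC 5737 documentation ranges.
SAMPLE = """\
radius-server host 192.0.2.10 port 10322 acct-port 10323 key plaintext rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 198.51.100.20 port 10476 acct-port 10477 key plaintext Constructed-Secret-0001
aaa group server radius PORTNOX
    server 192.0.2.10 port 10322
    server 198.51.100.20 port 10467
    server 203.0.113.5 port 10476
"""

if __name__ == "__main__":
    print("\n".join(audit_radius(SAMPLE)))
```

Run it against the configuration as you typed it: on a running switch the stored key may be shown in encrypted form, in which case the secret comparison does not apply.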

Aruba 1930

This is a general configuration template for Aruba 1930 Instant On switches.

  1. In the left-hand side menu, select the Security > RADIUS Configuration option. Then, in the RADIUS Server Configuration pane, click on the + button to add a RADIUS server.

  2. In the Add RADIUS Server pane, enter your RADIUS server information from Portnox Cloud: Server IP Address, Authentication Port, Accounting Port, and Secret. Then, click on the Apply button.
    Important: The IP address, port number, and key below are examples. Replace them with your individual IP address, port number, and key from your Portnox Cloud configuration.

  3. Repeat the above 2 steps for the second Portnox Cloud RADIUS server and/or the local RADIUS server, if necessary.
  4. In the left-hand side menu, select the Security > RADIUS Configuration option. Then, in the Global Configuration pane, activate the 802.1x Authentication Mode switch.

  5. To enable MAC Address Bypass on specific ports, in the left-hand side menu, select the Security > Port Access Control > Port Configuration option, and select relevant 802.1X ports.

    For each of these ports, in the Edit Port Configuration window:

    1. In the Control Mode field, select the MAC Based option.

    2. Activate the MAC Authentication switch.

    3. Click on the Apply button.