Ethernet 802.1X configuration – Aruba
In this topic, you will learn how to configure Aruba switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.
General configuration
This is a general configuration template for Aruba switches.
Warning: We tested this configuration on several Aruba models but we cannot guarantee that it will cover every
Aruba model. Also, the configuration is general and may not fit every single environment. Therefore, to get the most
accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the
documentation provided by Aruba on these topics for your particular device model.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your
individual RADIUS server addresses, ports, and keys, as well as device interfaces by replacing the values presented as
underlined italics.
-
Define Portnox Cloud RADIUS server IPs and ports.
Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
-
Create a new RADIUS server group and add RADIUS servers.
aaa server-group radius "PORTNOX" host 20.119.69.248 aaa server-group radius "PORTNOX" host 52.232.122.157 -
Configure 802.1X on the switch.
aaa authentication port-access eap-radius server-group "PORTNOX" authorized aaa authentication mac-based chap-radius server-group "PORTNOX" authorized aaa port-access gvrp-vlans aaa port-access authenticator active aaa authentication port-access dot1x authenticator radius server-group PORTNOX enable aaa authentication port-access mac-auth radius server-group PORTNOX enable -
Configure 802.1X authentication on interface 1/1/27:
interface 1/1/27 aaa authentication port-access auth-precedence dot1x mac-auth aaa authentication port-access client-limit multi-domain 2 aaa authentication port-access auth-mode multi-domain aaa authentication port-access dot1x authenticator enable aaa authentication port-access mac-auth enable -
Configure a critical authentication VLAN
Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.Note: This function is supported on 3810, 5400R, 2930F, and 2930M switches. For more information, consult Aruba documentation on critical authentication.
aaa port-access 1/1/27 critical-auth-data-vlan 10In this example, we are using VLAN 10, but you can use a different configuration.
Here is the entire example configuration for your convenience:
radius-server host 20.119.69.248 auth-port 10322 acct-port 10323 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 52.232.122.157 auth-port 10476 acct-port 10477 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
aaa server-group radius "PORTNOX" host 20.119.69.248
aaa server-group radius "PORTNOX" host 52.232.122.157
aaa authentication port-access eap-radius server-group "PORTNOX" authorized
aaa authentication mac-based chap-radius server-group "PORTNOX" authorized
aaa port-access gvrp-vlans
aaa port-access authenticator active
aaa authentication port-access dot1x authenticator
radius server-group PORTNOX
enable
aaa authentication port-access mac-auth
radius server-group PORTNOX
enable
interface 1/1/27
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access client-limit multi-domain 2
aaa authentication port-access auth-mode multi-domain
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
aaa port-access 1/1/27 critical-auth-data-vlan 10Aruba 6200
This is a general configuration template for Aruba 6200 switches.
Warning: Please treat this configuration as an example template only. To get the most accurate and current
configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation
provided on these topics for your particular device model and OS version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your
individual RADIUS server addresses, ports, and keys, as well as device interfaces.
-
Define Portnox Cloud RADIUS server IPs and ports:
Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
-
Create a new RADIUS server group and add RADIUS servers.
aaa group server radius PORTNOX server 20.119.69.248 port 10322 server 52.232.122.157 port 10476 -
Assign the RADIUS group to port-access accounting.
aaa accounting port-access start-stop group PORTNOX -
Enable 802.1X and MAC-based authentication.
aaa authentication port-access dot1x authenticator radius server-group PORTNOX enable aaa authentication port-access mac-auth radius server-group PORTNOX enable -
Configure 802.1X authentication on interface 1/1/27:
interface 1/1/27 no shutdown no routing vlan trunk native 151 vlan trunk allowed 151,651 port-access onboarding-method concurrent enable aaa authentication port-access client-limit multi-domain 3 aaa authentication port-access client-limit 4 aaa authentication port-access auth-mode multi-domain aaa authentication port-access dot1x authenticator enable aaa authentication port-access mac-auth enable
Here is the entire example configuration for your convenience:
radius-server host 20.119.69.248 port 10322 acct-port 10323 key plaintext rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 52.232.122.157 port 10476 acct-port 10477 key plaintext fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
aaa group server radius PORTNOX
server 20.119.69.248 port 10322
server 52.232.122.157 port 10476
aaa accounting port-access start-stop group PORTNOX
aaa authentication port-access dot1x authenticator
radius server-group PORTNOX
enable
aaa authentication port-access mac-auth
radius server-group PORTNOX
enable
interface 1/1/27
no shutdown
no routing
vlan trunk native 151
vlan trunk allowed 151,651
port-access onboarding-method concurrent enable
aaa authentication port-access client-limit multi-domain 3
aaa authentication port-access client-limit 4
aaa authentication port-access auth-mode multi-domain
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enableAruba 1930
This is a general configuration template for Aruba 1930 Instant On switches.
-
In the left-hand side menu, select the option. Then, in the RADIUS Server Configuration pane, click on the
+ button to add a RADIUS server.
-
In the Add RADIUS Server pane, enter your RADIUS server information from Portnox Cloud:
Server IP Address, Authentication Port, Accounting
Port, and Secret. Then, click on the Apply
button.
Important: The IP address, port number, and key below are examples. Replace them with your individual IP address, port number, and key from your Portnox Cloud configuration.
- Repeat the above 2 steps for the second Portnox Cloud RADIUS server and/or the local RADIUS server, if necessary.
-
In the left-hand side menu, select the option. Then, in the Global Configuration pane, activate the 802.1x
Authentication Mode switch.
-
To enable MAC Address Bypass on specific ports, in the left-hand side menu, select the option, and select relevant 802.1X ports.
For each of these ports, in the Edit Port Configuration window:
-
In the Control Mode field, select the MAC Based option.
-
Activate the MAC Authentication switch.
-
In the Control Mode field, select the MAC Based option.