Dynamic Segmentation
ARUBA AOS-CX SWITCHING WORKSHOP
LAB GUIDE
INTRODUCTION
OBJECTIVE
At the end of this workshop, you will be able to implement the fundamentals of access control and dynamic segmentation in a
campus network based on Aruba CX Switches, Aruba ClearPass Policy Manager and Mobility Controller Gateways.
OVERVIEW
Scenario
• MAC authentication
• 802.1X authentication
• Local and downloadable user roles
• User based tunneling
IMPORTANT
• The port numbers of the 6300-B switch will change from 1/1/x to 2/1/x at the end of the VSF stack setup.
• Both 8325 switches have 48 25GbE SFP28 ports, however, all inter-switch connections are 10 GbE SFP+ DAC cables. To
enable these cables/transceivers, the speed on the ports will have to be changed to 10Gbps. On the 6300 switches, this
step is not necessary as they recognize SFP56, SFP28, and SFP+ automatically. This will be done in the next steps.
• The MC 7005 Gateway and the ClearPass server have already been configured. You will have access to review the
configuration.
Note: if you are not using a US keyboard, use the “Keyboard” selector when connecting to select the appropriate layout.
Logging in will open a remote desktop session to the Win 10 client (see Figure 2).
Your lab login name includes a unique number at the end, for example 12345user8. Remember that number, as it will be used
in many configurations, for example in this VLAN ID: vlan X5, where X is your user number, so the VLAN ID would be 85.
It is recommended to switch off the system sounds if they annoy you. To do that, click the Windows menu button, type
Sounds to find the ‘Change system sounds’ configuration, and from there select the sound scheme ‘No Sounds’:
If you experience a hung terminal session (serial console), try to enter Ctrl-C (Mac: Cmd-C) followed by Enter a few times to make
it responsive again.
If you are on a Mac, the Shift/Alt/CMD key sometimes gets stuck in the VM. If that happens, you don’t see the characters you type
appear, but windows pop up. If you experience this: press Shift, after that Control, then Option, and finally Command, each key
one at a time, to get the status ‘reset’. After that, you can type normally again.
Also, on a Mac:
- the Control key will be the Windows key in the VM
- the Option key will be the ALT key in the VM
- the Command key will be the Ctrl key in the VM
DO NOT MODIFY: this is the NIC that provides your RDP connection to the Win 10 client.
Once logged in, open MTPuTTY or PuTTY and open the console of the following devices: 6300-A, 6300-B, 8325-A and 8325-B.
Note: if while opening MTPuTTY you are prompted for the location of PuTTY, find it here: C:\Program Files\PuTTY
In order to use copy/paste between the lab and your local computer, use the clipboard function in the left menu bar. It
will pop up a window that holds the clipboard content, where you can paste content from your local system to the
clipboard in the lab VM. You can use this to retrieve the switch configuration after you finish your labs, for later reference.
These steps will guarantee that next time you connect you will be able to access the lab environment without difficulty.
INITIAL CONFIGURATION
All switches are preconfigured with the following parameters and states:
• Username: admin Password: admin
• CLI session expiration: disabled
• Management interface:
• Enabled
IMPORTANT
All switches have been preconfigured with:
• username: admin
• password: admin
The MC 7005 has been preconfigured with:
• username: admin
• password: password
The ClearPass server has been preconfigured with a read-only account:
• username: readonly
• password: readonly
This activity assumes that you are familiar with the VSF technology. For more information read the VSF Best Practices White
Paper provided along with this lab guide.
To start:
Note: in this step you take advantage of DAC cables, which show the same serial number at both ends.
6300-A
---------------------------------------------------------------
Port Type Product Serial # Part #
---------------------------------------------------------------
1/1/26 SFP56DAC0.65 R0M46A CN91KKD01P 8121-1715
1/1/27 SFP+DAC1 J9281B CN2295L32P 8121-1151
1/1/28 SFP+DAC1 J9281B CN2295L33H 8121-1151

6300-B
---------------------------------------------------------------
Port Type Product Serial # Part #
---------------------------------------------------------------
1/1/25 SFP56DAC0.65 R0M46A CN91KKD01P 8121-1715
1/1/27 SFP+DAC1 J9281D CN89KBZBHR 8121-1300
1/1/28 SFP+DAC1 J9281D CN89KBZBDT 8121-1300
You can also verify the actual connection with the show lldp neighbor-info command:
If the connection is not between 6300-A 1/1/26 and 6300-B 1/1/25, make a note. You will need the correct port numbers to
set up the VSF link.
The config examples assume that port 1/1/26 on the 6300-A is connected to port 1/1/25 on the 6300-B. If you see different
values, please report to your instructor and be careful to enter the correct port numbers for your lab situation when
entering the commands.
On the 6300-B
• In the next steps you will:
- Verify that the 6300-B is not eligible for VSF auto-join (it has a non-default configuration)
- Force eligibility
- Verify the change
Note: lines that start with “!” are comments in the CLI scripts and do not need to be entered in the console.
show vsf
Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 88:3a:30:92:d5:00
Secondary :
Topology : Standalone
Status : No Split
Split Detection Method : None
Now the 6300-B is ready to join the stack when it receives the command from the 6300-A through its port 1/1/25.
On the 6300-A
The switch on which you will start the VSF process must be reset to the default configuration. Take the following steps:
! erase all non-VSF configurations
erase startup-config
! answer y at the prompt: Erase checkpoint startup-config?
! and reboot the switch
boot system primary
! at the following prompt
! Default boot image set to primary.
! Checking if the configuration needs to be saved...
! Do you want to save the current configuration (y/n)?
! answer n
!
! and then at the prompt
! This will reboot the entire switch and render it unavailable
! until the process is complete.
! Continue (y/n)?
! answer y
When the 6300-A completes the reboot process, you will notice that its prompt has changed to the default. Log in using the
default credentials (username: admin, and no password) and, without making any changes, trigger the VSF auto-stack:
configure
vsf start-auto-stacking
This will configure links and secondary on master
After some time the show vsf command output should look like:
Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 88:3a:30:92:f4:80
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : None
IMPORTANT
Your labs login name included a unique number at the end, for example 12345user8.
This number will be used in many configurations, for example in this VLAN ID: vlan X5, X is your user number and the VLAN ID
would be 85. This notation can also be used in router IDs and IP addresses.
If you forgot that number, you can also find it in the prompt of your switches, for example: PNX-6300-A
configure
! vlan X5 will be configured on the client ports
vlan X5
exit
! create the VLAN X5 SVI and give it the switch's IP address in the client VLAN
interface vlan X5
ip address 10.1.X5.99/24
exit
! default route
ip route 0.0.0.0/0 10.1.X5.1
! configure the downlink ports to the client
interface 1/1/1,2/1/1
no shutdown
no routing
vlan access X5
exit
!
! create uplink LAG
interface lag 1
no shutdown
no routing
lacp mode active
vlan trunk allowed X5
exit
! use an interface range to simplify assigning ports to LAG 1
! use an L2 MTU of 2048 Bytes to accommodate for tunneling to a gateway in later lab
interface 1/1/27,2/1/27
no shutdown
mtu 2048
lag 1
end
! save the configuration
write memory
! create a checkpoint
copy running checkpoint VSF
• Start by logging in and changing the system interface group 1 speed to support the 10GbE SFP+ and 1 GbE RJ45
transceivers. As mentioned earlier, the ports are 25Gbps ports and need to be configured for 10Gbps.
auto-confirm
configure
session-timeout 0
system interface-group 1 speed 10
• Sync the core with NTP, and make it the NTP server for the lab controller:
ntp vrf mgmt
no ntp server pool.ntp.org
ntp server 10.250.1.3 iburst
ntp enable
ntp master vrf default stratum 10
• Create all VLANs and the LAG to connect to the 6300 VSF Stack. A loopback interface will be used to test the 6300 VSF
default route
interface loopback 0
ip address 10.254.X.1/32
!
vlan X0-X5
exit
interface vlan X5
ip address 10.1.X5.1/24
exit
!
! LAG to the 6300 VSF access stack
!
interface lag 12
no shutdown
no routing
lacp mode active
vlan trunk allowed X5
exit
!
interface 1/1/1,1/1/2
no shutdown
mtu 2048
lag 12
end
write memory
!
• On the 6300 VSF, validate link aggregation between the access and the aggregation switches and IP connectivity.
show lacp interfaces
State abbreviations:
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
----------------------------------------------------------------------------------
1/1/27 lag1 26 1 ALFNCD 88:3a:30:92:f4:80 65534 1 up
2/1/27 lag1 90 1 ALFNCD 88:3a:30:92:f4:80 65534 1 up
Figure 5. Connection between the aggregation switch and the mobility controller gateway
On the 8325
Notes:
. . .
Actor details of all interfaces:
------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
------------------------------------------------------------------------------
1/1/5 lag11 6 1 ALFNCD 90:20:c2:ba:18:00 65534 11 up
. . .
IP connectivity
ping 10.1.X4.100
The Ethernet Adapter “6300” is connected to the 6300 Stack port 1/1/1.
2. The connection between the access stack and the ClearPass server is implemented over the OOBM port (mgmt VRF)
NOTE: For the downloadable user roles lab later on, the ClearPass server must be configured by its FQDN, not by its IP
address. That is why a DNS server needs to be configured. In a production deployment, make sure the ClearPass server is
registered in DNS as well.
Besides that, it is always good practice to have all your network equipment time-synchronized through NTP; for
downloadable user roles and User Based Tunneling it is a requirement that clocks are synchronized across switches,
controllers and ClearPass servers.
NOTE: If it is hard or impossible to get DNS working from the switch, you can create a local hostname-to-IP mapping, the
equivalent of a ‘hosts’ file:
DO NOT ENTER: ip dns host cppm.arubatraining.com 10.253.1.100 vrf mgmt.
DO NOT ENTER: ping cppm.arubatraining.com vrf mgmt.
DO NOT ENTER: PING cppm.arubatraining.com (10.253.1.100) 100(128) bytes of data.
Make sure you can successfully log in. We will continue with the switch configuration and come back to ClearPass later.
IPv4 Address :
IPv6 Address :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth – Authenticated
Auth History : mac-auth - Authenticated, 41s ago
Authorization Details
----------------------
Role : RADIUS_773420618
Status : Applied
• Go to the ClearPass server web page and look for
Verify that there is an entry confirming the authentication. Look at the NAS IP Address column and see if there is an entry
(at the top or close to the top) with your 6300’s management address (10.251.X.4).
If you find the record, observe the Login Status, it should be: ACCEPT.
You can view more details by double-clicking on the entry. The Request Details popup should appear. Check the Input and
Output tabs.
• Click on the first one, the one NOT having (Signing) in the name, and export it:
• Select Local Machine; Next, place all certificates in the following Store; Select Trusted Root Certification Authorities:
• Press OK, Next, Finish to conclude the certificate import, and after a few seconds of delay there should be an import
successful message:
• Right-click on it, Start the service and set its startup type to Automatic as well, so that wired 802.1X restarts
automatically if you reboot the client:
• Go to Settings and enter the EAP server name cppm.arubatraining.com in the ‘Connect to these servers’ field, and
select the Aruba vLabs Root CA 2021 as trusted Root CA:
• And under EAP MSCHAP v2 Configure... verify/uncheck Automatically use my Windows logon name . . .
• Close the Settings page and open the Additional Settings popup
• Under Specify authentication mode select User Authentication, and Save credentials
• Enter
Username: tX-user1 - Password: password
• Click OK to confirm all popup windows
BEST-PRACTICE NOTE: It is important to configure the 802.1X settings (supplicant) in Windows correctly with the proper
certificates. EAP-MSCHAPv2 has been broken, and when deployed like this its security depends entirely on the EAP server
certificate being validated. Although out of scope for this lab, EAP-TLS, where client certificates are used for authentication
instead of passwords, is strongly recommended. In production environments you should have the root certificate installation and
supplicant settings deployed automatically, for example with Group Policies in Active Directory or a Device Management system for
non-Windows devices.
• Keep the Network Connections window open to monitor the state of the 6300 NIC
If the authentication is successful you should see:
• Check from the client that you can ping your access switch:
C:\ >ping 10.1.X5.99
Port : 1/1/1
. . .
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 50s ago
Authorization Details
----------------------
Role : RADIUS_773420618
Status : Applied
Notice that the switch attempted 802.1X authentication first, and only if that fails does it attempt MAC-auth. If you need the
equivalent of the ArubaOS-Switch behaviour, which tries 802.1X and MAC-auth concurrently, you can configure the interfaces with
port-access onboarding-method concurrent to run both methods in parallel.
• Click on the authentication to see more details like the Service (Dot1x auth) and the Authentication method:
IMPORTANT: ClearPass will need to have a signed HTTPS certificate for this. The default certificate that comes out of the box is
a self-signed untrusted certificate and needs to be replaced by one issued by a Certificate Authority. Best-practice is to have
this HTTPS certificate issued by a well-known public Certificate Authority, especially if you are deploying Guest or Onboard. For
lab purposes, you can use the ClearPass built-in Onboard Certificate Authority, which is what we did in this lab.
The easiest, and most reliable way to get the correct Root Certificate is through the URL:
http://10.253.1.100/.well-known/aruba/clearpass/https-root.pem
… and replace the hostname with your own ClearPass server in your own networks.
• Select the full content (you can use Ctrl-A), including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----,
and ‘Copy’ it by right-clicking or Ctrl-C
NOTE: Some browsers like Edge show the content all on a single line without line breaks. Make sure the certificate shows as
above; use Chrome to be sure.
On the 6300A
!
configure
radius-server host cppm.arubatraining.com clearpass-username duradmin clearpass-password plaintext download123 vrf mgmt
end
write memory
!
• Verify
show run | include radius
• In the Windows client, change the User Credentials used on the 6300 adapter: tX-user3 and password
On the 6300A
show port-access clients interface 1/1/1 detail
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : X5
Access : X5
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 29s ago
mac-auth - Attempted, 29s ago
Authorization Details
----------------------
Role : Web_PoE_DSCP_DUR-3002-3
Status : Applied
Role Information:
Name : Web_PoE_DSCP_DUR-3002-3
Type : clearpass
Status: Completed
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Gateway Zone :
UBT Gateway Role :
UBT Gateway Clearpass Role :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names :
VLAN Group Name :
MTU :
QOS Trust Mode : dscp
STP Administrative Edge Port :
PoE Priority : critical
Captive Portal Profile :
Policy : webonly_Web_PoE_DSCP_DUR-3002-3
Class Details:
class ip web-traffic_Web_PoE_DSCP_DUR-3002-3
10 match tcp any any eq 80
20 match tcp any any eq 443
class ip dhcp_Web_PoE_DSCP_DUR-3002-3
10 match udp any any eq 67
20 match tcp any any eq 68
class ip dns_Web_PoE_DSCP_DUR-3002-3
10 match udp any any eq 53
NOTE: the QoS trust mode has been changed by the application of the user role.
BACKGROUND INFO: The role has the name of the Enforcement Profile in ClearPass (Web-PoE-DSCP-DUR) with two numbers
appended. 3002 is the role ID internal to ClearPass; the -3 is a version number. When the ClearPass admin changes the role
content, ClearPass will use Web-PoE-DSCP-DUR-3002-4 for the next authentication, and the switch will know to download the
new revision of the role and apply it. Already connected clients keep using the old role until they re-authenticate.
• Verify the port access role independent from the assignment to an interface:
Role Information:
Name : Web_PoE_DSCP_DUR-3002-3
Type : clearpass
Status: Completed
----------------------------------------------
Reauthentication Period :
Authentication Mode :
Session Timeout :
. . .
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names :
MTU :
QOS Trust Mode : dscp
STP Administrative Edge Port :
PoE Priority : critical
Captive Portal Profile :
Policy : webonly_Web_PoE_DSCP_DUR-3002-3
• As you may have seen, the Policy allows HTTP, HTTPS, DNS, and DHCP, but not ICMP. Let’s check that from the Windows
command line by pinging the core
C:\>ping 10.1.X5.99
Note: This activity implements a local user role to assign User-Based Tunneling to your Windows client.
NOTE: The controller will activate the configuration only after you enter the write mem command.
On the 8325 Switch configure a DHCP Server and the WebUI on the VRF Default
!
configure
https-server vrf default
dhcp-server vrf default
pool VX3
range 10.1.X3.200 10.1.X3.209 prefix-len 24
lease 00:01:00
exit
enable
end
write memory
• Verify
show dhcp-server
Validate
On the ClearPass Server
• Locate the authentication entry (Access Tracker) and verify the output
• Remember that the Aruba-User-Role VSA is used for local roles while the Aruba-CPPM-Role is used for downloadable roles.
If you see a failed authentication in the next step, please double-check the gateway role name as configured on your 6300
versus the user-role name you configured on the 7005 gateway.
On the 6300A Switch
show port-access clients interface 1/1/1 detail
Port Access Client Status Details:
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 1000
Access : 1000
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 25s ago
mac-auth - Attempted, 25s ago
Authorization Details
----------------------
Role : tunnel-mc
Status : Applied
Role Information:
Name : tunnel-mc
Type : local
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Gateway Zone : ubt-lab
UBT Gateway Role : ubt-tunneled-X3
UBT Gateway Clearpass Role :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names :
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
Captive Portal Profile :
Policy :
---------------------------------------------------------------------------
Zone Name UBT Mode Primary Controller Address VRF Name Status
----------------------------------------------------------------------------
ubt-lab local-vlan 10.1.X4.100 default Enabled
show vlan
------------------------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
------------------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 down no_member_forwarding default 1/1/2-1/1/24,1/1/26,1/1/28,
2/1/2-2/1/24,2/1/26-2/1/27
15 VLAN15 up ok static 2/1/1,lag1
1000 VLAN1000 up ok static 1/1/1
Note that VLAN X3 and X4 are not active on the access switch, only on the core and the controller.
On the MC7005
User Tunneled User Mac Tunneled Node Mac Vlan UAC IP Address Key Tunnel Index Flags
---- ----------------- ----------------- ---- -------------- --- ------------ -----
tX-user4 00:50:56:90:a1:bd 88:3a:30:92:f4:80 1000(X3) 10.1.X4.100 1 tunnel 10 UAC
• Additionally, run the following show commands and analyze their output.
Locate the IP address to verify that the DHCP server worked and that the gateway role (secondary role) has been applied.
show station-table
! (check output in your own lab setup)
Station Entry
-------------
MAC Name Role Age(d:h:m) Auth AP name Essid Phy Remote Profile User Type
------------ ------ ---- ---------- ---- ------- ----- --- ------ ------- ---------
00:50:56:90:a1:bd tX-user4 ubt-tunneled-X3 00:00:12 Yes 10.1.X5.99 - 1/1/1 No default-tunneled-user TUNNELED USER
Station Entries: 1
show user
Users
-----
IP MAC Name Role Auth AP name User Type
---------- ------------ ------ ---- ---- ------- ---------
10.1.X3.200 00:50:56:90:87:ab tX-user4 ubt-tunneled-X3 Tunneled-User-802.1X 10.1.X5.99 TUNNELED USER
Check in the above output the client IP as seen on the controller (IP from DHCP in VLAN X3 from the core; VLAN X3 is not
available on the access switch); the assigned role, and the switch IP as ‘AP name’.
ping 10.1.X3.1
Note that your client is behind port lag11, which is where the controller is connected. So, seen from the core, the client is
behind the controller.
Let’s describe the packet flow step by step in detail for User Based Tunnel in the next diagram:
The Client (PC) has been assigned a user role at the gateway (MC) in VLAN X3. This means that the client logically lives in that
VLAN and traffic is tunneled between the switch (SW) and gateway (MC) where it surfaces again and is ‘virtually’ local to that
VLAN X3.
• Step 1: The client (PC) starts and sends a packet to the server (S) IP; the destination MAC is that of the router in VLAN X3 on
the controller side.
• Step 2: The switch has a role that requires tunneling, so it encapsulates the packet in a GRE header between the switch (SW)
and the controller/gateway (MC). That combination is routed to the MC via the core; a Dot1Q VLAN tag is applied.
• Step 3: The core routes the packet, GRE still intact; the 1Q tag and the outer L2 header change following standard routing.
• Step 4: The MC receives the packet on VLAN X4, decapsulates the GRE and keeps the original packet. Because the user role for
this user has VLAN X3, the packet is sent to the core in VLAN X3 (assuming the firewall rules for the user role allow this).
From ClearPass, all looks good. ACCEPT Status and Role is returned.
• Now check the client status on the 6300 switch:
show aaa authentication port-access interface 1/1/1 client-status
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 26s ago
mac-auth - Attempted, 26s ago
Authorization Details
----------------------
Role :
Status : Not Ready
The Role status is: Not Ready, which means there is something wrong.
• Run show logging -r to find out what is wrong with the role sent:
show logging -r
---------------------------------------------------
Event logs from current boot
2021-04-22T15:19:33.149406+00:00 PN10-6300-VSF port-accessd[3415]: Event|9301|LOG_ERR|MSTR|1|Failed to apply ClearPass role - Send_DUR_Lab6_Role-3018-5 - Invalid input: eq Error at Line 6 - match ip any any eq 53 RET_VAL
The issue here is that match ip any any eq 53 is sent, but an ip match does not allow a port number. You are advised to
check the contents of downloadable user roles in the CLI of a switch first, before entering it in ClearPass. If you make
changes, be careful not to break the role and test well after your change as you may lock out clients from the network.
NOTE: Important to understand here, is that if there is an error in the Downloadable User Role contents, everything in the
role is rejected and NO access at all is granted to the client.
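An added pre-flight check in Python that applies the advice above; it is not part of the lab guide or of any Aruba tool. It splits a role name into profile, role ID and revision, scans class/policy text for port qualifiers on protocols that cannot carry them and for policies that reference undefined classes, and extracts the failing role and line from an event-log message like the one shown. The sample role text is constructed along the lines of the failing role; the log string is the page's own message joined onto one line.

```python
"""Pre-flight checks for an AOS-CX downloadable user role (DUR), added here as an
illustration and not part of the lab guide or of any Aruba tool."""
import re
from typing import List, Optional, Tuple

PORT_PROTOCOLS = {"tcp", "udp"}                       # may carry an 'eq <port>' qualifier
OTHER_PROTOCOLS = {"ip", "icmp", "igmp", "gre", "esp", "ah", "any"}  # no port qualifier
PORT_QUALIFIERS = {"eq", "neq", "gt", "lt", "range"}

# <profile>-<ClearPass role id>-<revision>, e.g. Web_PoE_DSCP_DUR-3002-3
ROLE_NAME_RE = re.compile(r"^(?P<profile>.+)-(?P<role_id>\d+)-(?P<rev>\d+)$")
MATCH_RE = re.compile(r"^(?:\d+\s+)?match\s+(?P<proto>\S+)\s+\S+\s+\S+(?P<rest>.*)$")
POLICY_ENTRY_RE = re.compile(r"^\d+\s+class\s+\S+\s+(?P<cls>\S+)$")
ROLE_ERROR_RE = re.compile(
    r"Failed to apply ClearPass role - (?P<role>\S+) - .*?"
    r"Error at Line (?P<line>\d+) - (?P<text>.+?) RET_VAL"
)


def parse_role_name(name: str) -> Optional[Tuple[str, int, int]]:
    """Split a ClearPass role name into (enforcement profile, role id, revision)."""
    m = ROLE_NAME_RE.match(name)
    if not m:
        return None
    return m.group("profile"), int(m.group("role_id")), int(m.group("rev"))


def is_stale(cached: str, received: str) -> bool:
    """True when the received name is a newer revision of the same ClearPass role id."""
    c, r = parse_role_name(cached), parse_role_name(received)
    return c is not None and r is not None and c[1] == r[1] and r[2] > c[2]


def lint_role(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for class/policy text before it goes into ClearPass."""
    problems: List[Tuple[int, str]] = []
    defined_classes = set()
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "class" and len(words) >= 3:      # class ip <name>
            defined_classes.add(words[2])
            continue
        m = MATCH_RE.match(line)
        if m:
            proto, rest = m.group("proto"), m.group("rest").split()
            if proto not in PORT_PROTOCOLS | OTHER_PROTOCOLS:
                problems.append((n, f"unknown protocol '{proto}'"))
            elif rest and rest[0] in PORT_QUALIFIERS and proto not in PORT_PROTOCOLS:
                problems.append((n, f"'{rest[0]}' port qualifier is not allowed with 'match {proto}'"))
            continue
        p = POLICY_ENTRY_RE.match(line)
        if p and p.group("cls") not in defined_classes:
            problems.append((n, f"policy references undefined class '{p.group('cls')}'"))
    return problems


def parse_role_error(log_line: str) -> Optional[Tuple[str, int, str]]:
    """Pull (role name, offending line, offending text) out of a port-accessd event."""
    m = ROLE_ERROR_RE.search(log_line)
    if not m:
        return None
    return m.group("role"), int(m.group("line")), m.group("text")


# Constructed role text modelled on the failing role in this lab: line 5 repeats the
# 'match ip ... eq 53' mistake and the policy refers to a class that is never defined.
SAMPLE_DUR = """\
class ip web-traffic
10 match tcp any any eq 80
20 match tcp any any eq 443
class ip dns
10 match ip any any eq 53
port-access policy webonly
1 class ip web-traffic
2 class ip dns
3 class ip dhcp
"""

# The event-log message shown in this lab, joined onto one line.
PAGE_LOG_LINE = (
    "2021-04-22T15:19:33.149406+00:00 PN10-6300-VSF port-accessd[3415]: "
    "Event|9301|LOG_ERR|MSTR|1|Failed to apply ClearPass role - Send_DUR_Lab6_Role-3018-5 - "
    "Invalid input: eq Error at Line 6 - match ip any any eq 53 RET_VAL"
)

if __name__ == "__main__":
    for line_no, msg in lint_role(SAMPLE_DUR):
        print(f"line {line_no}: {msg}")
    print(parse_role_error(PAGE_LOG_LINE))
```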
• When you have found the root cause of the issue, let’s have another troubleshooting ticket.
On the Windows client, change the authentication user
Username: tX-user6
Password: password
• The client should authenticate automatically after changing the authentication user.
• Check the status of the client. For some reason, the client failed to get proper access to the network. It is for you to find
out what the root cause is, and you can use your imagination on how to fix the issue.
• Guidance for this troubleshooting ticket:
• You may see the issue immediately from ClearPass Access Tracker, but please find the root cause of this issue
through logging of the switch.
• You need to dig a bit deeper into the debugging:
§ Start to debug the radius and portaccess processes. To limit the amount of logging messages, you only
have to enable debugging for the relevant processes. For example, you can see that the dot1x
authentication is successful when you check the port-access status for the interface. This means that you
don’t have to activate debugging for dot1x. Because you are performing dot1x authentication, this means
that you also don’t have to activate debugging for mac-auth. And the same applies for accounting,
• The AOS-CX Operator returns Shell:priv-lvl=1, following this table from the AOS-CX Security Guide (10.4):
- Other users will not get access (Default Profile: [TACACS Deny Profile])
• Make sure that you are in a role that has SSH access to your access switch. The easiest way is to enable 802.1X on your interface
again with the username tX-user1, and set your IP back to the static IP 10.1.X5.200 / 255.255.255.0.
• Use user tX-user1 to log in, and go into configuration mode to check if you have full admin access:
tX-user1@10.1.X5.99's password: password
END OF LABS
• Services
• Dot1X auth:
class ip web-traffic
match tcp any any eq 80
match tcp any any eq 443
exit
class ip dns
match udp any any eq 53
exit
class ip dhcp
match udp any any eq 67
! note: DHCP uses UDP on both ports 67 and 68; as written this entry matches TCP port 68,
! which is also what the switch shows in the downloaded role earlier in this guide
match tcp any any eq 68
exit
port-access policy webonly
1 class ip web-traffic
2 class ip dhcp
3 class ip dns
exit
port-access role poe-dscp-role
poe-priority critical
trust-mode dscp
associate policy webonly
exit
• Service MAC-AUTHEN
----------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role
Method
----------------------------------------------------------------------------------
1/1/1 00:0c:29:ce:46:fa Fail
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Authorization Details
----------------------
Role :
Status : Invalid
Now, why do we get this Invalid/failed? Let’s have a look in the switch logging:
PN3-6300-A# show logging -r
---------------------------------------------------
Event logs from current boot
---------------------------------------------------
2021-04-06T13:56:23.597927+00:00 PN3-6300-A port-accessd[3267]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/1 is blocked by port-access
2021-04-06T13:56:23.575454+00:00 PN3-6300-A intfd[756]: Event|403|LOG_INFO|UKWN|1|Link status for interface 1/1/1 is up
2021-04-06T13:56:23.542155+00:00 PN3-6300-A lldpd[3020]: Event|110|LOG_INFO|MSTR|1|Configured LLDP reinit-delay to 2
2021-04-06T13:56:13.996278+00:00 PN3-6300-A port-accessd[3267]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/1 is unblocked by port-access
2021-04-06T13:56:13.972544+00:00 PN3-6300-A intfd[756]: Event|404|LOG_INFO|UKWN|1|Link status for interface 1/1/1 is down
2021-04-06:14:24:39.439964|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|Dropped 14 log messages in last 50 seconds (most recently, 50 seconds ago) due to excessive rate
2021-04-06:14:24:36.439527|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39154 logID=39154 DB Operation: Update dot1x statistics for port '1/1/1': statistics update for port row with uuid df4c2259-327c-468b-9616-7648275041e2 successful
. . .
2021-04-06:14:23:49.591477|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling db write(Update) success for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.591457|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling db write(Update) success for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.591433|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DYNAUTZ|logID=39107 Successfully updated DB with RADIUS CoA attributes
2021-04-06:14:23:49.591414|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107 DB Operation: Update state for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1': state update for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful
2021-04-06:14:23:49.591394|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107 DB Operation: Update RADIUS attributes for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1': RADIUS attributes update for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful
2021-04-06:14:23:49.591367|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107 DB Operation: Update username for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1': username update for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful
2021-04-06:14:23:49.582966|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating profile state of client 00:0c:29:ce:46:fa in port 1/1/1 to not-valid
2021-04-06:14:23:49.582949|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating onboarded method of client 00:0c:29:ce:46:fa in port 1/1/1 to dot1x
2021-04-06:14:23:49.582931|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating authentication state of client 00:0c:29:ce:46:fa in port 1/1/1 to authenticated
2021-04-06:14:23:49.582914|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating radius server state of client 00:0c:29:ce:46:fa in port 1/1/1 to rowb4170e9c_972f_477c_9f40_4fbf97c60bef
2021-04-06:14:23:49.582893|port-accessd|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 PortClientProfile current profile type is invalid 0
2021-04-06:14:23:49.582873|port-accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Executing db
write(Update) for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.582848|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating profile state
of client 00:0c:29:ce:46:fa in port 1/1/1 to not-valid
2021-04-06:14:23:49.582827|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating onboarded
method of client 00:0c:29:ce:46:fa in port 1/1/1 to dot1x
2021-04-06:14:23:49.582806|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating authentication
state of client 00:0c:29:ce:46:fa in port 1/1/1 to authenticated
2021-04-06:14:23:49.582781|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating radius server
state of client 00:0c:29:ce:46:fa in port 1/1/1 to rowb4170e9c_972f_477c_9f40_4fbf97c60bef
2021-04-06:14:23:49.582755|port-
accessd|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 PortClientProfile current
profile type is invalid 0
2021-04-06:14:23:49.582735|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Executing db
write(Update) for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.582565|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Event handler of
MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 for event 'Portclient Auth Stop' in state 'NULL'
returned 'OK'
2021-04-06:14:23:49.582544|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Handling event
'Portclient Auth Stop' for MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 in state 'NULL'
2021-04-06:14:23:49.582524|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_ACCOUNTING|logID=39107 No op for event
'CLIENT Del' in state 'NULL' for Acctreq
2021-04-06:14:23:49.582501|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Event handler of
MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 for event 'Profile Status For Client' in state
'NULL' returned 'OK'
2021-04-06:14:23:49.582476|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Handling event
'Profile Status For Client' for MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 in state 'NULL'
2021-04-06:14:23:49.582450|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107 Event
handler of Dot1XPort '1/1/1' for event 'Profile Status For Client On Port' in state 'READY'
returned 'OK'
2021-04-06:14:23:49.582384|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107
Handling event 'Profile Status For Client On Port' for Dot1XPort '1/1/1' in state 'READY'
2021-04-06:14:23:49.582361|port-
accessd|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Secure client state
changed for client 00:0c:29:ce:46:fa in port 1/1/1 to Authenticated but failed to apply
role.
2021-04-06:14:23:49.582339|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling event Client
Status Changed for port 1/1/1 in state BLOCKED
2021-04-06:14:23:49.582316|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Request db write(Update)
for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.582292|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 portclientprofile SM
State transition [NULL] -> [INVALID PROFILE] for object with key '1/1/1, 00:0c:29:ce:46:fa'
2021-04-06:14:23:49.582273|port-
accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Client '1/1/1
00:0c:29:ce:46:fa' failed authorization with role admin-client. State: INVALID PROFILE
2021-04-06:14:23:49.581926|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Event handler of
portclientauth with mac 00:0c:29:ce:46:fa on port '1/1/1' for event 'Auth-Response From
Auth-Module' in state 'AUTH IN PROGRESS' returned 'OK'
2021-04-06:14:23:49.581886|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Request db write(Update)
for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.581859|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 portclientauth SM State
transition [AUTH IN PROGRESS] -> [FINAL AUTH SUCCESS] for object with key '1/1/1,
00:0c:29:ce:46:fa'
2021-04-06:14:23:49.581833|port-
accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Client '1/1/1
00:0c:29:ce:46:fa' identity 't3-user6' onboarded via dot1x successfully.
2021-04-06:14:23:49.579749|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling event 'Auth-
Response From Auth-Module' for mac 00:0c:29:ce:46:fain port 1/1/1 in state 'AUTH IN
PROGRESS'
2021-04-06:14:23:49.579724|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107 Event
handler of Dot1XPort '1/1/1' for event 'First Authenticated Client On Port' in state
'DISCOVERING' returned 'OK'
2021-04-06:14:23:49.579706|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107
dot1xport SM State transition [DISCOVERING] -> [READY] for object with key '1/1/1'
2021-04-06:14:23:49.579685|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107
Handling event 'First Authenticated Client On Port' for Dot1XPort '1/1/1' in state
'DISCOVERING'
2021-04-06:14:23:49.579654|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107 Event
handler of Dot1XPort '1/1/1' for event 'RADIUS Response Received On Port' in state
'DISCOVERING' returned 'OK'
2021-04-06:14:23:49.579600|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 dot1xpae SM State
transition [AUTHENTICATING] -> [AUTHENTICATED] for user 't3-user6' with key '1/1/1,
00:0c:29:ce:46:fa'
2021-04-06:14:23:49.573699|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107
Handling event 'RADIUS Response Received On Port' for Dot1XPort '1/1/1' in state
'DISCOVERING'
2021-04-06:14:23:49.572413|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39106 logID=39106 DB
Operation: Update username for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1': username
update for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful
2021-04-06:14:23:49.572327|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39106 logID=39106 Event
handler of Dot1XPort '1/1/1' for event 'Dot1X EAP Packet Received on Port' in state
'DISCOVERING' returned 'OK'
2021-04-06:14:23:49.571930|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39106 logID=39106
Handling event 'Dot1X EAP Packet Received on Port' for Dot1XPort '1/1/1' in state
'DISCOVERING'
PN3-6300-A(config-if)#
Wow, that is a lot… but if you look carefully, you can find the following log message:
2021-04-06:14:23:49.582273|port-accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Client '1/1/1 00:0c:29:ce:46:fa' failed authorization with role admin-client. State: INVALID PROFILE
The admin-client role does not exist on the switch as a local user role: the client authenticated successfully (note the preceding "onboarded via dot1x successfully" notice with the same logID), but the switch could not apply the role that the RADIUS server returned.
The data is there; in this specific case it is just hard to find the needle in the haystack.
Now that we know this, we could have filtered the debug log messages to level notice and up:
# debug portaccess all severity notice
which would have resulted in only the relevant lines:
# show debug buffer
---------------------------------------------------------------------------------------------
2021-04-12:13:11:50.512859|port-accessd|LOG_WARN|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15750 Unable to update client state of client 00:0c:29:2d:ff:ee in port 1/1/1 : Does not exist
2021-04-12:13:11:58.732553|port-accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15812 Client '1/1/1 00:0c:29:2d:ff:ee' identity 't4-user6' onboarded via dot1x successfully.
2021-04-12:13:11:58.733295|port-accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15812 Client '1/1/1 00:0c:29:2d:ff:ee' failed authorization with role admin-client. State: INVALID PROFILE
This exercise was meant to demonstrate that troubleshooting may be simple, as with the error in the ACL in the previous example, which shows up in the normal logs, or hard, as in this case, where you need to enable debug logging that generates a massive amount of data. If you do not know what you are looking for, it is really hard to find the actual issue; filtering by severity first, and then correlating the notices for one client by logID, cuts the haystack down considerably.
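As an added example (not part of this lab guide and not an Aruba tool), the following Python script does offline what the severity filter above does on the switch: it re-joins debug-buffer entries that the terminal wrapped onto several lines, parses the pipe-separated header, keeps only entries at notice level and above, and then correlates the "onboarded" and "failed authorization" notices per (port, MAC) so that the missing-role case surfaces as a one-line diagnosis. The sample buffer is the filtered excerpt above plus one constructed LOG_DEBUG line to show the filter dropping it; the placement of LOG_ERR and LOG_CRIT above LOG_WARN is an assumption, since only LOG_DEBUG, LOG_INFO, LOG_NOTICE and LOG_WARN appear in the lab output.

```python
"""Parse and filter AOS-CX port-access debug-buffer output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Syslog-style ordering. Only the first four levels appear in the lab output;
# LOG_ERR and LOG_CRIT are an assumption so higher severities are never dropped.
SEVERITY_ORDER = {
    "LOG_DEBUG": 0, "LOG_INFO": 1, "LOG_NOTICE": 2, "LOG_WARN": 3,
    "LOG_ERR": 4,   # assumed
    "LOG_CRIT": 5,  # assumed
}

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}:\d{2}:\d{2}:\d{2}\.\d+\|")
# timestamp|daemon|severity|role|instance|feature|subsystem|logID=... message
ENTRY_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<daemon>[^|]+)\|(?P<sev>LOG_[A-Z]+)\|(?P<role>[^|]+)\|"
    r"(?P<inst>[^|]+)\|(?P<feature>[^|]+)\|(?P<subsys>[^|]+)\|(?P<rest>.*)$"
)
# DOT1X_PROTOCOL lines repeat "logID=NNN" twice; accept one or more.
LOGID_RE = re.compile(r"^(?:logID=(?P<id>\d+)\s+)+(?P<msg>.*)$")
ONBOARD_OK_RE = re.compile(
    r"Client '(?P<port>\S+) (?P<mac>[0-9a-f:]{17})' identity '(?P<identity>[^']+)' "
    r"onboarded via (?P<method>\S+) successfully\."
)
AUTHZ_FAIL_RE = re.compile(
    r"Client '(?P<port>\S+) (?P<mac>[0-9a-f:]{17})' failed authorization "
    r"with role (?P<role>\S+?)\. State: (?P<state>.+)$"
)

# Constructed sample: the three filtered lines from the lab, wrapped exactly as
# the terminal printed them, plus one made-up LOG_DEBUG line in between.
SAMPLE_BUFFER = """\
2021-04-12:13:11:50.512859|port-
accessd|LOG_WARN|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15750 Unable to update client
state of client 00:0c:29:2d:ff:ee in port 1/1/1 : Does not exist
2021-04-12:13:11:58.732553|port-
accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15812 Client '1/1/1
00:0c:29:2d:ff:ee' identity 't4-user6' onboarded via dot1x successfully.
2021-04-12:13:11:58.733000|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15812 Request db write(Update)
for client 00:0c:29:2d:ff:ee in port 1/1/1
2021-04-12:13:11:58.733295|port-
accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15812 Client '1/1/1
00:0c:29:2d:ff:ee' failed authorization with role admin-client. State: INVALID PROFILE
"""


@dataclass
class LogEntry:
    timestamp: str
    daemon: str
    severity: str
    subsystem: str
    log_id: Optional[int]
    message: str


def unwrap(text: str) -> List[str]:
    """Re-join entries wrapped over several lines. A fragment ending in '-'
    (e.g. 'port-' / 'accessd') is joined directly, anything else with a space."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        elif records[-1].endswith("-"):
            records[-1] += line
        else:
            records[-1] += " " + line
    return records


def parse_line(line: str) -> Optional[LogEntry]:
    m = ENTRY_RE.match(line)
    if not m:
        return None
    log_id, msg = None, m["rest"]
    lm = LOGID_RE.match(msg)
    if lm:
        log_id, msg = int(lm["id"]), lm["msg"]
    return LogEntry(m["ts"], m["daemon"], m["sev"], m["subsys"], log_id, msg)


def parse_buffer(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(r) for r in unwrap(text)) if e is not None]


def filter_by_severity(entries: Iterable[LogEntry], minimum: str = "LOG_NOTICE") -> List[LogEntry]:
    """Equivalent of 'debug portaccess all severity notice', applied after the fact."""
    floor = SEVERITY_ORDER[minimum]
    return [e for e in entries if SEVERITY_ORDER.get(e.severity, floor) >= floor]


def diagnose(entries: Iterable[LogEntry]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Correlate onboarding and authorization notices per (port, MAC)."""
    clients: Dict[Tuple[str, str], Dict[str, str]] = {}
    for e in entries:
        ok = ONBOARD_OK_RE.search(e.message)
        if ok:
            clients.setdefault((ok["port"], ok["mac"]), {}).update(
                identity=ok["identity"], method=ok["method"])
        fail = AUTHZ_FAIL_RE.search(e.message)
        if fail:
            clients.setdefault((fail["port"], fail["mac"]), {}).update(
                failed_role=fail["role"], state=fail["state"])
    return clients


if __name__ == "__main__":
    entries = parse_buffer(SAMPLE_BUFFER)
    for e in filter_by_severity(entries, "LOG_NOTICE"):
        print(f"{e.timestamp} {e.severity:<10} logID={e.log_id} {e.message}")
    for (port, mac), info in diagnose(entries).items():
        if "failed_role" in info:
            print(f"{port} {mac}: identity {info.get('identity')} onboarded via "
                  f"{info.get('method')} but role '{info['failed_role']}' could not be "
                  f"applied ({info['state']}); check that the role exists locally "
                  f"or is downloadable from ClearPass")
```

Paste the output of `show debug buffer` into a file and feed it to `parse_buffer` to run the same filter against a full debug capture; the unwrap step is what makes the wrapped terminal output greppable again.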
END OF APPENDIX
Last page left intentionally blank. However, after typing this it is no longer blank.
www.arubanetworks.com
3333 Scott Blvd. Santa Clara, CA 95054
1.844.472.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | info@arubanetworks.com