Ethernet 802.1X configuration – Aruba

In this topic, you will learn how to configure Aruba switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

General configuration

This is a general configuration template for Aruba switches.

Important:
This guide gives general instructions for integrating Portnox Cloud with specific third-party devices. We try to provide useful examples for common models, but settings can differ between manufacturers, models, and environments. Because of this, we cannot guarantee these steps will work in every case. For questions or problems with RADIUS setup – which is an industry standard and not specific to Portnox – or with device-specific settings and troubleshooting, we recommend checking the device manufacturer’s documentation and contacting their support team. Portnox Support can help when possible, but detailed setup of third-party devices is usually best handled by the manufacturer. We also recommend updating your NAS device firmware to the latest version, as old firmware can cause issues.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.
  1. Define Portnox Cloud RADIUS server IPs and ports.
    Important:
    The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.

    In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.

    1. Add the US Cloud RADIUS server: 
      radius-server host 20.119.69.248 auth-port 10322 acct-port 10323 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    2. Add the Europe Cloud RADIUS server: 
      radius-server host 52.232.122.157 auth-port 10476 acct-port 10477 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Create a new RADIUS server group and add RADIUS servers. 
    aaa server-group radius "PORTNOX" host 20.119.69.248
aaa server-group radius "PORTNOX" host 52.232.122.157
  3. Configure 802.1X on the switch. 
    aaa authentication port-access eap-radius server-group "PORTNOX" authorized
aaa authentication mac-based chap-radius server-group "PORTNOX" authorized
aaa port-access gvrp-vlans
aaa port-access authenticator active
aaa authentication port-access dot1x authenticator
  radius server-group PORTNOX
    enable
aaa authentication port-access mac-auth
  radius server-group PORTNOX 
    enable
  4. Configure 802.1X authentication on interface 1/1/27: 
    interface 1/1/27
  aaa authentication port-access auth-precedence dot1x mac-auth 
  aaa authentication port-access client-limit multi-domain 2
  aaa authentication port-access auth-mode multi-domain 
  aaa authentication port-access dot1x authenticator
      enable 	
  aaa authentication port-access mac-auth
      enable
  5. Configure a critical authentication VLAN
    Note:
    If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
    Note:
    This function is supported on 3810, 5400R, 2930F, and 2930M switches. For more information, consult Aruba documentation on critical authentication.
    aaa port-access 1/1/27 critical-auth-data-vlan 10

    In this example, we are using VLAN 10, but you can use a different configuration.

Here is the entire example configuration for your convenience:

radius-server host 20.119.69.248 auth-port 10322 acct-port 10323 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 52.232.122.157 auth-port 10476 acct-port 10477 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
aaa server-group radius "PORTNOX" host 20.119.69.248
aaa server-group radius "PORTNOX" host 52.232.122.157
aaa authentication port-access eap-radius server-group "PORTNOX" authorized
aaa authentication mac-based chap-radius server-group "PORTNOX" authorized
aaa port-access gvrp-vlans
aaa port-access authenticator active
aaa authentication port-access dot1x authenticator
  radius server-group PORTNOX
    enable
aaa authentication port-access mac-auth
  radius server-group PORTNOX 
    enable
interface 1/1/27
  aaa authentication port-access auth-precedence dot1x mac-auth 
  aaa authentication port-access client-limit multi-domain 2
  aaa authentication port-access auth-mode multi-domain 
  aaa authentication port-access dot1x authenticator
      enable 	
  aaa authentication port-access mac-auth
      enable
aaa port-access 1/1/27 critical-auth-data-vlan 10

Aruba 6200

This is a general configuration template for Aruba 6200 switches.

Warning:
Please treat this configuration as an example template only. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided on these topics for your particular device model and OS version.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.
  1. Define Portnox Cloud RADIUS server IPs and ports:
    Important:
    The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.

    In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.

    1. Add the US Cloud RADIUS server: 
      radius-server host 20.119.69.248 port 10322 acct-port 10323 key plaintext rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    2. Add the Europe Cloud RADIUS server: 
      radius-server host 52.232.122.157 port 10476 acct-port 10477 key plaintext fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Create a new RADIUS server group and add RADIUS servers. 
    aaa group server radius PORTNOX
    server 20.119.69.248 port 10322
    server 52.232.122.157 port 10476
  3. Assign the RADIUS group to port-access accounting. 
    aaa accounting port-access start-stop group PORTNOX
  4. Enable 802.1X and MAC-based authentication. 
    aaa authentication port-access dot1x authenticator
    radius server-group PORTNOX
    enable
aaa authentication port-access mac-auth
    radius server-group PORTNOX
    enable
  5. Configure 802.1X authentication on interface 1/1/27: 
    interface 1/1/27
  no shutdown
  no routing
  vlan trunk native 151
  vlan trunk allowed 151,651
  port-access onboarding-method concurrent enable
  aaa authentication port-access client-limit multi-domain 3
  aaa authentication port-access client-limit 4
  aaa authentication port-access auth-mode multi-domain
  aaa authentication port-access dot1x authenticator
      enable
  aaa authentication port-access mac-auth
      enable

Here is the entire example configuration for your convenience:

radius-server host 20.119.69.248 port 10322 acct-port 10323 key plaintext rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 52.232.122.157 port 10476 acct-port 10477 key plaintext fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
aaa group server radius PORTNOX
    server 20.119.69.248 port 10322
    server 52.232.122.157 port 10476
aaa accounting port-access start-stop group PORTNOX
aaa authentication port-access dot1x authenticator
    radius server-group PORTNOX
    enable
aaa authentication port-access mac-auth
    radius server-group PORTNOX
    enable
interface 1/1/27
  no shutdown
  no routing
  vlan trunk native 151
  vlan trunk allowed 151,651
  port-access onboarding-method concurrent enable
  aaa authentication port-access client-limit multi-domain 3
  aaa authentication port-access client-limit 4
  aaa authentication port-access auth-mode multi-domain
  aaa authentication port-access dot1x authenticator
      enable
  aaa authentication port-access mac-auth
      enable

Aruba 1930

This is a general configuration template for Aruba 1930 Instant On switches.

  1. In the left-hand side menu, select the Security > RADIUS Configuration option. Then, in the RADIUS Server Configuration pane, click on the + button to add a RADIUS server.

  2. In the Add RADIUS Server pane, enter your RADIUS server information from Portnox Cloud: Server IP Address, Authentication Port, Accounting Port, and Secret. Then, click on the Apply button.
    Important:
    The IP address, port number, and key below are examples. Replace them with your individual IP address, port number, and key from your Portnox Cloud configuration.

  3. Repeat the above 2 steps for the second Portnox Cloud RADIUS server and/or the local RADIUS server, if necessary.
  4. In the left-hand side menu, select the Security > RADIUS Configuration option. Then, in the Global Configuration pane, activate the 802.1x Authentication Mode switch.

  5. To enable MAC Address Bypass on specific ports, in the left-hand side menu, select the Security > Port Access Control > Port Configuration option, and select relevant 802.1X ports.

    For each of these ports, in the Edit Port Configuration window:

    1. In the Control Mode field, select the MAC Based option.

    2. Activate the MAC Authentication switch.

    3. Click on the Apply button.

RadSec on Aruba 6300M

This is an example RadSec configuration, tested on an Aruba 6300M switch.

  1. Install OpenSSL on your personal computer.

    OpenSSL is an open source library for converting certificates. You will need it to convert the certificate formats so that they are readable for Ubiquiti devices.

    • Windows: Download the relevant installation package from the Shining Light Productions website. For example, Win64 OpenSSL Light for Windows 64-bit systems. Then, follow the installer steps to install the package.
    • macOS: Install HomeBrew. Then, execute the command in Terminal: 
      brew install openssl
    • Ubuntu: 
      sudo apt install openssl libssl-dev
    • RedHat: 
      sudo dnf install openssl openssl-devel
      or 
      sudo yum install openssl openssl-devel
  2. Follow the steps in this section to download and install the self-onboarding certificate: Get and import the certificate.
    Note:
    After you download the certificate, you do not need to install it. Take note of the location where you downloaded the certificate.
  3. Follow the steps in this section to download the Cloud RADIUS root CA certificate: Download the root CA certificate from Portnox Cloud.
  4. Use OpenSSL to extract the private key and the client certificate from the self-onboarding certificate:

    Type the following commands in the Windows command line window or the macOS/Linux Terminal window:

    openssl pkcs12 -in self-onboarding-certificate.p12 -clcerts -nokeys -out clientCertificate.crt
    openssl pkcs12 -in self-onboarding-certificate.p12 -nocerts -nodes -out privateKey.pem

    When asked for an import password, press the Enter key (empty password).

    Note:
    On Windows, you may need to first change the directory to the installation directory of OpenSSL: C:\Program Files\OpenSSL-Win64\bin.
    Note:
    We recommend that you open the extracted files in a text editor of your choice and remove all of the content before the -----BEGIN CERTIFICATE----- line.
  5. Use OpenSSL to convert the root CA certificate into the Base64-encoded X.509 format:

    Type the following command in the Windows command line window or the macOS/Linux Terminal window:

    openssl x509 -in rootCertificate.cer -inform der -out rootCertificate.crt -outform pem
  6. Upload the three certificate/key files to the switch using SFTP, HTTP, or USB.

    For example, using SFTP:

    copy sftp://admin@10.10.10.5/rootCertificate.crt flash:
copy sftp://admin@10.10.10.5/clientCertificate.crt flash:
copy sftp://admin@10.10.10.5/privateKey.pem flash:
  7. Install the three certificates/keys in the PKI store.

    For example:

    crypto pki trustpoint RadSec-CA
import certificate flash:rootCertificate.crt
crypto pki certificate RadSec-Client-Cert
import certificate flash:clientCertificate.crt
import private-key flash:privateKey.pem
  8. Optional: Verify the previous step:

    For example:

    show crypto pki certificates
show crypto pki trustpoints
  9. Associate the client certificate for RadSec.

    For example:

    crypto pki application radsec-client
use-certificate RadSec-Client-Cert
  10. Configure the RadSec server.
    1. Define the RADIUS server using TLS (RadSec).

      For example:

      radius-server host clear-rad.portnox.com tls auth-type pap timeout 10 port 10476 tracking enable tracking-mode any vrf default
      Note:
      • tls: Enables RADIUS over TLS
      • auth-type: Matches your RADIUS server (PAP is common for RadSec)
      • port: Use the port defined in your Portnox Cloud RADIUS server configuration
      • tracking: Enables reachability checks
      Important:
      For NAS devices that check the server name against the CN (Common Name) in the certificate, like the Aruba 6300M switch, you must configure the RADIUS server with a FQDN, not the IP address as seen in your Portnox Cloud RADIUS server configuration. Otherwise, Aruba will show an error like: Certificate SAN/CN doesn't match the peer name.. To find your Cloud RADIUS server FQDNs, see the following topic: What are the fully qualified domain names (FQDNs) of Cloud RADIUS servers.
    2. Optional: Set the keep-alive for TLS sessions.

      For example:

      radius-server host clear-rad.portnox.com tls port-access keep-alive
    3. Optional: Set the global TLS timeout.

      For example:

      radius-server tls timeout 15
  11. Configure AAA to use RadSec.

    For example, if using 802.1X:

    aaa authentication port-access dot1x authenticator
aaa authentication port-access dot1x authenticator radius server-group radius
  12. Optional: Verify the configuration.

    For example:

    show radius-server
show crypto pki application radsec-client
show logging | include radius

Here is the entire example configuration for your convenience:

! Upload certificates
copy sftp://admin@10.10.10.5/rootCertificate.crt flash:
copy sftp://admin@10.10.10.5/clientCertificate.crt flash:
copy sftp://admin@10.10.10.5/privateKey.pem flash:
                    
! Install a trust anchor
crypto pki trustpoint RadSec-CA
import certificate flash:rootCertificate.crt
                    
! Install switch client cert and key
crypto pki certificate RadSec-Client-Cert
import certificate flash:clientCertificate.crt
import private-key flash:privateKey.pem
                    
! Tell RadSec to use this certificate
crypto pki application radsec-client
use-certificate RadSec-Client-Cert
                    
! Configure the RadSec RADIUS server 
radius-server host clear-rad.portnox.com tls auth-type pap timeout 10 port 10476 tracking enable tracking-mode any vrf default
radius-server host clear-rad.portnox.com tls port-access keep-alive
                    
! Global timeout (optional)
radius-server tls timeout 15
                    
! AAA config
aaa authentication port-access dot1x authenticator
aaa authentication port-access dot1x authenticator radius server-group radius