9.2.3.4. Aruba

9.2.3.4.1. 2530 and 2540

Firmware: ArubaOS accredited release J9854A #YA.16.10.0012

Administration Portal > ON CMDB > Network Devices Brand/Model: Aruba/2530 - Aruba/2540

9.2.3.4.1.1. Radius Global Configuration

Define the RADIUS server used for authentication and accounting, together with its shared key. The dyn-authorization keyword allows this server to send CoA and Disconnect requests to the switch; time-window 0 disables the Event-Timestamp check on those requests, so the switch accepts them even when its clock is not synchronised with the openNAC Core (keep NTP configured on both sides if you prefer a non-zero window):

HP-2530-24G-PoEP-2SFPP# configure
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> key <Radius_Shared_Key>
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> dyn-authorization
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> time-window 0
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> auth-port 1812
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> acct-port 1813
HP-2530-24G-PoEP-2SFPP(config)# aaa server-group radius "opennac" host <Radius_Server_IP>
HP-2530-24G-PoEP-2SFPP(config)# aaa accounting network start-stop radius server-group "opennac"

802.1X

HP-2530-24G-PoEP-2SFPP(config)# aaa authentication port-access eap-radius server-group "opennac"
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range>
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range> tx-period 10
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range> client-limit 2
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator active

MAC Authentication

HP-2530-24G-PoEP-2SFPP(config)# aaa authentication mac-based chap-radius server-group "opennac"
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range>
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range> addr-limit 4
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range> reauth-period 144

9.2.3.4.1.2. Dot1x Features

Default VLAN

The default VLAN is the one assigned when the openNAC policy selects the default VLAN instead of a specific one:

HP-2530-24G-PoEP-2SFPP(config)# primary-vlan <vlan-id>
HP-2530-24G-PoEP-2SFPP(config)# vlan <vlan-id> name default_vlan

A VLAN can also be set per port with the auth-vid parameter, which configures the VLAN a port is moved to after a successful authentication when the RADIUS reply does not assign one. It is not configured by default.

HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range> auth-vid 200

Critical VLAN

The critical VLAN is the one in which connections are placed when the RADIUS servers cannot be reached for authorization. On the 2530/2540 this is done with the unauth-vid parameter, available once an authentication method is configured on the port: it sets the VLAN a port is assigned while an unauthenticated client is connected, and it is not configured by default. Note that unauth-vid is not specific to a server failure: any client that fails or never completes authentication (a device without a supplicant, an Access-Reject, a RADIUS timeout) ends up in this VLAN, so it must be a restricted network and must not be the same VLAN as auth-vid.

The unauth-period parameter sets how many seconds the switch waits for authentication to complete before moving the port to the unauthenticated VLAN.

For 802.1x:

HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range> unauth-vid 200
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range> unauth-period 20

For MAB:

HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range> unauth-vid 200
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range> unauth-period 20

Voice VLAN

The voice VLAN will be used to separate the voice traffic from the data traffic.

HP-2530-24G-PoEP-2SFPP(config)# vlan 100 voice

9.2.3.4.1.3. Security Profiles (ACL’s)

Static

Static security profiles reference ACLs that already exist on the switch: the openNAC policy only selects which of the pre-created ACLs applies to the session, so the ACL must be defined on the 2530/2540 before the policy references it.

Dynamic

Assigns a RADIUS-supplied ACL to filter inbound packets received from a specific client authenticated on a switch port. The rule is configured as a postcondition of the openNAC policy; once a user matches a policy that carries a dynamic ACL, the rule is sent to the switch in the NAS-Filter-Rule RADIUS attribute (RFC 4849) and applied to that client's port. The switch evaluates the rules in the order received and closes the list with an implicit deny, so a broad rule placed first makes the narrower rules after it unreachable (the first of the two examples below already permits everything the second one would):

Nas-filter-Rule=permit in tcp from any to any
Nas-filter-Rule=permit in tcp from any to any 23
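The following is an added example (not openNAC or Aruba code) that evaluates NAS-Filter-Rule lines with the semantics just described, first match wins and an implicit deny at the end, and flags rules that can never match. It uses the two rules from this section plus a constructed ordered list; the grammar it accepts is the subset used on this page (permit/deny in <proto> from <src> to <dst> [<port>], with any or a CIDR prefix as address).

```python
"""Evaluate NAS-Filter-Rule lines the way an ArubaOS-Switch applies a
RADIUS-assigned ACL: rules are tried in order, the first match decides,
and an implicit "deny in ip from any to any" closes the list.

Added example for this page; it is not openNAC or Aruba code and does not
talk to a switch.  Grammar accepted here (subset used on the page):
"<permit|deny> in <proto> from <src> to <dst> [<port>]", src/dst being
"any" or a CIDR prefix.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise tcp/udp/icmp
    src: Optional[IPNet]   # None means "any"
    dst: Optional[IPNet]
    dport: Optional[int]   # trailing port number; None means any port


def _net(token: str) -> Optional[IPNet]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one attribute line, e.g. 'Nas-filter-Rule=permit in tcp from any to any 23'."""
    text = line.split("=", 1)[1] if "=" in line else line
    t = text.split()
    if len(t) not in (7, 8) or t[1] != "in" or t[3] != "from" or t[5] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    dport = int(t[7]) if len(t) == 8 else None
    return Rule(t[0], t[2], _net(t[4]), _net(t[6]), dport)


def _matches(r: Rule, proto: str, src, dst, dport: Optional[int]) -> bool:
    if r.proto != "ip" and r.proto != proto:
        return False
    if r.src is not None and src not in r.src:
        return False
    if r.dst is not None and dst not in r.dst:
        return False
    return r.dport is None or r.dport == dport


def evaluate(rules, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, index) of the first matching rule; index -1 is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if _matches(r, proto, s, d, dport):
            return r.action, i
    return "deny", -1


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b also matches a (a is at least as broad)."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    for an, bn in ((a.src, b.src), (a.dst, b.dst)):
        if an is not None and (bn is None or not bn.subnet_of(an)):
            return False
    return a.dport is None or a.dport == b.dport


def shadowed(rules) -> list[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(_covers(rules[i], rules[j]) for i in range(j))]


# The two rules from this section, exactly as written on the page.
PAGE_RULES = [
    parse_rule("Nas-filter-Rule=permit in tcp from any to any"),
    parse_rule("Nas-filter-Rule=permit in tcp from any to any 23"),
]

# A deliberately ordered list: narrow permits first, explicit deny last
# (constructed example, addresses are placeholders).
ORDERED_RULES = [
    parse_rule("permit in tcp from any to 10.10.10.0/24 23"),
    parse_rule("permit in udp from any to 10.10.10.53/32 53"),
    parse_rule("deny in ip from any to any"),
]

if __name__ == "__main__":
    print("page rules, shadowed indices:", shadowed(PAGE_RULES))
    print("tcp/80 against page rules:", evaluate(PAGE_RULES, "tcp", "10.0.0.5", "192.0.2.10", 80))
    print("tcp/80 against ordered rules:", evaluate(ORDERED_RULES, "tcp", "10.0.0.5", "10.10.10.7", 80))
```

Running it shows that the page's second rule is shadowed (index 1) and that any TCP port is permitted by the first rule; with the ordered list, only the intended ports pass and everything else hits the explicit deny.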

9.2.3.4.1.4. SNMP

We configure SNMP so that the openNAC Core can query the network device for information such as firmware version, port type and location, and can toggle ports. Policy re-evaluation through SNMP requires the write community. The two community names below are placeholders: replace public and private with unique values, and restrict which management stations may use them with ip authorized-managers (shown in the 2930F section), since an SNMP write community is equivalent to a switch login for anyone on the management network:

HP-2530-24G-PoEP-2SFPP(config)# snmp-server community "public"
HP-2530-24G-PoEP-2SFPP(config)# snmp-server community "private" operator unrestricted

9.2.3.4.1.5. CoA

Implemented from openNAC version 1.2.4 onwards. The following line enables dynamic authorization (CoA and Disconnect requests) from one RADIUS server; repeat it for every openNAC node that must be able to send CoA, so the switch accepts CoA from as many sources as needed. Each server must already be defined with its shared key (see the RADIUS global configuration above), because the switch validates the authenticator of each CoA request with that key:

HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> dyn-authorization

9.2.3.4.1.6. Troubleshooting & Monitoring

  • RADIUS debug (output goes to the current CLI session; stop it with no debug all):

HP-2530-24G-PoEP-2SFPP# debug security radius-server
HP-2530-24G-PoEP-2SFPP# debug security port-access
HP-2530-24G-PoEP-2SFPP# debug security port-security
HP-2530-24G-PoEP-2SFPP# debug destination session

  • Display connected users (ArubaOS-Switch uses show; the display commands of Comware switches do not exist on the 2530/2540):

    • Dot1x:

HP-2530-24G-PoEP-2SFPP# show port-access authenticator <port> clients
HP-2530-24G-PoEP-2SFPP# show port-access authenticator <port>

    • MAC-Authentication (MAB):

HP-2530-24G-PoEP-2SFPP# show port-access mac-based <port> clients
HP-2530-24G-PoEP-2SFPP# show port-access mac-based <port>
HP-2530-24G-PoEP-2SFPP# show mac-address <port>

9.2.3.4.2. 2930F

Firmware: ArubaOS accredited release WC.16.04.0014

Administration Portal > ON CMDB > Network Devices Brand/Model: Aruba/2930F

9.2.3.4.2.1. RADIUS Global Configuration

Define the RADIUS server used for authentication and accounting and its shared key. dyn-authorization enables CoA and Disconnect requests from that server on the UDP port set by radius-server dyn-autz-port (3799 is the RFC 5176 default); time-window 0 disables the Event-Timestamp check on those requests; radius-server dead-time 5 marks an unresponsive server as dead for 5 minutes so that authentications do not stall on it; ip client-tracker lets the switch learn client IP addresses for accounting and ACL purposes:

radius-server host <Radius_Server_IP> key "<Radius_Shared_Key>"
radius-server host <Radius_Server_IP> dyn-authorization
radius-server host <Radius_Server_IP> time-window 0
radius-server dead-time 5
ip client-tracker
aaa accounting network start-stop radius
radius-server dyn-autz-port 3799
aaa server-group radius "opennac" host <Radius_Server_IP>
aaa authentication port-access eap-radius server-group "opennac"
aaa authentication mac-based chap-radius server-group "opennac"

Interface configuration. Two lines deserve care. auth-vid sets the VLAN applied after a successful authentication when RADIUS returns none, so a VLAN named "unauthorized_vlan" is a misleading choice there; if the intention is a fallback for clients that fail to authenticate, use unauth-vid instead. aaa port-access supplicant makes the switch act as an 802.1X supplicant on those ports (it authenticates itself towards another authenticator), which is only needed on an uplink to another authenticating switch, not on client access ports:

aaa port-access authenticator <port-range>
aaa port-access authenticator <port-range> tx-period 10
aaa port-access authenticator <port-range> auth-vid "unauthorized_vlan"
aaa port-access authenticator <port-range> client-limit 2
aaa port-access authenticator active

aaa port-access supplicant <port-range>

aaa port-access mac-based <port-range>
aaa port-access mac-based <port-range> addr-limit 4
aaa port-access mac-based <port-range> reauth-period 144

9.2.3.4.2.2. Dot1x Features

Critical VLAN

The critical VLAN is the one in which connections are placed when the RADIUS servers are not reachable for authorization. An authentication method must be configured on the port before the critical VLAN can be set.

This feature requires ArubaOS-Switch 16.07 or later; the accredited release listed above for the 2930F (WC.16.04.0014) predates it, so the switch must run a newer release to use it.

For clients sending untagged traffic, if the RADIUS server is unreachable, the client is placed in a Critical VLAN. There are two ways to configure a Critical Data VLAN:

  1. Directly assigning the VLAN using the command:

aaa port-access <port-range> critical-auth datavlan <vlan-id>

  2. Assigning a user role whose untagged VLAN is the critical VLAN as the critical role, using the command:

aaa port-access <port-range> critical-auth user-role <role-name>

9.2.3.4.2.3. SNMP Traps

If SNMP is used for visibility, enable SNMP on the switch. Replace the default community names public and private with unique values: the unrestricted community grants write access, and anyone who learns it can change the configuration from the management network.

Global configuration mode

snmp-server host <opennac-ip> community public
snmp-server community private unrestricted
snmp-server community public restricted

Configuring MAC Table

snmp-server enable traps mac-count-notify
snmp-server enable traps mac-notify
snmp-server enable traps mac-notify mac-move

Configuring access ports

snmp-server enable traps link-change <port-range>

To verify that the SNMP Traps configuration is correct, we can execute the following command:

switch# show mac-notify traps
Mac Notify Trap Information
Mac-notify Enabled : Yes
Mac-move Enabled : Yes
Trap-interval: 60
Port MAC Addresses trap learned/removed
------ ----------------------------------
1 None
2 None
3 Removed
4 Removed
5 Learned
6 Learned

The "Mac-notify Enabled" and "Mac-move Enabled" values should both be Yes.

Configuring SNMP v3

SNMPv3 on an Aruba switch supports several security levels; this section describes the configuration for three of them. AuthPriv: authenticates each message with HMAC-MD5 or HMAC-SHA and encrypts the payload with DES or AES. This is the level to use; prefer sha and aes, since MD5 and DES are deprecated. The first key string is the authentication passphrase and the second the privacy passphrase, and they should differ. The managerpriv group grants manager-level (read-write) MIB access; if openNAC only needs to read and receive traps, use the operatorpriv group instead.

snmpv3 enable
snmpv3 group managerpriv user <username> sec-model ver3
snmpv3 user <username> auth [md5|sha] <preSharedKeyAuth-string> priv [des|aes] <preSharedKeyPriv-string>

AuthNoPriv: authenticates each message with HMAC-MD5 or HMAC-SHA using the authentication passphrase ("preSharedKeyAuth"), but does not encrypt it, so the polled data (MAC tables, configuration) travels in clear text.

snmpv3 enable
snmpv3 group managerauth user <username> sec-model ver3
snmpv3 user <username> auth [md5|sha] <preSharedKeyAuth-string>

NoAuthNoPriv: provides neither authentication nor privacy and is no stronger than an SNMPv1/v2c community string; avoid it outside a lab.

snmpv3 enable
snmpv3 group operatornoauth user <username> sec-model ver3
snmpv3 user <username>

The next step is to configure the trap receivers with the minimum privilege required (recommended). ip authorized-managers restricts which management stations may talk SNMP to the switch at all, so list only the openNAC address:

ip authorized-managers <snmpServer_ip> <snmpServerip_mask> access operator access-method snmp
snmpv3 notify <notify_name> tagvalue <tag_name>
snmpv3 targetaddress [<ipv4-addr|ipv6-addr>] <name>
snmpv3 params <params_name> user <user_name>
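As an added example (not openNAC or Aruba code), the following shows what happens to the passphrases typed in the snmpv3 user lines above. The switch never uses the passphrase directly: RFC 3414 stretches it into a key Ku and then localizes it with the switch's snmpEngineID, so the same passphrase yields a different stored key on every switch. The engine ID and passphrase in the checks are the RFC 3414 Appendix A test vectors; the second engine ID is constructed.

```python
"""RFC 3414 password-to-key and key localization, as applied by an SNMPv3
agent to the auth and priv passphrases given on the CLI.

Added example for this page; it is not openNAC or Aruba code.  The first
engine ID and the passphrase "maplesyrup" are the RFC 3414 Appendix A test
vectors; OTHER_ENGINE_ID is a constructed value.
"""
import hashlib

# keyword as typed on the switch CLI -> hashlib name
ALGOS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated to exactly 1,048,576 octets).  The 1 MiB
    expansion is the only per-guess cost of the scheme, so a short or
    dictionary passphrase stays cheap to guess offline from captured traffic."""
    h = hashlib.new(ALGOS[algo])
    reps, rem = divmod(1048576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores."""
    return hashlib.new(ALGOS[algo], ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, algo: str) -> dict:
    """Hex Ku and Kul for one passphrase on one engine.  Auth and priv keys are
    derived with the same steps; on the switch they come from different
    passphrases, which is why the two key strings in the CLI should differ."""
    ku = password_to_key(password.encode(), algo)
    return {"ku": ku.hex(), "kul": localize(ku, engine_id, algo).hex()}


RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")  # constructed


def same_passphrase_two_switches(password: str = "maplesyrup", algo: str = "sha"):
    """Localized keys two switches with different engine IDs would store
    for the same passphrase; they differ, so compromising one key does not
    directly yield the other, but guessing the passphrase breaks both."""
    a = usm_keys(password, RFC3414_ENGINE_ID, algo)["kul"]
    b = usm_keys(password, OTHER_ENGINE_ID, algo)["kul"]
    return a, b


if __name__ == "__main__":
    print(usm_keys("maplesyrup", RFC3414_ENGINE_ID, "md5"))
    a, b = same_passphrase_two_switches()
    print("different engines, different stored keys:", a != b)
```

The engine ID of an ArubaOS-Switch is visible in show snmpv3 engineid; feeding it and the configured passphrase to usm_keys reproduces the key the switch uses to authenticate openNAC's requests, which is exactly what an attacker with a captured AuthNoPriv or AuthPriv packet can also brute-force if the passphrase is weak.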

9.2.3.4.3. 6200 legacy

Firmware: ArubaOS-CX:ML.10.10.1000

Administration Portal > ON CMDB > Network Devices Brand/Model: Aruba/6200 legacy

9.2.3.4.3.1. Radius Global Configuration

Define the RADIUS server used for authentication and accounting and its shared key. tracking enable makes the switch probe the server every 60 seconds (tracking interval) with the tracking user; any answer, Access-Accept or Access-Reject, marks the server reachable, so the tracking account does not need to be accepted by openNAC, but it should be a dedicated account with a non-trivial password rather than the username reused as the password as in the placeholder below:

6200(config)# radius-server host <RADIUS IP> key plaintext <SharedKey> tracking enable
6200(config)# radius-server retries 3
6200(config)# radius-server tracking interval 60
6200(config)# radius-server tracking user-name monitorAruba password plaintext monitorAruba
6200(config)# aaa group server radius opennac
6200(config-sg)#   server <RADIUS IP>
6200(config-sg)#   exit
6200(config)# aaa accounting port-access start-stop group opennac

9.2.3.4.3.2. Dot1x Configuration

Global configuration

6200(config)# aaa authentication port-access dot1x authenticator
6200(config-dot1x-auth)# radius server-group opennac
6200(config-dot1x-auth)# enable
6200(config-dot1x-auth)# exit

Interface configuration

6200(config)# interface 1/1/1-1/1/4
6200(config-if-<1/1/1-1/1/4>)# aaa authentication port-access dot1x authenticator
6200(config-if-dot1x-auth)# max-eapol-requests 1
6200(config-if-dot1x-auth)# max-retries 1
6200(config-if-dot1x-auth)# reauth
6200(config-if-dot1x-auth)# reauth-period 3600
6200(config-if-dot1x-auth)# enable
6200(config-if-dot1x-auth)# exit
6200(config-if-<1/1/1-1/1/4>)# aaa authentication port-access mac-auth
6200(config-if-macauth)# reauth
6200(config-if-macauth)# reauth-period 3600
6200(config-if-macauth)# enable
6200(config-if-macauth)# exit
6200(config-if-<1/1/1-1/1/4>)# exit

9.2.3.4.3.3. MAC-Auth Configuration

Global Configuration

6200(config)# aaa authentication port-access mac-auth
6200(config-macauth)# radius server-group opennac
6200(config-macauth)# enable
6200(config-macauth)# exit

Interface Configuration

6200(config)# interface 1/1/1-1/1/4
6200(config-if-<1/1/1-1/1/4>)# aaa authentication port-access mac-auth
6200(config-if-macauth)# enable
6200(config-if-macauth)# exit
6200(config-if-<1/1/1-1/1/4>)# exit

9.2.3.4.3.4. Dot1x Features

Default VLAN

The default VLAN will be the one that will be assigned in case of defining the default VLAN in the OpenNAC policy.

Role Configuration:

6200(config)# port-access role DEFAULT
6200(config-pa-role)# vlan access <VLAN ID>
6200(config-pa-role)# exit

Interface Configuration:

6200(config)# interface 1/1/1
6200(config-if)# aaa authentication port-access auth-role DEFAULT

Or

Interface Configuration:

6200(config)# interface 1/1/1
6200(config-if)# vlan access <VLAN ID>

Reject VLAN

The Reject VLAN will be the one in which the connections will be established in case the RADIUS servers rejects the authentication.

Role Configuration:

6200(config)# port-access role REJECT
6200(config-pa-role)# vlan access <VLAN ID>
6200(config-pa-role)# exit

Interface Configuration:

6200(config)# interface 1/1/1
6200(config-if)# aaa authentication port-access reject-role REJECT

Critical VLAN

The critical VLAN will be the one in which the connections will be established in case the RADIUS servers are not available for authorization.

Role Configuration:

6200(config)# port-access role CRITICAL
6200(config-pa-role)# vlan access <VLAN ID>
6200(config-pa-role)# exit

Interface Configuration:

6200(config)# interface 1/1/1
6200(config-if)# aaa authentication port-access critical-role CRITICAL

9.2.3.4.3.5. Security Profiles (ACLs)

Static Security Profile

Static security profiles are defined by OpenNAC Enterprise and allow us to specify which Access Control List (ACL) to apply to a connection that is established, based on the previously created ACLs on the network device.

Example of defining an ACL on the switch:

access-list ip google
10 permit any any 8.8.8.8
20 deny any any any

Dynamic Security Profile

The dynamic security profiles are those in which OpenNAC Enterprise will send an ACL that has not been previously defined in the network device.

9.2.3.4.3.6. TogglePort

TogglePort SNMP

To perform the policy reevaluation through SNMP, it will be necessary to activate this functionality and define the keys of the reading and writing communities:

6200(config)# snmp-server community <CommunityName>
6200(config-community)# access-level rw

TogglePort CoA

To perform the policy reevaluation through CoA, it will be necessary to activate this functionality and define the clients with their shared-key:

6200(config)# radius dyn-authorization enable
6200(config)# radius dyn-authorization client <OpenNAC IP> secret-key plaintext <SharedKey>
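The exchange behind this section and the CoA section of the 2530/2540 (RFC 5176 dynamic authorization), as an added example that is not openNAC or Aruba code: the openNAC Core builds a Disconnect-Request, the switch checks it with the shared key configured by the commands above and answers with an ACK whose authenticator is bound to the request. The code only builds and checks packet bytes, it does not send anything; the shared key, client MAC, NAS address and the dashed MAC format are constructed placeholders (the Calling-Station-Id must match what the switch reported in accounting).

```python
"""Build and verify RADIUS Dynamic Authorization packets (RFC 5176), the
exchange behind the CoA / dyn-authorization configuration on this page.

Added example; it is not openNAC or Aruba code.  It only builds and checks
packet bytes, it does not send anything.  The key, MAC address and NAS
address used in the demo are constructed placeholders.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID, ATTR_MESSAGE_AUTHENTICATOR = 4, 31, 80
DYN_AUTZ_PORT = 3799  # RFC 5176 default, same as "radius-server dyn-autz-port 3799"


def attr(atype: int, value) -> bytes:
    """Encode one type/length/value attribute (length includes the 2-byte header)."""
    if isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def build_request(code: int, identifier: int, secret: bytes, attrs) -> bytes:
    """Sign a CoA-Request / Disconnect-Request.  Message-Authenticator (HMAC-MD5
    keyed with the shared secret) is computed with the Authenticator field and
    its own value zeroed; the Request Authenticator is then
    MD5(code|id|length|16 zero octets|attributes|secret) as RFC 5176 requires."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    zero = bytes(16)
    mac = hmac.new(secret, header + zero + body, hashlib.md5).digest()
    body = body[:-16] + mac  # Message-Authenticator is the last attribute
    req_auth = hashlib.md5(header + zero + body + secret).digest()
    return header + req_auth + body


def verify_request(request: bytes, secret: bytes) -> bool:
    """Switch side: check both authenticators with the configured key.  A request
    from a host whose key is missing or wrong fails here and is dropped."""
    _, _, req_auth, attrs = parse(request)
    header, zero, body = request[:4], bytes(16), request[20:]
    if not hmac.compare_digest(hashlib.md5(header + zero + body + secret).digest(), req_auth):
        return False
    pos = 20
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = header + zero + request[20:pos + 2] + bytes(16) + request[pos + 2 + len(value):]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False  # no Message-Authenticator: treat as unsigned


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Switch side: Response Authenticator = MD5(code|id|length|RequestAuth|attributes|secret)."""
    _, identifier, req_auth, _ = parse(request)
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept only an answer bound to our request and signed with our key."""
    _, resp_id, resp_auth, _ = parse(response)
    _, req_id, req_auth, _ = parse(request)
    if resp_id != req_id:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def disconnect_request(secret: bytes, client_mac: str, nas_ip: str, identifier=None) -> bytes:
    """Disconnect-Request for one session selected by Calling-Station-Id (assumed
    dashed MAC format; use whatever the switch sent in its accounting records)."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    attrs = [attr(ATTR_CALLING_STATION_ID, client_mac),
             attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)]
    return build_request(DISCONNECT_REQUEST, identifier, secret, attrs)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    req = disconnect_request(key, "00-11-22-33-44-55", "192.0.2.1", identifier=7)
    ack = build_response(DISCONNECT_ACK, req, key)
    print("request bytes:", len(req), "switch accepts:", verify_request(req, key))
    print("ack verifies:", verify_response(ack, req, key))
```

Two properties matter operationally: a request built with a key other than the one in radius dyn-authorization client (or radius-server host ... key on the 2530/2540) fails verify_request, which is what the switch does silently, and a reply whose identifier or code was altered in transit fails verify_response, so the client must not trust an ACK it cannot bind to its own request.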

9.2.3.4.3.7. SNMP Traps

In case we want to use SNMP for visibility, we need to enable SNMP on the switch.

Global Configuration:

6200(config)# snmp-server trap mac-notify

Interface Configuration:

6200(config-if)# mac-notify traps aged learned moved removed