Security

Hello community,

maybe someone here can help me with the following issue.
I have a customer with Aruba AP 635 models who is currently using both ports. We are in the process of implementing the NAC project and have reached the point where we also want to authenticate the APs.
This is where the problem starts. Is there a best practice guide from Aruba on how to properly implement this?

Challenges / Problems / Tested approaches:

• LACP and authentication are mutually exclusive (?!)

• 802.1X on both ports doesn't work (only one port gets authenticated, the second one doesn't come up and do not send any EAP messages)

• MAC authentication on both ports:

  • The MAC addresses of eth0 and eth1 are identical, since the CX switch uses the chassis MAC (the lower MAC of the AP = eth0) for both ports

  • Command: aaa authentication port-access allow-lldp-auth mac source-mac fixes this. After that, both ports get authenticated, but they start toggling sporadically.

any chances to achieve this?

Thanks in advance

------------------------------
Frederik
------------------------------

If you want to use 802.1X, don't use LACP.  Also, in general, don't bother with dual connections to the AP.  You're almost always better off just splitting the APs across multiple switches, perhaps increasing the AP density to provide sufficient secondary coverage, and saving the cost of running two cables to the AP.

802.1X when using active/standby can be accomplished but there are challenges with such because of how the AP handles the MAC address across the bond0 port.  AOS-CX has configuration options available specifically to assist with this.

------------------------------
Carson Hulcher, ACEX#110
------------------------------

curious to find what firmware do yo have on the AP and the switch?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Oct 17, 2025 11:01 AM
From: chulcher
Subject: AP 635 dual Port authentication

If you want to use 802.1X, don't use LACP.  Also, in general, don't bother with dual connections to the AP.  You're almost always better off just splitting the APs across multiple switches, perhaps increasing the AP density to provide sufficient secondary coverage, and saving the cost of running two cables to the AP.

802.1X when using active/standby can be accomplished but there are challenges with such because of how the AP handles the MAC address across the bond0 port.  AOS-CX has configuration options available specifically to assist with this.

------------------------------
Carson Hulcher, ACEX#110
------------------------------

ArubaOS (MODEL: Aruba7010), Version 8.10.0.20 LSR
and
Version      : ML.10.13.1070 (6200F)

------------------------------
Frederik
------------------------------

Original Message:
Sent: Oct 17, 2025 07:27 PM
From: ariyap
Subject: AP 635 dual Port authentication

curious to find what firmware do yo have on the AP and the switch?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------


Original Message:
Sent: Oct 17, 2025 11:01 AM
From: chulcher
Subject: AP 635 dual Port authentication

If you want to use 802.1X, don't use LACP.  Also, in general, don't bother with dual connections to the AP.  You're almost always better off just splitting the APs across multiple switches, perhaps increasing the AP density to provide sufficient secondary coverage, and saving the cost of running two cables to the AP.

802.1X when using active/standby can be accomplished but there are challenges with such because of how the AP handles the MAC address across the bond0 port.  AOS-CX has configuration options available specifically to assist with this.

------------------------------
Carson Hulcher, ACEX#110