I will also test removing the preauth-role per your recommendation; I only added it as a test to get our phone to work.
Original Message:
Sent: Jul 13, 2023 02:49 AM
From: Holger Hasenaug
Subject: Aruba 6000 - dot1x With Cisco Phone and PC
Hi Jay
The main reason that only one device can connect successfully at any given time is that there is the following invisible default on each interface:
aaa authentication port-access client-limit 1
aaa authentication port-access auth-mode client-mode
This can be seen when you do a "show run all". To fix your issue you need to increase the client-limit. I would recommend setting it to "3", as the phone may send some data on the untagged (native) data VLAN:
I also recommend removing the following line:
aaa authentication port-access preauth-role UNAUTH_VID
There should be no need to give the devices access to the network before authentication has succeeded or been rejected.
Regards Holger
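An added example, not part of the original thread: a small offline check that applies the two points from the reply above (the implicit client-limit of 1 and the preauth-role line) to a saved running-config. The function name, the `expected_clients` value of 2 (phone plus PC) and the trimmed sample config are assumptions made for illustration; the parser assumes the indented layout of a running-config.

```python
import re

DEFAULT_CLIENT_LIMIT = 1  # implicit per-port default described in the reply above
PREFIX = "aaa authentication port-access "

# Constructed sample: 1/1/1 is trimmed from the posted port, 1/1/2 is hypothetical.
SAMPLE_CONFIG = """\
interface 1/1/1
    aaa authentication port-access preauth-role UNAUTH_VID
    aaa authentication port-access auth-role AUTH_VID
    aaa authentication port-access dot1x authenticator
        enable
interface 1/1/2
    aaa authentication port-access client-limit 3
    aaa authentication port-access auth-role AUTH_VID
    aaa authentication port-access dot1x authenticator
        enable
"""

def audit_port_access(config_text, expected_clients=2):
    """Map each port-access interface to a list of findings (empty list = clean)."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented line starts a new top-level context
            m = re.fullmatch(r"interface (\S+)", line)
            current = m.group(1) if m else None
        elif current and line.startswith(PREFIX):
            port = ports.setdefault(current, {"limit": DEFAULT_CLIENT_LIMIT, "preauth": None})
            key, _, value = line[len(PREFIX):].partition(" ")
            if key == "client-limit" and value.isdigit():
                port["limit"] = int(value)
            elif key == "preauth-role":
                port["preauth"] = value
    report = {}
    for name, port in ports.items():
        notes = []
        if port["limit"] < expected_clients:
            notes.append(f"client-limit {port['limit']} < {expected_clients} expected clients")
        if port["preauth"]:
            notes.append(f"preauth-role {port['preauth']} grants access before authentication")
        report[name] = notes
    return report

if __name__ == "__main__":
    print(audit_port_access(SAMPLE_CONFIG))
```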
Original Message:
Sent: Jul 12, 2023 04:00 PM
From: JayMars
Subject: Aruba 6000 - dot1x With Cisco Phone and PC
Hi everyone,
We just started receiving our new Aruba 6000 switches (moving on from the 2530 series). I had a small learning curve with the commands on the new OS, which are not the same, but so far so good, except for our dot1x authentication when using a Cisco phone between the switch and the PC. We didn't have that issue with past switches.
If I connect only the PC, it works
If I connect only the phone, it works
If I connect both, only the PC works
From my troubleshooting so far, when both are connected, only the PC sends the RADIUS request and gets approved; the phone doesn't send anything.
When I only have the phone, it sends the RADIUS request, gets approved, gets an IP and connects.
We are using ClearPass as our RADIUS server.
Here's my current config:
vlan 3
    name VoIP
    voice
vlan 8
    name WIRED_PC
aaa authentication port-access dot1x authenticator
    radius server-group clearpass
    enable
port-access role AUTH_VID
    vlan trunk native 8
    vlan trunk allowed 3,8
port-access role UNAUTH_VID
    description NOT_AUTH_PC_GUEST_VLAN
    vlan trunk native 50
    vlan trunk allowed 3,50
interface 1/1/1
    no shutdown
    vlan trunk native 8
    vlan trunk allowed 3,8
    aaa authentication port-access preauth-role UNAUTH_VID
    aaa authentication port-access reject-role UNAUTH_VID
    aaa authentication port-access auth-role AUTH_VID
    aaa authentication port-access dot1x authenticator
        enable
I'm pretty sure that there is not much missing, but some help would be appreciated to resolve this!
Thanks,