We have 22 buildings and all of our building-to-building links are layer 3 only (there are always exceptions...). If you're doing layer 2 back to the core and routing there then, I agree, my setup wouldn't work, but I'm curious what the advantage of that is. If you have 54xx and 64xx switches in the BDFs then you should have plenty of routing power there (unless you're pushing a TON of traffic through really complicated ACLs). Most of my BDFs have 6300s and even those are fine (for my loads).
For me, the biggest advantage to layer 3 between buildings is that I can build redundant links and use OSPF to sort out the loops instead of needing to do some flavor of STP.
Original Message:
Sent: Jan 08, 2025 09:28 AM
From: HornAlum
Subject: Aruba CX 802.1x Port-Access status "Failed"
How large is your environment? Our routing actually happens at the core level (Layer 3 at the core, Layer 2 at the IDFs) so we aren't able to use the same VLAN IDs across every switch. I do understand what you are doing with your subnets though.
We run 3 of the 8400's, in a bit of a triangle, in 3 separate datacenters. We run 5412 and 6405/10 chassis at the various BDF's and IDF's across campus that home run back to their respective cores (the 8400s).
Original Message:
Sent: Jan 08, 2025 09:19 AM
From: davidwk
Subject: Aruba CX 802.1x Port-Access status "Failed"
Regarding: I'm not sure how downloadable roles would work in an environment where every switch uses different VLANs and VLANs don't span across the environment
You probably don't want to renumber all your VLANs but, for anyone else wondering this same thing, here's how I do it in my network. All of my buildings have the same set of VLANs and they all use the same VLAN IDs. In my environment data is 44, voice is 45, security cameras are 253, etc. Each building has a unique subnet for each of its VLANs and they're routed at the building level. From the ClearPass perspective, when a security camera connects I don't need to care which building it's in, I just return the DUR for security cameras which assigns VLAN 253. Does that make sense? It took me a while to get used to having dozens of distinct VLANs that had the same ID, but once you wrap your head around it it actually works really well. I especially like doing it with DURs because changes are super easy to push out.
Original Message:
Sent: Jan 08, 2025 08:56 AM
From: HornAlum
Subject: Aruba CX 802.1x Port-Access status "Failed"
It looks like the CX platform does have limitations with vlan NAMES where AOS did not. I changed the port-access role rules to use the actual vlan tags instead of the names, and it seems to work fine.
I think this can work, since we are not using downloadable user roles. I'm not sure how downloadable roles would work in an environment where every switch uses different VLANs and VLANs don't span across the environment.
port-access role COD-MACHINE
    associate policy COD-Machines
    reauth-period 86400
    vlan trunk native 1188
    vlan trunk allowed 1188,1190,1196
6300(config)# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/1 f4:39:09:12:e8:d3 mac-auth Success LUR-UBT-User
c 1/1/2 10:e7:c6:b8:1c:0b dot1x Success COD-MACHINE
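Added example, not part of any post in this thread and not an Aruba tool: a small Python checker that reads a port-access role and the switch's show vlan rows and flags the two things raised above, a VLAN referenced by name instead of ID and a VLAN the switch does not have. The role and VLAN table are copied from this thread; the function names and the "not resolved by the role" wording are my own.

```python
import re

# Sample input copied from this thread: the role with VLAN names, the fixed role with IDs, and 'show vlan' rows.
ROLE_BY_NAME = """port-access role COD-MACHINE
    associate policy COD-Machines
    reauth-period 86400
    vlan trunk native name data
    vlan trunk allowed name data,voice
"""
ROLE_BY_ID = """port-access role COD-MACHINE
    vlan trunk native 1188
    vlan trunk allowed 1188,1190,1196
"""
SHOW_VLAN = """1 DEFAULT_VLAN_1 down no_member_forwarding default 1/1/49-1/1/50,lag1
1188 data up ok static 1/1/1-1/1/48,lag1
1190 voice up ok static 1/1/1-1/1/48,lag1
1196 finhr down no_member_forwarding static lag1
1800 Management up ok static 1/1/48,lag1
"""

def parse_show_vlan(text):
    """Map VLAN ID -> (name, status) from the body rows of 'show vlan'."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(up|down)\s", line)
        if m:
            vlans[int(m.group(1))] = (m.group(2), m.group(3))
    return vlans

def parse_role_vlans(text):
    """Return (kind, ref) for every VLAN a role references; kind is 'name' or 'id'."""
    refs = []
    for line in text.splitlines():
        m = re.match(r"\s*vlan\s+(?:trunk\s+(?:native|allowed)|access)\s+(name\s+)?(\S+)", line)
        if m:
            refs += [("name" if m.group(1) else "id", r) for r in m.group(2).split(",")]
    return refs

def check_role(role_text, show_vlan_text):
    """Findings for one role; empty means every VLAN is referenced by an ID that exists."""
    vlans = parse_show_vlan(show_vlan_text)
    by_name = {name: vid for vid, (name, _) in vlans.items()}
    findings = []
    for kind, ref in parse_role_vlans(role_text):
        if kind == "name":  # the CX role in this thread failed with names; point at the ID instead
            findings.append(f"VLAN name '{ref}' is not resolved by the role; use ID {by_name.get(ref, 'unknown')}")
        elif int(ref) not in vlans:
            findings.append(f"VLAN {ref} is not defined on the switch")
        elif vlans[int(ref)][1] != "up":
            findings.append(f"VLAN {ref} exists but is {vlans[int(ref)][1]}")
    return findings
```

Run it against a role before pushing it to a switch; the by-name role yields three findings, the by-ID role only notes that VLAN 1196 is currently down.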
Original Message:
Sent: Jan 07, 2025 08:46 AM
From: Herman Robers
Subject: Aruba CX 802.1x Port-Access status "Failed"
What are the attributes returned from ClearPass? Failed to assign VLAN typically is a conflict or wrong attributes, or a missing VLAN. Also, I'm not 100% sure if vlan names can be used in a role; have you tried with the vlan ids to see if it works with that?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jan 07, 2025 07:49 AM
From: HornAlum
Subject: Aruba CX 802.1x Port-Access status "Failed"
We are using ClearPass to send down a user-role to our Aruba CX switch. We are using local user roles in this environment. I am successfully applying the local user roles on our Aruba AOS switches but am having difficulty with our CX switches. This is on one of our lab switches as we are still in the beginning stages of trying to get wired security to work.
Our CX switch is failing to apply the local user role to the port in question once ClearPass has performed the necessary authentication checks and sent down the proper user role.
6300# show port-access clients
Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-----------------------------------------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role Device Type
Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/1 f4:39:09:12:e8:d3 mac-auth Success LUR-UBT-User
c 1/1/2 10:e7:c6:b8:1c:0b dot1x Fail COD-MACHINE
We are successfully tunneling one port over to our hardware controller, but failing to apply the role to port 2. I'm getting some kind of VLAN application error.
6300# show aaa authentication port-access interface 1/1/2 client-status
Port Access Client Status Details
Client 10:e7:c6:b8:1c:0b, anonymous
===================================
Session Details
---------------
Port : 1/1/2
Session Time : 422s
IPv4 Address :
IPv6 Address :
Device Type :
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 422s ago
Authorization Details
----------------------
Role : COD-MACHINE
Status : Failed, Failed to assign VLAN
I've checked the spelling of the port-access role, and even changed the name of the associated policy, as it had the same name but different case.
Name : COD-MACHINE
Type : local
----------------------------------------------
Reauthentication Period : 86400 secs
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Gateway Zone :
UBT Gateway Role :
UBT Gateway Clearpass Role :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name : data
Allowed Trunk VLAN Names : data,voice
VLAN Group Name :
MTU :
QOS Trust Mode :
STP Administrative Edge Port :
PoE Priority :
PVLAN Port Type :
Captive Portal Profile :
Policy : COD-Machines
GBP :
Device Type :
MACsec-Policy :
Here is the actual config of the port-access role:
port-access role COD-MACHINE
    associate policy COD-Machines
    reauth-period 86400
    vlan trunk native name data
    vlan trunk allowed name data,voice
VLANs:
6300(config)# show vlan
------------------------------------------------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
------------------------------------------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 down no_member_forwarding default 1/1/49-1/1/50,lag1
1188 data up ok static 1/1/1-1/1/48,lag1
1190 voice up ok static 1/1/1-1/1/48,lag1
1196 finhr down no_member_forwarding static lag1
1800 Management up ok static 1/1/48,lag1
4091 tunnel up ok static 1/1/1,lag1
The following is the interface configuration itself. We have the VLANs defined on the interfaces as that is our standard production configuration, and we are just beginning to try to deploy wired network security, as stated previously.
interface 1/1/2
    no shutdown
    no routing
    vlan trunk native 1188
    vlan trunk allowed 1188,1190
    spanning-tree port-type admin-edge
    aaa authentication port-access client-limit 12
    aaa authentication port-access dot1x authenticator
        eapol-timeout 10
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        enable
6300(config)# show logging -r
---------------------------------------------------
Event logs from current boot
---------------------------------------------------
2025-01-07T06:44:28.182387-06:00 6300 port-accessd[4403]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/2 is blocked by port-access
2025-01-07T06:44:28.145444-06:00 6300 intfd[751]: Event|403|LOG_INFO|UKWN|1|Link status for interface 1/1/2 is up
I've been stuck on this for weeks, looking for some help here. Probably something obvious I'm missing.