Dot1X and MAB Authentication on Aruba OS

For security reasons, a customer asked me to add MAC Authentication Bypass (MAB) to an existing 802.1X configuration. He had a few devices with no usable 802.1X supplicant, such as televisions, a bank card terminal and lightweight PCs.

As a reminder, MAB uses the device's MAC address as its credential against the RADIUS server. In my case it is used to authenticate network equipment on the wired LAN.

I had already tested MAB in the lab on Cisco switches, and it works differently: Cisco switches wait for 802.1X authentication to fail, while Aruba OS runs both authentication methods at the same time. That is a good point because it is much faster than Cisco. It is perhaps regrettable that this is not configurable with timers.

After some tests, I was able to configure MAB with the following components:

  • Aruba 2930 switches (Aruba OS, ex HP ProVision)
  • Windows Server 2008 with the NPS role

Configuration on the switch is not complicated, but a few points require attention:

  • If you forget the client-limit, you cannot add mac-based authentication on the port.
  • You cannot set an unauth-vid on the 802.1X authenticator when mac-based authentication is enabled on the same port. It makes sense: a client that fails 802.1X still gets MAB, so the unauth VLAN is decided by the mac-based side, and that is the only place you can configure it.
aaa port-access authenticator 1
aaa port-access authenticator 1 auth-vid 10
aaa port-access authenticator 1 client-limit 2
aaa port-access mac-based 1
aaa port-access mac-based 1 auth-vid 10
aaa port-access mac-based 1 unauth-vid 11
Aruba OS error when attempting to configure an unauth-vid for 802.1X with MAC-based authentication enabled

Configuration on the RADIUS server is easy. You create a network policy whose condition matches an AD security group and put the MAB accounts in that group. The switch uses CHAP to authenticate the MAB user against the RADIUS server, so the policy's constraints must allow CHAP as an authentication method.

Each MAB user account in AD needs "Store password using reversible encryption" enabled, and you have to set the password again after ticking the box, because the setting only applies to passwords written afterwards. CHAP requires the server to hold the cleartext password. If you forget it, NPS logs a rejection with reason code 19. Enable reversible encryption on the MAB accounts only, never through a domain-wide policy: a reversibly stored password is as good as cleartext to anyone who can read the directory.

The account name is the device's MAC address (without delimiters) and the password is the same MAC. Don't forget to add the account to the security group used by the NPS policy. Keep in mind what this means: the only secret is a MAC address that anyone on the segment can read and spoof, so MAB should only ever land a device in a restricted VLAN.
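To make the CHAP and reversible-password points concrete, here is an added example (not code from the original post, from Aruba or from Microsoft) that models the exchange just described: the switch uses the client MAC with delimiters removed as both user name and password, proves it with an RFC 1994 CHAP response carried in the RFC 2865 CHAP-Password and CHAP-Challenge attributes, and the server can only check that response by recomputing the same MD5 over the cleartext password. Lower-case MAC, the 16-byte challenge length and the exact attribute layout the switch emits are assumptions; the NPS reason codes named in the strings are the real ones (19 for a non-reversible password, 16 for a credential mismatch).

```python
"""CHAP for MAC-based authentication over RADIUS, and why AD needs reversible passwords.

Added example (not from the original post, Aruba or Microsoft). Models the NAS side
(switch) and the server side (NPS) of MAB with CHAP. Assumptions: lower-case MAC with
no delimiter as user name and password, 16-byte challenge, RFC 2865 attribute layout.
"""
import hashlib
import hmac
import os
import re
import struct
from typing import Optional, Tuple

CHAP_PASSWORD = 3    # RADIUS attribute types (RFC 2865 sections 5.3 and 5.40)
CHAP_CHALLENGE = 60


def mab_username(mac: str) -> str:
    """Account name as the page describes it: the MAC with delimiters removed (lower case assumed)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def nas_chap_attributes(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The two TLV attributes a NAS puts in the Access-Request for CHAP."""
    resp = chap_response(ident, password, challenge)
    chap_password = struct.pack("!BBB", CHAP_PASSWORD, 3 + len(resp), ident & 0xFF) + resp
    chap_challenge = struct.pack("!BB", CHAP_CHALLENGE, 2 + len(challenge)) + challenge
    return chap_password + chap_challenge


def mab_access_request(mac: str, ident: int = 1, challenge: Optional[bytes] = None) -> Tuple[str, bytes]:
    """User name plus CHAP attributes for a MAB client: password == user name == MAC."""
    user = mab_username(mac)
    challenge = challenge if challenge is not None else os.urandom(16)
    return user, nas_chap_attributes(ident, user.encode("ascii"), challenge)


def parse_chap_attributes(attrs: bytes) -> Tuple[int, bytes, bytes]:
    """Walk the TLVs and return (ident, response, challenge); raise if either attribute is missing."""
    ident = response = challenge = None
    i = 0
    while i + 2 <= len(attrs):
        typ, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value = attrs[i + 2:i + length]
        if typ == CHAP_PASSWORD and len(value) == 17:   # 1 byte ident + 16 byte MD5
            ident, response = value[0], value[1:]
        elif typ == CHAP_CHALLENGE:
            challenge = value
        i += length
    if ident is None or challenge is None:
        raise ValueError("CHAP-Password or CHAP-Challenge missing")
    return ident, response, challenge


def server_verify_chap(attrs: bytes, stored_cleartext: Optional[bytes]) -> Tuple[bool, str]:
    """What NPS has to do. stored_cleartext=None models an account whose password exists only
    as a one-way hash (reversible encryption off, or ticked but the password never reset):
    the CHAP MD5 cannot be recomputed, so the request is rejected whatever the client sent."""
    ident, response, challenge = parse_chap_attributes(attrs)
    if stored_cleartext is None:
        return False, "reject, reason 19: reversibly encrypted password required for CHAP"
    expected = chap_response(ident, stored_cleartext, challenge)
    if hmac.compare_digest(expected, response):
        return True, "Access-Accept"
    return False, "reject, reason 16: user credentials mismatch"


if __name__ == "__main__":
    # Constructed sample: the MAC from the first debug capture below, with a fixed challenge.
    user, attrs = mab_access_request("008064-70c302", ident=7, challenge=bytes(range(16)))
    print(user, attrs.hex())
    print(server_verify_chap(attrs, user.encode()))      # reversible password stored: accept
    print(server_verify_chap(attrs, None))               # one-way hash only: reason 19
    print(server_verify_chap(attrs, b"00806470c303"))    # wrong password: reason 16
```

The `None` branch is the whole reason for the AD checkbox: with CHAP the server is the one computing the MD5, so a one-way password hash is useless to it, which is also why the same accounts become a cleartext-password store.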

Troubleshooting:

  • Several commands show the state of the authentication process
  • Aruba OS distinguishes 802.1X from MAC-based authentication with the authenticator and mac-based keywords
show port-access client [X]
show port-access authenticator client [X]
show port-access mac-based client [X]
Screenshots of the output: 802.1X auth successful; MAC-based auth successful; MAC-based auth failed; 802.1X and MAB enabled, MAB auth successful

You can also enable detailed debugging with the following commands (use debug destination session to see the output on your terminal):

debug security port-access mac-based
debug security port-access authenticator
debug security port-access authenticator include Port 24

Example output:

Successful MAC-based auth:
0069:01:17:13.97 MAC mWebAuth:Port: 24 MAC: 008064-70c302 new client detected on vid: 1.
0069:01:17:13.97 MAC mWebAuth:Port: 24 MAC: 008064-70c302 RADIUS CHAP authentication started, session: 374.
0069:01:17:13.98 MAC mWebAuth:Port: 24 MAC: 008064-70c302 [374] client accepted.
0069:01:17:13.98 MAC mWebAuth:Port: 24 MAC: 008064-70c302 client successfully placed into vid: 1.

Failed MAC-based auth (no response from the RADIUS server in this test; what the debug shows is the 802.1X side: the switch re-sends EAP Request-Identity to the EAPOL group address every 30 seconds and no supplicant ever answers)
0069:00:30:30.03 1X m8021xCtrl:Port 24: sent ReqId #1 to 0180c2-000003.
0069:00:31:00.03 1X m8021xCtrl:Port 24: sent ReqId #2 to 0180c2-000003.
0069:00:31:30.03 1X m8021xCtrl:Port 24: sent ReqId #2 to 0180c2-000003.
0069:00:32:00.03 1X m8021xCtrl:Port 24: sent ReqId #3 to 0180c2-000003.

Successful 802.1X authentication:
0069:00:27:47.83 1X m8021xCtrl:Port 6: connection detected.
0069:00:27:56.03 1X m8021xCtrl:Port 6: sent ReqId #19 to 0180c2-000003.
0069:00:27:56.04 1X m8021xCtrl:Port 6: added new client 0021b7-ed4f11.
0069:00:27:56.04 1X m8021xCtrl:Port 6: received RspId #19 from 0021b7-ed4f11.
0069:00:27:56.04 1X m8021xCtrl:Port 6: enterAuthState for client 0021b7-ed4f11, State SM_AUTHENTICATING for impscan
[…]
0069:00:27:56.07 1X m8021xCtrl:Port 6: Received Auth Success for client 0021b7-ed4f11, User impscan.
0069:00:27:56.07 1X m8021xCtrl:Port 6: starting Acct session for client 0021b7-ed4f11 User impscan.
0069:00:27:56.07 1X m8021xCtrl:Port 6: sent Success #22 to 0180c2-000003.
0069:00:27:56.07 1X m8021xCtrl:Port 6: enterAuthState for client 0021b7-ed4f11,State SM_AUTHENTICATED for impscan

Port 24 configured with both 802.1X and MAB. MAB fails first, then 802.1X succeeds. Note the order: because both methods run at once, the MAB rejection puts the client into unauth-vid 103 for about half a second before the supplicant sends its EAPOL Start; once 802.1X succeeds the switch deauthenticates the MAB entry and the 802.1X session takes over.
0069:01:46:54.06 1X m8021xCtrl:Port 24: connection detected.
0069:01:46:54.06 1X m8021xCtrl:Port 24: sent ReqId #1 to 0180c2-000003.
0069:01:46:54.09 1X m8021xCtrl:Port 24: added new client 507b9d-49ccce.
0069:01:46:54.09 MAC mWebAuth:Port: 24 MAC: 507b9d-49ccce new client detected on vid: 1.
0069:01:46:54.09 MAC mWebAuth:Port: 24 MAC: 507b9d-49ccce RADIUS CHAP authentication started, session: 381.
0069:01:46:54.09 MAC mWebAuth:Port: 24 MAC: 507b9d-49ccce [381] client rejected, attempting to place client into unauth-vid: 103.
0069:01:46:54.59 MAC mWebAuth:Port: 24 MAC: 507b9d-49ccce client successfully placed into unauth-vid: 103.
0069:01:46:55.14 1X m8021xCtrl:Port 24: received EAPOL Start from 507b9d-49ccce.
0069:01:46:55.14 1X m8021xCtrl:Port 24: sent ReqId #1 to 507b9d-49ccce.
0069:01:46:55.15 1X m8021xCtrl:Port 24: received RspId #1 from 507b9d-49ccce.
0069:01:46:55.15 1X m8021xCtrl:Port 24: enterAuthState for client 507b9d-49ccce, State SM_AUTHENTICATING for host/TPDM6.XXXXX
0069:01:46:55.15 1X m8021xCtrl:Port 24: started authentication session for client 507b9d-49ccce user: host/TPDM6.XXXXXXX
[…]
0069:01:46:55.26 1X m8021xCtrl:Port 24: Received Auth Success for client 507b9d-49ccce, User host/TPDM6.XXXXX
0069:01:46:55.26 MAC m8021xCtrl:Port: 24 MAC: 000000-000000 deauthenticating all other clients on port, deauthenticating client MAC: 507b9d-49ccce.
0069:01:46:55.26 MAC m8021xCtrl:Port: 24 MAC: 507b9d-49ccce client deauthenticated from all.
0069:01:46:55.26 MAC m8021xCtrl:Port: 24 MAC: 507b9d-49ccce client deauthenticated.
0069:01:46:55.26 1X m8021xCtrl:Port 24: starting Acct session for client 507b9d-49ccce User host/TPDM6.XXXXX
0069:01:46:55.26 1X m8021xCtrl:Port 24: sent Success #13 to 507b9d-49ccce.
0069:01:46:55.26 1X m8021xCtrl:Port 24: enterAuthState for client 507b9d-49ccce,State SM_AUTHENTICATED for host/TPDM6.XXXX
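Reading these captures by eye works for one port; for a switch full of them it helps to reduce the debug output to one outcome per client. The following is an added example, not code from the original post nor a tool shipped by Aruba: it parses the debug format shown above (timestamp, MAC/1X module, source, port, message), joins messages that were wrapped onto a second line, and reports per (port, MAC) whether MAB accepted the client, rejected it into the unauth VLAN, or 802.1X won after a MAB reject, plus ports where Request-Identity goes unanswered. It only knows the messages quoted on this page; the sample input is constructed from those captures, with the unanswered Request-Identity lines moved to port 3 so the cases do not overlap.

```python
"""Reduce ArubaOS-Switch 'debug security port-access' output to one outcome per client.

Added example, not code from the original post nor a tool shipped by Aruba. It parses
the debug format quoted above (timestamp, MAC/1X module, source, port, message) and
only knows the messages seen there; wrapped lines are joined first. Python 3.8+.
"""
import re
from typing import Dict, List, Optional, Tuple

PAE_GROUP_ADDRESS = "0180c2-000003"  # EAPOL group address Request-Identity is sent to
TS_RE = re.compile(r"^\d{4}:\d{2}:\d{2}:\d{2}\.\d{2} ")
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}:\d{2}\.\d{2}) (?P<mod>MAC|1X) (?P<src>\w+):"
    r"Port:? ?(?P<port>\d+):?\s*(?P<rest>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{6}-[0-9a-f]{6})\b")


def join_wrapped(lines: List[str]) -> List[str]:
    """A line without a leading timestamp is the tail of the previous message."""
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


class ClientState:
    def __init__(self, port: str, mac: str) -> None:
        self.port, self.mac = port, mac
        self.mab: Optional[str] = None            # "accepted" | "rejected"
        self.mab_closed = False                   # MAB entry deauthenticated by the switch
        self.dot1x_user: Optional[str] = None     # identity from "Received Auth Success"
        self.vlan: Optional[int] = None           # VLAN the switch last placed the client in
        self.unauth_vlan_seen: Optional[int] = None

    def outcome(self) -> str:
        if self.dot1x_user:
            note = f"; MAB reject put it in unauth-vid {self.unauth_vlan_seen} first" if self.unauth_vlan_seen else ""
            return f"802.1X authenticated as {self.dot1x_user}{note}"
        if self.mab_closed:
            return "deauthenticated"
        if self.mab == "accepted":
            return f"MAB accepted, vid {self.vlan}"
        if self.mab == "rejected":
            return f"MAB rejected, client in unauth-vid {self.unauth_vlan_seen}"
        return "no authentication result yet"


def parse(lines: List[str]) -> Tuple[Dict[Tuple[str, str], ClientState], Dict[str, int]]:
    """Return ({(port, mac): state}, {port: Request-Identity frames sent to the group address})."""
    clients: Dict[Tuple[str, str], ClientState] = {}
    reqid_to_group: Dict[str, int] = {}
    for line in join_wrapped(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        port, rest = m.group("port"), m.group("rest")
        if "sent ReqId" in rest and PAE_GROUP_ADDRESS in rest:
            reqid_to_group[port] = reqid_to_group.get(port, 0) + 1
            continue
        macs = [x for x in MAC_RE.findall(rest) if x != "000000-000000"]
        if not macs:
            continue
        st = clients.setdefault((port, macs[-1]), ClientState(port, macs[-1]))
        if "client accepted" in rest:
            st.mab = "accepted"
        elif "client rejected" in rest:
            st.mab = "rejected"
        elif "placed into unauth-vid" in rest:
            st.vlan = st.unauth_vlan_seen = int(re.search(r"unauth-vid: (\d+)", rest).group(1))
        elif "placed into vid" in rest:
            st.vlan = int(re.search(r"vid: (\d+)", rest).group(1))
        elif "Received Auth Success" in rest:
            u = re.search(r"User (\S+)", rest)
            st.dot1x_user = u.group(1) if u else "?"
            st.vlan = None  # the 802.1X-authorized VLAN is not reported in these lines
        elif "client deauthenticated" in rest:
            st.mab_closed = True
    return clients, reqid_to_group


def silent_supplicant_ports(clients: Dict[Tuple[str, str], ClientState],
                            reqid_to_group: Dict[str, int], min_retries: int = 2) -> Dict[str, int]:
    """Ports that re-sent Request-Identity to the group address without any 802.1X client answering."""
    answered = {st.port for st in clients.values() if st.dot1x_user}
    return {p: n for p, n in reqid_to_group.items() if n >= min_retries and p not in answered}


# Constructed sample: lines from the captures above; the unanswered Request-Identity
# lines are moved to port 3 so the cases do not overlap, one message is left wrapped.
SAMPLE = """\
0069:01:17:13.98 MAC mWebAuth:Port: 24 MAC: 008064-70c302 [374] client accepted.
0069:01:17:13.98 MAC mWebAuth:Port: 24 MAC: 008064-70c302 client successfully placed into vid: 1.
0069:00:30:30.03 1X m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.
0069:00:31:00.03 1X m8021xCtrl:Port 3: sent ReqId #2 to 0180c2-000003.
0069:00:31:30.03 1X m8021xCtrl:Port 3: sent ReqId #2 to 0180c2-000003.
0069:01:46:54.06 1X m8021xCtrl:Port 24: sent ReqId #1 to 0180c2-000003.
0069:01:46:54.09 MAC mWebAuth:Port: 24 MAC: 507b9d-49ccce [381] client rejected, attempting to place client into unauth-vid: 103.
0069:01:46:54.59 MAC mWebAuth:Port: 24 MAC: 507b9d-49ccce client successfully placed into unauth-vid: 103.
0069:01:46:55.26 1X m8021xCtrl:Port 24: Received Auth Success for client
507b9d-49ccce, User host/TPDM6.XXXXX
0069:01:46:55.26 MAC m8021xCtrl:Port: 24 MAC: 000000-000000 deauthenticating all other clients on port, deauthenticating client MAC: 507b9d-49ccce.
0069:01:46:55.26 MAC m8021xCtrl:Port: 24 MAC: 507b9d-49ccce client deauthenticated.
"""

if __name__ == "__main__":
    clients, reqids = parse(SAMPLE.splitlines())
    for (port, mac), st in clients.items():
        print(f"port {port} {mac}: {st.outcome()}")
    for port, n in silent_supplicant_ports(clients, reqids).items():
        print(f"port {port}: {n} Request-Identity frames to the group address, no supplicant reply")
```

The `unauth_vlan_seen` field is the one worth alerting on: it flags every supplicant-equipped device that spent time in the unauth VLAN before 802.1X completed, which is exactly the side effect of running both methods in parallel.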

Author: Kévin SAS

I am Kévin SAS and I live in France. I am a network and security engineer. I have worked for many customers in these domains: wireless, LAN, datacenter and VoIP, with several brands such as Cisco, HPE, Aruba and Palo Alto, among others. I previously worked for a service provider. I currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
