HP-Aruba Wired Layer 2 Integration (ArubaOS-Switch)
Note – In this example, an HP Aruba 2930F configuration is provided as tested on WC.16.10.0002, however any arubaOS-Switch Layer 2 switch supporting the following features are eligible for integration. This integration is not intended for HPE switches running non-ArubaOS-Switch or ArubaOS software (K or Y software versions).
Note – In this example the NAC RADIUS Server / Policy Server is x.x.x.x (replace this IP with the IP of your NAC system)
Note – Be sure to remove comments in (BOLD) before cutting and pasting script into the switch
x
configure!class ipv4 "DNS" 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53 exit!class ipv4 "DHCP" 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67 exit!class ipv4 "INTERNAL" 10 match ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255 (anynetwork denied to guest users - optional) exit!class ipv4 "IP-ANY-ANY" 10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit!class ipv4 "WEB-TRAFFIC" 10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80 20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443 exit!class ipv4 "SC-APPLIANCE" 10 match tcp 0.0.0.0 255.255.255.255 198.31.193.211 0.0.0.0 eq 80 20 match tcp 0.0.0.0 255.255.255.255 198.31.193.211 0.0.0.0 eq 443 30 match tcp 0.0.0.0 255.255.255.255 198.31.193.211 0.0.0.0 eq 8443 40 match tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.0 eq 80 50 match tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.0 eq 443 60 match tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.0 eq 8443 exit!policy user "SC_COMPLIANT_POLICY" 10 class ipv4 "IP-ANY-ANY" action permit exit!policy user "SC_GUEST_POLICY" 10 class ipv4 "DNS" action permit 20 class ipv4 "DHCP" action permit 30 class ipv4 "INTERNAL" action deny 40 class ipv4 "IP-ANY-ANY" action permit exit!policy user "SC_INITIAL_POLICY" 10 class ipv4 "IP-ANY-ANY" action permit exit!policy user "SC_QUARANTINE_POLICY" 10 class ipv4 "DNS" action permit 20 class ipv4 "DHCP" action permit 30 class ipv4 "SC-APPLIANCE" action permit 40 class ipv4 "WEB-TRAFFIC" action redirect captive-portal exit!dhcp-snoopingdhcp-snooping authorized-server y.y.y.y (replace with ip address of dhcp server)dhcp-snooping database delay 15no dhcp-snooping option 82dhcp-snooping vlan x (client VLAN(s))dhcp-snooping allow-overwrite-bindingradius-server host x.x.x.x key "your-secret-here"radius-server host x.x.x.x dyn-authorizationradius-server host x.x.x.x time-window 0!interface x (uplink interface) dhcp-snooping trust exit!aaa server-group radius "NAC" host x.x.x.xaaa accounting update periodic 5aaa accounting network start-stop radiusNote – VLANs for all roles can be the same (as was done when testing) or whichever VLAN you prefer for the role.aaa authorization user-role name "SC_GUEST_ROLE" policy "SC_GUEST_POLICY" vlan-id x (VLAN # guest clients should be placed in) exitaaa authorization user-role name "SC_INITIAL_ROLE" policy "SC_INITIAL_POLICY" vlan-id x (VLAN # clients have when initially connecting) exitaaa authorization user-role name "SC_COMPLIANT_ROLE" policy "SC_COMPLIANT_POLICY" vlan-id x (VLAN # compliant clients should be placed in) exitaaa authorization user-role name "SC_QUARANTINE_ROLE" captive-portal-profile "use-radius-vsa" policy "SC_QUARANTINE_POLICY" vlan-id x (VLAN # blocked clients should be placed in) exitaaa authorization user-role enableaaa authentication port-access eap-radiusaaa authentication captive-portal enableaaa port-access gvrp-vlansaaa port-access authenticator x-x (can be a single port or range)aaa port-access authenticator x-x tx-period 10aaa port-access authenticator x-x supplicant-timeout 10aaa port-access authenticator x-x client-limit 1aaa port-access authenticator x-x cached-reauth-period 30aaa port-access authenticator eap-id-complianceaaa port-access authenticator activeaaa port-access supplicant x-xaaa port-access mac-based x-xaaa port-access mac-based x-x addr-limit 250aaa port-access mac-based x-x cached-reauth-period 1aaa port-access x-x auth-order authenticator mac-basedThis completes the ArubaOS-Switch device configuration for NAC integration.
Note – The switch must now be added to the NAC RADIUS server. Refer to the NAC RADIUS Server Configuration guide for details on how to add the switch as a NAS.
Note – Unless 802.1X is required, be sure to select the MAC Authentication Only mode when configuring the NAC RADIUS server
Troubleshooting Comnand:Show port-access clients 3 detaileddebug destination sessiondebug eventWas this page helpful?