We’ve said it before, but since it’s important we’ll say it again: shared knowledge makes for a stronger ecosystem! With this in mind, I’m walking through the Cumulus Linux 3.7.5 campus features, including Multi-Domain Authentication, in a 6-part blog series.

In this series we’re covering it all: Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass, Wired 802.1x using Cisco ISE, Wired MAC Authentication using Cisco ISE, and Multi-Domain Authentication using Cisco ISE.

This third guide covers how to enable Multi-Domain Authentication in Cumulus Linux 3.7.5+ using Aruba ClearPass 6.7.x.

Keep in mind that this step-by-step guide assumes that you have already performed the initial setup of Aruba ClearPass and have read the two preceding posts, Wired 802.1x Authentication using Aruba ClearPass and Wired MAC Authentication using Aruba ClearPass.

Over the past year, Cumulus Networks has made a concerted effort to expand the breadth and scope of the campus features in Cumulus Linux. Hot off the press in 3.7.5 is one of those features: Multi-Domain Authentication (MDA).

Classically, MDA allows a Voice VLAN and a Data VLAN to be configured independently on the same switch port, for a VoIP phone and the PC connected behind it. Each device is authenticated in its own domain, so the PC does not inherit the phone’s authorization. The Cumulus Linux team has updated hostapd and the underlying ifupdown2 to provide a robust MDA solution.

Here’s the network diagram of the Multi-Domain Authentication design:

Aruba ClearPass Configuration:

First, we are going to build the necessary MDA pieces in Aruba ClearPass.

1. Adding an Enforcement Profile

Navigate to Configuration > Enforcement > Profiles and click “+Add” in the top right-hand corner.

In the “Profile” tab, select “RADIUS Based Enforcement” from the “Template” dropdown and name the profile “PoC – Cumulus MDA Voice VLAN”. On the “Attributes” tab, set the following:

  • Type = “Radius:Cisco”
  • Name = “Cisco-AVPair (1)”
  • Operator = “EQUALS”
  • Value = “device-traffic-class=voice”

This is the Cisco vendor-specific attribute (VSA) that marks a device as belonging to the voice domain. Cumulus Linux hostapd interprets it the same way, which is why the profile uses the Radius:Cisco dictionary even though the switch is not a Cisco device.

2. Modify an existing Enforcement Policy

Configuration > Enforcement > Policies

Select “PoC – Cumulus MAC Authentication Policy”, which is the name of the Enforcement Policy that we set up in the Wired MAC Authentication using Aruba ClearPass post.

Click on the “Rules” tab and edit rule #1.

Previously, this rule passed Dynamic VLAN 36 from ClearPass to the Cumulus switch:

Remove this entry and replace it with the “PoC – Cumulus MDA Voice VLAN” Enforcement Profile created in step #1.

Click the “Save” button in the bottom right-hand corner.

This will bring you back to the “Rules” tab:

Click “Save” in the bottom right-hand corner.

These two steps are all that is required on the ClearPass side for MDA.

Cumulus Linux MDA setup:

I factory-reset the switch that I had been using in the Wired 802.1X and Wired MAC Authentication posts. This section outlines all of the steps necessary to build MDA on a brand-new switch.

1. Adding the test interface

I am going to use “swp11” to test MDA:

net add interface swp11
net add bridge bridge ports swp11
net commit

2. Enabling dot1x, MAB, and a Voice VLAN on swp11

Here are the NCLU commands I enter. The RADIUS server is reached over the management VRF, and client-source-ip fixes the source address the switch uses for its RADIUS requests, which must match the network device entry for the switch in ClearPass:

net add dot1x radius server-ip 10.10.102.252 vrf mgmt
net add dot1x radius client-source-ip 192.168.255.100
net add dot1x radius shared-secret cumulus11
net add dot1x send-eap-request-id
net add dot1x dynamic-vlan
net add bridge bridge ports swp11
net add interface swp11 dot1x mab
net commit

Adding swp11 to the bridge again is harmless if step 1 already did it. The shared secret “cumulus11” is a lab value: use a long, random secret in production, since the integrity of every RADIUS Access-Accept the switch acts on rests on it. Note that the Voice VLAN itself does not appear in these commands; it shows up as the value after the colon in the voice_interfaces line of /etc/hostapd.conf, which step 3 examines.

3. Modify the hostapd.conf file

The next step is to change the bottom two values in the /etc/hostapd.conf file from “=1” to “=0”:

radius_das_require_event_timestamp=0
radius_das_require_message_authenticator=0

These two settings control how strictly hostapd checks RADIUS Dynamic Authorization (CoA/Disconnect) requests from ClearPass. Set to 0, hostapd accepts DAS requests that carry no Event-Timestamp or Message-Authenticator attribute, which disables its replay and forgery checks on those messages. Relax them only if ClearPass does not send those attributes, and keep DAS limited to the ClearPass server’s address with its own strong secret.

Restart hostapd.service after making the above changes with the following command:

sudo systemctl restart hostapd.service

Let’s take a look under the hood to see what this new MDA configuration looks like in hostapd. By examining the /etc/hostapd.conf file, we see the following:

The Cumulus Linux MDA feature allows for two options:

Option 1 – A “Voice Interface” is configured and the RADIUS server supplies the Voice VLAN dynamically, in the same way a Dynamic VLAN is delivered.

Option 2 – A “Voice Interface” is configured and the Voice VLAN is defined locally on the switch. This locally defined VLAN appears as the value after the colon in the “voice_interfaces” stanza shown above.

In a large deployment, Option 2 is the better choice. First, if different switches use different Voice VLANs, each switch maps the same RADIUS response onto its own locally defined Voice VLAN. Second, from the ClearPass perspective, Option 2 needs only a single Enforcement Profile for the entire enterprise, which keeps the configuration clean.

Verification and Troubleshooting

First, we plug a wired VoIP phone into port swp11. Within 3CX, the SIP VoIP server used in this test, the phone has come up and registered with the system:

Within 3CX, we see that the Avaya phone has registered with a 192.168.36.x address, which is on the Voice VLAN (VLAN 36). Let’s take a look under the hood to see what is happening on the switch and within ClearPass.

On the Cumulus switch, the following commands will show the status of dot1x:

The output shows that MAB, Voice, and 802.1x (“Interfaces”) are enabled on swp11.

Next, run the following command to show the status of the swp11 interface:

net show dot1x interface swp11

Adding the “details” keyword provides more information about the connected device:

net show dot1x interface swp11 details

The “Server Flags” are reporting “[MAB]”, which is the abbreviation for MAC Authentication Bypass.

Aruba ClearPass also provides a view of the MAC-authenticated connection through the Access Tracker:

Monitoring > Live Monitoring > Access Tracker

Clicking on the top entry within Access Tracker will open up the “Request Details” window:

1. Service – The request is hitting the “PoC – Cumulus Wired MAC Authentication” service that was created in the “Campus design feature set-up: Part 2” blog post.
2. Authentication Method – ClearPass reports MAC-AUTH.
3. Enforcement Profiles – This request sends the “PoC – Cumulus MDA Voice VLAN” profile down to the Cumulus switch. This Enforcement Profile was created earlier in this post.

Let’s examine the Enforcement Profile by clicking on the “Output” tab in the “Request Details:”

Here ClearPass sends the RADIUS VSA for Multi-Domain Authentication (Cisco-AVPair device-traffic-class=voice) down to the Cumulus switch. The switch sees this VSA and moves the connecting device to the Voice VLAN, in this setup the locally defined VLAN from the voice_interfaces line in hostapd.conf.

Now we test wired 802.1x by plugging a laptop into the PC port on the Avaya phone:

The laptop was placed on the 192.168.17.x subnet, which corresponds to VLAN 17 from the “Campus design feature set-up: Part 1” blog post. We are using exactly the same 802.1x configuration from that post for this test.

On the Cumulus Switch, run the following command to see the updated interface status:

net show dot1x interface swp11

The Avaya phone is still authenticated via MAC Authentication Bypass, and the laptop has authenticated using EAP-TLS and landed on VLAN 17.

Adding the “details” keyword provides more information about the connected device:

net show dot1x interface swp11 details

Notice that the “Status Flags” report that this connection is using a “[DYNAMIC VLAN]”, which was sent by the Aruba ClearPass server.

Aruba ClearPass also provides a view of the 802.1x connection through the Access Tracker:

Monitoring > Live Monitoring > Access Tracker

In the above example, I am filtering on “Cumulus”.

Clicking on the top entry within Access Tracker will open up the “Request Details” window:

1. Service – The request is hitting the “PoC – Cumulus 802.1x Wired” service that we created in the “Campus design feature set-up: Part 1” blog post.
2. Authentication Method – ClearPass reports EAP-TLS, which is exactly what the laptop is offering and what the Cumulus switch is reporting.
3. Enforcement Profiles – This request sends the “PoC – Cumulus Dynamic VLAN 17” profile down to the Cumulus switch.

Let’s examine the Enforcement Profile by clicking on the “Output” tab in the “Request Details:”

1. Enforcement Profile – We are sending the Dynamic VLAN 17 profile that we created in ClearPass step #4 of the Part 1 post.
2. Radius:IETF:Tunnel-Private-Group-Id – This carries the VLAN value “17” down to the Cumulus switch as the Dynamic VLAN.
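
To make the two Access-Accepts above concrete, here is a small Python model of what the switch has to do with them. This is an added example, not code from this post, Cumulus Linux or Aruba: it encodes the voice profile (Cisco-AVPair device-traffic-class=voice) and the Dynamic VLAN 17 profile (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) as RADIUS attributes, checks the Response Authenticator against the post’s shared secret, parses the attributes back out, and picks the domain and VLAN under both MDA options. The packets, the request authenticator, the voice_interfaces map and all function names (place_device and friends) are constructed for the example; VLAN 36, VLAN 17 and the secret cumulus11 are the values used in the post.

```python
"""RADIUS Access-Accept decoding for Multi-Domain Authentication (MDA).
Added example, not Cumulus Linux or ClearPass code. Constructed here: the
packets, REQUEST_AUTH, VOICE_INTERFACES and all function names. From the
post: shared secret cumulus11, voice VLAN 36, data VLAN 17 and the VSA."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ATTR_VENDOR_SPECIFIC = 2, 26
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # RFC 2868 / RFC 3580 values
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
SHARED_SECRET = b"cumulus11"
REQUEST_AUTH = bytes(range(16))   # constructed stand-in for the Access-Request authenticator
VOICE_INTERFACES = {"swp11": 36}  # mirrors hostapd.conf voice_interfaces=swp11:36 (Option 2)

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific (26) carrying a Cisco-AVPair (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def vlan_attrs(vlan):
    """The three attributes a ClearPass Dynamic VLAN enforcement profile sends.
    Tunnel integers are a 1-byte tag (0 here) plus a 3-byte value (RFC 2868)."""
    return [avp(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(4, "big")),
            avp(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802.to_bytes(4, "big")),
            avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())]

def build_access_accept(ident, attrs, secret=SHARED_SECRET):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + REQUEST_AUTH + body + secret).digest() + body

def verify_accept(packet, secret=SHARED_SECRET):
    """An Accept whose authenticator does not check out was not produced with
    the switch's shared secret and must be dropped rather than acted on."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", head)
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(head + REQUEST_AUTH + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attrs(packet):
    """Extract the tunnel attributes and Cisco-AVPair strings that MDA acts on."""
    out, pos = {"avpairs": []}, 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        atype, val, pos = packet[pos], packet[pos + 2:pos + alen], pos + alen
        if atype == ATTR_TUNNEL_TYPE:
            out["tunnel_type"] = int.from_bytes(val[1:4], "big")
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            out["tunnel_medium"] = int.from_bytes(val[1:4], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte in 0x00-0x1F is an RFC 2868 tag, not part of the string.
            out["group_id"] = (val[1:] if val and val[0] <= 0x1F else val).decode()
        elif (atype == ATTR_VENDOR_SPECIFIC and len(val) >= 6
              and val[:4] == struct.pack("!I", VENDOR_CISCO)):
            stype, slen = val[4], val[5]  # one sub-attribute per VSA, as ClearPass sends it
            if stype == CISCO_AVPAIR and 2 <= slen <= len(val) - 4:
                out["avpairs"].append(val[6:4 + slen].decode())
    return out

def place_device(port, attrs, option=2):
    """(domain, vlan) for a device on `port`. option=2: voice VLAN from the
    switch's voice_interfaces map; option=1: voice VLAN from the RADIUS reply."""
    dynamic = None
    if (attrs.get("tunnel_type") == TUNNEL_TYPE_VLAN
            and attrs.get("tunnel_medium") == TUNNEL_MEDIUM_IEEE802
            and attrs.get("group_id", "").isdigit()):
        dynamic = int(attrs["group_id"])
    if "device-traffic-class=voice" in attrs["avpairs"]:
        if option == 2:
            if port not in VOICE_INTERFACES:
                raise ValueError(f"{port} has no locally defined voice VLAN")
            return ("voice", VOICE_INTERFACES[port])
        if dynamic is None:
            raise ValueError("Option 1 needs a Tunnel-Private-Group-Id for the voice VLAN")
        return ("voice", dynamic)
    return ("data", dynamic)  # None: the device stays on the port's untagged VLAN

def demo():
    """Replay the post's Accepts (phone via MAB, laptop via EAP-TLS), an Option 1
    voice Accept and a forged Accept; returns what the switch would do with each."""
    phone = build_access_accept(1, [cisco_avpair("device-traffic-class=voice")])
    laptop = build_access_accept(2, vlan_attrs(17))
    phone_opt1 = build_access_accept(3, vlan_attrs(36) + [cisco_avpair("device-traffic-class=voice")])
    forged = build_access_accept(4, vlan_attrs(17), secret=b"not-the-switch-secret")
    return {"phone": place_device("swp11", parse_attrs(phone)),
            "laptop": place_device("swp11", parse_attrs(laptop)),
            "phone_option1": place_device("swp11", parse_attrs(phone_opt1), option=1),
            "phone_verified": verify_accept(phone),
            "forged_verified": verify_accept(forged)}
```

Calling demo() returns the phone on ("voice", 36) and the laptop on ("data", 17), the Option 1 variant on ("voice", 36) only because the Accept itself carried VLAN 36, and the forged Accept failing verification. The Option 2 path is the post’s recommendation in miniature: ClearPass sends an identical Accept to every switch, and each switch substitutes its own locally defined Voice VLAN.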

Multi-Domain Authentication allows a laptop on the PC port of a VoIP phone to be authenticated successfully, with different VLANs and different domains (MAB for the phone, 802.1x for the laptop) on the same physical port.

For further MDA troubleshooting, the link in the 802.1x Interfaces docs page is an invaluable resource.

In the next blog, I’ll cover Wired 802.1x using Cisco ISE. In the meantime, take a look at some of the other tutorials we offer engineers where you can learn basic open networking commands and configurations, all the way up to advanced configurations. Our how-to videos are a great place to start.