Access Points

JYL
Occasional Contributor II
Posts: 25
Registered: ‎10-08-2009

Does Aruba AP support supplicant?

We have about 700 APs and we implemented NAC and DAI on wired. All our PC/notebook clients have the Odyssey supplicant. Our wireless APs are currently doing MAC-auth bypass on our NAC implementation.

Now our security is asking me if we can put a supplicant on the Aruba APs to avoid exploitation of the MAC address of our APs, which is what happened when one of the hackers was able to use the MAC address of an AP to get into the network.

Any ideas on how to solve this type of issue? I've got a couple but want to know more if any of you have the same issue as mine.

Your input is highly appreciated.
Thanks
Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Supplicant

Aruba APs do not support 802.1x authentication as a supplicant at this time. Please contact your local sales engineer to request this feature.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 13
Registered: ‎09-22-2009

Re: Does Aruba AP support supplicant?

Could you use WPA2 instead? The Odyssey client supports it, and other Aruba users have reported good results.

http://airheads.arubanetworks.com/vBulletin/showpost.php?p=868&postcount=28
Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

authentication

Correct me if I'm wrong JYL, but I think you mean wired authentication to the switch the AP is connected to, right?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 13
Registered: ‎09-22-2009

Re: Does Aruba AP support supplicant?




I misunderstood. Sorry.

As a workaround, until Aruba has time to implement an 802.1x supplicant in the APs, maybe they could use some of the port security options in wired switches. I'm most familiar with Cisco, but I suspect other vendors have similar functions.

Instead of a MAC bypass in the 802.1x controller, disable 802.1x on the switch ports feeding the APs, and lock those ports to the AP's MAC address (i.e. Cisco switchport port-security). That way they'd have to steal the AP's MAC AND its physical connection. The MAC wouldn't work on other ports, and other MACs wouldn't work on that port.

They could also assign the APs fixed IP addresses that are filtered to not talk to anything but the controllers. Then also filter at the switch port to prevent it using any other IP (perhaps with something like Cisco's Dynamic ARP Inspection). So if someone does steal the MAC and physical connection, they would also have to use a heavily filtered IP address. It wouldn't do them any good.
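Added example (not part of the thread, and not Aruba or Cisco code): a Python audit that checks whether AP-facing ports in a Cisco IOS-style configuration carry the controls suggested in the post above, namely port-security with a pinned MAC, an inbound ACL, and no remaining MAC-auth bypass. The interface names, MAC address, ACL name and function names are constructed for illustration.

```python
import re

# Constructed sample config (placeholders, not from the thread): one AP port
# hardened as the post suggests, one still relying on MAC-auth bypass.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 ip access-group AP-TO-CONTROLLER-ONLY in
!
interface GigabitEthernet1/0/11
 mab
!
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces

def audit_ap_port(lines):
    """List which of the suggested controls are missing on one AP port."""
    findings = []
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    if not any(re.match(r"switchport port-security mac-address [0-9a-fA-F.]+$", l) for l in lines):
        findings.append("no static MAC pinned to port")
    for l in lines:  # IOS defaults to a maximum of 1, so absence is acceptable
        m = re.match(r"switchport port-security maximum (\d+)$", l)
        if m and int(m.group(1)) > 1:
            findings.append("more than one MAC allowed")
    if not any(re.match(r"ip access-group \S+ in$", l) for l in lines):
        findings.append("no inbound ACL limiting AP to controllers")
    if "mab" in lines:
        findings.append("MAC-auth bypass still enabled")
    return findings

def audit(config, ap_ports):
    return {p: audit_ap_port(parse_interfaces(config).get(p, [])) for p in ap_ports}
```

Run `audit()` against a saved running-config and the list of ports that feed APs; an empty list for a port means all of the checked controls are present.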
