Aruba Instant & Cloud Wi-Fi

Occasional Contributor I
Posts: 7
Registered: ‎03-26-2015

Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

Hello,

I'm in the process of standing up a WPA2-ENT network. I have everything working just fine, however, I'd like to use the MAC filter.

We're currently using the internal server on the virtual controller to do MAC filtering on our current WPA2-Personal network which works fine, however, if I tick the 'Perform MAC authentication before 802.1X' on the WPA2-Ent network nothing gets through.

Currently, the MAC addresses in the internal server on the virtual controller are in the format of xxxxxxxxxxxx rather than xx:xx:xx:xx:xx:xx.

Any hints or advice here would be hugely appreciated.

Kind regards.

Guru Elite
Posts: 19,987
Registered: ‎03-29-2007

Re: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

Please see the link here:  http://www.arubanetworks.com/techdocs/Instant_41_WebHelp/InstantWebHelp.htm#UG_files/Authentication/MAC_Authentication.htm?Highlight=mac authentication

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor I
Posts: 7
Registered: ‎03-26-2015

Re: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

Hello,

Thank you for your prompt reply. I forgot to mention that I did follow
those guides, and unfortunately it still doesn't seem to work.

As I mentioned, MAC filtering works fine for our WPA2-Personal network,
however, if I apply it to the WPA2-Enterprise network it doesn't work. It
simply just blocks all traffic on the Enterprise network.

Cheers.
Guru Elite
Posts: 19,987
Registered: ‎03-29-2007

Re: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

Did you turn on user debugging to see why?  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/How-to-troubleshoot-user-connectivity-issues-on-Instant-AP/ta-p/82142

"Doesn't work" is very general.  Debugging should provide some specifics.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 7
Registered: ‎03-26-2015

Re: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

Hello,

Below is what I get for the connection attempt from the debug logs:

Apr 2 14:24:08 cli[4809]: <541004> |AP KIT570WAP1@192.168.201.8 cli| recv_sta_update: receive station msg, mac-04:0c:ce:e2:92:ec bssid-18:64:72:30:f7:f0 ssid-Test.
Apr 2 14:24:08 cli[4809]: check sid, client_ip='192.168.203.177', sid='dq63ehycAtUFq4xfhYqr;refresh'
Apr 2 14:24:08 syslog: check_sid_type: sid check type, result-'0 admin'
Apr 2 14:24:08 cli[4809]: check sid, client_ip='192.168.203.177', sid='dq63ehycAtUFq4xfhYqr;refresh'
Apr 2 14:24:08 syslog: check_sid_type: sid check type, result-'0 admin'
Apr 2 14:24:10 cli[4809]: check sid, client_ip='192.168.203.177', sid='dq63ehycAtUFq4xfhYqr'
Apr 2 14:24:10 syslog: check_sid_type: sid check type, result-'0 admin'
Apr 2 14:24:10 syslog: process_msg_ref: 20: got msg_ref of len 9595 and body '/tmp/.cli_msg_tazZmT'
Apr 2 14:24:10 syslog: process_msg_ref: 33: opening '/tmp/.cli_msg_tazZmT'
Apr 2 14:24:10 syslog: process_msg_ref: 38: reading large msg
Apr 2 14:24:10 syslog: process_msg_ref: 41: read large msg of 9594 bytes
Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

Hi,

Please go through "show log security" and "show ap debug auth-trace-buf" to understand the issue.

Show auth-trace-buff will give complete messages exchanged between Client and AP. It should help you to diagnose the issue.

Feel free to ask for any further help on this.

Cheers,
Venu Puduchery,
Occasional Contributor I
Posts: 7
Registered: ‎03-26-2015

Re: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

Hello all,

My apologies for the delayed update.

After quite a bit of experimenting and a fair bit of research it looks like it just isn't possible to do with these units.

It looks like if I want to combine MAC filtering and 802.1x I need to perform all of that verification on the NPS server.

Thank you all for your time and effort.

Cheers
