MVP
Posts: 978
Registered: ‎04-13-2009

Instant MAC Auth fail-thru with Clearpass

I've been playing around with a lab and have a question about MAC auth on Instants.

2014-02-11 16_58_29-Instant.png

With the above setting, MAC auth should be performed, then 802.1X will be performed only if MAC auth fails.

When testing this out, clients appear to be doing 802.1X auth before MAC auth according to my Clearpass access tracker.

Has anyone else tested this out?

Cheers

James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Instant MAC Auth fail-thru with Clearpass

What exactly are you trying to achieve?

Are you trying to prevent certain clients from reaching the 802.1X-authentication stage?

If you just want 802.1X user and/or cert authentication with MAC authorization, you can easily solve this in CPPM by using the Endpoint repository as an authorization source and creating the appropriate policies. From the 802.1X RADIUS request alone you will have information about the endpoint (the client's MAC address will be in the IETF Calling-Station-ID).


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
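
The approach described in the reply above, MAC-based authorization keyed on the Calling-Station-Id carried in the 802.1X RADIUS request, sketched as an added example that is not part of the thread and is not ClearPass code. The packet is constructed for the demo, and the endpoint table, its status values and the role names are hypothetical.

```python
import re
import struct

USER_NAME, CALLING_STATION_ID = 1, 31  # RFC 2865 attribute type numbers

def parse_attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def normalize_mac(raw: bytes) -> str:
    """NAS devices format the MAC differently; reduce it to 12 lowercase hex digits."""
    mac = re.sub(r"[-:.]", "", raw.decode("ascii", "replace")).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError("Calling-Station-Id is not a MAC address")
    return mac

def authorize(packet: bytes, endpoints: dict) -> str:
    """Role for a user who already passed 802.1X, chosen from the endpoint's status."""
    try:
        attrs = parse_attributes(packet)
        mac = normalize_mac(attrs[CALLING_STATION_ID][0])
    except (ValueError, KeyError):
        return "deny"  # malformed request or no usable MAC: fail closed
    if USER_NAME not in attrs:
        return "deny"
    status = endpoints.get(mac, "Unknown")
    return {"Known": "full-access", "Disabled": "deny"}.get(status, "restricted")

def build_request(user: bytes, station: bytes) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator, for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v
                    for t, v in ((USER_NAME, user), (CALLING_STATION_ID, station)))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed endpoint table keyed by normalized MAC; statuses and roles are hypothetical.
ENDPOINTS = {"001a2b3c4d5e": "Known", "001a2b3c4d5f": "Disabled"}
```

Because the client chooses the MAC address it presents, the lookup here only refines the role of a session that 802.1X has already authenticated; it is not a credential by itself.
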
MVP
Posts: 978
Registered: ‎04-13-2009

Re: Instant MAC Auth fail-thru with Clearpass

Hi Arjan_k,

I'm just playing around with scenarios and was attempting to get MAC auth working by using the setting on the Instant webconsole.

It didn't seem to work as expected.

Thanks for your help though.

Cheers

James

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: Instant MAC Auth fail-thru with Clearpass

jrwhitehead, this is the same as when you would do MAC-only authentication on a WPA2 Enterprise profile in the controller; this isn't possible on its own. You can add MAC auth to an existing EAP-PEAP / ... but not only MAC auth.

New Contributor
Posts: 3
Registered: ‎10-07-2013

Re: Instant MAC Auth fail-thru with Clearpass

I too would like to employ MAC authentication inline with 802.1x. The reason/scenario: putting a (Xbox, TV, Blu-ray) on the same network that our students connect to using 802.1x for authentication. This would allow us to provide WiFi to non-802.1x enabled devices without standing up another SSID.

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Instant MAC Auth fail-thru with Clearpass


jrwhitehead wrote:

I've been playing around with a lab and have a question about MAC auth on Instants.

2014-02-11 16_58_29-Instant.png

With the above setting, MAC auth should be performed, then 802.1X will be performed only if MAC auth fails.

When testing this out, clients appear to be doing 802.1X auth before MAC auth according to my Clearpass access tracker.

Has anyone else tested this out?

Cheers

James


jrwhitehead,

If mac authentication fail-thru is enabled, 802.1x authentication will be performed EVEN if mac auth fails: http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/Authentication/MAC + 802.1X Authentication.htm



Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Instant MAC Auth fail-thru with Clearpass


matthew.dillion@cnu.edu wrote:

I too would like to employ MAC authentication inline with 802.1x. The reason/scenario: putting a (Xbox, TV, Blu-ray) on the same network that our students connect to using 802.1x for authentication. This would allow us to provide WiFi to non-802.1x enabled devices without standing up another SSID.


Matthew.Dillon, for any device to be able to work on an 802.1x SSID, they must support the encryption type. Devices that are PSK only will not be able to join an 802.1x SSID, period. They must use an SSID that supports PSK.



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎10-07-2013

Re: Instant MAC Auth fail-thru with Clearpass

Understood, that is what I was expecting to hear. Thank you for the clarification.
