ArubaOS and Controllers

Contributor II
Posts: 56
Registered: ‎04-13-2009

802.1X and Mac Questions

I am working with a client that has a lot of Mac computers. I usually set up 802.1X with machine authentication with one role, user authentication with one role, and if you use both, another role. However, the problem is I can't figure out how to get a Mac OS to connect with a machine authentication. All I can find is where it connects via USER. So the question becomes: does anybody have any ideas? I guess the main idea behind it is one set of rules for those Macs that are authorized devices and then one set of rules for people that just type in their user name and password on their iPhones. Any ideas?
Guru Elite
Posts: 20,568
Registered: ‎03-29-2007

Re: 802.1X and Mac Questions

Machine authentication is when a Windows machine that is part of the domain logs in with host/ as its username and its SID (security identifier) as a password while it is sitting at the ctrl-alt-delete screen. When the Aruba controller sees this interaction (when enforce machine authentication is checked in the 802.1X profile), it adds the device's MAC address to the local database. Mac OS X devices, even though they can be added to the domain somewhat, are not capable of this activity. If you want those Mac devices to be "authorized", the workaround is to add their MAC address as a username and password to the local database on the master controller. On the command line, use "show local-userdb" to see the format necessary to do this and match that format for the MAC address of the Mac OS X device that you want to add.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Re: 802.1X and Mac Questions

I know this is an old post, but I just want to clarify this topic with current troubleshooting.

I have this working perfectly as mentioned above with 1 deployment. The Mac users with MAC address in local db move to fully authenticated 802.1X role.

In testing this same setup where termination is performed on the controller, the user stays in the 802.1X-user role.
I know machine authentication does not work with termination, yet when enforce machine auth is checked in the 802.1X profile, there is an extra set seen in auth-tracebuf = m-auth, where the local db MAC address is successfully looked up.


I just want to verify my testing is correct.
With 802.1X terminated on the controller, it will never move from the user role to the 802.1X role?

thanks

peter
Guru Elite
Posts: 20,568
Registered: ‎03-29-2007

Re: 802.1X and Mac Questions

If the MAC address is in the table, yes.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Re: 802.1X and Mac Questions

I have a 5.0 3400 controller with an 802.1X profile of machine = MachUser, user = UserOnly, 802.1X default = FullUser.

Terminating cert on the controller. Device MAC address in the controller internal DB.

The user is able to log on with a user account, but stays in the UserOnly role.

show user mac shows the authentication method as 802.1X (not 802.1X-User), so how come it did not switch to the default 802.1X user role?

Am I missing something in the config, or is this how it is supposed to work?

thanks in advance.

peter
Guru Elite
Posts: 20,568
Registered: ‎03-29-2007

Re: 802.1X and Mac Questions

Make sure you entered that MAC address correctly. Both the username and the password should be that MAC address.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Re: 802.1X and Mac Questions

Excuse me for wasting your time.
That was it. I was testing on our lab controller, which had a different default MAC profile - no delimiter... Thanks though.
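
An added example, not part of the thread and not Aruba code: a small audit that checks whether MAC-based local database entries match the format the MAC profile expects, which is the mismatch that resolved this thread. The delimiter and case style names and the sample entries are assumptions constructed for illustration; take the real format from the controller's MAC profile and from "show local-userdb".

```python
import re

# Delimiter styles assumed for illustration; use the style that is actually
# configured in the controller's MAC authentication profile.
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}


def render_mac(mac, delimiter="none", case="lower"):
    """Rewrite a MAC address in the given style; return None if it is not a MAC."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        return None
    hexdigits = hexdigits.upper() if case == "upper" else hexdigits.lower()
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    return DELIMITERS[delimiter].join(pairs)


def audit_entries(entries, delimiter="none", case="lower"):
    """Check (username, password) pairs against the expected MAC format.

    Returns a list of (username, problem, expected_username) tuples.
    """
    findings = []
    for username, password in entries:
        expected = render_mac(username, delimiter, case)
        if expected is None:
            findings.append((username, "not a MAC address", None))
        elif username != expected:
            findings.append((username, "format differs from profile", expected))
        elif password != username:
            findings.append((username, "password does not equal username", expected))
    return findings


# Constructed sample entries (not taken from any real controller).
SAMPLE = [
    ("001122aabbcc", "001122aabbcc"),            # matches: no delimiter, lower case
    ("00:11:22:aa:bb:cd", "00:11:22:aa:bb:cd"),  # colon delimiter, profile expects none
    ("001122AABBCE", "001122AABBCE"),            # upper case, profile expects lower
    ("001122aabbcf", "00:11:22:aa:bb:cf"),       # password in a different format
    ("jsmith", "example-password"),              # ordinary user entry, not a MAC
]

if __name__ == "__main__":
    for name, problem, expected in audit_entries(SAMPLE, "none", "lower"):
        print(f"{name}: {problem}" + (f" (expected {expected})" if expected else ""))
```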