ArubaOS and Controllers

Occasional Contributor II
Posts: 11
Registered: ‎09-24-2007

802.1x - Local database filled with mac address user

Hello.

Virtual AP with AAA profile to use 802.1x authentication and enforce machine authentication. EAP-TLS with both user and machine certificates.
SSID: WPA2/AES.
Authentication against Windows 2003 RADIUS server.

The users connect fine and the system is working, but there is one thing I cannot understand.
Why is the local-user database on the Aruba controller being filled with MAC-address users of the laptop connecting with machine authentication?

Is there any way to prevent it?

Below you can see an example.


(Aruba800) #
(Aruba800) #show local-userdb

User Summary
------------
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------
00:13:02:d1:7e:d3 ******** Ansatt-PC Yes 4/23/2010 4:35 Active 0.0.0.0

User Entries: 1

(Aruba800) # show us

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------
172.17.43.42 00:13:02:d1:7e:d3 host/CL1.testlab.com Ansatt-PC 00:00:03 8021x-Machine AP65-1 Wireless Ansatt/00:0b:86:59:29:40/g aaa-ansatt tunnel

User Entries: 1/1


Ole M
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: 802.1x - Local database filled with mac address user

When you enable machine authentication, the MAC address of each machine is placed into the local user db with the MAC address as the user name and password. There is a setting in the AAA profile that controls how long we cache that UID/PW. When the cache time expires, the UID is deleted from the db. If the user attempts to connect to the WLAN without machine authentication during the cache time (they come out of hibernate or sleep mode, for instance), the local db will authenticate the machine's address.
Occasional Contributor II
Posts: 11
Registered: ‎09-24-2007

Re: 802.1x - Local database filled with mac address user

Thanks for your reply. :)
Guru Elite
Posts: 19,953
Registered: ‎03-29-2007

Enforce machine authentication




It is when you enable "enforce machine authentication" checkbox in the 802.1x profile on the Aruba controller, to be exact. If you uncheck that, it will stop creating those local database entries.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
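
An added example, not part of the thread and not Aruba code: a small Python audit helper that parses `show local-userdb` output and separates the MAC-named entries created by the machine authentication cache from ordinary local accounts, reporting the hours left before each one expires. The sample output is constructed from the row in the question plus an invented `guest1` row, and the M/D/YYYY expiry format is assumed from that row.

```python
import re
from datetime import datetime

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
EXPIRY_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}\b")

# Constructed sample: the first user row is the one shown in the thread,
# the "guest1" row is invented to represent an ordinary local account.
SAMPLE = """\
(Aruba800) #show local-userdb

User Summary
------------
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------
00:13:02:d1:7e:d3 ******** Ansatt-PC Yes 4/23/2010 4:35 Active 0.0.0.0
guest1 ******** guest Yes Active 0.0.0.0

User Entries: 2
"""

def parse_local_userdb(text):
    """Return one dict per user row; rows are recognised by the masked password column."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or set(tok[1]) != {"*"}:
            continue  # prompt, header, separator or summary line
        m = EXPIRY_RE.search(line)
        # Assumption: expiry is printed as month/day/year hour:minute.
        expiry = datetime.strptime(m.group(), "%m/%d/%Y %H:%M") if m else None
        rows.append({"name": tok[0], "role": tok[2], "expiry": expiry,
                     "machine_cache": bool(MAC_RE.match(tok[0]))})
    return rows

def machine_cache_report(text, now):
    """MAC-named entries (machine-auth cache) with hours left before they expire."""
    report = []
    for r in parse_local_userdb(text):
        if r["machine_cache"]:
            left = None if r["expiry"] is None else round(
                (r["expiry"] - now).total_seconds() / 3600, 1)
            report.append((r["name"], r["role"], left))
    return report

if __name__ == "__main__":
    for name, role, left in machine_cache_report(SAMPLE, datetime(2010, 4, 22, 4, 35)):
        print(f"{name} role={role} expires in {left} h")
```

A MAC-named entry with no expiry, or one that outlives the configured cache time, is worth a closer look because it would not match the cache behaviour described in the replies.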