ArubaOS and Controllers

Occasional Contributor II
Posts: 12
Registered: ‎11-29-2010

MAC Address Authentication (Server Group)

Hi,

I'm implementing guest access SSID with 802.1x authentication, but I need the MAC Authentication. How can I implement a server or server Group?

I suppose the steps are:

  • Create MAC Authentication profile.
  • Add this profile to the aaa guests authentication profile.
  • Create a Server Group and assign to aaa guests authentication profile.


But I don't know how to implement the third point. I only have a default Server Group with one rule, and this group is used with the aaa employees authentication profile (server named 'Internal'). How can I add another one? Where can I add the MAC addresses?

Thanks in advance.
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: MAC Address Authentication (Server Group)

You said a guest SSID with 802.1x and mac authentication. Are your guests going to configure their laptops for 802.1x authentication? Isn't that difficult? Can you describe how you want things to work?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 12
Registered: ‎11-29-2010

Re: MAC Address Authentication (Server Group)




Hi cjoseph, thanks for the response.

I'm implementing the SSID for guests, with 802.11 Security (WPA2-PSK, AES encryption), with a VLAN assigned. This is going on, but it is still in tests.

I need to add MAC authentication for the employees SSID, but I want to implement it over the SSID that I have testing (guest SSID) first... to test.

Thanks.

Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: MAC Address Authentication (Server Group)

Okay, let us add it to the Captive Portal SSID.

First, you need to create a "block all traffic" role, which is the role we want users to get when it fails authentication. Next, we need to go to the AAA profile for that SSID and make sure that the initial role is that "block all traffic" role. On the same AAA profile, we change the default mac authentication role to the "logon" role for that SSID. We then add a mac authentication server group to that AAA profile (default is normally good). We then add a New mac authentication profile to that AAA profile that has delimiter of "colon" and case as "lower". Next, we need to add the mac address of the user that we WANT to pass authentication to the local user database; go to Configuration> Security> Authentication. Click on internal database, then click on Add. Add a user with a username of and password of making sure that you add it with lower case, and colons.

You are now ready to test. Any device whose mac address is in the internal database should get the captive portal. Any device whose mac address is not in the internal database, will not even get an ip address.

MAC authentication happens on each association, so you should be able to simulate mac authentication either by doing a repair on a client or shutting the radio off, and then back on. You should be able to tell the status of the user by seeing what role the user is in and if his authentication type is "MAC".


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎11-29-2010

Re: MAC Address Authentication (Server Group)


Hello Joseph, thanks for the response. ;)

Actually, Employees SSID is linked with default Server Group, without Mac authentication profile.
If I want to use the default Server Group with a new Mac authentication profile for Guest SSID, is it possible without affecting the Employees SSID?

Thanks in advance.
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: MAC Address Authentication (Server Group)

Yes,

Create a NEW aaa profile (configuration> security> Authentication). Assign the 802.1x profile from before to it. Assign the Server group to it. Assign the MAC authentication profile to it. Next, for that NEW Virtual AP that you created to have this functionality, replace the current AAA profile with the one you just created (configuration> wireless> AP configuration... Edit your server group... Expand Virtual AP, and choose the Virtual AP that you are assigning this to). Replace the existing AAA profile in the Virtual AP with the one you created above.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎11-29-2010

Re: MAC Address Authentication (Server Group)

Thanks Joseph

The scenario is the following:

The CORP profile is actually in use for all.
The GUEST profile is for testing and it will be in use later.

CORP-AAA-profile
Mac-Authentication profile: None
Mac-Authentication Server Group: default
802.1x Authentication profile: CORP-dot1x_profile


GUEST-AAAA-profile
Mac-Authentication profile: GUEST-Mach_Auth_profile
Mac-Authentication Server Group: GUEST-Mac_ServerGroup
802.1x Authentication profile: GUEST-dot1x_profile

Server-Group
default
Guest-Mac_ServerGroup

default-ServerGroup
Servers: Internal

Guest-Mac-ServerGroup
Servers: Internal


According to the recommendations here, I need to add in the Internal DB the Mac Addresses like a user.

Does it affect the default-ServerGroup that is linked to the CORP-aaa_profile that is in use? I don't want to affect this aaa profile actually in use.

I hope you can help me about this doubt, really you are good with your replies.

Thanks in advance.

Ruben
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: MAC Address Authentication (Server Group)

It will not affect it.

Please add mac addresses to the internal database like this:

local-userdb add username 00:21:5A:DD:BC:5A password 00:21:5A:DD:BC:5A


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎11-29-2010

Nothing happens


Hi Colin Joseph,

Until today I made the changes, but... nothing happens, the mac authentication doesn't work... anyone can access.
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: MAC Address Authentication (Server Group)

Do you have a mac authentication profile configured?

(3600.arubanetworks.com) #show aaa authentication mac

MAC Authentication Profile List
-------------------------------
Name     References  Profile Status
----     ----------  --------------
default  1

Total:1

(3600.arubanetworks.com) #show aaa authentication mac default

MAC Authentication Profile "default"
------------------------------------
Parameter                    Value
---------                    -----
Delimiter                    colon
Case                         upper
Max Authentication failures  0


Colin Joseph
Aruba Customer Engineering
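
Added example, not part of the thread or of Aruba's tooling: a Python check that internal-database MAC entries are written in the delimiter and case set in the MAC authentication profile, and that emits `local-userdb add` lines in that format. It assumes the lookup is an exact string match, as the advice above to enter the address "with lower case, and colons" implies; the function names and the "dash"/"none" delimiter styles are assumptions, and the sample entries other than the address quoted in the thread are constructed.

```python
import re

# Delimiter styles for the MAC authentication profile. Only "colon" appears
# in the thread; "dash" and "none" are assumptions added for illustration.
DELIMS = {"colon": ":", "dash": "-", "none": ""}

def format_mac(raw, delimiter="colon", case="lower"):
    """Render a MAC as a profile with this delimiter/case would present it."""
    digits = re.sub(r"[:\-.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper() if case == "upper" else digits.lower()
    return DELIMS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))

def userdb_commands(macs, delimiter, case):
    """Build local-userdb lines whose username and password match the profile."""
    lines = []
    for mac in macs:
        name = format_mac(mac, delimiter, case)
        lines.append(f"local-userdb add username {name} password {name}")
    return lines

def audit(usernames, delimiter, case):
    """Return (entry, expected) pairs for MAC entries in the wrong format."""
    mismatches = []
    for name in usernames:
        try:
            expected = format_mac(name, delimiter, case)
        except ValueError:
            continue  # ordinary user account, not a MAC entry
        if name != expected:
            mismatches.append((name, expected))
    return mismatches

# Constructed internal-database usernames; the first is the one in the thread.
SAMPLE_DB = ["00:21:5A:DD:BC:5A", "00:21:5a:dd:bc:5b",
             "00-21-5A-DD-BC-5C", "guest1"]

if __name__ == "__main__":
    # Profile values taken from the "show aaa authentication mac default" output.
    for entry, expected in audit(SAMPLE_DB, "colon", "upper"):
        print(f"mismatch: {entry} should be {expected}")
    for line in userdb_commands(["0021.5add.bc5a"], "colon", "upper"):
        print(line)
```
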
