Clients are skipping MAC auth when connected to an open SSID configured for MAC authentication

Aruba Employee
Q:

Clients are skipping MAC auth when connected to an open SSID configured with MAC authentication.



A:

In this scenario, clients are connecting to an open-system SSID configured for MAC authentication.

The following sequence occurs in this setup:

1. If the MAC address of the user is added to the internal database of the controller before the client connects to the wireless network, authentication works fine.
2. If we connect a user whose MAC address is not part of the internal database, it fails MAC authentication as expected.

Now, if the MAC address is added to the database and we try to reconnect the device, it still gets stuck and never passes MAC authentication.

 

May 25 02:13:21  station-down           *  00:1e:65:71:1f:44  24:de:c6:26:1f:b0 -  -

May 25 04:34:07  mac-auth-skip         *   00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -  no registration-------->We can see the mac-auth-skip message

 

This happens because the "registration-role" knob is not enabled in the role mapped to the initial role field of the AAA profile.

registration-role       Mark as Registation Role to not cache layer2 auth
                                    status. Use only with Open-system Opmode

The controller caches the MAC auth status whether it fails or succeeds. To make it query the auth server for the MAC address, we need to enable the registration-role knob in the initial role.

 

After enabling the knob, we will see the following logs.

For example, let's assume the initial role mapped to the AAA profile is "logon":

 

(Aruba) (config) #user-role logon

(Aruba) (config-role) #registration-role

(Aruba) (config-role) #!

(Aruba) (config) #write memory

 

Auth Trace Buffer

-----------------

May 25 04:34:07  mac-auth-skip         *   00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -  no registration

May 25 04:34:07  station-up             *  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -  open system

May 25 04:34:52  station-down           *  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -

May 25 04:35:17  mac-auth-req          ->  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -------------------->We can see the mac-auth request being generated

May 25 04:35:17  mac-auth-success      <-  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -
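
To check a saved auth trace for clients still hitting the cached skip, the Python below parses lines in the format shown above and reports stations whose most recent MAC-auth event is a mac-auth-skip with reason "no registration". It is an added example, not part of the original article or of Aruba's tooling; the function names are hypothetical and the sample input is constructed from the trace lines on this page.

```python
import re

# Constructed sample: the auth trace lines from this page, annotations removed.
SAMPLE_TRACE = """\
May 25 04:34:07  mac-auth-skip         *   00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -  no registration
May 25 04:34:07  station-up             *  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -  open system
May 25 04:34:52  station-down           *  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -
May 25 04:35:17  mac-auth-req          ->  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -
May 25 04:35:17  mac-auth-success      <-  00:1e:65:71:1f:44  24:de:c6:26:1f:b0  -  -
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(
    rf"^(?P<ts>\w{{3}}\s+\d+\s+[\d:]{{8}})\s+(?P<event>[\w-]+)\s+(?:\*|->|<-)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?P<rest>.*)$", re.I)

def parse_trace(text):
    """Yield (timestamp, event, station MAC, trailing text) per trace line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # headers, separators and blank lines are ignored
            yield m["ts"], m["event"], m["sta"].lower(), m["rest"]

def mac_auth_history(text):
    """Map each station to its ordered list of (timestamp, mac-auth event)."""
    history = {}
    for ts, event, sta, rest in parse_trace(text):
        if event.startswith("mac-auth-"):
            # Keep the skip reason so a cached skip is distinguishable.
            if event == "mac-auth-skip" and "no registration" in rest:
                event = "mac-auth-skip (no registration)"
            history.setdefault(sta, []).append((ts, event))
    return history

def stations_still_skipping(text):
    """Stations whose most recent MAC-auth event is a cached skip."""
    return sorted(sta for sta, ev in mac_auth_history(text).items()
                  if ev[-1][1] == "mac-auth-skip (no registration)")

if __name__ == "__main__":
    before_fix = "\n".join(SAMPLE_TRACE.splitlines()[:3])
    print("before:", stations_still_skipping(before_fix))
    print("after: ", stations_still_skipping(SAMPLE_TRACE))
```

A station that stays in the first list after its MAC address has been added to the database points to an initial role without registration-role.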

 

 
