Controllerless Networks


Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

  • 1.  Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

    Posted Apr 01, 2015 10:53 PM

    Hello,

    I'm in the process of standing up a WPA2-ENT network. I have everything working just fine, however, I'd like to use the MAC filter.

    We're currently using the internal server on the virtual controller to do MAC filtering on our current WPA2-Personal network which works fine, however, if I tick the 'Perform MAC authentication before 802.1X' on the WPA2-Ent network nothing gets through.

    Currently, the MAC addresses in the internal server on the virtual controller are in the format of xxxxxxxxxxxx rather than xx:xx:xx:xx:xx:xx.

    Any hints or advice here would be hugely appreciated.

    Kind regards.



  • 2.  RE: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.



  • 3.  RE: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

    Posted Apr 01, 2015 11:14 PM
    Hello,

    Thank you for your prompt reply. I forgot to mention that I did follow
    those guides, and unfortunately it still doesn't seem to work.

    As I mentioned, MAC filtering works fine for our WPA2-Personal network,
    however, if I apply it to the WPA2-Enterprise network it doesn't work. It
    simply just blocks all traffic on the Enterprise network.

    Cheers.


  • 4.  RE: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

    EMPLOYEE
    Posted Apr 01, 2015 11:18 PM

    Did you turn on user debugging to see why? http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/How-to-troubleshoot-user-connectivity-issues-on-Instant-AP/ta-p/82142

    "Doesn't work" is very general. Debugging should provide some specifics.



  • 5.  RE: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

    Posted Apr 01, 2015 11:32 PM
    Hello,

    Below is what I get for the connection attempt from the debug logs:

    Apr 2 14:24:08 cli[4809]: <541004> |AP KIT570WAP1@192.168.201.8 cli| recv_sta_update: receive station msg, mac-04:0c:ce:e2:92:ec bssid-18:64:72:30:f7:f0 ssid-Test.
    Apr 2 14:24:08 cli[4809]: check sid, client_ip='192.168.203.177', sid='dq63ehycAtUFq4xfhYqr;refresh'
    Apr 2 14:24:08 syslog: check_sid_type: sid check type, result-'0 admin'
    Apr 2 14:24:08 cli[4809]: check sid, client_ip='192.168.203.177', sid='dq63ehycAtUFq4xfhYqr;refresh'
    Apr 2 14:24:08 syslog: check_sid_type: sid check type, result-'0 admin'
    Apr 2 14:24:10 cli[4809]: check sid, client_ip='192.168.203.177', sid='dq63ehycAtUFq4xfhYqr'
    Apr 2 14:24:10 syslog: check_sid_type: sid check type, result-'0 admin'
    Apr 2 14:24:10 syslog: process_msg_ref: 20: got msg_ref of len 9595 and body '/tmp/.cli_msg_tazZmT'
    Apr 2 14:24:10 syslog: process_msg_ref: 33: opening '/tmp/.cli_msg_tazZmT'
    Apr 2 14:24:10 syslog: process_msg_ref: 38: reading large msg
    Apr 2 14:24:10 syslog: process_msg_ref: 41: read large msg of 9594 bytes
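
An added example, not part of the original post and not vendor code: a Python helper for cross-checking station MACs from `recv_sta_update` debug lines like the one above against an allow-list kept in the bare xxxxxxxxxxxx format mentioned in the first post. The function names, the allow-list contents and the second log line are assumptions constructed for illustration; it does not model how the AP itself compares addresses.

```python
import re

# Matches the station-update debug line format shown in the post above.
STA_UPDATE = re.compile(
    r"recv_sta_update: receive station msg,\s*"
    r"mac-(?P<mac>[0-9A-Fa-f:]{17})\s+"
    r"bssid-(?P<bssid>[0-9A-Fa-f:]{17})\s+"
    r"ssid-(?P<ssid>.+?)\.?\s*$"
)

def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, whatever separators it used."""
    digits = re.sub(r"[:\-.\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

def parse_sta_update(line):
    """Extract station MAC, BSSID and SSID from one log line, or None."""
    m = STA_UPDATE.search(line)
    if m is None:
        return None
    return {"mac": normalize_mac(m["mac"]),
            "bssid": normalize_mac(m["bssid"]),
            "ssid": m["ssid"]}

def check_stations(log_lines, allow_list):
    """Return (mac, ssid, allowed) for every station-update line seen."""
    allowed = {normalize_mac(entry) for entry in allow_list}
    results = []
    for line in log_lines:
        sta = parse_sta_update(line)
        if sta is not None:
            results.append((sta["mac"], sta["ssid"], sta["mac"] in allowed))
    return results

# First line is the one from the post; the second is constructed.
SAMPLE_LOG = [
    "Apr 2 14:24:08 cli[4809]: <541004> |AP KIT570WAP1@192.168.201.8 cli| recv_sta_update: receive station msg, mac-04:0c:ce:e2:92:ec bssid-18:64:72:30:f7:f0 ssid-Test.",
    "Apr 2 14:24:09 cli[4809]: <541004> |AP KIT570WAP1@192.168.201.8 cli| recv_sta_update: receive station msg, mac-02:00:00:00:00:01 bssid-18:64:72:30:f7:f0 ssid-Test.",
    "Apr 2 14:24:10 syslog: check_sid_type: sid check type, result-'0 admin'",
]
# Constructed allow-list: one bare entry, one dash-separated entry.
ALLOW_LIST = ["040ccee292ec", "AA-BB-CC-00-11-22"]

if __name__ == "__main__":
    for mac, ssid, ok in check_stations(SAMPLE_LOG, ALLOW_LIST):
        print(f"{mac} ssid={ssid} {'listed' if ok else 'NOT listed'}")
```

A raw string comparison of the logged `04:0c:ce:e2:92:ec` against the bare list entry would not match, which is why both sides are normalized before the lookup.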


  • 6.  RE: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.

    Posted Apr 02, 2015 08:23 AM

    Hi,

    Please go through "show log security" and "show ap debug auth-trace-buf" to understand the issue.

    Show auth-trace-buff will give complete messages exchanged between Client and AP. It should help you to diagnose the issue.

    Feel free for any further help on this.



  • 7.  RE: Can't get 'Perform MAC authentication before 802.1X' to work on W-AP225 virtual controller.
    Best Answer

    Posted Apr 09, 2015 05:25 PM

    Hello all,

    My apologies for the delayed update.

    After quite a bit of experimenting and a fair bit of research it looks like it just isn't possible to do with these units.

    It looks like if I want to combine MAC filtering and 802.1x I need to perform all of that verification on the NPS server.

    Thank you all for your time and effort.

    Cheers