Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

How to do two step authentication, MAC-based & 802.1x?

  • 1.  How to do two step authentication, MAC-based & 802.1x?

    Posted Sep 14, 2017 07:08 AM

    http://community.arubanetworks.com/t5/Wireless-Access/How-to-do-two-step-authentication-MAC-based-amp-802-1x/td-p/20582

     

    I came across this. I would like to know what role the client will get if both authentications pass successfully?

     

    Do I have to apply rules for MAC too, or will just the 802.1x rules work?

    E.g. I have configured VLAN assignment based on the filter-id. 

     



  • 2.  RE: How to do two step authentication, MAC-based & 802.1x?

    EMPLOYEE
    Posted Sep 14, 2017 07:12 AM

    It would get the default mac authentication role in the AAA profile.



  • 3.  RE: How to do two step authentication, MAC-based & 802.1x?

    Posted Sep 14, 2017 07:24 AM

    Does that mean I have to configure a rule for each MAC?

     

    Also, how can I restrict mobile devices from connecting to the 802.1x network? Can I pass an OS-specific filter-id?



  • 4.  RE: How to do two step authentication, MAC-based & 802.1x?

    EMPLOYEE
    Posted Sep 14, 2017 08:13 AM

    The easy way would be to set up your Windows clients to only authenticate with their Machine Credentials.  On your NPS Server, you would only allow authentication from the AD group "Domain Computers".



  • 5.  RE: How to do two step authentication, MAC-based & 802.1x?

    Posted Sep 14, 2017 11:22 AM

    So I will be able to apply VLAN policies like we do for user accounts based on the group membership.



  • 6.  RE: How to do two step authentication, MAC-based & 802.1x?

    Posted Sep 15, 2017 12:31 AM

    One more question: when user and machine based authentication is enabled, will role assignment happen based on user rules or machine? I mean, how will the VLAN get assigned?



  • 7.  RE: How to do two step authentication, MAC-based & 802.1x?

    EMPLOYEE
    Posted Sep 15, 2017 04:17 AM

    @agirme wrote:

    One more question: when user and machine based authentication is enabled, will role assignment happen based on user rules or machine? I mean, how will the VLAN get assigned?


    Are you using NPS for authentication?



  • 8.  RE: How to do two step authentication, MAC-based & 802.1x?

    Posted Sep 18, 2017 12:44 AM

    Yes, deployed NPS.

     

    User and machine authentication was a bit confusing, and I ended up deploying a CA and certificate-based authentication, which is easier and is working seamlessly.

    Going to roll out in production.

     

    Able to assign VLANs based on group membership.



  • 9.  RE: How to do two step authentication, MAC-based & 802.1x?

    EMPLOYEE
    Posted Sep 15, 2017 04:17 AM

    @agirme wrote:

    So I will be able to apply VLAN policies like we do for user accounts based on the group membership.


    You will not.  Only the machine will authenticate, so there is no visibility of the user on the machine from the 802.1x perspective.