Controllerless Networks

Occasional Contributor I
Posts: 7
Registered: ‎05-12-2015

IAP 103 MAC authentication + RADIUS authentication

Hi,

 

Current scenario:

 

Virtual Controller set by 13 IAP 103.

 

What the client wants:

 

First level of authentication: MAC Address - the client wants to allow only specific machines to access the Corporate Network.

Second level of authentication: Client's RADIUS Server - After passing the machine the user authenticates against the Corporate RADIUS Server.

 

I've already read some of the threads referring to this kind of topic but found none specifically for this kind of implementation:

 

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-MAC-Authentication-with-Internal-Server-issue/td-p/112357

 

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/How-can-I-filter-smart-phones-from-connecting-to-my-WLAN/m-p/111101/highlight/true#M23821

 

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/External-MAC-Database/td-p/36576

 

Is this even possible on IAPs?

 

From the aforementioned posts I got the feeling that this is only possible having AAA profiles. 

Most probably I'm mistaken but I don't see that possibility on the IAPs.

 

TIA,

Pedro

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: IAP 103 MAC authentication + RADIUS authentication

Do you have ClearPass? You should really handle this with a policy engine and not on the Instant cluster itself.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,588
Registered: ‎03-29-2007

Re: IAP 103 MAC authentication + RADIUS authentication

[ Edited ]

The short answer is you can do it using the instructions here (EDIT: BUT you need an external RADIUS server): http://community.arubanetworks.com/t5/Controller-less-WLANs/How-do-I-configure-802-1x-with-MAC-authentication-on-the-same/ta-p/179168

Long answer, just like Cappalli said, it is better to do all policy in one place on a radius server to avoid issues.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 7
Registered: ‎05-12-2015

Re: IAP 103 MAC authentication + RADIUS authentication

Hi Tim,

 

I checked the client's PO and there is no reference to ClearPass

 

I'll go ahead and assume (never worked with it) that ClearPass is some sort of platform that will enhance some of the IAPs' capabilities, including a possible solution for this particular approach. Is that correct?

 

In other words, just with the virtual controller, it is not possible to have these two levels of authentication. Correct?

 

Thanks for your kind reply.

Aruba Employee
Posts: 201
Registered: ‎07-14-2013

Re: IAP 103 MAC authentication + RADIUS authentication

Can you put both the MAC addresses and the user accounts on the client's RADIUS server? Create user accounts in the RADIUS server with the MAC address for both the username and password, and then specify that server on the SSID, with both MAC auth and 802.1x enabled. IAP will then first use MAC to authenticate against the RADIUS server and then use 802.1x to authenticate.

Thanks,

Yan Liu
Product Manager
Aruba Instant
US: +1 650 996 3520
China: +86 136 212 16844

Sent from my iPhone
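The RADIUS-server side of the "MAC as both username and password" advice above, as an added example that is not part of the thread and not Aruba or FreeRADIUS code. It assumes (not stated on the page) that the IAP sends the client MAC as both User-Name and User-Password, by default as 12 lowercase hex digits with no delimiter, and that the IAP's delimiter/uppercase options map onto the `delimiter` and `uppercase` parameters. The allow-list, the generated `users` entries and the sample Access-Requests are constructed data; the Calling-Station-Id cross-check is an extra check the thread does not mention.

```python
"""Added example: emulate the RADIUS side of IAP MAC authentication.

Not code from the Airheads thread, Aruba or FreeRADIUS. Assumptions are
marked; all device lists and requests below are constructed samples.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Canonicalise any common MAC spelling (aa:bb:.., AA-BB-.., aabb.ccdd.eeff,
    or bare hex) into the exact string the RADIUS server expects to match.
    Raises ValueError for anything that is not 12 hex digits."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if uppercase:
        digits = digits.upper()
    if delimiter:
        digits = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def freeradius_users_entries(macs, delimiter="", uppercase=False):
    """One FreeRADIUS `users` file entry per allowed device: the username and
    the Cleartext-Password are the same normalised MAC string, which is what
    'MAC as username and password' means in practice. Duplicates collapse."""
    allowed = sorted({normalize_mac(m, delimiter, uppercase) for m in macs})
    return [f'{mac}\tCleartext-Password := "{mac}"' for mac in allowed]


def mac_auth_decision(allowlist, request, delimiter="", uppercase=False):
    """Decide the MAC stage for one Access-Request.

    `request` holds the attributes the NAS sends: User-Name, User-Password
    (modelled here as already decrypted from the PAP encoding) and
    Calling-Station-Id. Besides username == password == allowed MAC, the
    decision also requires Calling-Station-Id to match the username, so a
    supplicant that hand-crafts another device's MAC as its username is
    rejected. Assumption: the NAS populates Calling-Station-Id with the
    client MAC. Returns (code, reason).
    """
    allowed = {normalize_mac(m, delimiter, uppercase) for m in allowlist}
    name = request.get("User-Name", "")
    if name not in allowed:
        return ("Access-Reject", "User-Name is not an allowed MAC in the configured format")
    if request.get("User-Password") != name:
        return ("Access-Reject", "User-Password does not equal the MAC")
    try:
        station = normalize_mac(request.get("Calling-Station-Id", ""), delimiter, uppercase)
    except ValueError:
        return ("Access-Reject", "missing or malformed Calling-Station-Id")
    if station != name:
        return ("Access-Reject", "User-Name does not match Calling-Station-Id")
    return ("Access-Accept", "known corporate device")


# Constructed sample data (not from the thread).
ALLOWED_DEVICES = ["01:23:45:67:8a:bc", "AA-BB-CC-DD-EE-FF"]

SAMPLE_REQUESTS = [
    # genuine device, NAS formats Calling-Station-Id differently from User-Name
    {"User-Name": "012345678abc", "User-Password": "012345678abc",
     "Calling-Station-Id": "01-23-45-67-8A-BC"},
    # unknown device claiming an allowed MAC as its username
    {"User-Name": "aabbccddeeff", "User-Password": "aabbccddeeff",
     "Calling-Station-Id": "de-ad-be-ef-00-01"},
    # unknown device using its own MAC
    {"User-Name": "deadbeef0001", "User-Password": "deadbeef0001",
     "Calling-Station-Id": "de-ad-be-ef-00-01"},
]

if __name__ == "__main__":
    print("\n".join(freeradius_users_entries(ALLOWED_DEVICES)))
    for req in SAMPLE_REQUESTS:
        print(req["User-Name"], *mac_auth_decision(ALLOWED_DEVICES, req))
```

Whichever delimiter and case the SSID is configured to send, the `users` entries must be generated in exactly that format, since the RADIUS lookup is a plain string match. Note that MAC authentication on its own only proves the client chose to present that address; the 802.1X stage that follows is what ties the session to an account.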
Occasional Contributor I
Posts: 7
Registered: ‎05-12-2015

Re: IAP 103 MAC authentication + RADIUS authentication

Hi Colin,

 

That's one of my problems.

 

The client tried to have its RADIUS server authenticating the MAC Addresses. We followed these instructions:

Creating User Accounts in Active Directory for MAC-based Authentication

With MAC based authentication, domain member computers use the MAC address of their wireless interface as the username and password. Therefore each domain computer requires an associated Windows User account in Active Directory to authenticate. This User account is not the same as its Active Directory computer object. After the User accounts have been created, they can be placed in a Windows security group for authentication.

Suppose a Windows domain member computer has the MAC address 01:23:45:67:8a:bc on its wireless interface. When connecting to an SSID where MAC based authentication is required, the computer will send its username and password as 012345678abc. This is the MAC address without uppercase or delimiting characters.

  1. Open Active Directory Users and Computers console.
  2. Right click the OU where you want to create the User account.
  3. Select New>User.
  4. Enter a value in the Full name field.
  5. Enter the MAC address without uppercase or delimiting characters for User logon name.
  6. Click Next.
  7. Enter the password which is the same string as the User logon name. Make sure to check User cannot change password and Password never expires.
  8. Click Next.
  9. Click Finish.

Perform these steps for each computer you want to authenticate. Once the User accounts are created add them to the appropriate Windows security group that is specified in the NPS policy.

###################################################################################

 

Unfortunately, by client's own domain rules, passwords have to have some degree of complexity thus rendering it impossible to do it this way.

 

What I was trying to achieve in the Virtual Controller was something like this:

 

For MAC authentication:

Create internal users with the devices' MAC Addresses and have them authenticate against the controller's Internal Server.

 

Having passed this level of authentication, I should then go to the RADIUS Server.

 

But I think this is not possible.
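Why the MAC-as-password accounts from the quoted procedure collide with a domain password policy, as an added example that is not part of the thread. It models the default Windows "Password must meet complexity requirements" rule as Microsoft documents it (at least six characters; must not contain the account name, nor any run of more than two characters from the full name; characters from at least three of five categories), and checks MAC-derived credentials against it. The account names and passwords below are constructed samples; the rule implementation is this example's own, not Microsoft code.

```python
"""Added example: check MAC-derived credentials against the default Windows
password-complexity rule. Not code from the thread or from Microsoft; the
rule is modelled from Microsoft's published description of the policy."""
import re


def _categories(password: str) -> set:
    """The five categories the policy counts: upper, lower, digit,
    non-alphanumeric, and alphabetic characters that have no case."""
    cats = set()
    for ch in password:
        if ch.isdigit():
            cats.add("digit")
        elif ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isalpha():
            cats.add("caseless-alpha")
        else:
            cats.add("symbol")
    return cats


def complexity_failures(password: str, sam_account_name: str, full_name: str = "") -> list:
    """Return every reason the password fails the policy (empty list = passes).
    The account-name check is skipped for names shorter than three characters,
    and the full name is split on the delimiters the policy uses
    (comma, period, dash, underscore, space, pound sign, tab)."""
    failures = []
    lowered = password.lower()
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains the account name")
    for part in re.split(r"[,.\-_ #\t]+", full_name):
        if len(part) > 2 and part.lower() in lowered:
            failures.append(f"contains full-name part {part!r}")
    if len(_categories(password)) < 3:
        failures.append("fewer than 3 of 5 character categories")
    return failures


def mac_account_failures(mac: str, uppercase: bool = False) -> list:
    """The quoted procedure: username == password == MAC without delimiters.
    Hex digits only ever give two categories (digits plus one case of a-f),
    and the password always contains the account name, so this fails twice
    whatever case the IAP is configured to send."""
    digits = re.sub(r"[:\-.]", "", mac)
    digits = digits.upper() if uppercase else digits.lower()
    return complexity_failures(digits, digits)


# Constructed samples (not from the thread).
SAMPLE_MACS = ["01:23:45:67:8a:bc", "00-11-22-33-44-55"]

if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(mac, mac_account_failures(mac))
    print("jdoe", complexity_failures("C0rrect-Horse!", "jdoe", "John Doe"))
```

The account-name rule is the one that cannot be worked around by case or delimiter settings on the SSID: as long as the password is the username, the policy rejects it, which is the situation the post above describes.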

Aruba Employee
Posts: 201
Registered: ‎07-14-2013

Re: IAP 103 MAC authentication + RADIUS authentication

No this is not possible, IAP cannot use its internal DB for MAC auth and then use an external DB for 802.1x.

Are these windows or non-windows clients?

Yan Liu
Product Manager
Aruba Instant
US: +1 650 996 3520
China: +86 136 212 16844

Sent from my iPhone
Occasional Contributor I
Posts: 7
Registered: ‎05-12-2015

Re: IAP 103 MAC authentication + RADIUS authentication

Hi Yan,

 

We haven't actually got into the definition of the devices to connect. But, being the employees' network, I think it is fair to assume that these would be certified Windows laptops connecting to this network.

 

What the client doesn't want, mainly, are devices that are not controlled by their policies connecting to the network (e.g. smartphones, tablets, etc).

 

Thanks for your reply.

 

Cheers,

Pedro

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: IAP 103 MAC authentication + RADIUS authentication

The quick simple solution would be to only allow Machine Authentication.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 201
Registered: ‎07-14-2013

Re: IAP 103 MAC authentication + RADIUS authentication

Yes, machine authentication is the best way to ensure only corporate issued windows machines with both machine and user accounts in the Active Directory domain can connect to the network.

Yan Liu
Product Manager
Aruba Instant
US: +1 650 996 3520
China: +86 136 212 16844

Sent from my iPhone