Controllerless Networks

last person joined: 21 hours ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

aruba iap mac address error (deny all role..)

This thread has been viewed 8 times

  • 1.  aruba iap mac address error (deny all role..)

    Posted Jun 03, 2016 10:01 AM

    Hi all, i have 7 IAP (4 x IAP93 and 3 x IAP205).

    IAP93 use a specific zone, so i can deploy an SSID only to this group of IAP.

     

    Now i'm trying to deploy an SSID with WPA2 + MAC AUTH using internal db.

    So i prevently added a test user (MAC in username field and password field) without delimiter in user list (selecting employee, not guest)

    Then made an SSID in 2,4 ghz , but when i try to connect by my smartphone i can't connect (smartphone try to connect in loop, one time i 've see a client connected but with DENY ALL role)

    If i remove MAC AUTH, wifi is ok instantly

     

    What i can check?

    I can't try now making SSID on IAP205 instead of IAP93

    This is current firmware 6.4.2.6-4.1.1.7_50209, IAP93 is master virtual controller

    Ask me for details, really thanks!

    mattia

     

     



  • 2.  RE: aruba iap mac address error (deny all role..)
    Best Answer

    EMPLOYEE
    Posted Jun 03, 2016 10:09 AM

    The IAP-93 does not support mac authentication in the 4.1.x.x versions of code: (MAC authentication uses the Internal Radius Server).

     

    Screenshot 2016-06-03 at 09.07.22.png

     

    http://community.arubanetworks.com/t5/Software-Downloads/Aruba-Instant-6-4-2-6-4-1-1-10-Released-9-28-15/ta-p/255141



  • 3.  RE: aruba iap mac address error (deny all role..)

    Posted Jun 03, 2016 10:16 AM

    Thanks...so it doesn't work also if i update to latest version?

    (system notify there's a new update available -> 6.4.2.6-4.1.11_52666)

    =:-(

     

    I have to change IAP93 with a newer model or using a RADIUS\LDAP server?

    Mattia



  • 4.  RE: aruba iap mac address error (deny all role..)

    EMPLOYEE
    Posted Jun 03, 2016 10:20 AM

    It will not work on IAP-93s, even if you update, unfortunately.  You can use an external radius  or LDAP server to get around this, however.  



  • 5.  RE: aruba iap mac address error (deny all role..)

    Posted Jun 03, 2016 10:28 AM

    Ok..last thing please.

    I have to create object  with mac adress username\password in LDAP server, 

    then connect aruba virtual controller to LDAP using objectfilter?

    can you provide me a link to specific document?

    thanks again

    Mattia



  • 6.  RE: aruba iap mac address error (deny all role..)

    EMPLOYEE
    Posted Jun 03, 2016 10:32 AM

    - Create an LDAP server using the instructions here:  http://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-configure-LDAP-authentication-on-the-Instant-for-the/ta-p/181130

    - Change the Authentication for mac address to point to that LDAP server.



  • 7.  RE: aruba iap mac address error (deny all role..)

    Posted Jun 04, 2016 03:12 PM

    ok.i see ldap is not the best solution, maybe i need to think about a radius server



  • 8.  RE: aruba iap mac address error (deny all role..)

    EMPLOYEE
    Posted Jun 04, 2016 03:48 PM

    If you have a Windows Server, you already have a free radius server that you can install...  (IAS or NPS).



  • 9.  RE: aruba iap mac address error (deny all role..)

    Posted Jun 04, 2016 05:13 PM

    my "chain" is made by 4 x IAP93 and 3 x IAP205

    virtual master controller now is the third IAP93

    what if i force master controller onone IAP205?

    there's the same limitation about MAC AUTH feature?

    thanks again

    now i'm going to accept your answer..

    Mattia



  • 10.  RE: aruba iap mac address error (deny all role..)

    EMPLOYEE
    Posted Jun 05, 2016 09:01 AM

    It will not work if your user is trying to associate to an AP93.  Making the AP205 a preferred master does not change this, unfortunately...