Occasional Contributor I
Posts: 8
Registered: 05-19-2011

MAC Authentication Setup

I work for a school district that uses Aruba wireless. On our High School campus we have an Aruba3200 working as the local controller for our 105 APs. The school wants students to be able to bring their laptops in and connect to the network along with the laptops that the school provides. We want to prevent people from just coming in and connecting but the teachers like to give out the encryption key. We are looking at setting up MAC address filtering over the summer to get it ready for next school year. I am looking for any advice on how to do this without causing problems or to see if anyone has another solution to the problem of unauthorized users gaining access to the network because they have been given the key. Thanks in advance.
Guru Elite
Posts: 20,966
Registered: 03-29-2007

Re: MAC Authentication Setup

I would consider moving to WPA2-AES with 802.1x authentication to Active Directory. That would mean that users would have to have a valid username and password to get on. That will allow valid users to get on and keep unauthorized users off. If you do MAC authentication, you will end up maintaining a large database of users and that is a lot harder than maintaining students via username and password.

In each ArubaOS userguide there is an appendix on integrating Aruba with Active Directory on the server, as well as the client side. Take a look...


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 8
Registered: 05-19-2011

Re: MAC Authentication Setup

Would this prevent students from accessing the network on their mobile devices? We want them to be able to access the network on laptops but want to make sure the mobile devices are not on unless we give them approval. If they have a username and password would they be able to authenticate with that to get the mobile device on the network? Will there be any issues with getting Apple computers to use this type of setup?
Guru Elite
Posts: 20,966
Registered: 03-29-2007

Re: MAC Authentication Setup

Fortunately, in ArubaOS 6.0.1.0 and above, we have the ability to detect the OS of a device and allow/disallow them after they authenticate using DHCP fingerprinting: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=3469


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 8
Registered: 05-19-2011

Re: MAC Authentication Setup

This looks like it is generic for the OS. Would that mean I can either allow or not allow iPhones or similar devices and not be able to go on a case by case basis?
Guru Elite
Posts: 20,966
Registered: 03-29-2007

Re: MAC Authentication Setup

You can allow or block all iPhones, Android, Windows Mobile, Symbian at a time.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 8
Registered: 05-19-2011

Re: MAC Authentication Setup

Can I control it on a case by case basis? If we wanted one iPhone on and another iPhone not on would that be something we can do or would this config not allow for that?
Guru Elite
Posts: 20,966
Registered: 03-29-2007

Re: MAC Authentication Setup

You could only do that via MAC authentication, which if you have a large enough number of users, you do NOT want to do. It is possible, but not practical.

The Microsoft article here: http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx shows you how you can tie a user's login to one or more MAC addresses, if you wanted to.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 8
Registered: 05-19-2011

Re: MAC Authentication Setup

Do you know of any way to do this in an Open Directory environment? We are 100% Apple and Apple servers run OD.
Guru Elite
Posts: 20,966
Registered: 03-29-2007

Re: MAC Authentication Setup

You cannot lock a user to a MAC address in OD, but you can populate the allowed MAC addresses in OD and authenticate against them. You could put the MAC addresses as users in OD (username is the MAC address, as well as the password) and we can MAC authenticate against OD via an LDAP connector.

Real talk, authenticating by MAC address is not secure, because even though you are allowing a device on, anybody could be on that device. It is also time-consuming to permit/revoke devices tied to users on a semester or ad-hoc basis. Making users enter a username and password not only ties the security to the user, it gives you a flexible way to keep unauthorized users, NOT devices, off the network. You can layer OS detection to do whatever you want above that.


Colin Joseph
Aruba Customer Engineering

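Added example, not part of any post in this thread: a sketch of preparing the MAC-as-username directory entries described in the last reply, turning a device roster into LDIF while rejecting malformed, duplicate, multicast and locally administered addresses. Assumptions: the base DN and the generic `inetOrgPerson` schema are placeholders, the lowercase no-delimiter form must match whatever format the controller actually sends, and the roster is constructed sample data.

```python
import re

BASE_DN = "ou=devices,dc=example,dc=org"  # assumed placeholder, not from the thread

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:   # group bit: never a valid station address
        raise ValueError(f"multicast address: {raw!r}")
    if first_octet & 0x02:   # software-assigned, so not a stable device identity
        raise ValueError(f"locally administered address: {raw!r}")
    return digits

def build_ldif(roster):
    """roster: iterable of (owner, raw_mac). Returns (ldif_text, rejected)."""
    seen, entries, rejected = {}, [], []
    for owner, raw in roster:
        if not re.fullmatch(r"[A-Za-z0-9._-]+", owner):  # keep LDIF injection out
            rejected.append((owner, "unsafe owner name"))
            continue
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((owner, str(exc)))
            continue
        if mac in seen:
            rejected.append((owner, f"duplicate of entry owned by {seen[mac]}"))
            continue
        seen[mac] = owner
        entries.append("\n".join([
            f"dn: uid={mac},{BASE_DN}",
            "objectClass: inetOrgPerson",
            f"uid: {mac}", f"cn: {mac}", f"sn: {owner}",
            f"userPassword: {mac}",  # username and password are both the MAC
        ]))
    return "\n\n".join(entries) + "\n", rejected

ROSTER = [  # constructed sample data
    ("jsmith", "00:1B:63:84:45:E6"),
    ("jsmith", "001b.6384.45e6"),     # same device, different notation
    ("adoe", "00-26-BB-0A-1C-2D"),
    ("guest", "02:00:00:AA:BB:CC"),   # locally administered bit set
    ("bad", "00:1B:63:84:45"),        # too short
]

if __name__ == "__main__":
    ldif, rejected = build_ldif(ROSTER)
    print(ldif)
    for owner, reason in rejected:
        print(f"REJECTED {owner}: {reason}")
```

The rejected list is the part worth reviewing by hand: every entry that is accepted becomes a credential that anyone holding, or presenting the address of, that device can use.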