Security

Reply
Regular Contributor I

Allow MAC-Auth on Guest SSID

Hello,

I am having trouble getting MAC-Auth to work through my Guest SSID. I am using MACTrac to enter a mac address tied to a user account. With the mac of a device added it does not use this service to authenticate. The devices comes through a lower service using "WebAuth" authentication where it fails because it's unexpected.  Below I will post screen captures of my service, role map, and enforcement policies.  What am I missing? Or is it my configuration on the controller? Can anyone point me in the right direction? Thanks

 

Service.PNG

RoleMap.PNG

Enforcement.PNG

Guru Elite

Re: Allow MAC-Auth on Guest SSID

You need a service rule that says Authentication:Username equals connection:client-mac-address


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Allow MAC-Auth on Guest SSID

Alright so I am trying this but the device I have to test with is not reauthenticating. Any tips on forcing it to reauthenticate? 

Guru Elite

Re: Allow MAC-Auth on Guest SSID

You'll have to clear it from the user table. AAA user delete mac _macaddress_


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee

Re: Allow MAC-Auth on Guest SSID

Did you enable Insight under server settings? Looks like you are using the pre-6.5 methods for MAC Caching as Days-Since-Auth and the other caching is using Insight.

 

Not sure if this really affects what you are trying to do, but it's worth noting.

Thanks,

Zach Jennings
Regular Contributor I

Re: Allow MAC-Auth on Guest SSID

So here is what I'm seeing. 

 

My first device is a game console. It joins the SSID and it initally WebAuth, it is accepted but no Mac Auth.

 

My second device is an android tablet. It joins the SSID initally WebAuth then it authenticates 5 - 10 seconds later as MacAuth.  

 

Any idea why WebAuth might be happening first?

 

 

Can you point me to any documentation on setting this up? I followed this guide (How-To: Advanced MACTrac designs in ClearPass November-MHC) but I feel like I must be missing a step between the controller and clearpass.

 

Would upgrading to 6.5 give me any benefit in this setup? I planned to upgrade to 6.5 later this month. 

Guru Elite

Re: Allow MAC-Auth on Guest SSID

Sounds like your services might be missing something. A MAC-auth only device should never web auth.

 

Can you export your two services and post here or email to me?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: