Occasional Contributor I

Bridged-mode: Roles and Radius accounting

Hi everybody,

I have, among others, a virtual-ap group with APs in bridged mode and WPA2 PSK auth... Which are the best settings for AAA Initial role, MAC authentication Default Role, 802.1X Authentication Default Role? (Now they are: guest, guest, authenticated... I want to deny everything to unauth clients, and permit everything to auth ones, and I have already experienced that a "deny all" as Initial role breaks the authentication process, preventing clients from establishing the WPA handshake)

I have Aruba MC6000 and AP135, OS 6.2.0.2

And, btw, is it possible in my deployment to have RADIUS accounting (and interim as well) for that kind of client? (i.e., does the controller send RADIUS accounting parameters to the APs to allow them to send records to my freeradius? - APs' IPs already accepted as freeradius clients)

Thank you very much

Best regards

Andrea Barontini
Guru Elite

Re: Bridged-mode: Roles and Radius accounting



For WPA/2 PSK clients, the initial role in the AAA profile is the role that a client gets when it attaches. The initial role is normally saved for Virtual APs where the clients do not authenticate when they attach (PSK networks or open networks).

You can only send RADIUS accounting for clients that send RADIUS traffic to a server. WPA2-PSK clients do NOT send RADIUS traffic to a server unless you have a MAC authentication profile attached to your AAA profile that would point to a RADIUS server. That means, if you are not doing MAC authentication, you also cannot send RADIUS accounting information using a WPA2-PSK SSID.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Bridged-mode: Roles and Radius accounting

Ok thank you very much... thanks to your explanation now the roles' meaning in bridged-mode is more meaningful for me!

Regarding MAC auth in bridged mode.. would the NAS IP sent to my freeradius be the AP's IP or the controller's IP? (I think the latter, but I hope the former ;-) )
Best regards

Andrea Barontini

Guru Elite

Re: Bridged-mode: Roles and Radius accounting

Controller's... There is an attribute in RADIUS that sends the AP name, as well.


Colin Joseph
Aruba Customer Engineering
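
Added example, not part of the thread or of Aruba's or FreeRADIUS's own code: since every accounting record from bridged APs carries the controller's NAS-IP-Address, per-AP reporting on the RADIUS server has to key on the AP-name attribute instead. The sketch parses a constructed sample in FreeRADIUS detail-file layout; `Aruba-Location-Id` as the attribute holding the AP name is an assumption (the reply does not name it), as are all addresses, session IDs and AP names.

```python
import re
from collections import defaultdict

# Assumption: attribute that carries the AP name (the thread does not name it).
AP_NAME_ATTR = "Aruba-Location-Id"

# Constructed FreeRADIUS detail-file sample; every value here is made up.
SAMPLE_DETAIL = """\
Tue Mar  5 10:00:01 2013
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Start
\tAcct-Session-Id = "S1"
\tAruba-Location-Id = "ap135-lobby"

Tue Mar  5 10:05:07 2013
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "S2"
\tAcct-Session-Time = 300
\tAruba-Location-Id = "ap135-lab"

Tue Mar  5 10:10:41 2013
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "S1"
\tAcct-Session-Time = 640
\tAruba-Location-Id = "ap135-lobby"
"""

def parse_detail(text):
    """Return one {attribute: value} dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines()[1:]:  # first line is the timestamp
            m = re.match(r"\s+([\w-]+) = (.*)$", line)
            if m:
                rec[m.group(1)] = m.group(2).strip('"')
        if rec:
            records.append(rec)
    return records

def sessions_by_ap(records, ap_attr=AP_NAME_ATTR):
    """Group by (NAS IP, AP name) -> {session id: latest Acct-Session-Time}."""
    out = defaultdict(dict)
    for r in records:
        key = (r.get("NAS-IP-Address"), r.get(ap_attr, "<no AP name>"))
        out[key][r.get("Acct-Session-Id")] = int(r.get("Acct-Session-Time", 0))
    return dict(out)
```
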


Occasional Contributor I

Re: Bridged-mode: Roles and Radius accounting

Ok thank you very much for all the info

Best regards

A.B.
