
Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

  • 1.  Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Apr 22, 2015 11:11 AM

    I want to use AD as the MAC authentication server for guest users. How can I do so?



  • 2.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    EMPLOYEE
    Posted Apr 22, 2015 11:15 AM
    This will not scale well. You will need to make AD accounts for every MAC address and also stand up an NPS server.


  • 3.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Apr 22, 2015 11:26 AM

    So you mean like adding computers in a specific OU?



  • 4.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    EMPLOYEE
    Posted Apr 22, 2015 11:28 AM

    No, you literally need to make user accounts for every device with the MAC address as the username and password.



  • 5.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Apr 22, 2015 12:17 PM

    You really help a lot, thank you.



  • 6.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Jan 11, 2016 11:42 AM

    So I don't mean to hijack this thread, but I wanted some clarification. Setting an AD user object with the MAC address as both the username and the password is a pretty large security hole, don't you think? That would mean that someone would only need to know a single MAC address and they'll be able to log in to any service that relies on AD for authentication.

    Is there a more secure way to implement this, or perhaps a mitigation technique to limit these 'users' exposure?

    Thanks.



  • 7.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    EMPLOYEE
    Posted Jan 11, 2016 11:44 AM

    This is by no means a good practice but is something to help those who don't have ClearPass achieve basic MAC-authentication.



  • 8.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Jan 11, 2016 01:39 PM

    So then those of us without ClearPass interested in MAC auth + PEAP auth on the same SSID can use FreeRADIUS rather than MS NPS?



  • 9.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    EMPLOYEE
    Posted Jan 11, 2016 01:42 PM
    MAC address is used for authorization after authentication and is not recommended as a security method.


  • 10.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Jan 11, 2016 01:44 PM

    Methods for authentication are limited by what a client supports. Whether or not it is 'best practice' is something that should be directed at the wireless sensor/embedded device maker. We're just here trying to make things work.



  • 11.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    EMPLOYEE
    Posted Jan 11, 2016 01:49 PM

    Making something work with a false sense of security is sometimes worse.



  • 12.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Jan 11, 2016 01:56 PM

    It's hardly any worse than creating AD user accounts where the password equals the username and that string is almost always printed on the device itself somewhere.

    Regardless of what best practices should be, I was merely looking for some technical guidance on the best way to proceed. Can you confirm that I can implement MAC auth chained with PEAP using FreeRADIUS where Aruba is the client and AD is used to authenticate PEAP while something else (LDAP, PostgreSQL, a file, whatever) is used to authenticate the MAC address?

    My goal is for the authentication to go as follows:

    Wireless device joins SSID, first the MAC address is checked to see if it is whitelisted, if it is then the device is joined, if it isn't, then a username/password (PEAP) is expected from the client to be authenticated against AD.

    Thanks.



  • 13.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    EMPLOYEE
    Posted Jan 11, 2016 01:59 PM

    Authorization has to come after authentication.

     

    After username/password authentication is successful (PEAP), you can authorize based on attributes like MAC address to make a final access decision.



  • 14.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Jan 11, 2016 02:14 PM

    So the way Aruba makes this work using AD/ClearPass is they short-circuit authentication by testing the MAC address to see if it is a valid username/password credential?



  • 15.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    EMPLOYEE
    Posted Jan 11, 2016 02:19 PM

    No. MAC address can ONLY be used as authorization during 802.1X authentication.

     

    1) Authentication starts

    2) User's credentials are checked against identity store.

    3) If they fail, game over, deny access. If they pass, move on to authorization.

    4) Authorization starts (optional)

    5) In this case MAC address is checked against a back end database. If exists, pass authorization, send ACCESS-ACCEPT. If fails, deny or take other action.
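
Added example (not part of any post in this thread, and not Aruba, NPS or FreeRADIUS code): a Python model contrasting the workaround from post 4, where the MAC address is the whole credential, with the order described in post 15, where credentials are checked first and the MAC is consulted only for authorization. The stores, the account name and the MAC value are constructed sample data, and the function names are hypothetical.

```python
import hmac
import re

# Constructed sample data, not from the thread.
IDENTITY_STORE = {"alice": "correct horse battery"}  # stands in for AD
MAC_ALLOWLIST = {"001a1e0000aa"}                     # stands in for the MAC database
MAC_ACCOUNTS = {m: m for m in MAC_ALLOWLIST}         # post 4: username == password == MAC


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _secret_ok(expected, supplied: str) -> bool:
    # Constant-time comparison; an unknown user (expected is None) always fails.
    return expected is not None and hmac.compare_digest(expected.encode(), supplied.encode())


def mac_as_credential(username: str, password: str) -> str:
    """Workaround design: the MAC address is the whole credential."""
    ok = _secret_ok(MAC_ACCOUNTS.get(username.lower()), password.lower())
    return "Access-Accept" if ok else "Access-Reject"


def authn_then_authz(username: str, password: str, client_mac: str) -> str:
    """Post 15's order: credentials first, MAC lookup only afterwards."""
    # Steps 1-3: a failed credential check ends the exchange.
    if not _secret_ok(IDENTITY_STORE.get(username), password):
        return "Access-Reject"
    # Steps 4-5: authorization. This sketch denies on a miss; the post also
    # allows "other action" at this point.
    try:
        mac = normalize_mac(client_mac)
    except ValueError:
        return "Access-Reject"
    return "Access-Accept" if mac in MAC_ALLOWLIST else "Access-Reject"
```

In the first design a request carrying nothing but a listed MAC is accepted; in the second the same MAC only matters once a real credential has already passed.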



  • 16.  RE: Can I use MAC Authentication using Aruba controller and Active Directory as RADIUS?

    Posted Jan 15, 2018 04:53 AM

    This is exactly what I want. What exactly do I have to do for that in ArubaOS 6.4.x?
    My authentication via RADIUS on AD is working already.

    Now when I also activate the MAC authentication, the Aruba controller is asking the RADIUS server for that authentication?! I don't want that.

    I want:

    User "Authenticate" with his User/Password over RADIUS (NPS) Active Directory.

    Then the Aruba controller checks the MAC address in the "Internal" database if there exist...

    What is the step-by-step way to do that?

    thx