Security

Reply
Occasional Contributor II
Posts: 19
Registered: ‎04-29-2017

Client was able to associate although failed authentication

[ Edited ]

Hi all,

 

I'm setting up a basic SSID with MAC address authentication on the mobility controller, using the endpoint list on CPPM as database for authentication. My test so far has had unexpected result, as the client was still able to associate and got IP address from DHCP, although it failed authentication. Below is my current config/status on mobility controller and CPPM:

 

Mobility Controller configuration (I use default config on guest and logon role):

MAC authen config

 

MAC authen config

 

CPPM log:

CPPM failed authen log

 

Mobility Controller - client still associated:

Client still associated

 

Please let me know if there's anything wrong with my setup. I really appreciate your help.

 

Thank you,

Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Re: Client was able to associate although failed authentication

If a client fails mac authentication and you have an initial role configured, failing mac authentication means that they still get the initial role.  In advance configurations, they theoretically can still get an ip address and then "register" to the captive portal to then get access.  A user who is already registered can skip the captive portal in that instance because they would pass mac authentication.  If you want the client to just be rejected, do not configure an initial role.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 19
Registered: ‎04-29-2017

Re: Client was able to associate although failed authentication

Hi Colin, 

 

Can you tell me how to not attach the initial role to the SSID? It looks like the GUI doesn't have such option.

 

5.PNG

Occasional Contributor II
Posts: 19
Registered: ‎04-29-2017

Re: Client was able to associate although failed authentication

Hi Colin,

 

Can you tell me how to not attach the initial role to SSID? It looks like the GUI doesn't have such option.

 

5.PNG

Occasional Contributor II
Posts: 19
Registered: ‎04-29-2017

Re: Client was able to associate although failed authentication

Hi Colin,

 

Can you tell me how to not attach the initial role to SSID? It looks to me the GUI doesn't have such option.

5.PNG

Occasional Contributor II
Posts: 19
Registered: ‎04-29-2017

Re: Client was able to associate although failed authentication

Hi Colin,

 

Can you tell me how to not attach the initial role to SSID? It looks like the GUI doesn't have such option.

 

5.PNG

Occasional Contributor II
Posts: 19
Registered: ‎04-29-2017

Re: Client was able to associate although failed authentication

Hi Colin,

 

Can you please tell me how to not attach the initial role to SSID? It looks to me the GUI doesn't have such option.

 

GUI

Search Airheads
Showing results for 
Search instead for 
Did you mean: