Security

Occasional Contributor I
Posts: 7
Registered: ‎02-21-2014

Creating a mac address whitelist using the internal DB

I am attempting to implement a MAC address whitelist for one of our VLANs. I'm using the internal database to store these MAC addresses. Previously, the internal DB was only used for guest provisioning, and so every user automatically gets the role 'guest'.

The VLAN I want to filter has the default role of logon, so if I understand it right, I should change the initial role to denyall, and then when I store the MAC addresses in the internal DB, their roles should be 'logon'.

Unfortunately I cannot assign a different role to the entries in the internal DB. I do not have the option to select a role from the 'add user' dialog, and if I try adding via the command line with this command:

local-userdb add username <mac> password <mac> role logon

it tells me I have invalid input, but without the "role logon" it adds the entry fine (with guest as the role).

I was not around when the guest provisioning was initially set up, but it seems like something is overriding my requests to use a different role and I can't figure out what! Any ideas?

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Creating a mac address whitelist using the internal DB


In the AAA profile, you can set the default role for a successful MAC auth. Your initial role in the AAA profile can be the "deny all" role.

That will override any role you put in the local-user-db.

[attachment: mac.png, screenshot of the AAA profile MAC authentication default role setting]



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
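The structure Colin describes, written out as an illustrative ArubaOS CLI fragment. This is an added example, not configuration posted in the thread; the profile names ("mac-whitelist", "mac-whitelist-aaa") and the sample MAC address are assumed, and the role names used are the predefined ones the thread itself mentions (denyall, logon).

```text
! Added example, not from the thread. Profile names and the MAC address are placeholders.
!
! 1. MAC authentication profile: controls how the client MAC is formatted before the
!    server lookup. The username stored in the internal DB must match this format
!    (here: lowercase, no delimiters) or the lookup will not find the entry.
aaa authentication mac "mac-whitelist"
  delimiter none
  case lower
!
! 2. AAA profile: clients start in denyall; a successful MAC auth against the
!    internal server group moves them to the mac-default-role. This role, not the
!    role stored on the local-userdb entry, is what the client ends up in.
aaa profile "mac-whitelist-aaa"
  initial-role "denyall"
  authentication-mac "mac-whitelist"
  mac-server-group "internal"
  mac-default-role "logon"
!
! 3. Whitelist entry in the internal database. With MAC auth the password is the
!    MAC itself, in the same format as the username.
local-userdb add username aabbccddeeff password aabbccddeeff role logon
!
! Checks after applying: confirm the roles and the stored entry.
show aaa profile "mac-whitelist-aaa"
show local-userdb
```

Two caveats a practitioner would want here. First, as the rest of the thread establishes, without the Policy Enforcement Firewall (PEF) license the only roles available are "logon" and "guest", so the `role` keyword on `local-userdb add` and the choice of mac-default-role are constrained accordingly. Second, a MAC address whitelist is an allow-list of an unauthenticated identifier: a client MAC is visible on the air and trivially set by the sender, so this filters accidental association rather than resisting a deliberate attacker, and is no substitute for 802.1X or a captive portal login.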

Occasional Contributor I
Posts: 7
Registered: ‎02-21-2014

Re: Creating a mac address whitelist using the internal DB


See, now this leads to another oddity. When I go to my AAA profile these are the only options I have... it was because of this that I started looking at how to change the role in the internal database in the first place...

[attachment: CAqHulH.png, screenshot of the available AAA profile options]

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Creating a mac address whitelist using the internal DB

Do you have the PEF (policy enforcement license) installed?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎02-21-2014

Re: Creating a mac address whitelist using the internal DB


If that's the Policy Enforcement Firewall license, then no, it reads as Disabled.

Is this required in order to do MAC filtering, even if I don't require any other firewall features?

(Just to add to this, currently our controller uses 802.11 authentication and also captive portal login for guest accounts.)

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Creating a mac address whitelist using the internal DB

I don't know, but you cannot have any different roles besides "logon" and "guest" when you don't have the PEF license.

I am not sure that you can layer another type of authentication on top of an existing one without the PEF license.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎02-21-2014

Re: Creating a mac address whitelist using the internal DB

Oh, I see. So even though 'logon' is an available role, I may not be able to define a role other than 'guest' for the internal database and/or likewise for the AAA profile's MAC authentication role?

Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: Creating a mac address whitelist using the internal DB

Correct.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎02-21-2014

Re: Creating a mac address whitelist using the internal DB

Okay, we'll look into getting things worked out. Thanks for your help!
