Occasional Contributor II
Posts: 18
Registered: ‎03-07-2014

Dual authentication user id and mac address

We have a requirement where only the trusted mobile devices should be allowed into the network. The Wifi username and password, along with the MAC address, should be verified. The Wifi username is tied to a particular MAC address. The same Wifi user ID cannot be used on some other personal mobiles or trusted devices not allocated to him.

For example,

Wifiuser1 is associated with mac1. Wifiuser1 can only log into the mobile device with the MAC address mac1. He cannot log into other mobile devices.

How do I do the dual verification (username with pass, MAC address) in CPPM? I can pass the MAC address over calling station id and verify it against the MAC address database. However, it will allow the user to log into any trusted device.

Guru Elite
Posts: 8,446
Registered: ‎09-08-2010

Re: Dual authentication user id and mac address

You should consider using certificate-based authentication. Using a MAC address for secure authentication is a very bad idea.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: Dual authentication user id and mac address

Are the mobile devices smart phones and tablets or laptops? If they are smart phones and tablets then follow what @cappalli recommends! If they are laptops that are joined to a domain there might be a way to tie a laptop to a specific user.


#AirheadsMobile
Occasional Contributor II
Posts: 18
Registered: ‎03-07-2014

Re: Dual authentication user id and mac address

Can I combine user + MAC address authentication for a system? For example, user1 can log into only the system with MAC address mac1. User1 should not log into any of the other systems' Wifi which have MAC address mac2 or mac3 or something else.

We don't have centralized PKI in the network. Hence, we don't want to do that.

Guru Elite
Posts: 8,446
Registered: ‎09-08-2010

Re: Dual authentication user id and mac address

MAC address can be used as part of authorization after successful user authentication.

You can register devices via Device Registration portal and add the authorized user as the “sponsor”. Then do a compare during authorization.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 18
Registered: ‎03-07-2014

Re: Dual authentication user id and mac address

We need user to MAC address mapping in such a way that a user (user1) can use only one machine address (mac1).

If we implement it the way you mentioned, there will be a pool of MAC addresses in the database, and any user can log into any device.

We want to lock the user to only the one device he is assigned to use.

Guru Elite
Posts: 8,446
Registered: ‎09-08-2010

Re: Dual authentication user id and mac address

No. Like I mentioned, you’d put the “authorized” user as the sponsor name and then in your policies, you’d verify that the authenticating username matches the device record.

Just a heads up, all of this can be easily spoofed by any user. You should consider using certificates.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: ‎04-09-2017

Re: Dual authentication user id and mac address

Hi Arubabeginner,

Yes, this is possible. You need to add the Endpoint repository (Local SQL DB) as an authorization source, and the policy conditions are as below:

Type : Endpoint
Name : Username
Operator : Equals
Value : %{Authentication:Username}

and assign the desired enforcement profile.

You can validate the Username which is bound to a MAC address from the Endpoint repository by just clicking on one of the listed MAC addresses. It will show you the bound user name (attribute) for the MAC address.

Regards,

Milind Yashwantrao

Guru Elite
Posts: 8,446
Registered: ‎09-08-2010

Re: Dual authentication user id and mac address

It's recommended to use the Device Registration portal, not the endpoint repository...


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: ‎04-09-2017

Re: Dual authentication user id and mac address

Hi Cappalli,

If we use the Device Registration portal (I assume the guest device repository), then a user can authenticate by using any MAC address which is available in the guest device repository, but Arubabeginner has already mentioned his requirement with an example as below:

For example,

Wifiuser1 is associated with mac1. Wifiuser1 can only log into the mobile device with the MAC address mac1. He cannot log into other mobile devices.

I found the easiest way is to use the Endpoint repository to achieve this requirement.

Steps as below:

1) Create an Enforcement profile with ClearPass entity update enforcement

Enforcement profile name is Endpoint_Username_Update

Type : Endpoint
Name : Username
Value : %{Authentication:Username}

Then create the Policy Conditions as below:

1) (Authorization:[Endpoints Repository]:MAC Vendor  NOT_EXISTS)

Enforcement Profile : [Aruba Terminate Session], Endpoint_Username_Update

With the above condition, the client user name/ID will be added to the Endpoint repository with the associated MAC address after the first successful authentication, and the client will automatically disconnect and connect again due to the Aruba Terminate Session enforcement profile. This time the client will have the condition below applied, as the first condition will not match.

2) (Endpoint:Username  EQUALS  %{Authentication:Username})

Enforcement Profile : [Allow Access Profile]

With the above condition, Wifiuser1 is associated with mac1. Wifiuser1 can only log into the mobile device with the MAC address mac1. He cannot log into other mobile devices.

Regards,

Milind Yashwantrao
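
A model of the two-rule policy described in the posts above, added here as an example; it is not code from the thread or from ClearPass. It assumes first-match rule evaluation, treats `MAC Vendor NOT_EXISTS` as "no endpoint record for this MAC", and assumes a default deny when no rule matches; the function names and sample requests are constructed. The audit function lists usernames bound to more than one MAC address, a case the first rule does not exclude.

```python
# Added model of the two-rule enforcement policy from the post above.
# Assumptions: first matching rule wins; "MAC Vendor NOT_EXISTS" is modelled
# as "MAC has no record in the endpoint repository". All data is constructed.

def evaluate(repo, username, mac):
    """Return the enforcement result for one successful user authentication."""
    mac = mac.lower().replace("-", ":")
    record = repo.get(mac)
    # Rule 1: unknown endpoint -> write Username attribute, terminate session.
    if record is None:
        repo[mac] = {"Username": username}
        return "bind+terminate"
    # Rule 2: Endpoint:Username EQUALS Authentication:Username -> allow.
    if record["Username"] == username:
        return "allow"
    # No rule matched: the default profile is assumed to deny access.
    return "deny"

def users_with_multiple_macs(repo):
    """Audit: usernames bound to more than one MAC address."""
    by_user = {}
    for mac, record in repo.items():
        by_user.setdefault(record["Username"], []).append(mac)
    return {u: sorted(m) for u, m in by_user.items() if len(m) > 1}

def run_sample():
    repo = {}
    requests = [  # constructed authentication requests
        ("wifiuser1", "AA-BB-CC-00-00-01"),  # first connect on mac1
        ("wifiuser1", "aa:bb:cc:00:00:01"),  # reconnect after termination
        ("wifiuser2", "aa:bb:cc:00:00:01"),  # other user on mac1
        ("wifiuser1", "aa:bb:cc:00:00:02"),  # wifiuser1 on an unseen mac2
    ]
    results = [evaluate(repo, u, m) for u, m in requests]
    return results, users_with_multiple_macs(repo)

if __name__ == "__main__":
    results, audit = run_sample()
    print(results)
    print(audit)
```

In this model the binding is made on first use, so the endpoint records have to be reviewed (or pre-populated) if each user must stay limited to one assigned device.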
