Occasional Contributor II
Posts: 14
Registered: ‎10-01-2010

EAP-TLS and Mac filtering

Hello, we want to use EAP-TLS and MAC filtering for iPad devices. EAP-TLS is terminated on the controller now, but we have planned to use Windows 2008 NPS instead of terminating it on the controller. For MAC filtering we have a user role (each device's MAC address is added to it) that is used for user derivation rules in the VAP. I'm confused about which roles, such as initial role, 802.1x auth default role, MAC filtering default role, TLS guest role, I should use, so that clients have to pass both EAP-TLS and MAC filtering authentication to gain access. MAC filtering is not running. The client always gains access, whether its MAC address is in the list or not. Thanks,
Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP-TLS and Mac filtering


aytan wrote:
Hello, we want to use EAP-TLS and MAC filtering for iPad devices. EAP-TLS is terminated on the controller now, but we have planned to use Windows 2008 NPS instead of terminating it on the controller. For MAC filtering we have a user role (each device's MAC address is added to it) that is used for user derivation rules in the VAP. I'm confused about which roles, such as initial role, 802.1x auth default role, MAC filtering default role, TLS guest role, I should use, so that clients have to pass both EAP-TLS and MAC filtering authentication to gain access. MAC filtering is not running. The client always gains access, whether its MAC address is in the list or not. Thanks,

Aytan,

If you configure a MAC authentication profile in your AAA profile for that 802.1x SSID, devices will get the MAC authentication default role if they pass 802.1x authentication AND MAC authentication. If they do NOT pass MAC authentication, they will not be allowed to connect.

In the AAA profile, if you enable "layer 2 failthrough", devices that pass 802.1x authentication but fail MAC authentication will still get the default 802.1x role in the AAA profile and be able to pass traffic.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 14
Registered: ‎10-01-2010

Re: EAP-TLS and Mac filtering

Thanks cjoseph,

Please find my working EAP-TLS and MAC filtering config for the iPad attached.
I could not get EAP-TLS with MAC filtering to succeed.
Result: if I enable TLS guest access in the 802.1x auth profile, Aruba always assigns the user role defined in the TLS guest role.
If I disable TLS guest access in the 802.1x auth profile, Aruba always assigns the user role defined in the 802.1x auth default role to the client.

Thanks,


Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP-TLS and Mac filtering

Do you have a MAC authentication profile configured on that AAA profile?

Please show the output of "show auth-tracebuf" when authentication is occurring. Also configure debugging for that client and share the output. The config is good, but we want to see the result.

EDIT: Why do you want to layer MAC authentication on top of TLS? TLS is not secure enough?

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 14
Registered: ‎10-01-2010

Re: EAP-TLS and Mac filtering

Dear cjoseph,

Do you have a MAC authentication profile configured on that AAA profile?

No. I have used a "user derivation rule" in the AAA profile, but it has no effect. How can I use the "user derivation rule"? Do I have to enable the "MAC filtering profile" to use user derivation in the AAA profile?

Please show the output of "show auth-tracebuf" when authentication is occurring. Also configure debugging for that client and share the output. The config is good, but we want to see the result.

Please find it attached.

EDIT: Why do you want to layer MAC authentication on top of TLS? TLS is not secure enough?

I am trying to explain to our customer. We don't need MAC filtering; EAP-TLS is enough, because MAC filtering is not a safe method. The client certificate cannot be exported from the iPad, but the MAC can be spoofed easily. But they want to use a minimum of two auth methods. If possible, could you send me more in-depth information about why MAC filtering should not be used? They respect your opinion more than mine, since you are a Guru.

Thanks,

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP-TLS and Mac filtering

Thank you.

A user derivation rule is overridden by later authentication such as 802.1x, so it will not come into play and should not be used with 802.1x (note: only the DHCP option user derivation rule works with 802.1x). You need to configure MAC authentication instead. You need to:

- Create a MAC authentication profile

- Create a MAC authentication server group (choose default)

- Apply the MAC authentication profile and the MAC authentication server group to the AAA profile

- Add a MAC address to the internal database as a username and password in the same format as the MAC authentication profile.

EAP-TLS is probably the strongest method of authentication available. MAC authentication has never been a very strong method, because it can easily be spoofed. It should NEVER count as a second factor.

Please read the "Building a Global Security Policy for wireless LANS" whitepaper here for more information that you can pass on to the customer: http://www.arubanetworks.com/pdf/technology/whitepapers/wp_Global_security.pdf


Colin Joseph
Aruba Customer Engineering

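A worked ArubaOS CLI configuration for the four steps in the post above, added here as an illustration; it is not taken from the thread, from the attached config, or from Aruba documentation. The profile, server-group and role names, the NPS server group ("nps-srvgrp"), the 802.1x profile ("default") and the MAC address are constructed placeholders, and the lines starting with "!" are annotations rather than commands.

```text
! Added example (not from the thread): ArubaOS CLI for the four steps above.
! All names, roles and the MAC address are constructed placeholders.

! 1. MAC authentication profile. The delimiter and case settings decide the
!    exact username/password string the controller submits for MAC auth, so
!    the internal-DB entry in step 4 must match them.
aaa authentication mac "ipad-mac-auth"
   delimiter colon
   case lower
!
! 2. MAC authentication server group pointing at the controller's internal DB.
aaa server-group "ipad-mac-srvgrp"
   auth-server Internal
!
! 3. AAA profile for the EAP-TLS SSID: 802.1x against the (assumed existing)
!    NPS server group, plus MAC auth against the internal DB.
!    Without l2-auth-fail-through a client must pass BOTH methods and lands
!    in mac-default-role; a client that passes 802.1x but fails MAC auth is
!    refused. Enabling l2-auth-fail-through lets such a client through with
!    the dot1x default role instead, which defeats the "both methods" goal.
aaa profile "ipad-dot1x-aaa"
   authentication-dot1x "default"
   dot1x-server-group "nps-srvgrp"
   dot1x-default-role "authenticated"
   authentication-mac "ipad-mac-auth"
   mac-server-group "ipad-mac-srvgrp"
   mac-default-role "ipad-role"
!  l2-auth-fail-through      <- deliberately NOT set: require EAP-TLS and MAC
!
! 4. Internal DB entry: username and password are the MAC address in the
!    same format the MAC auth profile produces (lower case, colon delimiter).
local-userdb add username 00:11:22:33:44:55 password 00:11:22:33:44:55 role ipad-role
!
! Verification while the constructed iPad associates: the trace should show a
! dot1x exchange and a separate mac-auth request for the same station, and the
! user table should show the client in "ipad-role", not in the dot1x role.
show auth-tracebuf mac 00:11:22:33:44:55
show user-table
```

The usual reason MAC auth "silently" fails here is a format mismatch between step 1 and step 4 (dashes instead of colons, or upper case in the database while the profile sends lower case); the trace output is the quickest way to see which string the controller actually submitted.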

Occasional Contributor II
Posts: 14
Registered: ‎10-01-2010

Re: EAP-TLS and Mac filtering

Hello Cjoseph,

Thanks for your information. They will use only EAP-TLS. :)

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP-TLS and Mac filtering

Yes!



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 21
Registered: ‎02-12-2012

Re: EAP-TLS and Mac filtering

Hi Colin,

I'm having a similar issue. I have EAP-TLS deployed for my 802.1x SSID, but the customer would like to allow a handful of devices that are unable to complete EAP-TLS to authenticate via MAC address.

I created and applied both the MAC auth profile and MAC auth server group to my AAA profile. Added the MAC address of the client to the internal DB. Enabled L2 auth fail through.

When I try to connect with the client and fail EAP-TLS, it appears that MAC auth is not even attempted. I ran the 'show auth-tracebuf' command and it shows the client only attempts 802.1x; I see server rejected from my RADIUS server and nothing else... For troubleshooting, I removed the 802.1x auth profile and the 802.1x server group. 'show auth-tracebuf' displayed 'dot1x disabled' and MAC auth never completed.

Unfortunately I don't have debugs, configs, or logs since this was done at a customer site. I will be returning to the customer and was hoping to have this squared away. I tested in my lab (using EAP-PEAP instead of TLS as my 802.1x auth) and experienced the same results.

Any ideas?

Just for clarification, I am not doing anything with User-Derivation rules.

Thanks in advance,

Scott

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP-TLS and Mac filtering

snyer wrote:

Hi Colin,

I'm having a similar issue. I have EAP-TLS deployed for my 802.1x SSID, but the customer would like to allow a handful of devices that are unable to complete EAP-TLS to authenticate via MAC address.

I created and applied both the MAC auth profile and MAC auth server group to my AAA profile. Added the MAC address of the client to the internal DB. Enabled L2 auth fail through.

When I try to connect with the client and fail EAP-TLS, it appears that MAC auth is not even attempted. I ran the 'show auth-tracebuf' command and it shows the client only attempts 802.1x; I see server rejected from my RADIUS server and nothing else... For troubleshooting, I removed the 802.1x auth profile and the 802.1x server group. 'show auth-tracebuf' displayed 'dot1x disabled' and MAC auth never completed.

Unfortunately I don't have debugs, configs, or logs since this was done at a customer site. I will be returning to the customer and was hoping to have this squared away. I tested in my lab (using EAP-PEAP instead of TLS as my 802.1x auth) and experienced the same results.

Any ideas?

Just for clarification, I am not doing anything with User-Derivation rules.

Thanks in advance,

Scott

Devices that attempt to connect to an EAP-TLS network MUST be able to connect via EAP-TLS, otherwise traffic will not pass. L2 passthrough only allows a device that fails MAC auth to attempt to connect via EAP-TLS. The exchange must take place successfully for a client to be let on an EAP-TLS network. You cannot do what you are attempting.


Colin Joseph
Aruba Customer Engineering
