Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is MAC Authentication on only one SSID possible?

  • 1.  Is MAC Authentication on only one SSID possible?

    Posted Jul 28, 2015 09:34 PM

    I have 3 SSIDs set up on my controller:

    1-Faculty

    2-Student

    3-Guest

    Our desire is to leave the Faculty SSID as is with access via a password, but to change the Student SSID to include MAC Authentication with the password.  I have already collected a list of all the student device MAC addresses.

    Is it possible to have the MAC authentication on only one of our SSIDs and if so, where do you assign this?



  • 2.  RE: Is MAC Authentication on only one SSID possible?

    EMPLOYEE
    Posted Jul 28, 2015 09:38 PM
    Are you using ClearPass?


    Thanks,
    Tim


  • 3.  RE: Is MAC Authentication on only one SSID possible?
    Best Answer

    EMPLOYEE
    Posted Jul 28, 2015 10:50 PM

    @klmfin wrote:

    I have 3 SSIDs set up on my controller:

    1-Faculty

    2-Student

    3-Guest

    Our desire is to leave the Faculty SSID as is with access via a password, but to change the Student SSID to include MAC Authentication with the password.  I have already collected a list of all the student device MAC addresses.

    Is it possible to have the MAC authentication on only one of our SSIDs and if so, where do you assign this?


    You can do this, but it requires a lot of administrative overhead to maintain the mac addresses.  If you type "show user-table verbose" there will be a column called "Profile".  Find any user on that SSID and find out what is in that profile column.  That name is the name of the AAA profile you need to add a mac authentication profile to, to start mac authentication on that SSID.  Go to configuration> security> authentication.  Click on the AAA profiles Tab.  Find your AAA profile from that column.  Expand your AAA profile by clicking on the + sign.  Click on MAC Authentication and click the dropdown to change it from default to NEW.  Type a name for your mac authentication profile (I typed mynewprofile as an example).  Leave the delimiter as "None" and the Case as "lower" (this dictates how you will enter your mac addresses to be entered in the internal database).  Click on Apply in the lower right hand corner to create your mac auth profile and apply it to your SSID:

    profile2.png

    Next, we need to decide what role devices that mac authenticate successfully will get.  Click on the name of your AAA profile again and change the mac authentication default role to "authenticated":

     

    mac-auth-default-role.png

     

    Next, we need to add mac addresses that we want to allow.  Click on Security> Authentication> Servers.  Click on the internal database.  Add your mac address as the username and the password and then click on ADD to add it:

    internaldb.png

     

    Now, only devices whose mac addresses you add into the internal DB should be able to attach.  If they attach successfully via mac authentication, they should get the "authenticated" or allow all role.

     



  • 4.  RE: Is MAC Authentication on only one SSID possible?

    Posted Jul 30, 2015 05:48 PM

    Thank you for the quick replies.

    cappalli - no, we are not using ClearPass

     

    cjoseph - you are wonderful, thank you for the very detailed instructions!  We have an Aruba3400 controller on ver 6.3.1.9.  I believe all of this makes sense to me and I should be able to proceed, however I have one question and I hope I don't sound like an idiot...in your first instruction, you say:

    "type 'show-user-table verbose' there will be a column called 'Profile'" 

    I am assuming you mean at a command prompt, but I am struggling at finding the CLI in the controller, sorry if it should be obvious...I think I have clicked on just about every option :o)

     

    I did find a field called Profile by doing the following and was wondering if it is referring to the same "profile":

    • Under the Monitoring Tab I chose Controller>Clients
    • I selected the radio button on one of the clients that was currently connected to the Student SSID and then clicked on the "Status" button below the search results
    • Under General it says Profile and next to it is "Student-Pride-aaa_prof"

    If I go to Configuration>security>authentication then AAA profiles tab I do see a profile of the same name.

     

    Is it correct to assume that this is indeed the profile I need?

     

    Thank you again for your help!

     



  • 5.  RE: Is MAC Authentication on only one SSID possible?

    EMPLOYEE
    Posted Jul 30, 2015 06:16 PM
    Yes.


  • 6.  RE: Is MAC Authentication on only one SSID possible?

    Posted Jul 30, 2015 06:57 PM

    Beautiful!

    One more question...if you will allow me...

    I have my MAC addresses in a spreadsheet and would like to import them.  I tried to export my database to have a sample format to import back, it gave me a message that it was exported successfully, but to where?

    I read that "ArubaOS only supports the importing of database files that were created during the export process." so that is why I want to have a file to import back.
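
For the spreadsheet question above and the "delimiter None, case lower" format from the best answer, an added example (not part of any post in this thread and not Aruba's code): a Python script that normalises MAC addresses from a CSV export, rejects malformed, multicast and duplicate entries, and emits one `local-userdb add` CLI line per device. It assumes the lines are pasted at the controller CLI instead of using the WebUI import; the sample CSV, the `mac` column name and the function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of a spreadsheet saved as CSV; owners and MACs are made up.
SAMPLE_CSV = """owner,mac
student01,00:1A:2B:3C:4D:5E
student02,00-1a-2b-3c-4d-5f
student03,001a.2b3c.4d60
student04,001A2B3C4D5E
student05,00:1A:2B:3C:4D
student06,01:00:5E:00:00:01
"""

_HEX12 = re.compile(r"[0-9a-f]{12}")

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits (delimiter none, case lower)."""
    mac = re.sub(r"[\s:.\-]", "", raw).lower()
    if not _HEX12.fullmatch(mac):
        raise ValueError("not a 48-bit MAC address")
    if int(mac[:2], 16) & 1:
        raise ValueError("multicast/broadcast address, not a client MAC")
    return mac

def build_commands(csv_text, column="mac"):
    """Return (commands, rejects) for every row of the CSV text."""
    commands, rejects, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(column) or "").strip()
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejects.append((raw, str(exc)))
            continue
        if mac in seen:
            rejects.append((raw, "duplicate of an earlier row"))
            continue
        seen.add(mac)
        # Username and password are both the MAC, as in the answer above.
        commands.append(f"local-userdb add username {mac} password {mac}")
    return commands, rejects

if __name__ == "__main__":
    cmds, bad = build_commands(SAMPLE_CSV)
    print("\n".join(cmds))
    for raw, why in bad:
        print(f"! skipped {raw!r}: {why}")
```

Review the rejected rows before loading the rest: an entry stored in a different case or with delimiters will not match what the MAC authentication profile sends, and that device will fail MAC authentication.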



  • 7.  RE: Is MAC Authentication on only one SSID possible?

    Posted Jul 30, 2015 07:04 PM

    Incidentally,

    in your directions it says:

     

    "if they attach successfully via mac authentication, they should get the 'authenticated' or allow all role."

     

    I have noticed when I go to Monitoring Tab>Controller>Clients and look at one of the clients I have entered a MAC address for, under user role it says Guest and under Auth Type it says MAC.  Is there another setting I should be changing to get the 'authenticated' or allow all role instead of guest?



  • 8.  RE: Is MAC Authentication on only one SSID possible?

    Posted Sep 13, 2015 09:58 AM

    If you have done all correctly there shouldn't be another place. Be sure to double check all settings, i.e. the MAC address format. Perhaps post them here so we can check them.