New Contributor
Posts: 4
Registered: ‎07-28-2015

Is MAC Authentication on only one SSID possible?

I have 3 SSIDs set up on my controller:

1-Faculty

2-Student

3-Guest

Our desire is to leave the Faculty SSID as is with access via a password, but to change the Student SSID to include MAC Authentication with the password.  I have already collected a list of all the student device MAC addresses.

 

Is it possible to have the MAC authentication on only one of our SSIDs and if so, where do you assign this?

Guru Elite
Posts: 8,203
Registered: ‎09-08-2010

Re: Is MAC Authentication on only one SSID possible?

Are you using ClearPass?


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guru Elite
Posts: 20,588
Registered: ‎03-29-2007

Re: Is MAC Authentication on only one SSID possible?


klmfin wrote:

I have 3 SSIDs set up on my controller:

1-Faculty

2-Student

3-Guest

Our desire is to leave the Faculty SSID as is with access via a password, but to change the Student SSID to include MAC Authentication with the password.  I have already collected a list of all the student device MAC addresses.

 

Is it possible to have the MAC authentication on only one of our SSIDs and if so, where do you assign this?


You can do this, but it requires a lot of administrative overhead to maintain the MAC addresses.  If you type "show user-table verbose" there will be a column called "Profile".  Find any user on that SSID and find out what is in that profile column.  That name is the name of the AAA profile you need to add a MAC authentication profile to, to start MAC authentication on that SSID.

Go to Configuration > Security > Authentication.  Click on the AAA Profiles tab.  Find your AAA profile from that column.  Expand your AAA profile by clicking on the + sign.  Click on MAC Authentication and click the dropdown to change it from default to NEW.  Type a name for your MAC authentication profile (I typed mynewprofile as an example).  Leave the delimiter as "None" and the Case as "lower" (this dictates how you will enter your MAC addresses in the internal database).

Click on Apply in the lower right-hand corner to create your MAC auth profile and apply it to your SSID:

profile2.png

Next, we need to decide what role devices that MAC authenticate successfully will get.  Click on the name of your AAA profile again and change the MAC authentication default role to "authenticated":

 

mac-auth-default-role.png

 

Next, we need to add mac addresses that we want to allow.  Click on Security> Authentication> Servers.  Click on the internal database.  Add your mac address as the username and the password and then click on ADD to add it:

internaldb.png

 

Now, only devices whose MAC addresses you add into the internal DB should be able to attach.  If they attach successfully via MAC authentication, they should get the "authenticated" or allow all role.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
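As an added example (not part of the original post and not Aruba's code): a Python script that converts a collected MAC list into the form the MAC authentication profile described above expects (delimiter none, lower case) and builds one internal-database entry per device, with the MAC as both username and password. The sample rows are constructed, and the `local-userdb add` CLI syntax is an assumption based on ArubaOS 6.x that should be checked against your controller's version.

```python
import re

# 12 lowercase hex digits: what "delimiter none / case lower" will be matched against.
HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits with no delimiter, or None if malformed."""
    s = raw.strip().lower()
    # Accept colon, dash, dot or space separated input (aa:bb:.., aa-bb-.., aabb.ccdd.eeff).
    s = re.sub(r"[:\-.\s]", "", s)
    return s if HEX12.match(s) else None


def build_commands(rows):
    """Turn raw MAC strings into internal-DB commands; return (commands, rejected rows)."""
    commands, rejected, seen = [], [], set()
    for raw in rows:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append(raw)      # wrong length or non-hex: fix in the spreadsheet
            continue
        if mac in seen:
            continue                  # same device listed twice in different formats
        seen.add(mac)
        # Assumed ArubaOS 6.x syntax; username and password are both the MAC.
        commands.append(f"local-userdb add username {mac} password {mac}")
    return commands, rejected


# Constructed sample rows, as they might be pasted from a spreadsheet column.
SAMPLE_ROWS = [
    "00:1A:2B:3C:4D:5E",
    "00-1a-2b-3c-4d-5f",
    "001a.2b3c.4d60",
    " 001A2B3C4D5E ",        # duplicate of the first row
    "00:1A:2B:3C:4D",        # too short
    "00:1A:2B:3C:4D:ZZ",     # not hex
]

if __name__ == "__main__":
    cmds, bad = build_commands(SAMPLE_ROWS)
    print("\n".join(cmds))
    for row in bad:
        print(f"! rejected: {row!r}")
```

A row that is entered in any other form than the profile's delimiter and case settings will not match at authentication time, so rejected rows should be corrected before the entries are added.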

New Contributor
Posts: 4
Registered: ‎07-28-2015

Re: Is MAC Authentication on only one SSID possible?


Thank you for the quick replies.

cappalli - no, we are not using ClearPass.

 

cjoseph - you are wonderful, thank you for the very detailed instructions!  We have an Aruba3400 controller on ver 6.3.1.9.  I believe all of this makes sense to me and I should be able to proceed; however, I have one question and I hope I don't sound like an idiot... In your first instruction, you say:

"type 'show-user-table verbose' there will be a column called 'Profile'" 

I am assuming you mean at a command prompt, but I am struggling at finding the CLI in the controller, sorry if it should be obvious...I think I have clicked on just about every option :o)

 

I did find a field called Profile by doing the following and was wondering if it is referring to the same "profile":

  • Under the Monitoring Tab I chose Controller>Clients
  • I selected the radio button on one of the clients that was currently connected to the Student SSID and then clicked on the "Status" button below the search results
  • Under General it says Profile and next to it is "Student-Pride-aaa_prof"

If I go to Configuration>security>authentication then AAAprofiles tab I do see a profile of the same name.

 

Is it correct to assume that this is indeed the profile I need?

 

Thank you again for your help!

 

Guru Elite
Posts: 20,588
Registered: ‎03-29-2007

Re: Is MAC Authentication on only one SSID possible?

Yes.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎07-28-2015

Re: Is MAC Authentication on only one SSID possible?

Beautiful!

One more question...if you will allow me...

I have my MAC addresses in a spreadsheet and would like to import them.  I tried to export my database to have a sample format to import back, it gave me a message that it was exported successfully, but to where?

I read that "ArubaOS only supports the importing of database files that were created during the export process." so that is why I want to have a file to import back.

New Contributor
Posts: 4
Registered: ‎07-28-2015

Re: Is MAC Authentication on only one SSID possible?

Incidentally,

in your directions it says:

 

"if they attach successfully via mac authentication, they should get the 'authenticated' or allow all role."

 

I have noticed when I go to Monitoring Tab>Controller>Clients and look at one of the clients I have entered a MAC address for, under user role it says Guest and under Auth Type it says MAC.  Is there another setting I should be changing to get the 'authenticated' or allow all role instead of guest?

MVP
Posts: 1,407
Registered: ‎11-30-2011

Re: Is MAC Authentication on only one SSID possible?

If you have done all correctly, there shouldn't be another place. Be sure to double-check all settings, i.e. the MAC address format. Perhaps post them here so we can check them.
