New Contributor
Posts: 4
Registered: ‎02-27-2013

MAC Authentication on RAP is allowing any MAC despite internalDB being empty

Hello

I have:

Model: Aruba3600
Version: 6.3.1.5

& ClearPass, although I didn't make any changes to ClearPass for access via the Eth1 port on RAPs; I tried using the internal DB.

RAP-3WNP

 

Using a RAP-3WNP I wish to use the eth1 interface for printer access on VLAN 50 using MAC address. I am using an AP-specific config under testing and once proven will roll out the config to the AP Group:

Config:

RAP-3WNP eth1:

Shut down: Unticked
Remote-AP Backup: Ticked
Bridge Role: authenticated
Time to wait for authentication to succeed: 20 sec
Spanning Tree: Unticked

default-mac-auth

Wired AP enable: Ticked
Trusted: Unticked
Forward mode: tunnel
Switchport mode: access
Access mode VLAN: 50
Trunk mode native VLAN: 1
Trunk mode allowed VLANs: 1-4094
Broadcast: Unticked
Initial role: logon
MAC Authentication Default Role: authenticated
802.1X Authentication Default Role: Guest
L2 Authentication Fail Through: Unticked
User idle timeout: Enable (seconds value not shown)

MAC Authentication Profile: default
MAC Authentication Server Group: default
802.1X Authentication Profile: (none)
802.1X Authentication Server Group: (none)
RADIUS Accounting Server Group: (none)
XML API server: (none)
RFC 3576 server: (none)

 

Authentication - internal DB (note the MAC account in the internal DB is disabled and could still access the network). RAP was rebooted twice.

 
Internal DB (Maximum Expiration: min; "This account is disabled" is set on the entry):

f01faf46375e  ******  company_Employee  No  0.0.0.0
Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

Re: MAC Authentication on RAP is allowing any MAC despite internalDB being empty

If you have an AAA profile attached to a wired port, the initial role is what a user gets, and if they fail MAC authentication, that is the role they stay in. By default the initial role of logon allows DHCP.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎02-27-2013

Re: MAC Authentication on RAP is allowing any MAC despite internalDB being empty

Thanks for your response, my test RAP is at home for me to look further into what I can do. However, I had my laptop on as a test device with a static IP related to the printer VLAN; the only thing I tried after disabling the MAC user account in the internal DB was a ping, and as that worked I assumed (without checking further) there was a greater security / privilege issue occurring.

 

So will the logon "initial role" restrict further access rights other than DHCP / ping? If it does allow more privileges, is there another initial role I should use?

 

Thanks

Tony

Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

Re: MAC Authentication on RAP is allowing any MAC despite internalDB being empty

You should create a new role that restricts traffic that you don't want to happen initially and assign that to the initial role of that AAA profile. You don't want to edit the built-in logon role, because it is tied to other things. The initial role is used so that devices that fail are given the option to connect other ways. The logon role would allow the user to open a captive portal to login, if they fail MAC authentication.



Colin Joseph
Aruba Customer Engineering

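The approach in the answer above, written out as ArubaOS 6.x CLI, as an added example that is not part of the thread or of Aruba's own documentation. The role, ACL and profile names (printer-preauth, printer-preauth-acl, rap-eth1-printer) and the AP name (RAP-HOME-TEST) are assumed; VLAN 50, the "default" MAC authentication profile and server group, the "authenticated" MAC default role and the internal DB entry come from the original post. The pre-authentication role below only permits DHCP, so an unknown MAC (or the disabled f01faf46375e entry) gets an address but cannot ping or reach the printer VLAN until MAC authentication succeeds; the built-in logon role is left untouched.

```arubaos
! Added example, not from the thread. All profile/role names are assumed.

! 1. Session ACL for devices that have not yet passed MAC authentication:
!    allow DHCP only, drop everything else (so ping no longer works here).
ip access-list session printer-preauth-acl
  any any svc-dhcp permit
  any any any deny

! 2. A new role built on that ACL. The built-in "logon" role is not edited.
user-role printer-preauth
  session-acl printer-preauth-acl

! 3. AAA profile for the wired port. Unknown MACs stay in printer-preauth;
!    MACs that pass the "default" MAC auth profile against the "default"
!    server group (internal DB in the post) move to "authenticated".
aaa profile rap-eth1-printer
  initial-role printer-preauth
  authentication-mac default
  mac-server-group default
  mac-default-role authenticated

! 4. Wired AP profile for eth1, matching the post: tunnel mode, untrusted
!    access port in VLAN 50.
ap wired-ap-profile rap-eth1-printer
  wired-ap-enable
  no trusted
  forward-mode tunnel
  switchport mode access
  switchport access vlan 50

! 5. Wired port profile tying the two together, applied to eth1 of the
!    test RAP (assumed AP name) before rolling out to the AP group.
ap wired-port-profile rap-eth1-printer
  wired-ap-profile rap-eth1-printer
  aaa-profile rap-eth1-printer
  no shutdown

ap-name RAP-HOME-TEST
  enet1-port-profile rap-eth1-printer

! 6. Checks after plugging the test laptop into eth1:
!    - the device should appear with role "printer-preauth" while the
!      internal DB entry is disabled, and "authenticated" once it is enabled
show user-table
!    - confirm the pre-auth role really carries only the DHCP permit
show rights printer-preauth
```

The point of the check at step 6 is the one raised earlier in the thread: a successful ping does not by itself mean MAC authentication passed, because the logon role already permits ICMP. Reading the role column of `show user-table` tells you which role the port actually landed in.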
