Frequent Contributor I
Posts: 71
Registered: ‎10-08-2011

MAC Authentication on WPA2 secured SSID

Hi all,

Has anyone had any success getting devices to authenticate via MAC, on a WLAN which uses 802.1x? (on Aruba OS version 6.1.2.3)

Other forum posts seem to suggest that if you have MAC auth and 802.1x enabled, and the fall-through tick box enabled, devices should attempt MAC authentication first, and follow up with 802.1x if this fails. (Unless I have misunderstood...)

However, so far devices which I attempt to do this with refuse to connect, instead insisting I enter username credentials. The process logs are not actually showing anything up. The same profiles connecting to Layer3 authenticated SSID work OK.

Also, does each controller keep a separate list of MAC addresses, or does the Master push out lists to the Locals? (Adding the same user to up to 6 separate controllers might get a bit tiresome!)

Any help would be very much appreciated.

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: MAC Authentication on WPA2 secured SSID

Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

 

config t

logging level debug user

 

The controller stores the mac addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy of its own mac addresses.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 71
Registered: ‎10-08-2011

Re: MAC Authentication on WPA2 secured SSID


cjoseph wrote:

Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

 

config t

logging level debug user

 

The controller stores the mac addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy of its own mac addresses.

 


OK, done...

 

Not much is appearing in the logs... Getting a DHCP ACK for the mac, if I connect to the Layer3 auth'd SSID...

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: MAC Authentication on WPA2 secured SSID


eljay wrote:

cjoseph wrote:

Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

 

config t

logging level debug user

 

The controller stores the mac addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy of its own mac addresses.

 


OK, done...

 

Not much is appearing in the logs... Getting a DHCP ACK for the mac, if I connect to the Layer3 auth'd SSID...


Are you sure that you are enabling mac authentication for the correct AAA profile?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 71
Registered: ‎10-08-2011

Re: MAC Authentication on WPA2 secured SSID

Apparently not...  :)

 

There were no references to the test AAA profile I was using... So I've tweaked this.

 

Now I can see:- 

localdb[1816]: <133005> <INFO> |localdb| User 00:19:7e:b3:57:5c authenticated Successfully Authenticated

 

... But I'm still prompted for a username for the 802.1x element... implying that both MAC AND 802.1x are required?

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: MAC Authentication on WPA2 secured SSID

For a client to connect successfully on an 802.1x network with encryption it needs a username or password.  That is not optional.  What is optional is passing mac authentication.   The client will not be allowed to connect without passing username and password authentication, no.

 

 

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 71
Registered: ‎10-08-2011

Re: MAC Authentication on WPA2 secured SSID

Ok, I suspected that to be the case. Many thanks for the confirmation. 
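
Added example, not part of any post in this thread and not Aruba's reference configuration: a sketch of the ArubaOS settings the thread turns on, with MAC authentication, 802.1X and Layer 2 fail-through on one AAA profile that the virtual AP actually references. Every name beginning with "example-" is a hypothetical placeholder, and lines starting with ! are annotations rather than commands.

```text
! Constructed example; every name starting with "example-" is hypothetical.
! MAC authentication and 802.1X are both attached to the same AAA profile.
aaa profile "example-aaa"
   authentication-mac "default"
   mac-server-group "internal"
   authentication-dot1x "default"
   dot1x-server-group "example-dot1x-servers"
   l2-auth-fail-through
!
! The virtual AP must reference that AAA profile; MAC authentication
! enabled on a profile that no virtual AP uses is never consulted.
wlan virtual-ap "example-vap"
   aaa-profile "example-aaa"
   ssid-profile "example-wpa2-ssid"
!
! From enable mode: confirm which settings the profile actually carries.
show aaa profile example-aaa
```

As the replies above state, fail-through only decides whether a device that fails MAC authentication may go on to 802.1X; the 802.1X credentials are still required on this SSID in either case.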
