
MAC authentication question

  • 1.  MAC authentication question

    Posted Nov 18, 2015 10:12 AM

    I have the Aruba3600 configured with SSID1, SSID2, ...

    Now, I'd like to control access with MAC authentication. Some MACs should only be allowed to access SSID1, and not SSID2. The other group of MACs is allowed to access SSID2, but I don't want them to access SSID1.

    Could you tell me how to get this function to work? Thanks.



  • 2.  RE: MAC authentication question

    EMPLOYEE
    Posted Nov 18, 2015 10:14 AM
    You would need to use a policy engine like ClearPass for this.


  • 3.  RE: MAC authentication question

    EMPLOYEE
    Posted Nov 18, 2015 10:24 AM

    samlui@sohu.com wrote:

    I have the Aruba3600 configured with SSID1, SSID2, ...

    Now, I'd like to control access with MAC authentication. Some MACs should only be allowed to access SSID1, and not SSID2. The other group of MACs is allowed to access SSID2, but I don't want them to access SSID1.

    Could you tell me how to get this function to work? Thanks.


    To be honest, very few people use mac authentication, because it is not really secure and it requires quite a bit of administrative overhead to maintain.  Using two SSIDs with mac authentication would make this even more complicated.  Can you please state your use case so that we can propose a solution?

     



  • 4.  RE: MAC authentication question

    Posted Nov 19, 2015 12:26 AM

    Thanks Joseph,

    The requirement is: we have two VLANs belonging to two business units. We configured two SSIDs on the Aruba controller for these two VLANs. For these two business units, we have different computers for operation. How do we control the computers so that they connect to their own SSID and are unable to connect to the other SSID with MAC authentication?



  • 5.  RE: MAC authentication question

    EMPLOYEE
    Posted Nov 19, 2015 05:56 AM
    Sonu,

    Are both business units in Active Directory? Does one Vlan grant users more or different privileges than another?


  • 6.  RE: MAC authentication question

    Posted Nov 19, 2015 08:14 AM

    Dear Joseph,

     

    Not in Active Directory. The 2 VLANs are assigned to different SSIDs.



  • 7.  RE: MAC authentication question

    Posted Dec 26, 2015 06:23 AM

    In principle you use different pre-shared keys, I assume, but that is of course not perfect either.

     

    MAC auth is an option but it doesn't scale well and isn't really that secure (MAC spoofing isn't that hard).

     

    How many users are you working with?



  • 8.  RE: MAC authentication question

    Posted Dec 28, 2015 04:09 PM

    We can achieve that by configuring two MAC auth profiles.

     

    1. We need to change the way mac-address format will be stored in the internal database using the above profile.

     

    Eg: MAC-auth profile 1:

     

    use delimiter as colon and case as lower

     

    MAC auth profile 2

     

    use delimiter as colon and case as upper

     

    2. We need to map one of these profiles to the AAA profile in use

     

    SSID 1: AAA Profile 1 mapped to MAC Auth Profile 1

     

    SSID 2: AAA Profile 2 mapped to MAC Auth Profile 2.

     

    3. Enter the mac-addresses in the internal database as per requirement (as per mac-auth profiles)

     

    Note: As Colin mentioned earlier, mac-address is not secure.

     

    The above config will help in achieving the goal to an extent.

     

    However, if there is a mac-address which needs to connect to both the SSIDs, then more config/overtime is involved.
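The two-profile scheme from post 8, modelled as an added example that is not part of the original thread and not Aruba code. It assumes the internal database lookup is an exact, case-sensitive match on the formatted MAC string; the profile table, function names and database entries are constructed for illustration. It also surfaces an edge case: a MAC with no a-f digits formats identically under both profiles, so the case trick cannot separate it.

```python
import re

# Assumed model of the two MAC-auth profiles from post 8: each SSID's profile
# formats the client MAC (delimiter + case) before the internal-database lookup.
PROFILES = {
    "SSID1": {"delimiter": ":", "case": "lower"},
    "SSID2": {"delimiter": ":", "case": "upper"},
}

def format_mac(raw, delimiter, case):
    """Strip any common MAC notation, then apply one profile's format."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower() if case == "lower" else digits.upper()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

def allowed_ssids(client_mac, internal_db):
    """SSIDs whose formatted username exists in the database (exact match assumed)."""
    return [ssid for ssid, profile in PROFILES.items()
            if format_mac(client_mac, **profile) in internal_db]

def ambiguous_entries(internal_db):
    """Entries with no a-f digits: identical in both cases, so valid on both SSIDs."""
    return sorted(e for e in internal_db if e.lower() == e.upper())

# Constructed sample database entries (not real devices).
INTERNAL_DB = {
    "aa:bb:cc:00:11:22",  # business unit 1, lower case -> SSID1 only
    "AA:BB:CC:00:11:33",  # business unit 2, upper case -> SSID2 only
    "00:11:22:33:44:55",  # digits only -> matches both profiles
}

if __name__ == "__main__":
    for mac in ("AA-BB-CC-00-11-22", "aabb.cc00.1133", "00:11:22:33:44:55"):
        print(mac, "->", allowed_ssids(mac, INTERNAL_DB))
    print("entries the case trick cannot separate:", ambiguous_entries(INTERNAL_DB))
```

Running `ambiguous_entries` over an export of the internal database before relying on this scheme shows which devices would be accepted on both SSIDs.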