New Contributor

MAC authentication question

I have the Aruba3600 configured with SSID1, SSID2, ...

Now, I'd like to control access with MAC authentication. Some MACs should only be allowed to access SSID1, and access to SSID2 should not be allowed. The other group of MACs is allowed to access SSID2, but I don't want them to access SSID1.

Could you tell me how to get this function to work? Thanks

Guru Elite

Re: MAC authentication question

You would need to use a policy engine like ClearPass for this.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: MAC authentication question


samlui@sohu.com wrote:

I have the Aruba3600 configured with SSID1, SSID2, ...

Now, I'd like to control access with MAC authentication. Some MACs should only be allowed to access SSID1, and access to SSID2 should not be allowed. The other group of MACs is allowed to access SSID2, but I don't want them to access SSID1.

Could you tell me how to get this function to work? Thanks


To be honest, very few people use MAC authentication, because it is not really secure and it requires quite a bit of administrative overhead to maintain. Using two SSIDs with MAC authentication would make this even more complicated. Can you please state your use case so that we can propose a solution?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor

Re: MAC authentication question

Thanks Joseph,

The requirement is that we have two VLANs belonging to two business units. We configured two SSIDs on the Aruba controller for these two VLANs. The two business units have different computers for operation. How can we control the computers so that they connect to their own SSID and are unable to connect to the other SSID with MAC authentication?

Guru Elite

Re: MAC authentication question

Sonu,

Are both business units in Active Directory? Does one VLAN grant users more or different privileges than another?


Colin Joseph
Aruba Customer Engineering


New Contributor

Re: MAC authentication question

Dear Joseph,

Not in Active Directory. 2 VLANs are assigned to different SSIDs.

Re: MAC authentication question

In principle you use different pre-shared keys, I assume, but that is of course not perfect either.

MAC auth is an option, but it doesn't scale well and isn't really that secure (MAC spoofing isn't that hard).

How many users are you working with?

Aruba Employee

Re: MAC authentication question

We can achieve that by configuring two MAC auth profiles.

1. We need to change the way the mac-address format will be stored in the internal database using the above profile.

Eg: MAC-auth profile 1:

use delimiter as colon and case as lower

MAC auth profile 2:

use delimiter as colon and case as upper

2. We need to map one of these profiles to the AAA profile in use

SSID 1: AAA Profile 1 mapped to MAC Auth Profile 1

SSID 2: AAA Profile 2 mapped to MAC Auth Profile 2.

3. Enter the mac-addresses in the internal database as per requirement (as per mac-auth profiles)

Note: As Colin mentioned earlier, mac-address is not secure.

The above config will help in achieving the goal to an extent.

However, if there is a mac-address which needs to connect to both the SSIDs, then more config/overtime is involved.
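
The per-SSID format scheme from the post above, modelled as an added example (not part of the thread and not Aruba code). It assumes the internal database lookup is an exact, case-sensitive match on the formatted MAC string; all function names are hypothetical and the MAC addresses are constructed. It goes one step beyond the post by flagging MACs that contain no a-f digits, which the case difference cannot separate.

```python
import re

# Constructed sample inventory, in the mixed formats asset lists tend to have.
GROUPS = {
    "SSID1": ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f", "00:11:22:33:44:55"],
    "SSID2": ["00:1a:2b:3c:4d:60", "001A2B3C4D5E"],  # second is also in SSID1
}
# The two formats from the post: colon delimiter, lower case vs upper case.
CASE = {"SSID1": str.lower, "SSID2": str.upper}


def canonical(mac):
    """Drop common delimiters; return 12 lowercase hex digits or raise."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def username(ssid, mac):
    """Format a MAC the way the SSID's MAC auth profile would present it."""
    d = canonical(mac)
    return CASE[ssid](":".join(d[i:i + 2] for i in range(0, 12, 2)))


def build_userdb(groups):
    """Usernames to enter in the internal database, one per (SSID, device)."""
    return {username(s, m) for s, macs in groups.items() for m in macs}


def admitted(ssid, client_mac, userdb):
    """Assumed lookup: exact, case-sensitive match on the formatted MAC."""
    return username(ssid, client_mac) in userdb


def needs_two_entries(groups):
    """Devices listed for both SSIDs, which need an entry in each format."""
    a, b = ({canonical(m) for m in groups[s]} for s in ("SSID1", "SSID2"))
    return sorted(a & b)


def not_separable(groups):
    """MACs with no a-f digits: both formats give the same string, so one
    entry matches on both SSIDs under this model."""
    return sorted({username(s, m) for s, macs in groups.items() for m in macs
                   if username(s, m).lower() == username(s, m).upper()})
```

Running `not_separable(GROUPS)` before loading entries shows which devices would need a different control than the case format.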
