Occasional Contributor II
Posts: 21
Registered: ‎02-01-2012

MAC authentication

Hi all.


I am new to posting on this forum though I've viewed it many times.  I have searched for the answer but cannot find anything that helps me.


I have an Alcatel connected to the Eth1 port on a RAP.  It works.

The problem is that this port is trusted and, because of that, if someone connects a laptop to the Eth1 they get a DHCP IP on our voice network, which is ultimately a back door into our network.

I have begun to investigate MAC authentication on the wired port as a "basic" security fix.  I wanted to allow only MACs that begin 00:80:9f:**:**:** to become authorised.


I’ve created a wired profile that’s “trusted” and a wired port profile.  There is no AAA profile attached.


Is it possible that you could tell me the steps I’d need to carry out in order to create MAC-authentication and apply it to my wired port profile?  I would want the default role to be deny but despite going on a course, looking in manuals and reading this forum I am struggling for answers.


Thanks in advance.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: MAC authentication

What version of ArubaOS are you running?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 21
Registered: ‎02-01-2012

Re: MAC authentication

5.0.3.3, but with the upgrade taking place this weekend.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: MAC authentication

In the ArubaOS 5.0 user guide http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=3848, in Chapter 17, entitled "MAC-Based Authentication", it tells you how to do it, step by step.

In general you need to:

create a mac authentication server group that has the internal database

create a mac authentication profile and assign the server group to it

create an AAA profile and assign the mac authentication profile to it

In the AAA profile, configure the mac authentication default role to be your "success" role.

In the same AAA profile, make the initial role a role that blocks all traffic

add the mac address, as both username and password, to the internal database in the format that you configured in the mac authentication profile.

make that wired port untrusted and assign the AAA profile that you created to it.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
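Colin's seven steps written out as ArubaOS CLI, as an added example that is not from the thread. Profile and role names reuse the ones in the original poster's later config; the colon/lower-case MAC format is a choice made here, and "no trusted" in the wired-ap-profile is assumed to be the CLI form of that profile's Trusted setting. Lines starting with "!" are annotations.

```text
! Steps 1-2: MAC-auth profile plus a server group pointing at the internal DB.
!   delimiter and case decide how the MAC must be written as a username below.
aaa authentication mac "VOIP-MAC"
   delimiter colon
   case lower

aaa server-group "Internal-voip-mac"
   auth-server Internal

! Steps 3-5: AAA profile. initial-role blocks everything until MAC auth succeeds,
!   mac-default-role is the "success" role.
aaa profile "Voip-AAA-Mauth"
   initial-role "denied-personal-device"
   authentication-mac "VOIP-MAC"
   mac-default-role "Wired-VOIP-Auth"
   mac-server-group "Internal-voip-mac"

! Step 6: the phone's MAC as username and password, in exactly the format the
!   profile expects (colon-delimited, lower case), carrying the success role.
local-userdb add username 00:80:9f:5f:2b:56 password 00:80:9f:5f:2b:56 role Wired-VOIP-Auth

! Step 7: untrusted wired port on the RAP with the AAA profile attached
!   ("no trusted" is an assumption about the CLI keyword for this version).
ap wired-ap-profile "voip-sec-connection"
   wired-ap-enable
   no trusted
   switchport access vlan 800

ap wired-port-profile "voip-connection_sec-connection"
   wired-ap-profile "voip-sec-connection"
   aaa-profile "Voip-AAA-Mauth"
```

The internal database matches whole MAC addresses, so an OUI prefix such as 00:80:9f cannot be used as a wildcard; each phone needs its own local-userdb entry, and a MAC stored in a different delimiter or case than the profile specifies will fail authentication and stay in the initial role.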

Occasional Contributor II
Posts: 21
Registered: ‎02-01-2012

Re: MAC authentication

Colin - I'm so close I can smell it..


I followed your guide as the link in your previous post was not working. Everything looks pretty good, however, once the phone goes through its boot sequence, it gets an IP, downloads config, attempts to connect and comes back "Bad TFTP"

Now, looking at the debug below, it appears to authenticate as set up on the internal DB, but it appears to drop it into guest: "Authenticated MAC guest".

(Aruba-Master) (config) #  show log user all | include 00:80:9f:5f:2b:56
Feb 1 16:56:42 :522026:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User miss: ingress=0x1191, VLAN=800
Feb 1 16:56:42 :522004:  <DBUG> |authmgr|  Deleting RAP Wired User (tunnel) 00:80:9f:5f:2b:56/10.150.50.238 from STM stats tree
Feb 1 16:56:42 :522004:  <DBUG> |authmgr|  Adding RAP Wired User (tunnel) 00:80:9f:5f:2b:56 to STM stats tree
Feb 1 16:56:42 :522004:  <DBUG> |authmgr|  {10.150.50.238} autTable ("00:80:9f:5f:2b:56 Authenticated MAC guest   ")

I cannot find anywhere in my config where I point to Guest. Any ideas? (Thanks)

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: MAC authentication

Where your mac user is in the internal database change the role to something other than guest.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 21
Registered: ‎02-01-2012

Re: MAC authentication

It is, I've created a VOIP-Wired-Auth - with Allowall...


I've got a call out.  It's probably a check box somewhere.  I'll keep you posted.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: MAC authentication

What is the ROLE of the mac addresses in the internal database, I mean..?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 21
Registered: ‎02-01-2012

Re: MAC authentication

Okay,  I had created a new USER ROLE and added ALLOW ALL firewall policy to the user.


00:80:9f:5f:2b:56           ********  Wired-VOIP-Auth                              Yes                      Active                0.0.0.0    admin


user-role Wired-VOIP-Auth
 session-acl allowall ap-group rap-ap-ethvoip


aaa profile "Voip-AAA-Mauth"
   initial-role "denied-personal-device"
   authentication-mac "VOIP-MAC"
   mac-default-role "Wired-VOIP-Auth"
   mac-server-group "Internal-voip-mac"
   dot1x-default-role "Wired-VOIP-Auth"


ap wired-ap-profile "voip-sec-connection"
   wired-ap-enable
   switchport access vlan 800


ap wired-port-profile "voip-connection_sec-connection"
   wired-ap-profile "voip-sec-connection"
   enet-link-profile "voip-connection"
   aaa-profile "Voip-AAA-Mauth"


ap-group "RAP-AP-EthVoip"
   virtual-ap "Corp-VAP"
   enet1-port-profile "voip-connection_sec-connection"


Occasional Contributor II
Posts: 36
Registered: ‎06-25-2010

Re: MAC authentication

I would be very interested in the outcome of this, as I am trying to set up something similar.
