10-26-2012 05:49 AM
We have two aruba 3400 controler with 220.127.116.11 firmware.
we want associate authentication wpa2 and mac filtering.
I followed the instructions in Chapter 16 of the aruba User Guide and recommendations on this post
But mac filtering isn't working!!!
Can you help me?
10-26-2012 06:17 AM
What part is not working? Chapter 19 of the 6.1 users guide is the MAC auth chapter.
Create a server group that contains the RADIUS server where your MAC addresses are stored
Assign that server group to the MAC auth profile of your AAA profile
Set the MAC auth default role in your AAA profile
That should do it.
You might also have to edit the Authentication > L2 Authentication > MAC Authentication profile, if you use a delimiter in the MAC addresses when you input them (the default is no delimiter).
10-26-2012 06:44 AM
Yes, it is. Whe you create the server group, add the "internal" server. Then, you can add the MAC addresses to the internal db. Just make sure you enter them lowercase, without any delimiter (or change the default L2 MAC auth profile to match your delimeter).
10-26-2012 07:39 AM
Just a question
Why you want to use a such a weak authentication method as mac filtering?
it got lot of disasvantage
Aruba does not recomend it as far i read it in a VRD i think...
Now you should take in mind a few things
1-You got a limit of 4000 mac addresses on the internal database
2-When you want to manage it let say you will need to document it because you willl not know what mac address belongs to which pc later...
If you got Active directory and this is an enterprise enviroment use WPA2 enterprise with at least EAP PEAP
You just need a NPS server and a cert... if you got an internal cert authority well you just need one cert for that server with machine template...
Anyways what is hte enviroment in which you willl use this mac address filtering maybe we can help you with a better solution than mac address filtering.
Product Manager - Aruba Networks
10-26-2012 08:06 AM
Since it seems to be configured right, we will need more details to help out. Whats not working? How does the client fail (or does it get on when it is not supposed to)? Turn on debugging (logging level debug user-debug xx:xx:xx:xx:xx:xx) for the MAC address having trouble, then connect (or try to connect). Do "show log user-debug all" and see if you can find the source of the issue in the log messages. Also, do "show auth-tracebuf" after the problem occurs and see if you see failed auths going to the internal DB.
If all of that looks OK, you might want to open a TAC case so they can screen share with you and see what's going on.