Security

In your AAA profile, you need to disable L2 authentication fail through:

http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_profile.htm?Highlight=l2-auth-fail-through

Hi Colin,

Thank for your response,

I've checked on my AAA profile, unfortunately L2 authentication fail throuhg not enable.

You might be showing us the wrong AAA profile.  According to your screenshot, the mac authentication server group is "Internal" which means it is not pointing at CPPM.

Hi Colin,

I'm sorry, i've showed wrong screenshot.This is a screenshot when i've tested AAA profile with internal DB on controller, but i'm sure that L2 authentication failthough was not enable in my profile. You can see on attachment below.

Hi Colin,

As your comment above: "The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication.  If you want the client's role to be restricted even more, you would change that role to something else." I have some confuse and hope you help.

1.Do you mean is  client will receive "logon role " if it does not mac authentication ( default policies include allow http, https, dns,dhcp...), so it still have network connectivity ?

2.So if it pass authentication, what is the role it will stay on?

3. If i want to deny all client, who does not pass authentication ( include mac , 802.1x ...) i need an " Initial Role " with a deny any any rule?

Hi Colin,

Thank for your help, i've resolve my issue . I've used 1 profile with blank rule in initial role. Is there any other way to reject client who does not pass authenticate? With my solution, client just does not receive dhcp or dns. Actually,they was not rejected.

Hope you help me more clearly this issue and 3 questions above.

Many thanks.

Ultimately, if you use 802.1x, the client does not get connected if they fail authentication.  That is the Gold standard.  Mac authentication does not scale and should only be used as an interim authentication solution.

The answer to #3 is yes.  The only other way to reject is to return a radius user role that offers no connectivity.  Again, the best way to do this is to employ 802.1x and NOT mac authentication.

Hi Colin,

Many thanks for your helpful comments.So, i was not only resolve my issue but also have more clearly about types of authentication.

Again, i'm very appreciate for your support.