Regular Contributor I

Sample for MACTrac Service

Hello guys,

I am trying to get MACTrac set up. I have created the portal for the users to create their devices. But I cannot seem to get devices to authenticate against a service that I have tried to create. I figure I am missing something, but I have been putting this together largely without much example.

Does someone have an example? Looking for something really basic, simply to authenticate based on a MAC address inputted by a user. I will get more complex once I get the basics working.

 

All the Devices I attempt to connect using a MACTrac created account seem to fall directly into the AirGroup Authorization Service and not my test service that I have created. Even when I move the service I created higher on the list. Short of making an exact copy of the AirGroup Authorization Service, I cannot get another service to process these devices.

 

Clearpass.JPG

Guru Elite

Re: Sample for MACTrac Service

You need to create a RADIUS service with the guest device repository as
your authentication source. I'll post a sample when I get home.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Sample for MACTrac Service

Should it not be RADIUS enforcement? I just assumed that was the correct option for the service since the Airgroup Authorization Service is a RADIUS enforcement service.

I have my service set as a RADIUS Enforcement and the only Authentication Source is the Device Repository.

Guru Elite

Re: Sample for MACTrac Service

mactfac.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Sample for MACTrac Service

Sorry for the delayed response. Was out replacing certificates yesterday.

This worked perfectly to get devices to authenticate using that rule.

However, it only works if I place it higher than my Airgroup Authentication Rule.

Do you have any suggestion as to a way to make devices authenticated via Device Repository fall through so they can be picked up by my MACTrac service? Essid does not seem to work.

EDIT:

Or do you happen to know what makes the client hand off the Essid name when it's trying to authenticate? When connecting to our 802.1x network we do get the Essid information, but this network will not be 802.1x.

Guru Elite

Re: Sample for MACTrac Service

Can you post a screenshot of your service list?

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Sample for MACTrac Service

Here it is. I disabled the Airgroup Authorization Service and copied it, so that I could try adding different checks to let things fall through to my test network. If I move my Test network above that, then it works, but in the training I attended they said not to put anything higher than the Aruba Default Services.

Services.JPG

Guru Elite

Re: Sample for MACTrac Service

Did you modify the default Airgroup Authorization Service? You shouldn't touch that service. It's a system level service and doesn't need to be changed.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Sample for MACTrac Service

I copied it, and as it stands right now the copy is exactly the same as the default service. My problem is, the default service is what is authenticating MAC auth usernames, so it doesn't get to the MACTrac service.

EDIT:

So I think the reason it is being picked up there is the Authentication is coming through with Radius:IETF Service-Type of Authorize-Only (17).

Which was not a service type you had included in your rule. Where are these Service-Types set/configured?

Guru Elite

Re: Sample for MACTrac Service

You shouldn't have authorize-only in your MACTrac service. This is an authentication, not an authorization. Mirror the same service rules that I posted in the screenshot above and add another rule for the ESSID.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480