04-15-2014 12:40 PM
I am trying to get MACTrac set up. I have created the portal for the users to create their devices. But I cannot seem to get devices to authenticate against a service that I have tried to create. I figure I am missing something, but I have been putting this together largely without much example.
Does someone have an example? Looking for something really basic, simply to authenticate based on a MAC address inputted by a user. I will get more complex once I get the basics working.
All the Devices I attempt to connect using a MACTrac created account seem to fall directly into the AirGroup Authorization Service and not my test service that I have created. Even when I move the service I created higher on the list. Short of making an exact copy of the AirGroup Authorization Service, I cannot get another service to process these devices.
04-15-2014 12:44 PM
your authentication source. I'll post a sample when I get home.
04-15-2014 12:50 PM
Should it not be RADIUS enforcement? I just assumed that was the correct option for the service since the Airgroup Authorization Service is a RADIUS enforcement service.
I have my service set as a RADIUS Enforcement and the only Authentication Source is the Device Repository.
04-17-2014 08:45 AM - edited 04-17-2014 09:04 AM
Sorry for the delayed response. Was out replacing certificates yesterday.
This worked perfectly to get devices to authenticate using that rule.
However, it only works if I place it higher than my Airgroup Authentication Rule.
Do you have any suggestion as to a way to make devices authenticated via Device Repository fall through so they can be picked up by my MACTrac service? Essid does not seem to work.
Or do you happen to know what makes the client hand off the Essid name when it's trying to authenticate? When connecting to our 802.1x network we do the the Essid information, but this network will not be 802.1x.
04-17-2014 09:08 AM
Here it is. I disabled the Airgroup Authorization Service and copied it, so that I could try adding different checks to let things fall through to my test network. If I move my Test network above that, then it works, but in the training I attended they said not to put anything higher than the Aruba Default Services.
04-17-2014 09:10 AM
Did you modify the default Airgroup Authorization Service? You shouldn't touch that service. It's a system level service and doesn't need to be changed.
04-17-2014 09:13 AM - edited 04-17-2014 09:27 AM
I copied it, and as it stands right now the copy is exactly the same as the default service. My problem is, the default service is what is authenticating MAC auth usernames, so it doesn't get to the MACTrac service.
So I think the reason it is being picked up there is the Authentication is coming through with Radius:IETF Service-Type of Authorize-Only (17).
Which was not a service type you had included in your rule. Where are these Service-Types set/configured?
04-17-2014 09:32 AM - edited 04-17-2014 09:32 AM
You shouldn't have authorize-only in your MACTrac service. This is an authentication, not an authorization. Mirror the same service rules that I posted in the screenshot above and add another rule for the ESSID.