Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

User Roles and WPA2-PSK

How is the user role determined from the WPA2-PSK method of authentication?

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: User Roles and WPA2-PSK

By default, the user-role is what is defined as the initial role in the AAA profile. You can also use user derivation rules or RADIUS with MAC authentication for dynamic role assignment.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

Re: User Roles and WPA2-PSK

Ahhhh....so you can't define a post-authentication role for that method? 

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: User Roles and WPA2-PSK

No, because no authentication has occurred. You would need to add MAC authentication.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 2
Registered: ‎12-27-2015

Re: User Roles and WPA2-PSK

Hi Tim.

Does this mean you can do PSK auth, have a device get the AAA initial role, then have that role subsequently changed by a user derivation rule? It says in the docs that user derivation rules apply pre-authentication; I thought that meant it would only apply to open SSID users. Please confirm. Thank you.

Neal

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: User Roles and WPA2-PSK

Yes, the derivation rule would be evaluated.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 368
Registered: ‎03-02-2017

Re: User Roles and WPA2-PSK

Hi Tim,

You said:

No, because no authentication has occurred.

With WPA2-PSK you must enter the preshared key when you connect to the network and the controller checks that preshared key; if it is correct you can access the network, otherwise you can't. For me this is a kind of authentication. Do you mean an authentication based on user?

Regards,

Julián

Occasional Contributor II
Posts: 11
Registered: ‎11-27-2012

Re: User Roles and WPA2-PSK

I think Tim means that no authentication has occurred against ClearPass. I asked a similar question a while back here: https://community.arubanetworks.com/t5/Security/PSK-SSID-Endpoint-Repository-for-role-assignment/m-p/297425#M31804

Once MAC auth was configured, I was able to leverage additional authorization steps against ClearPass to determine which role the client should be getting.
