Occasional Contributor II

User Roles and WPA2-PSK

How is user role determined from WPA2-PSK method of authentication?

 

 

Guru Elite

Re: User Roles and WPA2-PSK

By default, the user-role is what is defined as the initial role in the AAA profile. You can also use user derivation rules or RADIUS with MAC authentication for dynamic role assignment.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: User Roles and WPA2-PSK

Ahhhh....so you can't define a post-authentication role for that method? 

Guru Elite

Re: User Roles and WPA2-PSK

No, because no authentication has occurred. You would need to add MAC authentication.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: User Roles and WPA2-PSK

Hi Tim.

 

Does this mean you can do PSK auth, have a device get the AAA initial role, then have that role subsequently changed by a user derivation rule? It says in the docs that user derivation rules apply pre-authentication; I thought that meant it would only apply to open SSID users. Please confirm. Thank you.

 

Neal

Guru Elite

Re: User Roles and WPA2-PSK

Yes, the derivation rule would be evaluated.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I

Re: User Roles and WPA2-PSK

Hi Tim,

 

You said:

 

No, because no authentication has occurred.

 

With WPA2-PSK you must enter the preshared key when you connect to the network and the controller checks that preshared key; if it is correct you can access the network, otherwise you can't. For me this is a kind of authentication. Do you mean an authentication based on user?

 

Regards,

Julián


Occasional Contributor II

Re: User Roles and WPA2-PSK

I think Tim means that no authentication has occurred against ClearPass. I asked a similar question a while back here: https://community.arubanetworks.com/t5/Security/PSK-SSID-Endpoint-Repository-for-role-assignment/m-p/297425#M31804

 

Once MAC auth was configured, I was able to leverage additional authorization steps against ClearPass to determine which role the client should be getting.
