Occasional Contributor II
Posts: 11
Registered: ‎03-11-2014

Wireless Mac Device Authentication

I am trying to set up MAC Auth in our environment, but don't seem to be having too much luck (I am not very familiar with Aruba to begin with). I currently have an SSID (Guest), which has users log in via a captive portal. The SSID is accessed with a preshared key (just to conserve IP addresses).

I would like to have certain devices at the campus (possibly several labs of wireless devices) connect to this same SSID, but bypass the captive portal based on their MAC address being in a certain group.

I've created a Static Host List with the MAC addresses. However, I cannot seem to figure out a way to implement this list. Does anyone have any advice? Is this possible in the way that I am suggesting? Many thanks!

Guru Elite
Posts: 7,836
Registered: ‎09-08-2010

Re: Wireless Mac Device Authentication

Use the Allow All MAC Auth method, add Static Host Lists as an authorization source and then add a rule at the top of your enforcement policy that checks to see if the MAC address belongs to that group.

connection-mac-belongsto.JPG


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 4,010
Registered: ‎07-20-2011

Re: Wireless Mac Device Authentication

Try the following:

Make sure that in the controller you define:

- Mac auth profile

- Mac authentication server - ClearPass Server

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 11
Registered: ‎03-11-2014

Re: Wireless Mac Device Authentication

But would that bypass the captive portal we currently have for Guests on that SSID, or would something like this require a totally separate SSID? We want to keep the captive portal on the SSID, but if the system sees a MAC address that is allowed to connect to the SSID, the device bypasses that SSID and is placed in some role. The current setup is an Instant AP cluster that we manage with a template in AirWave.
Guests connecting to their SSID have rules in ClearPass that require ALL matched:

Radius:IETF____Calling-Station-Id____EXISTS
Connection____Client-Mac-Address_____NOT EQUALS____ %{Radius:IETF:User-Name}
Radius:Aruba___Aruba-Essid-Name____EQUALS____Guest

-Dave
Guru Elite
Posts: 7,836
Registered: ‎09-08-2010

Re: Wireless Mac Device Authentication

Yes, as long as the rule is higher than your guest rules in the enforcement policy.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
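
The rule-ordering advice above, as an added example that is not part of the original thread and is not ClearPass code: a simplified Python model of a first-match enforcement policy, showing why the static-host-list rule has to sit above the guest rule. The MAC addresses, role names and function names are hypothetical, and first-match evaluation is assumed because the advice depends on rule order.

```python
import re

# Constructed sample data standing in for the Static Host List of lab devices.
LAB_DEVICES = {"001a1e0000a1", "001a1e0000a2"}


def normalize_mac(mac):
    """Reduce colon, hyphen or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_guest_ssid(req):
    return req["essid"] == "Guest"


def in_lab_list(req):
    # Compare normalized forms so the list matches whatever notation the NAS sends.
    return normalize_mac(req["client_mac"]) in LAB_DEVICES


# Ordered rules: (name, condition, resulting role). Hypothetical role names.
POLICY = [
    ("lab-device", lambda r: is_guest_ssid(r) and in_lab_list(r), "lab-role"),
    ("guest", is_guest_ssid, "captive-portal"),
]


def evaluate(policy, req, default="deny"):
    """Walk the rules top-down and return the first one whose condition holds."""
    for name, condition, role in policy:
        if condition(req):
            return name, role
    return "default", default


if __name__ == "__main__":
    lab = {"client_mac": "00-1A-1E-00-00-A1", "essid": "Guest"}
    print(evaluate(POLICY, lab))                   # lab rule on top: portal bypassed
    print(evaluate(list(reversed(POLICY)), lab))   # guest rule on top: portal shown
```

With the guest rule first, the listed device never reaches the host-list check, which is the failure the "higher than your guest rules" condition avoids.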
Occasional Contributor II
Posts: 11
Registered: ‎03-11-2014

Re: Wireless Mac Device Authentication

Thanks everyone. It took some playing around, but we were missing the MAC Caching and a few other options. This did help though. So now we have some MAC devices that bypass the captive portal and are placed in a separate VLAN.

Thanks!
