Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

mac authentication filter

  • 1.  mac authentication filter

    Posted Feb 07, 2013 05:01 PM

    We have MAC authentication enabled for all users with x number of expiring hours. There are groups of computers (fixed workstations) shared with customers. I would like to assign a different MAC authentication timeout or no MAC caching for these workstations. I can't differentiate this by user account because anyone can sign in with these workstations. The only thing is the MAC address of each workstation. My thought is to build a list of MAC addresses within ClearPass; if anyone signs in with one of these MAC addresses, assign a different MAC cache timeout or no MAC cache at all. I am running ClearPass version 3.9 at the moment.

     

    Let me know if you have the same situation and ideas for solution. Thx!



  • 2.  RE: mac authentication filter

    Posted Feb 07, 2013 07:23 PM

    Hello

    What kind of environment have you got? Because Aruba recommends against the use of MAC authentication, as it's really weak and it's easy to crack.

     

    Is it not possible to deploy 802.1X?

    Or can you explain to us why you are using MAC authentication in your environment? Maybe there is a better way to do this besides using MAC authentication.

     

    Cheers

    Carlos



  • 3.  RE: mac authentication filter

    Posted Feb 08, 2013 09:56 AM

    I understand MAC is easy to crack. This WLAN is only used by the customer. It is configured to authenticate over the captive portal (via ClearPass of course). MAC authentication is enabled after the first initial login. It is just a convenience for customers to log back in without typing the credentials again.



  • 4.  RE: mac authentication filter

    EMPLOYEE
    Posted Feb 08, 2013 10:22 AM

    @skywalker wrote:

    I understand MAC is easy to crack. This WLAN is only used by the customer. It is configured to authenticate over the captive portal (via ClearPass of course). MAC authentication is enabled after the first initial login. It is just a convenience for customers to log back in without typing the credentials again.


    I would create a second SSID for those computers and only broadcast that SSID in that area where the fixed computers are.

     

    You would create a different Weblogin in ClearPass that does not have Mac Caching and in the initial role for those users, forward them via the Captive Portal authentication profile to the URL of that new Weblogin.

     



  • 5.  RE: mac authentication filter

    Posted Feb 11, 2013 05:11 PM

    Thanks Colin!

     

    As much as I want to avoid creating a new SSID for this. Things will just get messier this way. I kinda have an idea. The captive portal from the controller itself has a link to click and log out. Is there a link like that from ClearPass? I can just create a shortcut/URL on the desktop for the user to click and log out.



  • 6.  RE: mac authentication filter

    Posted Feb 11, 2013 05:45 PM
    Check the VRD for Amigopod/ClearPass Guest. It has a pack you can import which has that logout functionality, among other stuff.