Security

Contributor I
Posts: 76
Registered: ‎05-14-2009

mac authentication filter

We have MAC authentication enabled for all users with x number of expiring hours. There are groups of computers (fixed workstations) shared with customers. I would like to assign a different MAC authentication timeout or no MAC caching for these workstations. I can't differentiate this by user account because anyone can sign in with these workstations. The only thing is the MAC address from each workstation. My thought is to build a list of MAC addresses within ClearPass; if anyone signs in with this MAC address, assign a different MAC cache timeout or no MAC cache at all. I am running ClearPass version 3.9 at the moment.

 

Let me know if you have the same situation and ideas for solution. Thx!

MVP
Posts: 3,015
Registered: ‎10-25-2011

Re: mac authentication filter

Hello

What kind of environment have you got? Because Aruba recommends against the use of MAC authentication, as it's really weak and it's easy to crack.

 

Is it not possible to deploy 802.1X?

Or can you explain to us why you are using MAC authentication in your environment? Maybe there is a better way to do this besides using MAC authentication.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor I
Posts: 76
Registered: ‎05-14-2009

Re: mac authentication filter

I understand MAC is easy to crack. This WLAN is only used by the customer. It is configured to authenticate over the captive portal (via ClearPass of course). MAC authentication is enabled after the first initial login. It is just a convenience for customers to log back in without typing the credentials again.

Guru Elite
Posts: 21,489
Registered: ‎03-29-2007

Re: mac authentication filter


skywalker wrote:

I understand MAC is easy to crack. This WLAN is only used by the customer. It is configured to authenticate over the captive portal (via ClearPass of course). MAC authentication is enabled after the first initial login. It is just a convenience for customers to log back in without typing the credentials again.


I would create a second SSID for those computers and only broadcast that SSID in that area where the fixed computers are.

 

You would create a different Weblogin in ClearPass that does not have Mac Caching and in the initial role for those users, forward them via the Captive Portal authentication profile to the URL of that new Weblogin.

 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 76
Registered: ‎05-14-2009

Re: mac authentication filter

Thanks Colin!

 

As much as I want to avoid creating a new SSID for this. Things will just get messier this way. I kinda have an idea. The captive portal from the controller itself has a link to click and log out. Is there a link like that from ClearPass? I can just create a shortcut/URL on the desktop for the user to click and log out.

MVP
Posts: 520
Registered: ‎05-11-2011

Re: mac authentication filter

Check the VRD for Amigopod/ClearPass Guest. It has a pack you can import which has that logout functionality, among other stuff.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------